OPNsense Forum
English Forums => General Discussion => Topic started by: rl82 on July 29, 2021, 03:35:23 pm
-
Hello Everybody,
I was configuring a NAT 1:1 in a GNS3 environment.
I created a virtual IP, set the NAT rule as the screenshot shows, and a firewall rule.
The problem is this one: from any host on the WAN, I am ALSO able to ping the internal IP address. How is this possible?
Thanks
-
1st screenshot
-
Hi Rocco,
What is the subnet mask on your WAN side?
Can you do a packet trace and filter on 192.168.56.3 please?
Thanks,
Bart...
-
Hello Bart,
thanks for your prompt reply.
This is the topology;
I will share the screenshot you asked for.
-
NAT 1:1 Configuration
-
packet capture
-
OPNsense Logs - Live view
-
live view
-
Is it just ping or can you also open other connections, like SSH to 192.168.56.3?
ICMP is more widely allowed than others and you may have a blanket rule somewhere for it.
Bart...
-
I have the ICMP protocol allowed, as shown in the screenshot
-
From 192.168.100.5 can you SSH to 192.168.100.10 please?
What about SSH from 192.168.100.5 to 192.168.56.3?
-
Hello Bart, there is no address with 100.10.
You mean 100.1?
-
Sorry, I missed a digit - 192.168.100.102 which is your 1:1 NAT external IP
-
no success
-
Can you ssh from webterm1 to 192.168.56.3?
-
It is interesting that I can ping only .101 (port-forward virtual IP) and not .102 (1:1 NAT virtual IP).
SSH: no success
-
ssh no success
Can you make sure the SSH server is installed and running?
sudo apt-get install openssh-server
systemctl status sshd
Bart...
-
ssh no success
Can you make sure the SSH server is installed and running?
sudo apt-get install openssh-server
systemctl status sshd
Bart...
Thanks Bart for your help.
You mean to install it in webterm?
-
ubuntu1 - the server that sits behind your 1:1 NAT
-
Sorry Bart, I am not sure I understood.
Could you please be so kind as to explain it to me better?
Do you need some screenshots regarding the configuration?
Thanks :)
-
You are trying to SSH to a server behind 1:1 NAT. Bart asked you to check and make sure that SSH is running on that server. Might be simply not active ...
-
Thanks,
here is the output
-
Can you confirm it works now from your local LAN and from the WAN side of your 1:1 NAT?
There may be a host firewall on ubuntu1 that limits access (UFW in that case). If it doesn't work from your LAN, ensure SSH is allowed from everywhere (at least temporarily for testing).
Bart...
-
Hello Bart,
I am sorry, but I have difficulties understanding the goal:
my problem is that I am able to reach the webserver on Ubuntu at its private address (192.168.56.3:81) although I set the NAT port forwarding and the NAT 1:1. I see that if I disable the NAT port forwarding the problem still persists, while if I disable the NAT 1:1 the problem is solved, so I assume there is some misconfiguration in the NAT 1:1.
-
To me the goal of 1:1 NAT is for traffic parity on the WAN side. The destination address for traffic to your server from outside is the same as the source address of the return traffic. This solves a lot of issues with NAT (but not all).
Once that bit works, you can worry about other issues.
-
Hello Bart,
thank you for your answer. What do you mean by "traffic parity", please?
Could it be that this option has enabled this bug?
"block private network disabled"
-
I can do SSH from the internal browser webterm-1
no SSH from the external browser webterm-2
-
So I am not able to solve it :-X
I will bang my head against it in these hours and I will find it out.
If I find the solution, I will post it and share it with the community :)
Thanks everybody
-
So no success.
The problem persists: the private IP address of the webserver (192.168.56.3) is REACHABLE from the WAN (external network) when I add the NAT 1:1 rule.
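The reachability checks Bart asks for across this thread (SSH and the web port, from a WAN-side host, against the NAT virtual IP and against the server's private address) can be turned into one repeatable test. The script below is an added example, not code from the thread or from OPNsense; the addresses are the ones in the thread, and the expectation table (only 192.168.100.102 should answer, 192.168.56.3 must not) is an assumption about the intended design.

```python
"""1:1 NAT exposure check, meant to run from a WAN-side host (webterm-2 in the lab).

Compares what actually answers with what the NAT design intends: the 1:1 NAT
virtual IP should forward to the server, while the server's private address
must not be reachable from the WAN at all.
"""
import socket

# Constructed from the thread's topology: (host, port, should_be_reachable).
# Assumption: 192.168.100.102 is the 1:1 NAT virtual IP for ubuntu1,
# 192.168.56.3 is ubuntu1's private address (SSH on 22, web on 81).
EXPECTATIONS = [
    ("192.168.100.102", 22, True),
    ("192.168.100.102", 81, True),
    ("192.168.56.3", 22, False),
    ("192.168.56.3", 81, False),
]


def tcp_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP connect to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable, timed out
        return False


def evaluate(results: dict, expectations=EXPECTATIONS) -> list:
    """Compare observed reachability ({(host, port): bool}) with the table.

    Returns human-readable violations; an empty list means the NAT behaves as
    intended. A private address answering from the WAN (the symptom in this
    thread) is reported as EXPOSURE; a NAT address not answering as BROKEN.
    Entries missing from results are skipped.
    """
    violations = []
    for host, port, expected in expectations:
        observed = results.get((host, port))
        if observed is None or observed == expected:
            continue
        if observed:
            violations.append(f"EXPOSURE: {host}:{port} answers from WAN")
        else:
            violations.append(f"BROKEN: {host}:{port} should be reachable via NAT")
    return violations


def run_checks(expectations=EXPECTATIONS) -> list:
    """Probe every table entry live and return the violations found."""
    observed = {(h, p): tcp_reachable(h, p) for h, p, _ in expectations}
    return evaluate(observed, expectations)


if __name__ == "__main__":
    for line in run_checks() or ["OK: only the NAT virtual IP answers"]:
        print(line)
```

Run it from webterm-2 after each NAT change; an EXPOSURE line for 192.168.56.3 reproduces the problem described above, and an empty result confirms the 1:1 NAT rule no longer leaks the private address.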