OPNsense Forum

English Forums => General Discussion => Topic started by: rl82 on July 29, 2021, 03:35:23 pm

Title: NAT 1:1
Post by: rl82 on July 29, 2021, 03:35:23 pm
Hello Everybody,

I was configuring 1:1 NAT in a GNS3 environment.
I created a virtual IP, set the NAT rule as the screenshot shows, and a firewall rule.

The problem is this: from any host on the WAN, I am ALSO able to ping the internal IP address. How is this possible?
Thanks
Title: Re: NAT 1:1
Post by: rl82 on July 29, 2021, 03:36:57 pm
1st screenshot
Title: Re: NAT 1:1
Post by: bartjsmit on July 29, 2021, 04:22:05 pm
Hi Rocco,

What is the subnet mask on your WAN side?

Can you do a packet trace and filter on 192.168.56.3 please?

Thanks,

Bart...
Title: Re: NAT 1:1
Post by: rl82 on July 29, 2021, 04:26:46 pm
Hello Bart,

Thanks for your prompt reply.

This is the topology.

I will share the screenshot you asked for.
Title: Re: NAT 1:1
Post by: rl82 on July 29, 2021, 04:30:02 pm
NAT 1:1 Configuration
Title: Re: NAT 1:1
Post by: rl82 on July 29, 2021, 04:38:11 pm
packet capture
Title: Re: NAT 1:1
Post by: rl82 on July 29, 2021, 04:39:15 pm
OPNSense Logs - Live view
Title: Re: NAT 1:1
Post by: rl82 on July 29, 2021, 04:39:38 pm
live view
Title: Re: NAT 1:1
Post by: bartjsmit on July 29, 2021, 06:51:38 pm
Is it just ping or can you also open other connections, like SSH to 192.168.56.3?

ICMP is more widely allowed than others and you may have a blanket rule somewhere for it.

Bart...
Title: Re: NAT 1:1
Post by: rl82 on July 30, 2021, 07:07:33 am
I have ICMP protocol allowed as shown in the screenshot
Title: Re: NAT 1:1
Post by: bartjsmit on July 30, 2021, 07:47:26 am
From 192.168.100.5 can you SSH to 192.168.100.10 please?

What about SSH from 192.168.100.5 to 192.168.56.3?

Title: Re: NAT 1:1
Post by: rl82 on July 30, 2021, 11:19:28 am
Hello Bart, there is no address ending in 100.10.
Do you mean 100.1?
Title: Re: NAT 1:1
Post by: bartjsmit on July 30, 2021, 09:33:55 pm
Sorry, I missed a digit: 192.168.100.102, which is your 1:1 NAT external IP.
Title: Re: NAT 1:1
Post by: rl82 on August 03, 2021, 02:17:12 pm
No success.
Title: Re: NAT 1:1
Post by: bartjsmit on August 03, 2021, 02:26:44 pm
Can you ssh from webterm1 to 192.168.56.3?
Title: Re: NAT 1:1
Post by: rl82 on August 03, 2021, 02:40:51 pm
It is interesting that I can ping only .101 (port forward virtual IP) and not .102 (1:1 NAT virtual IP).
SSH: no success.
Title: Re: NAT 1:1
Post by: bartjsmit on August 03, 2021, 10:13:16 pm
Quote from rl82: "SSH: no success."

Can you make sure the SSH server is installed and running?

sudo apt-get install openssh-server
systemctl status sshd

Bart...
Title: Re: NAT 1:1
Post by: rl82 on August 04, 2021, 09:55:38 am
Quote from bartjsmit:
  SSH: no success.

  Can you make sure the SSH server is installed and running?

  sudo apt-get install openssh-server
  systemctl status sshd

  Bart...

Thanks Bart for your help.
Do you mean to install it on webterm?
Title: Re: NAT 1:1
Post by: bartjsmit on August 04, 2021, 03:55:36 pm
ubuntu1 - the server that sits behind your 1:1 NAT
Title: Re: NAT 1:1
Post by: rl82 on August 10, 2021, 09:08:23 am
Sorry Bart, I am not sure I understood.
Would you please be so kind as to explain it to me better?
Do you need some screenshot regarding the configuration?

Thanks :)
Title: Re: NAT 1:1
Post by: Patrick M. Hausen on August 10, 2021, 09:13:26 am
You are trying to SSH to a server behind 1:1 NAT. Bart asked you to check and make sure that SSH is running on that server. Might be simply not active ...
Title: Re: NAT 1:1
Post by: rl82 on August 10, 2021, 10:43:01 am
Thanks,
here is the output.
Title: Re: NAT 1:1
Post by: bartjsmit on August 10, 2021, 11:40:24 am
Can you confirm it works now from your local LAN and from the WAN side of your 1:1 NAT?

There may be a host firewall on ubuntu1 that limits access (UFW in that case). If it doesn't work from your LAN, ensure SSH is allowed from everywhere (at least temporarily for testing)

Bart...
Title: Re: NAT 1:1
Post by: rl82 on August 10, 2021, 01:45:12 pm
Hello Bart,

I am sorry, but I have difficulty understanding the goal:

My problem is that I am able to reach the web server on Ubuntu via its private address (192.168.56.3:81) although I set up the NAT port forwarding and the 1:1 NAT. I see that if I disable the NAT port forwarding the problem still persists, while if I disable the 1:1 NAT the problem is solved, so I assume there is some misconfiguration in the 1:1 NAT.
Title: Re: NAT 1:1
Post by: bartjsmit on August 10, 2021, 02:14:51 pm
To me the goal of 1:1 NAT is traffic parity on the WAN side. The destination address for traffic to your server from outside is the same as the source address of the return traffic. This solves a lot of issues with NAT (but not all).

Once that bit works, you can worry about other issues.
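The "traffic parity" described in the post above, as an added illustration that is not part of the original thread and not the rules OPNsense generates verbatim: a 1:1 NAT entry amounts to one pf binat rule in classic pf.conf syntax, written here with the addresses from the thread. The interface names em0/em1 are assumptions; the OPNsense WAN and LAN interface names are not given on the page.

```pf
# Added illustration of what a 1:1 NAT entry amounts to in classic pf.conf
# syntax. Interface names are assumed; addresses are the ones in the thread.
wan_if = "em0"
lan_if = "em1"
vip    = "192.168.100.102"   # virtual IP on WAN, the 1:1 external address
srv    = "192.168.56.3"      # ubuntu1 on LAN, the 1:1 internal address

# One binat rule gives both directions, which is the "traffic parity":
#   inbound  on WAN: dst 192.168.100.102 is rewritten to dst 192.168.56.3
#   outbound on WAN: src 192.168.56.3    is rewritten to src 192.168.100.102
binat on $wan_if from $srv to any -> $vip

# pf translates before it filters, so the WAN pass rule for translated
# traffic has to name the internal address, not the VIP.
pass in on $wan_if inet proto icmp from any to $srv icmp-type echoreq

# Caveat for the symptom in this thread: a packet that arrives on WAN already
# addressed to 192.168.56.3 (only possible if the WAN-side host has a route
# for 192.168.56.0/24, e.g. its default route, pointing at OPNsense) is not
# rewritten by binat, but it reaches the same pass rule with the same
# destination as a packet that was sent to the VIP. This pass rule therefore
# admits both; the reply follows the untranslated state and leaves with
# src 192.168.56.3, so the WAN host sees the private address answer.
```

The check to make in a lab like this one is on the WAN-side host, not on the firewall: if `192.168.56.0/24` is reachable from there through OPNsense, the private address is routed rather than "leaked" by 1:1 NAT, and a destination-based WAN rule cannot tell the two cases apart. A private range that is not routable from the WAN side is what keeps the internal address unreachable in production.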
Title: Re: NAT 1:1
Post by: rl82 on August 10, 2021, 02:31:40 pm
Hello Bart,

Thank you for your answer. What do you mean by "traffic parity", please?
Could it be that this option has enabled this bug:
"block private networks" disabled?
Title: Re: NAT 1:1
Post by: rl82 on August 10, 2021, 02:41:53 pm
I can SSH from the internal browser webterm-1.
No SSH from the external browser webterm-2.
Title: Re: NAT 1:1
Post by: rl82 on August 11, 2021, 02:36:02 pm
So I am not able to solve it  :-X
I will bang my head against it these hours and I will find it out.
If I find the solution, I will post it and share it with the community :)
Thanks everybody
Title: Re: NAT 1:1
Post by: rl82 on August 13, 2021, 09:41:47 am
So, no success.
The problem persists: the private IP address of the web server (192.168.56.3) is REACHABLE from the WAN (external network) when I add the 1:1 NAT rule.