OPNsense Forum

English Forums => General Discussion => Topic started by: MWR-Napavine on August 22, 2022, 06:14:08 pm

Title: NAT Reflection - Was working, not sure why it stopped.
Post by: MWR-Napavine on August 22, 2022, 06:14:08 pm
Greetings.

I have an OPNSense Firewall with a single WAN. LAN port goes to a Layer 3 switch which is doing the routing between other networks.

To do this I have an extra Gateway defined for the Layer 3 Switch. Also, the Outbound NAT setting is set to Hybrid so I can manually enter rules for the extended networks.

You may ask "Why are you having the L3 Switch do the routing and not pass the VLANS to the OPNSense router?" Because I have a Content Filter sitting between the Switch and the Firewall, and it needs to see all the traffic. (This is for a K12 School network.)

So my network looks something like this:

Internet -> (WAN Port) OPNSense (LAN Port) -> Content Filter -> Layer3 switch -> Multiple VLANs with different IP Networks

That all works. But I needed to explain all that so I can ask about port forwarding and NAT reflection.

-------

I have some services that are internal servers but are reachable through my OPNSense firewall via port forwarding. This works perfectly outside my networks. It also did work from inside my networks as well via NAT reflection. But somehow, this stopped working.

I've tried many different settings to get this to work:

None of it is allowing internet computers to reach the resources via NAT reflection.

So, I've changed most of the settings back to defaults, as I don't want to be allowing the BOGON or private networks through the WAN if I don't have to.

So, I'm at a loss now of what I can try. I don't see any requests being blocked in the live logs when I attempt to reach those ports, so I don't think it's a firewall issue. Is there a log file somewhere else where I can see if the reflections are working? Or is there something simple I'm missing/forgetting?

Thanks for any support.
Title: Re: NAT Reflection - Was working, not sure why it stopped.
Post by: meyergru on August 22, 2022, 06:37:23 pm
Did you group your ports with aliases or combine multiple ports in one NAT rule?

Look here: https://forum.opnsense.org/index.php?topic=28639
Title: Re: NAT Reflection - Was working, not sure why it stopped.
Post by: MWR-Napavine on August 25, 2022, 05:02:23 pm
Quote
Did you group your ports with aliases...

Group my ports with aliases? Not sure how to do that. I don't think I'm doing that. I do have an alias, but it's a group of IPs, not a group of ports.

I do have some rules for ports 80 and 443, which are then "named" as HTTP and HTTPS... are those the "aliases"? I tried to set them as "Other" and use the port numbers directly, but the system just returns to using the HTTP and HTTPS "aliases" for them.

Quote
or combine multiple ports in one NAT rule?

I have many NAT rules. Some have ranges of ports. This wasn't a problem before, but perhaps things have changed.

Quote
Look here: https://forum.opnsense.org/index.php?topic=28639

I did read this... The post says when doing port forwarding with a single rule for 2 ports (the example given was 143 and 587) the forwarding breaks. The solution was to make them two separate rules.

Unfortunately, I have large ranges that I'm forwarding. Is there a way to fix this without making hundreds of individual rules?

I'm probably not understanding the issue clearly. Thanks for any help.
Title: Re: NAT Reflection - Was working, not sure why it stopped.
Post by: MWR-Napavine on August 25, 2022, 05:10:02 pm
Okay, one thing clarified:

I see that I can make aliases for ports. I thought aliases were for hosts/IPs only... but now I see the option to create an alias for ports as well.

From what I'm reading, Aliases might be broken? So don't use them, anyways?
Title: Re: NAT Reflection - Was working, not sure why it stopped.
Post by: meyergru on August 27, 2022, 01:14:52 am
I actually have not tried ranges, but if more than one port was in a single NAT rule, reflection did not work for me.
Title: Re: NAT Reflection - Was working, not sure why it stopped.
Post by: MWR-Napavine on August 27, 2022, 11:12:17 am
I am still trying to figure out why NAT reflection stopped working... but for now I've implemented a split DNS that is a workaround for the issue.
Title: Re: NAT Reflection - Was working, not sure why it stopped.
Post by: KoS on September 18, 2022, 10:13:40 pm
I have figured out why the NAT reflection for me didn't work -> the interfaces in the NAT rule need to include the "internal" networks too and not just the WAN interface. Despite the misleading hint "in most cases, you'll want to use WAN here." ;-)

Maybe it is the same "problem" for you too?
Title: Re: NAT Reflection - Was working, not sure why it stopped.
Post by: meyergru on September 19, 2022, 12:40:09 am
But that does not do quite the same - this shades the port on the local interface, too. That way, you cannot have both OpnSense on the LAN port 443 and a NATed internal server on the same port accessible on the WAN port.

That gets even more confusing when you do port translations as well.

I found only that one flaw, namely that reflection does not work with more than one port per rule.
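The two pitfalls this thread has turned up so far are a rule carrying more than one destination port (meyergru) and a rule bound only to WAN (KoS). The script below, an added example that is not from the thread or from the OPNsense project, audits a list of port-forward rules for both and shows how many single-port rules a range would have to be split into. The `Rule` class, the `PORT_ALIASES` table and the `SAMPLE_RULES` list are all constructed stand-ins for a GUI rule set, not a real config export; which interfaces count as "internal" is passed in by the caller.

```python
"""Audit port-forward rules for the two NAT reflection pitfalls reported in
this thread: (1) more than one destination port in a single rule, and
(2) a rule bound only to the WAN interface. All rules and aliases here are
constructed sample data, not an export from a real firewall."""

from dataclasses import dataclass

# Hypothetical port aliases, as they might be defined under Firewall > Aliases.
PORT_ALIASES = {
    "WEB_PORTS": ["80", "443"],
}


@dataclass(frozen=True)
class Rule:
    name: str
    interfaces: tuple   # interfaces the rule is bound to, e.g. ("WAN",)
    dest_ports: str     # "443", "8000-8010", or a port alias name
    target: str         # internal host the port is forwarded to


def expand_ports(spec, aliases=PORT_ALIASES):
    """Return every individual port a spec covers, sorted.

    Accepts a single port ("443"), a range ("8000-8010") or an alias name
    whose entries are themselves single ports or ranges."""
    entries = aliases.get(spec, [spec])
    ports = set()
    for entry in entries:
        lo, _, hi = entry.partition("-")
        lo = int(lo)
        hi = int(hi) if hi else lo
        if not 0 < lo <= hi <= 65535:
            raise ValueError(f"bad port spec {entry!r}")
        ports.update(range(lo, hi + 1))
    return sorted(ports)


def audit_rule(rule, internal_ifaces=("LAN",), aliases=PORT_ALIASES):
    """Return a list of findings; an empty list means neither pitfall applies."""
    findings = []
    ports = expand_ports(rule.dest_ports, aliases)
    if len(ports) > 1:
        findings.append(
            f"{rule.name}: {len(ports)} destination ports in one rule; "
            "this thread reports reflection only working with one port per rule"
        )
    if not set(internal_ifaces) & set(rule.interfaces):
        findings.append(
            f"{rule.name}: bound only to {', '.join(rule.interfaces)}; "
            "this thread reports the internal interfaces had to be included too"
        )
    return findings


def split_rule(rule, aliases=PORT_ALIASES):
    """Expand a multi-port rule into one single-port rule per port, which is
    the workaround described above (and why large ranges are painful)."""
    return [
        Rule(f"{rule.name}-{port}", rule.interfaces, str(port), rule.target)
        for port in expand_ports(rule.dest_ports, aliases)
    ]


# Constructed sample rule set: one clean-looking rule, one alias rule, one range.
SAMPLE_RULES = [
    Rule("https-in", ("WAN",), "443", "10.10.20.5"),
    Rule("web-alias", ("WAN", "LAN"), "WEB_PORTS", "10.10.20.5"),
    Rule("rtp-range", ("WAN",), "10000-10003", "10.10.30.9"),
]

if __name__ == "__main__":
    for rule in SAMPLE_RULES:
        for finding in audit_rule(rule):
            print(finding)
        if len(expand_ports(rule.dest_ports)) > 1:
            print(f"  -> splitting would produce {len(split_rule(rule))} rules")
```

Run it as-is to see the findings for the sample rules; to audit your own set, rebuild `SAMPLE_RULES` from the Port Forward page and pass the names of your internal interfaces to `audit_rule`. Note that the second finding does exactly what meyergru warns about above: binding the rule to LAN as well means the forwarded port is also taken over on the LAN side, so it is a trade-off, not a free fix.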
Title: Re: NAT Reflection - Was working, not sure why it stopped.
Post by: Koloa on September 19, 2022, 02:57:59 am
Quote
I am still trying to figure out why NAT reflection stopped working... but for now I've implemented a split DNS that is a workaround for the issue.

For what it is worth, I recently ran into a similar issue, and this, too, was my solution. I don't have a previous build of OPNsense to know if this was a recent change or not, but the split DNS was the only viable solution that seemed to avoid the problem!
Title: Re: NAT Reflection - Was working, not sure why it stopped.
Post by: marshalleq on January 09, 2023, 01:15:20 am
I think it's broken and it would seem that there is a bug open for this (below). It's probably worth going in there and voicing your opinion to get some visibility that it isn't just a few of us being green about firewall configuration. I note there are a lot of other threads about this issue going back many versions; one of them logged in 2020 has had 11093 views, so I think that says a lot.

https://github.com/opnsense/core/issues/5941