OPNsense Forum

Archive => 16.1 Legacy Series => Topic started by: Manxmann on July 30, 2016, 11:43:05 pm

Title: I must be going nuts - Port Forwarding not working
Post by: Manxmann on July 30, 2016, 11:43:05 pm
Hey Folks,

I'm just setting up a small VM server for a gaming convention, nothing I haven't already done but for the life of me I can't seem to get this simple thing working.

So system is as follows.

XenServer 7.0 HP DL380 G5 Xeon L5420
2 nics (1 dedicated to management, 1 VM trunk) + 1 'Internal' Network hosted within the Xenserver

2 VM's :
1/ Debian Jessie running SSH server 1 nic connected to 'internal' network.
2/ OPNSense 16.1 (also tried 16.7) 2 nics (1 x trunk, 1 x 'internal')

TOE disabled on ALL virtual and physical Nic's on the XenServer and also within the OPNSense VM itself.

network plan:
<Client> ----- <trunk net 172.16.10.0/24> ----- < Nic1 Firewall VM Nic2> ------- <Internal Net 192.168.111.0/24> ----- <Debian server>

Default install of OPNSense no mods to rules / nat etc.

So all I want to do is setup a simple port forward from the external Nic1 of the FW port 22 to the same port on the internal Debian Server but it simply doesn't work.

The WAN (nic 1) on the FW has block private networks turned OFF.
1 Port Forward rule, auto FW rule.
I've tried adding a 2nd Virtual IP to the WAN

Looking at the FW logs the traffic is 'passed' by the FW, running TCP dump on the Debian server i can see the incoming request and the reply.

The state table of the firewall shows two entries :

ALL TCP 192.168.111.100 (172.16.10.90) <- 172.16.10.112:58457 SYN_SENT:ESTABLISHED
ALL TCP 172.16.10.112:58457 -> 192.168.111.100:22 ESTABLISHED:SYN_SENT

The state entries stay like this until purged from the table i.e. the 3 way handshake never completes.

I already have pretty much exactly this configuration, WAN is public IP subnet but other than that the same, up an running on my main home VM Platform with no issues so know it can work.

So thinking there must be a VM Host platform issue, switch issue this is a new server for just this job after all I checked everything a dozen times over and couldn't find a problem. Out of desperation I built a new VM this time installing a Linux based UTM/Firewall platform (Sophos/Astaro UTM). Using this software with the exact same VM guest configuration for nics/disks/IP's etc everything works first time and a I can access the servers SSH instance from the client.

I've tried 16.7 with no luck, totally flummoxed, suggestions?

About to try an alternate VM Platform but as I say it works perfectly on my home server.
Title: Re: I must be going nuts - Port Forwarding not working
Post by: Manxmann on July 31, 2016, 09:08:03 pm
Ok still no luck with 16.1/7, apologies for what I'm about to say :)

I've installed PFSense 2.3.2 and that works like a charm as well so I'm lost.
Title: Re: I must be going nuts - Port Forwarding not working
Post by: silent_mastodon on August 06, 2016, 07:17:26 am
You and me both man. I had the exact same issue, couldn't ever make it work, had to go with a similar alternative 'cause no answers were forthcoming.

I wonder if a setup like this is part of the testing framework opnsense uses? Seems like a fairly common use-case that isn't getting attention.
Title: Re: I must be going nuts - Port Forwarding not working
Post by: Zeitkind on August 06, 2016, 12:33:13 pm
Quite sure it's the same problem as reported before. There is a bug in gateway handling - or at least some strange stuff going on IF you test from the "local" WAN network, i.e. the external machine is in the same network as the WAN gateway. Check if you see the missing outgoing packets at your next gateway, because opnsense will likely send out the packets with the wrong destination MAC.
You can test it if you simply remove ALL gateways on the opnsense machine, NAT should work then.

The discussion about this is in the german channel, but well..
https://forum.opnsense.org/index.php?topic=3415.0
https://forum.opnsense.org/index.php?topic=1668.0