OPNsense Forum

Archive => 17.1 Legacy Series => Topic started by: labsy on May 17, 2017, 12:09:46 am

Title: [SOLVED] Cannot get NAT rules to work
Post by: labsy on May 17, 2017, 12:09:46 am
Hi,

I've just installed OPNSense 17.1.4 on VMWare 6.5 host. I used VMXNET3 type NIC adapters on both LAN and WAN sides.
Test setup as router --> OK
Test as Web Proxy --> OK
Pinging from OPNSense WAN and LAN destinations --> OK
Test with or without IPS/IDS --> both OK

Now, fine, excellent!
BUT no... I'm stuck with NAT rules.
Simple NAT rule on WAN interface, from WAN IP to LAN IP, port 80 (HTTP) no go?!

Interface: WAN
Proto: TCP
Destination: WAN Address (or Wan alias IP)
Destination from: HTTP to: HTTP
Redirect target IP: one of LAN server's IP
Redirect target port: HTTP
Pool option: default
NAT Reflection: Default/Enable/Disable (tried all of them)
Filter Rule association: None/Pass (tried both)

Ok, then I changed OPNSense port from HTTP to HTTPS and to 12345 instead of 443.
But NAT still does not work.

Then I took A LOT OF TIME and tried all possible combinations, FROM Any/Wan/Lan, then NAT Redirect On/Off, Rule Pass/none... also tried from public 81 to local 80.... nothing works!!?
Also tried to change OPNSense WAN IP and added WAN IP ALIAS, then NAT redirect FROM WAN Alias, then I upgraded to 17.1.6 without problems, BUT.... no go, simply NAT does not work whatever I do.

Any idea?
Title: Re: Cannot get NAT rules to work
Post by: zenlord on May 17, 2017, 08:28:01 am
I had some issues while setting up my OPNsense router with NAT, and after I had solved the base issues with my internal network, I couldn't get the simplest of NAT rules to work. I solved the issue by removing the NAT rules, saving the changes and creating a new NAT rule (and including the option to 'add a firewall rule').
HTH
Title: Re: Cannot get NAT rules to work
Post by: Zenspartan on May 18, 2017, 06:24:43 pm
I've worked on the exact same issue, but I found that if I disabled the upstream gateway, lo and behold, the NAT worked (ssh to machine on the LAN). However, LAN access to the upstream obviously did not. Did tcpdump on WAN and LAN side and found traffic was being passed, so wasn't a firewall rule issue. Ping works under both conditions, bizarrely.

Zen
Title: Re: Cannot get NAT rules to work
Post by: labsy on May 18, 2017, 11:00:57 pm
I've tried the following, but without success:
- changed LAN and WAN adapters, rebooted twice
- deleted NAT rules and recreated them
- changed LAN IP subnet to something different, just for test
- tried rule from 80 to 80 and from 81 to 81
No, still does not work. Cannot get any NAT rule to work.
Title: Re: [SOLVED]Cannot get NAT rules to work
Post by: labsy on May 19, 2017, 10:43:01 pm
SOLUTION / EXPLANATION
I found out that NAT return packages are not just thrown back to WAN origin, but are rather forwarded to WAN Gateway. As I was testing from "internal simulated WAN", return packages were not sent back to my PC, but rather to WAN gateway. That's why it did not work!
As soon as I connected my service PC outside to the internet, so that I was not only behind OPNSense, but also behind the WAN gateway, all works like a charm :)

Explaining scheme:
Internet --> WAN Gateway --> Wan Interface --> OPNSense NAT rules --> LAN interface --> LAN network
x.x.x.x   --> 192.168.8.1   --> 192.168.8.10 --> ......................... --> 10.10.10.1    --> 10.10.10.0/24

So, when I was in the 192.168.8.0/24 network, NAT did not work for me, as return packages were not sent to my PC on IP 192.168.8.50, but rather to Gateway IP 192.168.8.1.
I had to move my PC back to the INTERNET, so I was behind the WAN gateway, to receive return packages.

I do not know whether this is a bug or feature, but it's nice to know.
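The behaviour labsy describes is pf's reply-to: OPNsense adds it to pass rules on interfaces that have a gateway, so replies for those states are handed to that gateway instead of following the routing table. Below is an added illustration in the pf syntax OPNsense 17.x generates (not the project's own ruleset): the port forward with reply-to beside the same rule without it. Interface names vmx1/vmx0 and the LAN server 10.10.10.5 are assumptions; the other addresses come from the post above.

```pf
# Added example, not an OPNsense-generated ruleset.
# Assumed: WAN = vmx1, LAN = vmx0, LAN web server = 10.10.10.5 (constructed).
# Remaining addresses are those from labsy's scheme.
ext_if  = "vmx1"
int_if  = "vmx0"
wan_ip  = "192.168.8.10"
wan_gw  = "192.168.8.1"
web_srv = "10.10.10.5"

# The port forward as configured in the GUI: WAN address, port 80 -> LAN server port 80.
rdr on $ext_if inet proto tcp from any to $wan_ip port 80 -> $web_srv port 80

# 1) Default on a WAN with a gateway: the associated pass rule carries reply-to.
#    Every reply for this state is sent to 192.168.8.1 via vmx1 regardless of the
#    routing table, so a tester at 192.168.8.50 on the same segment as the WAN
#    interface never sees the SYN/ACK; it goes to the gateway instead.
pass in quick on $ext_if reply-to ($ext_if $wan_gw) inet proto tcp \
    from any to $web_srv port 80 flags S/SA keep state

# 2) The same rule without reply-to (the "Disable reply-to" checkbox in the rule's
#    advanced options): replies follow the routing table, so an on-link client at
#    192.168.8.50 is answered directly and the forward also works from inside the
#    WAN segment. Hosts reached through the gateway still get their replies routed.
# pass in quick on $ext_if inet proto tcp \
#     from any to $web_srv port 80 flags S/SA keep state
```

Variant 1 is what a multi-WAN setup needs (replies must leave via the interface they arrived on), so dropping reply-to is a per-rule decision, not a global one.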