OPNsense Forum

Archive => 17.1 Legacy Series => Topic started by: dragon2611 on June 07, 2017, 12:13:25 am

Title: Interface Address
Post by: dragon2611 on June 07, 2017, 12:13:25 am
Should a NAT rule that is applied as "Uplink1 Address" (where the interface is called Uplink1) apply just to the main address on that interface, or to all IP aliases on that interface as well?

Getting someone complaining they're not getting the expected response from a server, but the only NAT rule for that server on that port has a src match on it, so it shouldn't be firing as he won't be coming from that source address.

There is one further down for anywhere, but it's for "Uplink1 Address"; given the IP alias is an address on Uplink1, I'm wondering if it's hitting that (otherwise I'd expect a straight drop).
Title: Re: Interface Address
Post by: bartjsmit on June 07, 2017, 08:15:20 am
Which type of NAT are you debugging? DNAT or SNAT? If the latter, you need to use 1:1 NAT on OPNsense to preserve state on the other end.

Bart...
Title: Re: Interface Address
Post by: dragon2611 on June 07, 2017, 10:06:33 am
DNAT. There was a rule for that IP alias and that port, but it had a source address match on it as well, so that *should* have only fired if they were coming from a certain IP range.

The only other rule for that port was for ANY source but it was for Interface Address so I think they were hitting that and getting the other VM which is why their credentials didn't work.

I would have expected they'd actually just get a connection timeout, as I didn't have any other NAT rules for that IP alias and that particular port. It looks like interface address may well actually be interface addresses (i.e. ALL IPs on that interface).
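
Added example, not part of the thread and not OPNsense code: a small Python model of first-match port-forward evaluation that reproduces the behaviour the last post suspects. It assumes the GUI's "interface address" is rendered as pf's dynamic `(ifname)` form, which in pf matches every address on the interface including aliases, whereas `(ifname:0)` matches only the primary address; the interface name, addresses, port and internal hosts are constructed.

```python
# Added illustration; interface name, addresses, port and hosts are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed interface state: first entry is the primary address, the rest are IP aliases.
IFACE_ADDRS = {"em0": ["203.0.113.10", "203.0.113.11"]}

@dataclass
class Rdr:
    src: str     # source network ("0.0.0.0/0" means any)
    dst: str     # literal IP, "(if)" = every address on if, "(if:0)" = primary only
    port: int
    target: str  # internal host the connection is redirected to

def dst_addresses(dst: str) -> list:
    """Expand a pf-style destination into the addresses it matches."""
    if dst.startswith("(") and dst.endswith(")"):
        name, _, modifier = dst[1:-1].partition(":")
        addrs = IFACE_ADDRS[name]
        return addrs[:1] if modifier == "0" else addrs
    return [dst]

def redirect(rules, src: str, dst: str, port: int) -> Optional[str]:
    """Return the target of the first matching rule (rdr is first-match), else None."""
    for r in rules:
        if (ip_address(src) in ip_network(r.src) and r.port == port
                and dst in dst_addresses(r.dst)):
            return r.target
    return None

def ruleset(catch_all_dst: str):
    """The two rules from the thread; only the catch-all destination form varies."""
    return [
        Rdr("198.51.100.0/24", "203.0.113.11", 22, "10.0.0.21"),  # alias, restricted source
        Rdr("0.0.0.0/0", catch_all_dst, 22, "10.0.0.20"),          # "interface address", any source
    ]

if __name__ == "__main__":
    # A client outside the allowed range connects to the alias address.
    for form in ("(em0)", "(em0:0)"):
        print(form, "->", redirect(ruleset(form), "192.0.2.50", "203.0.113.11", 22))
```

On a live firewall, `pfctl -s nat` prints the loaded translation rules, which shows which destination form the GUI rule was actually turned into.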