OPNsense Forum

Archive => 17.1 Legacy Series => Topic started by: ivoruetsche on July 02, 2017, 10:50:31 am

Title: NAT no longer works after Let's Encrypt update
Post by: ivoruetsche on July 02, 2017, 10:50:31 am
Hi

Since today, our OPNsense FW doesn't route the traffic to the inside servers. The only thing that happened last night was an update:

    7/2/17 00:03:21 11.2 95 KB (system): /usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php made changes
    7/2/17 00:03:21 11.2 95 KB (system): /usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php made changes
    7/2/17 00:03:21 11.2 95 KB (root): Updated Let's Encrypt SSL certificate: vpn2-zg.4synergy.com
    6/25/17 21:02:49 11.2 95 KB root@192.168.2.65: /firewall_rules.php made changes

I tried to revert to the last config from 25.6., but without luck.

For example, we have an internal server with SMTP and HTTP from outside to inside (1.2.3.4 > 192.168.1.5). Yesterday the webmail responded on 1.2.3.4; today it is the OPNsense GUI. No reaction from SMTP from outside. The same effect on all servers (about 8 or 9 servers with different external and internal IPs).

On all the external IPs of these servers, the ports of OPNsense itself respond (https, ssh etc.).

Any idea, it's a big problem at the moment...

Regards, ivo
Title: Re: NAT no longer works after Let's Encrypt update
Post by: ivoruetsche on July 02, 2017, 10:39:34 pm

After some hours of research, we found the problem, but for us, it doesn't make sense:

- Firewall: NAT: One-to-One
- Two weeks ago, we replaced the internal IP addresses of all the NAT rules with predefined Aliases.
- We applied the configuration

This configuration ran fine until last night, the time when the Let's Encrypt update script started. The FW was never restarted during the last two weeks; I think we would also have gotten into trouble if we had rebooted the system in that time.

After some hours (Reset to Factory, Complete System Installation etc. - but always with the "last known good configuration", which wasn't...) we found a hint in the system.log:

    Jul  2 17:31:18 xxxx-ch-xxx01-fw02 opnsense: /usr/local/etc/rc.bootup: New alert found: There were error(s) loading the rules: /tmp/rules.debug:98: invalid use of table <xxxx_ch_xxx01_bkp_sxn_bkp01> as the source address of a binat rule - The line in question reads [98]: binat on em0 from $xxxx_ch_xxx01_bkp_sxn_bkp01 to any -> ip.ip.ip.ip

After we replaced all the aliases (like "xxxx_ch_xxx01_bkp_sxn_bkp01") with the IPs, the functionality was back.

Well, the question is why aliases don't work here, why the GUI accepts it, and why it doesn't happen as long as no Let's Encrypt update runs (or system reboot).

Regards, ivo
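The failure mode in this thread is a latent one: pf rejects a table as the source address of a binat rule, but the ruleset is only re-parsed when something triggers a filter reload (here the certificate renewal script), so a rule the GUI accepted can sit unloaded for weeks. The following linter is an added example, not OPNsense's own code. It assumes the shape of /tmp/rules.debug that the error message above implies (each alias is declared as a pf table, and a macro of the same name expands to that table), and it flags every binat rule whose source resolves to a `<table>` reference, using a constructed sample ruleset rather than a real one.

```python
import re

# Constructed sample in the shape of an OPNsense /tmp/rules.debug file (not a real
# file from the thread): each alias becomes a pf table plus a macro that expands to it.
SAMPLE_RULES = """\
table <bkp_sxn_bkp01> persist
bkp_sxn_bkp01 = "<bkp_sxn_bkp01>"
webmail_int = "192.168.1.5"
binat on em0 from $bkp_sxn_bkp01 to any -> 1.2.3.4
binat on em0 from $webmail_int to any -> 1.2.3.5
binat on em0 from <bkp_sxn_bkp01> to any -> 1.2.3.6
binat on em0 from 192.168.1.7 to any -> 1.2.3.7
"""

# 'name = "value"' macro lines, 'table <name> ...' declarations, and the first
# token after 'from' in a binat rule.
MACRO_RE = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*"?([^"\s]+)"?\s*$')
TABLE_RE = re.compile(r'^\s*table\s+<([^>\s]+)>')
BINAT_SRC_RE = re.compile(r'^\s*binat\b.*?\bfrom\s+(\S+)')


def parse_macros(text):
    """Return {macro_name: value} for every 'name = "value"' line."""
    macros = {}
    for line in text.splitlines():
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
    return macros


def parse_tables(text):
    """Return the set of table names declared with 'table <name> ...'."""
    tables = set()
    for line in text.splitlines():
        m = TABLE_RE.match(line)
        if m:
            tables.add(m.group(1))
    return tables


def resolve_source(token, macros):
    """Expand a '$macro' source token once; other tokens are returned unchanged."""
    if token.startswith("$"):
        return macros.get(token[1:], token)
    return token


def find_table_binat_sources(text):
    """List every binat rule whose source resolves to a pf table reference.

    Each hit records the 1-based line number, the original source token, the
    table name it resolves to, and whether that table is declared in the file.
    """
    macros = parse_macros(text)
    tables = parse_tables(text)
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = BINAT_SRC_RE.match(line)
        if not m:
            continue
        src = resolve_source(m.group(1), macros)
        if src.startswith("<") and src.endswith(">"):
            name = src[1:-1]
            hits.append({"line": lineno, "source": m.group(1),
                         "table": name, "declared": name in tables})
    return hits


if __name__ == "__main__":
    for hit in find_table_binat_sources(SAMPLE_RULES):
        print(f"line {hit['line']}: binat source {hit['source']} resolves to table "
              f"<{hit['table']}> (declared={hit['declared']}); pf will reject this rule")
```

Run it against a copy of the generated rules file before anything else forces a reload. The authoritative check remains pf's own parser (`pfctl -n -f /tmp/rules.debug` parses without loading), which reports exactly the error seen in the system.log; the script only makes that check cheap enough to run right after editing NAT rules rather than discovering the problem at the next reload.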