OPNsense Forum

Archive => 17.7 Legacy Series => Topic started by: opnsense@f2f10.com on December 23, 2017, 02:17:55 pm

Title: NAT Reflection
Post by: opnsense@f2f10.com on December 23, 2017, 02:17:55 pm
Hi guys,

Tried Mailinabox with OPNsense and ran into issues. Does anyone here have any thoughts on getting this working properly?

https://discourse.mailinabox.email/t/letsencrypt-expired-and-dns-errors/2704/97
Title: Re: NAT Reflection
Post by: opnsense@f2f10.com on December 23, 2017, 04:34:29 pm
@AdSchellevis

Any thoughts on this? thanks!
Title: Re: NAT Reflection
Post by: opnsense@f2f10.com on December 24, 2017, 02:25:14 pm
Hi guys,

I was wondering if I could get some help here with NAT Reflection for port forwards. It doesn't seem to be working for me.

Network Address Translation
Reflection for port forwards    Enable (pure NAT)
Reflection for 1:1    Enable
Automatic outbound NAT for Reflection     Enable

NAT -> Port Forward:
NAT reflection    use system default
Filter rule association    Rule NAT

Firewall: NAT: Outbound  Mode
  Tried both Manual and Hybrid...

FreeBSD, MIAB: how do I check this info, which is from my OpenWrt capture?

config redirect
option target 'DNAT'
option src 'wan'
option dest 'dmz'
option proto 'tcp udp'
option src_dport '53'
option dest_port '53'
option name 'dns'
option dest_ip '192.168.140.253'

@TorWrt# iptables-save | grep NAT
-A zone_dmz_postrouting -s 192.168.140.0/24 -d 192.168.140.253/32 -p tcp -m tcp --dport 25 -m comment --comment "mx (reflection)" -j SNAT --to-source 192.168.140.1
-A zone_dmz_postrouting -s 192.168.140.0/24 -d 192.168.140.253/32 -p tcp -m tcp --dport 443 -m comment --comment "web-email (reflection)" -j SNAT --to-source 192.168.140.1
-A zone_dmz_postrouting -s 192.168.140.0/24 -d 192.168.140.253/32 -p tcp -m tcp --dport 80 -m comment --comment "webmail80-let\'sencrypt (reflection)" -j SNAT --to-source 192.168.140.1
-A zone_dmz_postrouting -s 192.168.140.0/24 -d 192.168.140.253/32 -p tcp -m tcp --dport 53 -m comment --comment "dns (reflection)" -j SNAT --to-source 192.168.140.1
-A zone_dmz_postrouting -s 192.168.140.0/24 -d 192.168.140.253/32 -p udp -m udp --dport 53 -m comment --comment "dns (reflection)" -j SNAT --to-source 192.168.140.1

-A zone_dmz_prerouting -s 192.168.140.0/24 -d 76.10.176.225/32 -p tcp -m tcp --dport 25 -m comment --comment "mx (reflection)" -j DNAT --to-destination 192.168.140.253:25
-A zone_dmz_prerouting -s 192.168.140.0/24 -d 76.10.176.225/32 -p tcp -m tcp --dport 443 -m comment --comment "web-email (reflection)" -j DNAT --to-destination 192.168.140.253:443
-A zone_dmz_prerouting -s 192.168.140.0/24 -d 76.10.176.225/32 -p tcp -m tcp --dport 80 -m comment --comment "webmail80-let\'sencrypt (reflection)" -j DNAT --to-destination 192.168.140.253:80
-A zone_dmz_prerouting -s 192.168.140.0/24 -d 76.10.176.225/32 -p tcp -m tcp --dport 53 -m comment --comment "dns (reflection)" -j DNAT --to-destination 192.168.140.253:53
-A zone_dmz_prerouting -s 192.168.140.0/24 -d 76.10.176.225/32 -p udp -m udp --dport 53 -m comment --comment "dns (reflection)" -j DNAT --to-destination 192.168.140.253:53

Details of the problem are documented here:
https://discourse.mailinabox.email/t/letsencrypt-expired-and-dns-errors/2704/99
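To make the OpenWrt rule set above easier to read, here is an added model (not code from the post, OpenWrt or OPNsense) that walks a packet from a DMZ client through the two NAT steps those rules implement: the prerouting DNAT that redirects LAN traffic aimed at the public address back to the mail server, and the postrouting SNAT that masks the client behind the router's LAN address so the server's reply returns through the router instead of going straight to the client. The public, server and router addresses are the ones from the post; the client address, source ports and the dataclass layout are assumptions for the illustration.

```python
"""Model of hairpin (reflection) NAT: PREROUTING DNAT plus POSTROUTING SNAT.

Constructed example for illustration, not OpenWrt or OPNsense code.
"""
import ipaddress
from dataclasses import dataclass, replace

# Addresses taken from the post; the client address below is assumed.
WAN_IP = "76.10.176.225"          # public address the hostname resolves to
LAN_NET = ipaddress.ip_network("192.168.140.0/24")
SERVER = "192.168.140.253"        # mail server in the DMZ
ROUTER_LAN = "192.168.140.1"      # router's address on the DMZ side
# (proto, dport) pairs that the reflection rules cover
REFLECTED = {("tcp", 25), ("tcp", 443), ("tcp", 80), ("tcp", 53), ("udp", 53)}


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def in_lan(ip: str) -> bool:
    return ipaddress.ip_address(ip) in LAN_NET


def prerouting_dnat(pkt: Packet) -> Packet:
    """zone_dmz_prerouting: LAN -> WAN_IP:port is rewritten to LAN -> SERVER:port."""
    if in_lan(pkt.src) and pkt.dst == WAN_IP and (pkt.proto, pkt.dport) in REFLECTED:
        return replace(pkt, dst=SERVER)
    return pkt


def postrouting_snat(pkt: Packet, enabled: bool = True) -> Packet:
    """zone_dmz_postrouting: LAN -> SERVER:port has its source rewritten to ROUTER_LAN.

    The 'enabled' switch models what happens when only the DNAT half exists.
    """
    if enabled and in_lan(pkt.src) and pkt.dst == SERVER and (pkt.proto, pkt.dport) in REFLECTED:
        return replace(pkt, src=ROUTER_LAN)
    return pkt


def reflect(pkt: Packet, snat: bool = True) -> Packet:
    """Apply both NAT hooks in the order the kernel does: DNAT first, then SNAT."""
    return postrouting_snat(prerouting_dnat(pkt), snat)


def reply_path(client_ip: str, snat: bool = True) -> str:
    """Where does the server's reply go for a reflected HTTPS connection?

    The server answers whatever source address it saw.  With SNAT that is
    the router, which undoes both translations from its state table and the
    client sees a reply from WAN_IP as expected.  Without SNAT the server
    replies straight to the client on the same subnet; the client then sees
    an answer from SERVER, not from WAN_IP, and the TCP handshake fails.
    """
    out = reflect(Packet("tcp", client_ip, 40000, WAN_IP, 443), snat)
    return "via_router" if out.src == ROUTER_LAN else "direct_to_client"


if __name__ == "__main__":
    print(reflect(Packet("tcp", "192.168.140.50", 40000, WAN_IP, 443)))
    print(reply_path("192.168.140.50"), reply_path("192.168.140.50", snat=False))
```

Two things the model makes visible: ports that are not in the reflection set pass through untouched (so a service forwarded only from the WAN side will not be reachable by its public name from inside), and the rules only match sources inside the DMZ subnet, so clients on any other internal zone need their own pair of rules. On OPNsense "Enable (pure NAT)" with "Automatic outbound NAT for Reflection" is meant to generate both halves for every port forward; checking that the outbound (SNAT) half is actually present is the first thing to verify when reflection appears not to work.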
Title: Re: NAT Reflection
Post by: opnsense@f2f10.com on December 24, 2017, 02:25:57 pm
17.7.11 (installed) is the version of OPNsense.
Title: Re: NAT Reflection
Post by: opnsense@f2f10.com on December 24, 2017, 02:27:58 pm
@franco

Any thoughts? Thanks.
Title: Re: NAT Reflection
Post by: franco on December 24, 2017, 02:36:25 pm
It's the holiday season, so please be patient. Maybe you will also have more luck in the issue tracker; your request seems very specific, but could also be missing info:

What components are you talking about? Are you testing locally or against a real deployment? Do you use multi-WAN?

This URL and the other one do not load for me: https://discourse.mailinabox.email/t/letsencrypt-expired-and-dns-errors/2704/97


Cheers,
Franco
Title: Re: NAT Reflection
Post by: opnsense@f2f10.com on December 24, 2017, 04:31:13 pm
Thanks for the reply! Understood, it's the holidays... ;)

It's a production server. This email server was working fine with OpenWrt thanks to its correct NAT Reflection function. However, after switching to OPNsense almost 3 months ago, this issue was discovered at the time of renewing the Let's Encrypt certs. Putting this email server back behind OpenWrt works fine again. Details are at that URL; I will repost here. Thanks in advance!

https://discourse.mailinabox.email/t/letsencrypt-expired-and-dns-errors/2704
Title: Re: NAT Reflection
Post by: opnsense@f2f10.com on December 24, 2017, 04:32:27 pm
https://discourse.mailinabox.email/t/letsencrypt-expired-and-dns-errors/2704
Title: Re: NAT Reflection
Post by: opnsense@f2f10.com on December 24, 2017, 04:33:48 pm
A side question: why do I see so many "Rule NAT" entries in the drop-down menu?
Title: Re: NAT Reflection
Post by: opnsense@f2f10.com on December 24, 2017, 04:35:29 pm
I'm not using multi-WAN.
Title: Re: NAT Reflection
Post by: opnsense@f2f10.com on December 25, 2017, 03:41:07 pm
However, I do have another gateway set up with my private VPN to redirect all traffic through this VPN, except the DMZ traffic, which includes this email server.

Not sure whether this is relevant.
Title: Re: NAT Reflection
Post by: opnsense@f2f10.com on December 25, 2017, 03:42:08 pm
https://github.com/opnsense/core/issues/1417

I saw a similar bug tracker issue and posted under it.
Title: Re: NAT Reflection
Post by: opnsense@f2f10.com on February 18, 2018, 12:07:46 pm
Just reloaded OPNsense again after trying pfSense; I noticed that one of my rules was using ICMP instead of IPv4. Once that was fixed, Mailinabox checks everything fine. So it's not the fault of Pure NAT, it's my configuration mistake.
Title: Re: NAT Reflection
Post by: opnsense@f2f10.com on February 18, 2018, 12:08:24 pm
Here's a screen capture.
Title: Re: NAT Reflection
Post by: hutiucip on February 19, 2018, 09:47:06 am
Many thanks for sharing... :)