OPNsense Forum

Archive => 18.1 Legacy Series => Topic started by: neillans on January 31, 2018, 01:16:29 pm

Title: 17 -> 18 upgrade, lost NAT
Post by: neillans on January 31, 2018, 01:16:29 pm
Upgrade completed through the WebGUI without any errors, however, after the upgrade completed NAT was non-functional.

I could ping the firewall, DHCP etc. all working, but no NAT was occurring. The firewall was indicating a default deny rule being hit in some cases.

Cleared the firewall back to factory and changed just the LAN interface IP - this caused NAT to fail.

Cleared the firewall back to factory, applied a config override on the WAN interface (needed due to options required for the fibre modem), and again NAT failed.

It seems it will only run with NAT with no interface changes - I assume this is unexpected?
Are there any configuration diagnostics that I can perform (bearing in mind only the above have been altered in this testing, no previous config!)? I'm happy to capture logs etc. when I'm not going to impact users. At the minute I'm trying to decide whether I downgrade back to v17 or try a completely blank install of v18 (and not an upgrade).
Title: Re: 17 -> 18 upgrade, lost NAT
Post by: phoenix on January 31, 2018, 01:26:48 pm
You need a patch, see this thread: https://forum.opnsense.org/index.php?topic=7078.0
Title: Re: 17 -> 18 upgrade, lost NAT
Post by: neillans on January 31, 2018, 09:09:49 pm
'Fraid the patch didn't work.
I think I've found it though...

Two issues:

NAT in automatic and hybrid mode was NOT generating any rules:

root@firewall:~ # pfctl -sn
nat-anchor "zabbix-agent/*" all
no rdr proto carp all
no rdr on re0 proto tcp from any to (re0) port = https
no rdr on re0 proto tcp from any to (re0) port = http
no rdr on re0 proto tcp from any to (re0) port = ssh
rdr on re1 inet proto tcp from any to (re1) port = 5341 -> 192.168.0.112 port 5341
rdr on re1 inet proto tcp from any to (re1) port = 32400 -> 192.168.0.198 port 32400
rdr on re1 inet proto tcp from any to (re1) port = 10050 -> 192.168.0.102 port 10050
rdr on re1 inet proto tcp from any to (re1) port = 10051 -> 192.168.0.102 port 10051
rdr-anchor "zabbix-agent/*" all

Changing it to manual and creating a WAN rule generated the following NAT rule set:

root@firewall:~ # pfctl -sn
nat on re1 inet all -> { 151.229.241.160, 192.168.5.2 } port 1024:65535 round-robin
nat-anchor "zabbix-agent/*" all
no rdr proto carp all
no rdr on re0 proto tcp from any to (re0) port = https
no rdr on re0 proto tcp from any to (re0) port = http
no rdr on re0 proto tcp from any to (re0) port = ssh
rdr on re1 inet proto tcp from any to (re1) port = 5341 -> 192.168.0.112 port 5341
rdr on re1 inet proto tcp from any to (re1) port = 32400 -> 192.168.0.198 port 32400
rdr on re1 inet proto tcp from any to (re1) port = 10050 -> 192.168.0.102 port 10050
rdr on re1 inet proto tcp from any to (re1) port = 10051 -> 192.168.0.102 port 10051
rdr-anchor "zabbix-agent/*" all

I had a virtual IP configured but not used, and this was being picked up by the NAT rule as above. Removing it corrects the NAT rule to "nat on re1 inet all -> 151.229.241.160 port 1024:65535", which gives me working internet again!
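The two symptoms in this thread (no outbound "nat on" rule at all, and an outbound rule that translates to a pool that includes an unintended virtual IP) are both visible in "pfctl -sn" output and easy to check for after an upgrade. The script below is an added example, not part of the thread and not OPNsense or pf code: it parses the ruleset text and reports those two conditions. The sample rule sets are constructed from the three outputs posted above; the WAN interface name (re1) and WAN address (151.229.241.160) are taken from them and passed in as assumptions.

```python
"""Sanity-check outbound NAT rules in `pfctl -sn` output (added example)."""
import re

# Matches "nat on <if> ... -> <target> ..." where <target> is either a single
# address or a "{ a, b }" pool.  "nat-anchor", "rdr" and "no rdr" lines are
# deliberately not matched: only outbound translation rules are of interest.
NAT_RE = re.compile(r'^nat on (?P<iface>\S+) .*?-> (?P<target>\{[^}]*\}|\S+)')


def parse_nat_rules(pfctl_output):
    """Return a list of (interface, [translation targets]) for each 'nat on' rule."""
    rules = []
    for line in pfctl_output.splitlines():
        m = NAT_RE.match(line.strip())
        if not m:
            continue
        pool = m.group('target').strip('{} ')
        targets = [t.strip() for t in pool.split(',') if t.strip()]
        rules.append((m.group('iface'), targets))
    return rules


def check_outbound_nat(pfctl_output, wan_iface, wan_addr):
    """Return human-readable findings; an empty list means the ruleset looks sane.

    wan_iface / wan_addr are assumptions supplied by the operator: the interface
    that should carry the outbound NAT rule and the address it should translate to.
    """
    findings = []
    wan_rules = [r for r in parse_nat_rules(pfctl_output) if r[0] == wan_iface]
    if not wan_rules:
        findings.append(
            f"no outbound 'nat on {wan_iface}' rule present: LAN traffic will "
            f"leave untranslated and be dropped upstream")
    for iface, targets in wan_rules:
        if len(targets) > 1:
            findings.append(
                f"nat on {iface} translates to a pool {targets}: connections are "
                f"spread round-robin across addresses, check for stray virtual IPs")
        for t in targets:
            if t != wan_addr:
                findings.append(
                    f"nat on {iface} translates to {t}, not the WAN address {wan_addr}")
    return findings


# Constructed samples, modelled on the three outputs in the thread.
NO_NAT_RULE = """\
nat-anchor "zabbix-agent/*" all
no rdr proto carp all
rdr on re1 inet proto tcp from any to (re1) port = 5341 -> 192.168.0.112 port 5341
rdr-anchor "zabbix-agent/*" all
"""

POOL_WITH_VIP = """\
nat on re1 inet all -> { 151.229.241.160, 192.168.5.2 } port 1024:65535 round-robin
nat-anchor "zabbix-agent/*" all
rdr on re1 inet proto tcp from any to (re1) port = 5341 -> 192.168.0.112 port 5341
"""

FIXED = """\
nat on re1 inet all -> 151.229.241.160 port 1024:65535
nat-anchor "zabbix-agent/*" all
rdr on re1 inet proto tcp from any to (re1) port = 5341 -> 192.168.0.112 port 5341
"""

if __name__ == "__main__":
    for name, ruleset in (("no nat rule", NO_NAT_RULE),
                          ("pool with vip", POOL_WITH_VIP),
                          ("fixed", FIXED)):
        print(name, check_outbound_nat(ruleset, "re1", "151.229.241.160") or "OK")
```

On a live box the output of "pfctl -sn" can be fed in with subprocess and the check run from a post-upgrade hook or a monitoring probe; the point is that a missing rule or an unexpected second address in the translation pool is detectable from the ruleset alone, before users notice the outage.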