OPNsense Forum

English Forums => 18.1 Legacy Series => Topic started by: twindscheif on April 21, 2018, 02:46:47 pm

Title: public IP NAT port forward from LAN /w additional router fails since 18.1.x
Post by: twindscheif on April 21, 2018, 02:46:47 pm
Hi there,

a few weeks ago i updated the OPNSense to v18.1.5 from 17.7.x.
After the upgrade i had problems to access external ressources from some internal subnets.
I solved this with creating new outbound NAT-rules which seems not to be needed on 17.7.x (see below).

But now i have recognized an issue with accessing external published services from my LAN subnets.
As noted in title i configured an additional routing instance between OPNSense and my internal networks.
With OPNsense on 17.7.x i had Access to that published services from inside and outside without any problems.

Below i summarized the configuration of my OPNsense:
Since the upgrade of OPNSense from 17.7.10 to Version 18.1.5 i cannot access the service on port 443 of wanip1 from my internal LAN-subnet (results into timeout).
Before i never had problems.
Also i had problems with accessing external ressources through subnets routed coming from behind the internal router0.
I solved this problems with creating new outbound NAT rules for those internal subnets behind the router0.
Accessing the service on port 443 of wanip1 from outside the network works without any issues.
I already updated to 18.1.6 in the meanwhile, but problem the problem persists.
No traffic to public IP or to LAN placed server (192.168.2.2/24) is marked as blocked in OPNSense firewall log.
Any ideas how to solve the problem?
I already switched all the Advanced Firewall Config NAT-Properties in any available state. On every change i resetted the states via diagnostic menu.
But until now i have no idea how to solve it. I can't analyze the Firewall log due to there are no (incoming) NAT-Logs existent.

Current network scenario:
Client connectivity (outgoing):
LAN (192.168.12.0/24) -> Router (192.168.12.254/24) [router0] [in] [routed]-> Router (172.23.14.254/24) [router0] [out] [routed] -> CARP LAN VIP (172.23.14.2/24) -> WAN CARP IP (public IP) [wanip0]
Server connectivity (outgoing):
LAN (192.168.11.2/24) -> Router (192.168.11.254/24) [router0] [in] [routed]-> Router (172.23.14.254/24) [router0] [out] [routed] -> CARP LAN VIP (172.23.14.2/24) -> WAN CARP IP (public IP) [wanip0]
incoming Port Forward to Server:
WAN CARP IP (public IP) [wanip1] [in prt: 443] -> CARP LAN VIP (172.23.14.2/24) -> Router (172.23.14.254/24) [router0] [in] -> Router (192.168.11.254/24) [router0] [out] -> LAN (192.168.11.2/24) [in prt:444]


Configuration:
Port Forward Rule:
Interface "physical" WAN-int (tagged vlan; includes multiple CARP VIP)
Source any
Destination wanip1 (CARP VIP)
destination port 443
redirect target ip: 192.168.11.2/24
redirect port:   (other) 444
NA reflection: Enable
Filter Rule: created through wizard when Port Forward was created

Advanced Firewall Configuration:
Reflection for port forwards: Enabled
Reflection for 1:1: Disabled
Automatic outbound NAT for Reflection: Enabled   

Default interface for outgoing WAN requests: [wanip0]
Outbound NAT Configuration: Hybrid Configuration
Oubound NAT Rule for subnet 192.168.12.0/24:
interface: Interface "physical" WAN-int (tagged vlan; includes multiple CARP VIP)
TCP/IP: IPv4
Protocol: any
Source address: 192.168.12.0/24
Destination: any
Destination port: any
Translation/target: Interface Address
Log: Enabled

Regards,
Thomas
Title: Re: public IP NAT port forward from LAN /w additional router fails since 18.1.x
Post by: kanstin on April 21, 2018, 08:13:40 pm
Go into Firewall: Settings: Advanced, enable "Reflection for port forwards," hit Save.
Title: Re: public IP NAT port forward from LAN /w additional router fails since 18.1.x
Post by: twindscheif on April 21, 2018, 08:25:12 pm
Hi,

thank you for your answer. This is - as i wrote in the advanced Firewall configuration - what i already did.

Advanced Firewall Configuration:
Reflection for port forwards: Enabled
Reflection for 1:1: Disabled
Automatic outbound NAT for Reflection: Enabled   



Regards,
Thomas
Title: Re: public IP NAT port forward from LAN /w additional router fails since 18.1.x
Post by: Davesworld on April 22, 2018, 09:06:40 am
Did you update to 18.1.6? That includes a nat fix.
Title: Re: public IP NAT port forward from LAN /w additional router fails since 18.1.x
Post by: twindscheif on April 22, 2018, 01:28:17 pm
Hi,

yes, first i was on 18.1.5, but now i am on 18.1.6.
But the NAT reflection still doesn't work.
After update to 18.1.6 i additionally deleted the port Forwards and recreated them, just to be sure.

Regards,
Thomas
Title: Re: public IP NAT port forward from LAN /w additional router fails since 18.1.x
Post by: ScottSenffner on April 23, 2018, 02:33:36 pm
I am having the same problem. This is my first attempt at OpnSense and I downloaded the latest version 18.1.6 for my small business router. I am having problems as well with port forwarding.  Any help would be greatly appreciated.

Is there going to be a fix for this?
Title: Re: public IP NAT port forward from LAN /w additional router fails since 18.1.x
Post by: ScottSenffner on April 24, 2018, 04:00:31 am
ok I got it to work tonight.

Go to firewall, nat, port forwarding.

interface: wan or internet
destination: wan or internet address
Destination Port range: specify what ports you want
Redirect target IP single host or network: give internal IP

see if you can try that!

Scott
Title: Re: public IP NAT port forward from LAN /w additional router fails since 18.1.x
Post by: twindscheif on April 24, 2018, 08:25:50 am
Hi Scott,

thanks your answer.
But this is, what i already did:

Configuration:
Port Forward Rule:
Interface "physical" WAN-int (tagged vlan; includes multiple CARP VIP)
Source any
Destination wanip1 (CARP VIP)
destination port 443
redirect target ip: 192.168.11.2/24
redirect port:   (other) 444
NA reflection: Enable
Filter Rule: created through wizard when Port Forward was created

As stated in my first post, the port forward (from inside and outside) worked in the past before applying 18.1.5 / 18.1.6.

Regards,
Thomas