OPNsense Forum
Archive => 18.1 Legacy Series => Topic started by: fridoo on May 03, 2018, 02:05:26 pm
-
I know this question has been posted before, but the answers so far haven't helped me so I'm opening a new topic.
We are migrating from m0n0wall to opnsense. All seems to work well, except we can't get NAT working. All stuff without NAT, such as allowing https access to the firewall itself (for test purposes only) is working well. We're testing our connections from outside using 4G, so it's really from outside. When an outside connection is being tried, nothing is showed in the firewall logs. NAT rules (generally in form WANn port x -> LAN host port x) and corresponding firewall rules look fine. Typical behavior is not a refused connection but a timeout.
What am I doing wrong?
regards,
Frido
-
For NAT forwarding, are you using the Firewall/NAT/Port Forward page to create the rules? OPNsense has the option to add an associated firewall rule when creating a NAT Port Forward rule. This the Filter Rule Association drop down menu at the bottom of the page when creating a Port Forward rule, choose the option "add associated filter rule". This should get you up and running when you use this method.
Another thing worth trying, us an external port scanning source to verify if the port is "open" and actually being forwarded through the firewall. A site such as grc.com offers a free port scanner (it's their Shields UP service).
If this still isn't working, would it be possible for you to post screenshots of your setup? I use a few port forwards as well and I haven't had an issue getting them through OPNsense.
-
Can you post the steps/screenshots of what you are doing?
Here is a few examples of what my port forwards look like for HTTPS/Plex and a custom rule (I use 4022 instead of 22 for SSH) for my Linux box:
(https://i.imgur.com/r5noiod.png)
-
Yes, I used the Port Forward page, and the firewall rules are automatically created.
Here's my NAT setup
(http://hight.ockham.nl/screenshot_opnsense_20180503.png)
Some ports are open for all incoming traffic on a certain WAN address, some (such as Remote Desktop) only for IP adresses of employee home addresses.
-
Your WAN has multiple IPs externally assigned to it?
How's that setup?
-
Yes, WAN has multiple IP addresses. IP is configured as 217.100.205.226 / 29, gateway 217.100.205.225.
Our provider provided the following IP addresses:
.224 Network address
.225 Gateway
.226 - .230 free usable addresses
.231 broadcast address
Should I use the .224 address in the WAN configuration instead of .226 ?
-
So on the setup if you have multiple IPs, did you create them via Virtual IPs on the WAN interface and added them as IP aliases?
You may want to look at 1:1 NAT as well instead if you are always mapping an external IP to a specific server as that might meet your use case better.
-
I don't have any virtual IPs. If the WAN address is .226, should I add the other 4 as virtual IPs?
1:1 NAT is not an option for us
-
I can't test it as I only have a single DHCP interface on mine unfortunately.
I found a match though:
https://forum.opnsense.org/index.php?topic=5424.0
-
I also have multiple WAN IP's on a /29. I use 1:1 NAT for redirection to specific servers, works perfectly.
Why can't you use 1:1 NAT?