OPNsense Forum

Archive => 18.1 Legacy Series => Topic started by: sirio81 on May 11, 2018, 09:40:42 am

Title: Nat 1:1 and reflection from the same network
Post by: sirio81 on May 11, 2018, 09:40:42 am

Hi all, I already spoke about nat 1:1 and reflection in this topic (https://forum.opnsense.org/index.php?topic=8613.msg38401#msg38401) but I have another specific problematic to solve.

Consider 3 lan netwroks:

192.168.2.0/24 (office pc)
192.168.3.0/24 (office pc)
192.168.6.0/24 (servers)

I have three servers on 192.168.6.0/24.
For each server I'm using nat 1:1

1.2.3.4 -> 192.168.6.38 (webserver)
1.2.3.5 -> 192.168.6.10 (mailserver 1)
1.2.3.6 -> 192.168.6.11 (mailserver 2)

192.168.6.38 is a webserver.
I've been adding a firewall rule on WAN interface, so that ports 80 and 443 can be reached from outside.
I've been adding 2 rule on LAN interface:
  from 192.168.2.0/24 to 192.168.6.0/24 Pass
  from 192.168.3.0/24 to 192.168.6.0/24 Pass
doing so I'm able to reach my services from office networks.

The only thing that doesn't work is, for example, to contact port 80 from network 192.168.6.0/24.

From the webserver itself

Code: [Select]

nmap  -p 80 1.2.3.4 -Pn
PORT   STATE    SERVICE
80/tcp filtered http
From the webserver to a mailserver

Code: [Select]

nmap -p 25 1.2.3.5 -Pn

Starting Nmap 6.47 ( http://nmap.org ) at 2018-05-11 09:38 CEST
sendto in send_ip_packet_sd: sendto(4, packet, 44, 0, 1.2.3.5, 16) => Operation not permitted
Offending packet: TCP 192.168.6.38:39478 > 1.2.3.5:25 S ttl=59 id=47236 iplen=44  seq=707988922 win=1024 <mss 1460>
sendto in send_ip_packet_sd: sendto(4, packet, 44, 0, 1.2.3.5, 16) => Operation not permitted
Offending packet: TCP 192.168.6.38:39479 > 1.2.3.5:25 S ttl=40 id=38922 iplen=44  seq=707923387 win=1024 <mss 1460>
Nmap scan report for server.domain.com (1.2.3.5)
Host is up.
PORT   STATE    SERVICE
25/tcp filtered smtp
Suggestions?

Title: Re: Nat 1:1 and reflection from the same network
Post by: sirio81 on May 15, 2018, 09:15:51 am

Quote

I've been adding 2 rule on LAN interface:
  from 192.168.2.0/24 to 192.168.6.0/24 Pass
  from 192.168.3.0/24 to 192.168.6.0/24 Pass

I think this is symptom that nat reflection is not working.
It means the requests don't get masqueraded with the public ip.

I double check the concept of nat reflection on wikipedia (https://en.wikipedia.org/wiki/Network_address_translation):

Quote

The local computer (192.168.1.100) sends the packet as coming from 192.168.1.100, but the server (192.168.1.2) receives it as coming from 203.0.113.1

I forgot to mention my firewall is configured with multiwan.
I don't know if that may matter or not.