Messages - Ciprian

#241
Yes, 1 to 1 NAT forwards the whole IP with all its ports: 1 to 1 NAT means 1 (public IP, all ports) to 1 (private IP, all ports, respectively). You can think of it as a mirroring/ cloning between 2 IPs (one public, one private). :)
#242
I didn't test it, but you should have had the same success in Unbound DNS if you had used the "Advanced" field under the "General" section of Unbound DNS to put the wildcard expression(s) - so it is not mandatory to recreate all overrides in Dnsmasq DNS. See attached images :)
#243
17.7 Legacy Series / Re: Rules for LAN
August 25, 2017, 04:30:55 PM
Quote
Thank you for your answer, but I think we misunderstand each other here because you came to the conclusion that I don't know about the network or ports.

Sorry, mea culpa!

Quote
I am the IT / network guy, and it appears something was wrong with the firewall, an A10 hardware; it has been replaced and the firewall rules are working now.
I started the post to check with others if I'd missed something, but the issue was the firewall and not me or the rules.

Glad to hear you did find it and did solve it!

Quote
People are posting threads to ask for help/ share experience, not to be told who to hire or how bad/ good their knowledge is.

You are right, I shouldn't have said what I have said, even if it was certainly true, especially since it turns out it's not!

I sincerely apologize for my post, and I truly regret that I cast a dark shadow over your expertise. In spite of having good intentions, this is a situation I am ashamed of generating. Please, one more time, excuse my lack of success in trying only to be helpful.

I wish you the best!
#244
I believe the most appropriate way of doing a DNS redirection to OPNsense is as in the attached image - this way, the redirection takes place only for external DNS requests, without messing with the dynamic resolution of multiple internal sites/ network segments/ DNS servers.

So you would permit, from the OPNsense point of view, even a ping-pong/ infinite loop of DNS requests between internal DNS servers/ forwarders, all these requests being forwarded by OPNsense without any restriction or redirection (working as intended); but once a particular DNS request is made to any external DNS server, the Redirect to Self rule will do its magic.  ;)

PS Very important:
1. The rule should have "NAT reflection" = Disable! (!) (The default setting is "Use system default" - change it to "Disable"!)
2. Permit creation of filter/ FW association rule.
#245
General Discussion / Re: Multiple IP's in shaper rule
August 16, 2017, 10:00:31 AM
Maybe sub-netting/ summarizing your range would be a temporary solution?!?!  :-\

So, if you have a range of IPs, let's say 16.50 -> 16.60, then you might try a setup for 192.168.16.48/28. Of course, you should manage this very carefully, as it might impact your other settings, like interface rules, etc., but at least, in what concerns your post, it might be a solution, if you plan and manage it right.

I hope it helps.
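As an added illustration of the sub-netting suggestion above (example code, not from the original post), this Python snippet computes the single CIDR block that covers a given address range, lists the extra addresses that block pulls into the shaper rule, and, for comparison, the exact set of blocks that covers the range with no extras. It generalizes beyond the 16.50 -> 16.60 case to any IPv4 range.

```python
import ipaddress


def covering_supernet(first, last):
    """Smallest single CIDR block containing first..last (inclusive).

    Returns (block, extras): the block as a string and the list of
    addresses inside it that fall outside the requested range. Those
    extras are the hosts a one-block shaper rule would silently match.
    """
    lo = ipaddress.ip_address(first)
    hi = ipaddress.ip_address(last)
    if hi < lo:
        raise ValueError("range end precedes range start")
    # Start from a host route on the first address and widen the prefix
    # one bit at a time until the last address falls inside the block.
    prefix = lo.max_prefixlen
    while True:
        net = ipaddress.ip_network((lo, prefix), strict=False)
        if hi in net:
            break
        prefix -= 1
    extras = [str(a) for a in net if a < lo or a > hi]
    return str(net), extras


def exact_blocks(first, last):
    """Minimal list of CIDR blocks that cover first..last with no extras.

    This is the alternative when the rule must not touch any other host:
    several narrower blocks instead of one wide, over-inclusive block.
    """
    lo = ipaddress.ip_address(first)
    hi = ipaddress.ip_address(last)
    return [str(n) for n in ipaddress.summarize_address_range(lo, hi)]


if __name__ == "__main__":
    # Range from the post (constructed sample values).
    block, extras = covering_supernet("192.168.16.50", "192.168.16.60")
    print("one block:", block, "also matches:", extras)
    print("exact blocks:", exact_blocks("192.168.16.50", "192.168.16.60"))
```

Before committing to the single /28, audit the `extras` list against the interface and NAT rules that reference those addresses; the exact block list is the safer choice when any of them must stay out of the shaper.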
#246
General Discussion / Re: Allow Wan traffic to Lan
August 10, 2017, 05:34:56 PM
If you mean to use OPNsense as an internal router, then do as in the attached image.
#247
17.7 Legacy Series / Re: Rules for LAN
August 10, 2017, 03:43:46 PM
Your rules from the images should be like below:

INT / Source  / Source Port / Destination / Destination Port / Gateway
LAN / Lan Net / *           / *           / 80 (HTTP)        / *
LAN / Lan Net / *           / *           / 443 (HTTPS)      / *
...
LAN / Lan Net / *           / *           / 587 (SUBMISSION) / *

Meaning, in most cases, you do the port/ service filtering on the destination port, as the source port is randomly established and is not the same as the service port.

PS I don't mean to offend you, but this is pretty basic (ABC), and as you can see, other people around already gave you this solution, but without examples (as it is quite basic stuff, they must have thought it was just a small "typo"/ misplacement!). Are you sure you know what you're doing? Since you said it involves users, and proxies, and so on and so forth, I guess it's about a production environment... If so, maybe someone with deeper knowledge/ experience (better both) might be much more appropriate for a production environment; should you maybe ask for help from a local IT guy/ company?!... Just suggesting!... :)

Anyway, I wish you the best with your network! :)
#248
17.7 Legacy Series / Re: Intrusion Detection issue
August 10, 2017, 03:19:56 PM
Quote from: Julien on August 08, 2017, 01:53:32 AM

When the intrusion detection is not enabled I reach 1000 Mbps and when it's enabled I reach 20 Mbps.

Is it normal that the ID kills all my speed?

Is enabling/ disabling ID(P)S the only thing that you change in order to get these differences? It is way-way-way too much of a difference in throughput... :(
#249
17.7 Legacy Series / Re: IDS/IPS conf/issue
August 10, 2017, 03:13:37 PM
It might be related to DNS traffic problems caused by enabling IPS: there are multiple posts claiming that enabling IPS tampers with and heavily impacts DNS traffic.

So, try and see if IDS only works for you, or if it seems to be "everything blocked", as almost "everything" on the internet relies on DNS.
#250
General Discussion / Re: Allow Wan traffic to Lan
August 10, 2017, 03:04:53 PM
Be aware that OPNsense does NAT by default for traffic between internal (LAN/ OPT) interfaces and external (WAN) interfaces, so disabling the NAT is necessary but not sufficient: you would need ROUTE entries for your internal IPs in order to reach them from WAN (in addition to FW rules -- as FW rules do not replace route rules).

Think of it as there being 2 different "guardians" on OPNsense, one being the router and the other being the firewall: they both have to know where your packets are intended to go, and to agree to direct (the router)/ permit (the firewall) those packets.

More than this, your internal IPs HAVE to be public IPs, as RFC 1918 private IPs are not routable over the internet/ WAN -- private IP ranges are simply dropped by routers over the internet. If you do have private IPs, your only option is to NAT/ Port-Forward them in order to reach them from WAN.
#251
17.7 Legacy Series / Re: Suricata error, DNS crashes
August 10, 2017, 02:40:56 PM
Hello everyone!

@franco & @ other administrators in particular, this matter with sluggish and erratic specific traffic caused by Suricata (DNS traffic in that case) sounds exactly like the problems I encountered since 17.1.4 (17.1.4 being the last stable version of OPNsense at the moment I started using it), problems with RDP (port 3389) and with Veeam back-up/ copy/ transfer traffic: no log traces in either the FW log or the IPS log, but both services are massively impacted by enabling IPS. With only IDS, or with Suricata completely disabled, no problems. I have found out that for RDP the cause is the ruleset "ET-Emerging DOS" (maybe a single rule, or a few rules in the ruleset, I don't know, I didn't dig further...) and no idea up to now about Veeam traffic.

And now DNS traffic seems to be impacted by enabling IPS, in the same massive and erratic way... :/ It might be one rule, or a few of them, in one or more than one ruleset (ill-written rules, maybe, since they don't leave any traces in the log files? :-? ), or it might be some bug(s) in the engine of Suricata itself.

I have a few replies I have written over the last few months regarding these problems, and here are a few links to those replies:

https://forum.opnsense.org/index.php?topic=3639.msg21340#msg21340

https://forum.opnsense.org/index.php?topic=5323.msg21620#msg21620

https://forum.opnsense.org/index.php?topic=3639.msg21583#msg21583

https://forum.opnsense.org/index.php?topic=4140.msg21270#msg21270

I hope it's of some help, and I wrote these lines since any info might be a lead toward the right course of action for finding the solution.

PS I didn't update to 17.7 yet, and I haven't used IPS for a good while, as I already had the problems I explained above.
#252
General Discussion / Re: Multiple IP's in shaper rule
August 10, 2017, 12:25:45 PM
Hello!

This is "by the book", if you follow the documentation you will get the exact answer for your situation. Please, be aware that I am NOT trying to be "superior" with my lines, I only try to avoid repeating the documentation here, and again. :)

If there is something else you're looking for, and you can't achieve, then come back with required details.

Thank you!
#253
General Discussion / Re: New user, help needed
July 18, 2017, 03:09:49 PM
Quote from: pun1x on July 18, 2017, 01:15:01 PM

Hi. That would actually be awesome. Thanks for that!

Sent from my iPhone using Tapatalk

You're welcome! :)
#254
General Discussion / Re: New user, help needed
July 18, 2017, 10:29:32 AM
Quote from: pun1x on July 17, 2017, 09:01:34 PM

All I want to do is to be able to test if I get internet, as my provider is flaky sometimes.

You can also monitor the GW (apinger); it allows you to ping the IP of the provider's gateway, or another public IP. Though, I wasn't concerned about a URL, to check if DNS translation works... Try!
#255
Exactly!

I read your initial reply in my email, without the update, and I came here to tell you the solution. Glad you found it quickly!

Keep up the good work!