16.1 Legacy Series / NAT with OPNSense firewall behind a Ziggo Horizon box not working
« on: March 25, 2016, 11:24:35 am »
I've installed OPNSense 64-bit on an old HP t5730 (with expansion module for a 2nd network card), which works flawlessly. There is one thing that I cannot solve, it seems.
My setup at home is a local cable connection from Ziggo which ends up in the Horizon box from Ziggo. Due to a lot of features that are lacking I wanted to create my own appliance, hence the thin client.
I've disabled the firewall function of the Horizon box and have configured DMZ for the IP address that opnsense has on the WAN interface. That is 192.168.192.3 (and the IP of the Horizon is 192.168.192.1). The internal LAN address on the opnsense side is 192.168.0.0/24.
The opnsense box has 3 interfaces configured:
WAN - 192.168.192.3
LAN - 192.168.0.1
GIF - HE.net IPv6 tunnel
So far everything works like expected and internet is working at home.
The only issue that I currently run into is that I cannot get NAT / port forwarding to work on the opnsense box, and I don't know for sure where this goes wrong. When I create a new port forward rule that allows SSH access for a specific external IP, routes it to the internal LAN network and redirects it to the IP I want it redirected to, it does not seem to work. Even when I open SSH on the Horizon box it does not respond.
I've included the XML part from the backup config which shows the current NAT rule being active (and is not working):
Code:
<nat>
  <outbound>
    <mode>automatic</mode>
  </outbound>
  <rule>
    <protocol>tcp</protocol>
    <interface>wan</interface>
    <descr>Newznab SSH</descr>
    <associated-rule-id/>
    <target>192.168.0.75</target>
    <local-port>22</local-port>
    <source>
      <any>1</any>
      <port>22</port>
    </source>
    <destination>
      <network>wanip</network>
      <port>22</port>
    </destination>
    <updated>
      <username>root@192.168.0.25</username>
      <time>1458762402.1674</time>
      <description>/firewall_nat_edit.php made changes</description>
    </updated>
    <created>
      <username>root@192.168.0.25</username>
      <time>1458762115.3593</time>
      <description>/firewall_nat_edit.php made changes</description>
    </created>
  </rule>
  <rule>
    <protocol>tcp/udp</protocol>
    <interface>wan</interface>
    <descr>Newznab backups</descr>
    <associated-rule-id>nat_56f43c35c8f732.82044384</associated-rule-id>
    <target>192.168.0.75</target>
    <local-port>22</local-port>
    <source>
      <address>85.222.225.107/24</address>
      <port>22</port>
    </source>
    <destination>
      <network>lan</network>
      <port>22</port>
    </destination>
    <updated>
      <username>root@192.168.0.25</username>
      <time>1458846820.9114</time>
      <description>/firewall_nat_edit.php made changes</description>
    </updated>
    <created>
      <username>root@192.168.0.25</username>
      <time>1458846773.8235</time>
      <description>/firewall_nat_edit.php made changes</description>
    </created>
  </rule>
</nat>
I've already disabled the internal private network check and the bogon network checks, as there is a private network on the WAN port as well due to the Horizon box. The saddest part is that Horizon does not allow ethernet bridging, which would have solved my issue already. Does anybody know what I'm missing or doing wrong here?
Thanks!
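Added example, not part of the post above and not OPNsense code: a small lint that reads a `<nat>` block from an OPNsense/pfSense-style config backup and flags patterns that commonly make a port forward never match. The embedded sample is a trimmed copy of the two rules posted above (timestamps dropped). The checks assume the pfSense-derived config semantics: a source `<port>` on a port forward constrains the client's source port (SSH and other clients connect from ephemeral ports, so a rule pinned to source port 22 rarely matches), destination `<network>wanip</network>` means the WAN address while `lan` means the LAN subnet, an address with a prefix shorter than /32 matches every host in that prefix, and an empty `<associated-rule-id/>` means no filter rule was generated, so the redirected traffic still needs a pass rule on WAN. Finding codes and the `lint_port_forwards` function name are my own.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: the two port-forward rules from the post, trimmed to
# the fields the lint reads (created/updated metadata omitted).
SAMPLE_NAT_XML = """<nat>
  <outbound><mode>automatic</mode></outbound>
  <rule>
    <protocol>tcp</protocol>
    <interface>wan</interface>
    <descr>Newznab SSH</descr>
    <associated-rule-id/>
    <target>192.168.0.75</target>
    <local-port>22</local-port>
    <source><any>1</any><port>22</port></source>
    <destination><network>wanip</network><port>22</port></destination>
  </rule>
  <rule>
    <protocol>tcp/udp</protocol>
    <interface>wan</interface>
    <descr>Newznab backups</descr>
    <associated-rule-id>nat_56f43c35c8f732.82044384</associated-rule-id>
    <target>192.168.0.75</target>
    <local-port>22</local-port>
    <source><address>85.222.225.107/24</address><port>22</port></source>
    <destination><network>lan</network><port>22</port></destination>
  </rule>
</nat>"""


def _text(elem, path):
    """Return the stripped text of a child element, '' if the element is
    present but empty (e.g. <associated-rule-id/>), None if it is absent."""
    node = elem.find(path)
    if node is None:
        return None
    return (node.text or "").strip()


def lint_port_forwards(nat_xml):
    """Return a list of (descr, code, message) findings for each <rule>."""
    root = ET.fromstring(nat_xml)
    findings = []
    for rule in root.findall("rule"):
        descr = _text(rule, "descr") or "<no descr>"
        iface = _text(rule, "interface")
        src_port = _text(rule, "source/port")
        src_addr = _text(rule, "source/address")
        dst_net = _text(rule, "destination/network")
        assoc = _text(rule, "associated-rule-id")

        # A source port on a port forward restricts the *client's* source
        # port; clients use ephemeral ports, so this rarely matches.
        if src_port:
            findings.append((descr, "source-port",
                             f"source port {src_port} set; clients connect "
                             "from ephemeral ports, rule will rarely match"))

        # Inbound traffic from the Internet arrives addressed to the WAN
        # address, so a WAN rule with any other destination does not match.
        if iface == "wan" and dst_net not in (None, "", "wanip"):
            findings.append((descr, "dest-not-wanip",
                             f"destination network is '{dst_net}', not the "
                             "WAN address; inbound traffic will not match"))

        # A prefix shorter than /32 admits every host in that block, which
        # is usually wider than 'a specific external IP'.
        if src_addr and "/" in src_addr:
            net = ipaddress.ip_network(src_addr, strict=False)
            if net.num_addresses > 1:
                findings.append((descr, "wide-source",
                                 f"source {src_addr} covers {net.num_addresses} "
                                 f"addresses ({net}); use /32 for one host"))

        # Empty element == filter rule association 'None': the redirect
        # exists but the WAN default deny still drops the packet unless a
        # matching pass rule is added by hand.
        if assoc == "":
            findings.append((descr, "no-filter-rule",
                             "no associated filter rule; add a WAN pass rule "
                             "to the target or the forward is dropped"))
    return findings


if __name__ == "__main__":
    for descr, code, msg in lint_port_forwards(SAMPLE_NAT_XML):
        print(f"[{code}] {descr}: {msg}")
```

Run it against the `<nat>` section exported from Diagnostics/Backup; a forward with no findings can still fail for reasons outside the rule itself (upstream DMZ mapping, the target host's own firewall), so after fixing the rule, confirm with `pfctl -sn` and `pfctl -sr` on the box that the rdr and pass rules were actually generated.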