Messages - nj44451

#1
Changed to Networks and all is working now. Also, I think at one point I forgot to click Apply as well.

Thanks for your help.
#2
This is what is set that works to pass on port 25 to the server.
NAT under Port Forward:

WAN   TCP   *   *   WAN address   25 (SMTP)   192.168.1.54   25 (SMTP)   

As soon as I add the alias as the source address, it gets blocked:

WAN   TCP   SMTP_alias   *   WAN address   25 (SMTP)   192.168.1.54   25 (SMTP)   


Under alias "SMTP_alias" I have it set to URL (IPs)

with these addresses added:

72.35.12.0/255.255.255.0
72.35.23.0/255.255.255.0
208.70.128.0/255.255.248.0

#3
I had tried before adding the alias to the source and nothing.

I just modified the existing NAT I had to pass the traffic to my local IP on port 25.

In the alias it shows it loaded the whole range of IPs based on the masks I set.

For example, I have this range set up in the alias:    72.35.12.0/255.255.255.0

I have it set up as a URL alias; should I be using something else?

Here is what I see in the live log. 

wan      2022-12-17T14:25:56-05:00   72.35.12.47:50702   98.157.240.17:25   tcp   Default deny / state violation rule
#4
I have an external spam filter that passes mail to my mail server on port 25.

I want to ensure that only mail from the spam filter is delivered to my mail server.

I set up an alias with the IP ranges for the spam filter's public IP address, but the server gets blocked no matter what I try.

I am setting this up on the NAT port forward.


Does anyone have an example of how to set this up?
For example, I have this range set up in the alias:    72.35.12.0/255.255.255.0

Thanks,

Trent


#5
Been using OPNsense since the version 17.* days, and in prior versions I had no issue adding an IP alias from the WAN address block under the virtual IP setting.

Now when I enter one it flags that the IP is invalid. I can export the config file and add or edit manually, but was wondering if there is something I am doing wrong when I try to use the GUI.


Thanks,

Trent
#6
18.1 Legacy Series / only use the WAN IP address
March 06, 2018, 04:14:19 AM
I have 2 virtual IP addresses assigned and have adjusted the settings so that you will use the same IP address for a connection. (Made adjustments to the sticky connection.)

I have 2 outbound NAT rules set for servers so any data out will use the specified IP address. But my question is, how can I force all other LAN traffic to simply use only the WAN IP address and not use the other defined addresses?


Thanks,

Trent   
#7
After a fresh install, not from upgrade, and lots of reading and looking at log files, I found the issue with the clients connecting to an FTP server in passive mode outside my network.

Because of the round robin, or whatever you call it, since I have 2 virtual IPs listed the program kept using different public IP addresses for the various parts of the FTP connection, and when I turned it off FTP started making connections again. This same issue was causing issues connecting to certain bank sites, as their system detected the IP kept changing and blocked us out.


#8
I will take a look at the logs, but what I don't understand is everything was working normally until I upgraded to 8.1.
I am thinking to either reinstall 8.1 from scratch like I have seen in some posts, or go back and stay at 7.5.



#9
Just last night I upgraded to OPNsense 18.1.2_2-amd64 and since the upgrade none of the computers that have FTP clients running on them can access an FTP server outside the firewall.

I never added any special rules to the firewall up to this point to get them to work. But the upgrade from 7.7 to 8.1 changed something related to FTP.


Right now I had to move those machines over to an internet connection that is routed through my old firewall to get things working again. Does anyone have any suggestion of something I can try to resolve the issue?



Thanks,

Trent


#10
Everything has been working fine the last month since I installed the OPNsense firewall, then out of the blue random people have started getting SSL certificate errors when trying to connect to our internal Exchange server.

The SSL certificate is valid; also, one of the warnings is an OPN certificate as well.

Does anyone have any idea how to have the firewall stop blocking the SSL certs? If I revert them back to the one firewall everything is fine.

Thanks,

Trent
#11
Bart,

I think I got it now, will give it a try.

Thanks for your help.


Trent
#12
I understand about the NAT and setting up the specific public IP to go to the LAN.

But in the rules, how do you set up the specific public IP and port to be directed to the LAN?

I see where you can direct the specific port from the WAN to a specific LAN IP, but you cannot set the public IP address.

If I have 2 public IPs and port 80 needs to go to 2 different servers, how do you set that up in the rules?

64. is public and 10. internal

Example: 64.28.44.166 port 80 goes to 10.0.0.10 port 80
and 64.28.44.167 port 80 goes to 10.0.0.011 port 80.


I have been looking at the documents and can find an example of how to do this.


Thanks.


#13
Ok I see where to do that.

So by setting this up, this just allows the public IP I specify from the WAN onto the LAN net, correct?
But I am assuming this setting still won't let any traffic through, correct?

If that is the case:
Now how do I open a specific port, say 80, from that specific public IP to be directed onto an IP on the LAN?

Under rules or NAT and port forwarding?


Thanks for your help on this Bart!


#14
Where in the NAT do you set up the additional ranges?

I wish the documentation had screenshot examples of how to set up various situations.

#15
Hello,

I am wondering how to correctly set up additional IP addresses on my WAN connection.

I have 8 IP addresses available and need to use the additional IPs to forward ports via NAT to my mail and web server.

Thanks