Messages - BeanAnimal

#1
20.1 Legacy Series / Re: nat reflection & dual nat
August 06, 2020, 01:43:55 AM
So - ignore the NAT reflection. It is a disaster on this product. Do it the old school way with a rule

Build a simple out bound NAT rule

Say your public IP is 1.1.1.1
Your Internal Server ip is 192.168.1.10.

Outbound NAT
Interface LAN
Source LAN NET
Source Port ANY
Destination WAN Address
Dest Port - 5000
Change Destination to (NAT Address) 192.168.1.10
Change Destination port to (NAT PORT) 5001
#2
20.7 Legacy Series / Re: One issue after the next
August 05, 2020, 11:23:51 PM
So the NAT issues for xbox were due to aliases being somehow borked - I deleted them and used IPs and hard coded ports instead.  Issues resolved. On a whim, deleted and recreated aliases and they are working too.

That said, for whatever odd reason upnp has been working.

NAT reflection is still a disaster - So i just manually build the outbound redirect rules to get it to work.

I have calmed down a good bit and have most things working, albeit I am still very frustrated that tinkering with this firewall every few months to get things to work is a never ending battle.

See you again in a few months when the next update comes ;)
#3

port forward by using "other" and typing in ports and address works.
port forward by using alias in drop down hits default deny rule.

-removed them all and added them again.  Working now.

No idea why things like this break.


#4
20.1 Legacy Series / Re: nat reflection & dual nat
August 05, 2020, 08:25:34 PM
Good luck getting an answer - this has not ever worked for me on OPNsense.
#5
20.7 Legacy Series / Re: One issue after the next
August 05, 2020, 08:22:43 PM
Darkain - my intent is not to be argumentative - but it is not that cut and dry:

I DO have a static DHCP lease on xbox
upnp WAS working - it broke
Static NAT rule was unable to get more than "moderate" on xbox

Started over (again) baremetal and upnp now works with static DHCP, 1to1 NAT AND upnp....  Insanity that it takes this much to get something rather simple to "work"

The VLAN issues I have had have all been the result of firmware updates - stuff just breaks. BTW, Intel NICs.

The other issue I have is NAT reflection - plain and simple, it doesn't work. Works on Cisco, Sophos, Palo Alto, Etc. Just not on opnsense.

Like I said, I like the UI and the idea! I think that a lot of very talented work has been put into this. That said for anything more than a simple internet router, this product is a toy for folks who like to hack at things, not a product I would put in a business. There are just too many little bugs, breaking changes and things that just don't work.

Thanks for the response
#6
20.7 Legacy Series / Re: One issue after the next
August 04, 2020, 11:21:57 PM
... see above.

Feel free to close this thread. I am moving on and may come back at a later date. I can't devote hour upon hour fiddling with this to get simple services setup.

Thanks again for the help. Like I said, I want to love this firewall, but don't have time to fiddle with it in its current state.

#7
20.7 Legacy Series / Re: One issue after the next
August 04, 2020, 11:10:30 PM
Thank you for the response:

RE: Interface names
I do understand why the names changed but editing in GUI did not fix issues. Also - there was no way to remove the orphaned assignments and attempting to edit all instances in the xml and then import did not work either. I gave up and started over. Water under the bridge now...


RE: IPVanish
... giving up here. No need to respond or look into any of the issues. This is a complete waste of my time.

Thanks again for the attempt to help. 

#8
20.7 Legacy Series / One issue after the next
August 04, 2020, 10:19:33 PM
Nat reflection - had huge issues (never resolved, can't remember version, there is a thread) for a very basic setup.  I have no idea if this is fixed or what the issue was, nobody had any clue other than the standard "it works for me" answer.

Had VLAN tag issue after a firmware upgrade - could not get them resolved. Had to start from bare metal a year or so ago (19 to 20 I think)

Now

upnp - was working some versions ago - upgrade to some 20.something and it broke.  Nothing changed in config. Finally got tired of "Moderate NAT" on xbox so set out this week to fix it.

Nothing worked other than ANOTHER bare metal install!  BAM UPNP starts working. I very carefully added back every rule, interface, etc.

I was still on hyper-v and had no reason to be so decided to MOVE to bare metal.

MORE ISSUES - Config between hyper-v instance and bare metal is not compatible.  hn# interfaces became igb# interfaces. I was able to get some stuff running, but not others. The config was a mess. So much for a backup.

Bare metal again!
This time 20.7 - i mean why not start fresh with latest, right?

Latest issue:
upnp is fixed but now IPVanish client will not work. Same f'ing settings as before and same f'ing settings that worked 72 hours ago on 12.1 bare metal.

TLS Error: cannot locate HMAC in incoming packet from [AF_INET]

Then:
Found new bug - fiddling with settings turning on and off TLS Authentication to see error state change. And now turning it back on, will not allow me to paste in a TLS auth Key

I get:
The following input errors were detected:
The field 'TLS Authentication Key' does not appear to be valid

Given the error and the fact that I can't even change the key now, tells me that something is corrupt and not properly applying the encryption to either the key or tunnel.

I really want to like this firewall and keep coming back, but then suddenly remember why I left. It feels like anything more than simple LAN-->Internet is an exercise in frustration and updates are sure to break something every time.

#9
20.1 Legacy Series / Re: NAT Reflection not working
April 16, 2020, 04:37:36 PM
Thank you for the response!
Unless I am missing something - I am trying to reflect internal to internal:

Internal Primary Lan
192.168.1.0/24


Wan Interface (Static IP)
1.2.3.4

Internal Host A 192.168.1.100
Internal Host B 192.168.1.200

Port Forward Rule
1.2.3.4:5001 --> 192.168.1.200:5001  (working from public internet)

Internal Traffic
192.168.1.100:5001 --> 192.168.1.200:5001 working on internal network

192.168.1.100:5001 --> 1.2.3.4:5001 is not working

What would be my next steps for troubleshooting?
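The manual hairpin that post #1 describes, applied to the topology in post #9, as an added example in classic pf.conf syntax (the FreeBSD pf FAQ "Redirection and Reflection" pattern); it is not the poster's rules and not OPNsense's generated ruleset, and the interface names igb0/igb1 are assumed. The second rdr catches LAN clients that address the public IP, and the nat rule rewrites their source so the server replies through the firewall rather than directly to the client.

```pf
# Added example, classic pf.conf syntax. Not the poster's rules and not
# OPNsense's generated ruleset. Interface names are assumed.
ext_if  = "igb0"             # WAN, static 1.2.3.4 (from post #9)
int_if  = "igb1"             # LAN, 192.168.1.0/24
int_net = "192.168.1.0/24"
ext_ip  = "1.2.3.4"
srv     = "192.168.1.200"    # Internal Host B
svc     = "5001"

# External -> internal port forward (the part that already worked for the poster)
rdr on $ext_if proto tcp from any to $ext_ip port $svc -> $srv port $svc

# Reflection, step 1: a LAN client hitting the public IP is redirected on the
# LAN interface to the internal server
rdr on $int_if proto tcp from $int_net to $ext_ip port $svc -> $srv port $svc

# Reflection, step 2: source-NAT that redirected flow to the LAN interface
# address, so 192.168.1.200 answers the firewall and not the client directly
# (a direct reply would never match the firewall's state and the TCP handshake
# would stall, which is the "site cannot be reached" symptom in post #11)
nat on $int_if proto tcp from $int_net to $srv port $svc -> ($int_if)

# Filter rules still have to pass the traffic; they match the post-translation
# destination, so they reference the internal server, not the public IP
pass in on $ext_if proto tcp from any to $srv port $svc
pass in on $int_if proto tcp from $int_net to $srv port $svc
```

One side effect to keep in mind when reviewing logs: because of the source NAT in step 2, the internal server sees every reflected connection as coming from the firewall's LAN address, so the original client IP is only visible in the firewall's own state table or logs.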



#10
20.1 Legacy Series / Re: NAT Reflection not working
April 16, 2020, 12:47:31 AM
Quote from: stefanpf on April 15, 2020, 09:58:41 PM
I just did a quick test:
- portforwarding TCP 80 to internal Webserver
- enable only "Reflection for port forwards"
- create an A-record in Unbound with my external WAN IP
Works as expected   ???

Not sure if you are trying to help, or just be snarky... sure appears to be the latter. Either way responses like that are insanely frustrating.

As I mentioned - this is not working for me and I have found numerous threads with reports of the same issue... none of which appear to have been resolved.

As I mentioned - this EXACT configuration was working in pfsense (days ago). Same config settings, same network, just changed router from pfsense to opnsense.

Not Mentioned - this same network configuration was working with SOPHOS UTM (weeks ago) - with manually defined NAT and DNAT rules (Sophos does not have auto "hairpin" or "reflection").

My setup is rather simple with only a very small number of rules.

3 External IPs
1 LAN
2 VLAN - one of them idle, the other setup for OpenVPN gateway

Port forwarding for Primary IP works and Port forwarding to (2) virtual IPs work.
Outbound nat for LAN --> WAN
Outbound nat for VLAN -->OpenVPN

No floating rules
Outbound Rules
1 Rule per VLAN (ANY outbound) to allow traffic (1 to WAN, 1 to OpenVLAN)
1 Rule (default) for LAN outbound (ANY)
5 Port forwarding rules 3 for primary IP and 1 per secondary IP (all working from external networks).

NAT reflection is NOT working at all.
#11
20.1 Legacy Series / NAT Reflection not working
April 15, 2020, 07:31:42 PM
I have seen this same issue (never resolved) come up for the better part of 2 years over multiple live versions.

Can somebody in the know, please answer?

Simple setup
All NAT reflection options enabled
Port Forwarding for internal service set.

External --> Internal = working
Tested on several ports and internal hosts

Internal --> Reflection --> Internal = NOT WORKING

Nothing logged (I assume this is expected)
This IS NOT a DNS issue.
DNS resolves properly to external IP

Traffic via FQDN or IP results in site cannot be reached
I can ping the external IP from internal though...

This worked with the exact same settings in pfsense.

After reading 20 threads just like this ... something appears to be broken.

Please don't offer split DNS as a resolution. NAT reflection should be working.
#12
Same issue here -

NAT reflection turned on in Advance
NAT reflection enabled on Port Forwarding Rule

Working
External -> 80, 443, etc Rules -> internal host

From INSIDE
DNS returns proper external IP
Unable to browse to host using External IP or FQDN, with or without specifying the port.

Something appears to be broken here. Moved from PFsense and reflection was working. Same setup.
#13
General Discussion / Re: Hyper-V VLAN issues - please help
September 29, 2018, 12:38:08 AM
Thanks to a reddit user - it appears I have an answer.

The issue is NOT OPNsense or pfSense

Microsoft Server 2012r2 appears to fail to apply trunk settings to the virtual adapters when a VM reboots.  The fix is to re-apply the VLAN settings to the virtual adapter anytime the VM reboots.

This site has a brief explanation and a script that will work around the issue.
https://gtacknowledge.extremenetworks.com/articles/Solution/Hyper-V-fails-to-pass-VLAN-tags-on-a-bridge-at-controller-service

#14
General Discussion / Re: Hyper-V VLAN issues - please help
September 28, 2018, 02:39:15 PM
Thank you for the input -

Not sure why I am having issues either. I would guess that it has something to do with Hyper-V also but I am unable to pinpoint the issue. I did not get pfSense setup yet, but it will be telling if the issue presents there as well.

I am not (by any means) proficient with wireshark, but I assume that some careful traffic inspection is going to be needed to resolve this.

Thank you again.
#15
General Discussion / Re: Hyper-V VLAN issues - please help
September 28, 2018, 06:04:18 AM
As mentioned - got things working by deleting the interfaces and VLANS and starting over...

Reboot OPNsense and BAM broken again. DHCP not responding to requests and static IP hosts can not route through VLAN.

Shut down OPNsense and start Sophos UTM (previous firewall with same VLAN config) and things work as expected.

Given the lack of comment here and the overall lack of traffic on this forum as a whole, I assume that I am going to be on my own. Sadly, I appear to have found the answer to the question in my other thread... this firewall is more of a toy than a business tool, regardless of the amount of hard work and talent rolled into it.  A shame, because I really like the interface and overall feel but the inability for it to maintain a simple stable VLAN after a reboot is a deal breaker.

No intent here to ruffle any feathers, just give honest feedback.

Enjoy - headed over to pfSense to give that a spin simply because it is more mature and has a much larger user base for peer support.