Messages - engelant

#1
I am trying to build a robust redundant basic setup concept with OPNsense and got stuck when it comes to NAT reflection.

Since I'm trying to be redundant I want to use the following setup:
A dial-up router, which obtains a static IP from an ISP and provides a configurable internal network.
This router, GW1, has 192.168.255.2 set as the exposed host IP; all external traffic will be NATed there.

GW1
  -WAN [8.7.6.5/?] (the static ISP assigned IP)
  -TWAN [192.168.255.1/30] (2 host subnet, internal/transfer side)

OPNsense
  -TWAN
    - [192.168.255.5/30] (2 host subnet for CARP on WAN interface)
    - CARP [192.168.255.2/30] (same subnet as TWAN on GW1)
  -EXT
    - [192.168.255.9/30] (2 host subnet for CARP on EXT interface)
    - CARP [8.7.6.5/32] (the static ISP assigned IP)
  -LAN
    - [10.123.0.2/24] (LAN subnet)
    - CARP [10.123.0.1/24] (LAN gateway IP)

The default gateway on the TWAN interface is set to 192.168.255.1; default traffic is sent to GW1 via TWAN.
There is a port forward on the TWAN interface in place, redirecting all IPv4 traffic to 8.7.6.5. This should DNAT 192.168.255.2 to 8.7.6.5 and therefore terminate on the EXT CARP IP.

An SSH port forward is created on interface EXT with destination 8.7.6.5, to be forwarded to the LAN IP 10.123.0.10. (DNAT, right?)

In my experience, up to this point everything is fine, unless I want to access 8.7.6.5 from 10.123.0.11.
My desired behaviour would be for EXT CARP 8.7.6.5 to do SNAT on every packet that comes from a private range (10/8, 192.168/16, etc.) and replace the source with 8.7.6.5.

The forwarded SSH connection to 10.123.0.10 then would have a source of 8.7.6.5 (and NOT 10.123.0.11). 10.123.0.10 would then again reply to 8.7.6.5, which should get NATed back to 10.123.0.11.
10.123.0.10 would only see the WAN IP of the requesting device and not try to directly answer to 10.123.0.11.

I don't seem to be able to set up a rule for this, any suggestions?
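The hairpin described in this post, written out as an added example in raw pf syntax (the FreeBSD pf that OPNsense runs on). This is not configuration from the post and not an export from OPNsense; the interface names and macro names are assumptions, the addresses are the ones listed above.

```pf
# Added example: pf translation rules for the NAT reflection described above.
# Interface names are assumptions; the addresses come from the post.
ext     = "vtnet1"          # EXT, carries the CARP VIP 8.7.6.5
lan     = "vtnet2"          # LAN, 10.123.0.0/24
wan_vip = "8.7.6.5"
ssh_srv = "10.123.0.10"
lan_net = "10.123.0.0/24"

# 1. The existing port forward: traffic for the VIP arriving on EXT goes to the SSH host.
rdr on $ext proto tcp from any to $wan_vip port 22 -> $ssh_srv port 22

# 2. Reflection: a LAN client connecting to the public VIP is redirected the same way.
rdr on $lan proto tcp from $lan_net to $wan_vip port 22 -> $ssh_srv port 22

# 3. Hairpin source NAT: after the rdr the packet leaves on LAN again, so rewrite the
#    client's source to the VIP. The SSH host then answers the firewall, which undoes
#    both translations from its state table. Without this rule the host replies to
#    10.123.0.11 directly on the same segment, the reply never passes the firewall,
#    and the client resets a connection it believes it opened to 8.7.6.5.
nat on $lan proto tcp from $lan_net to $ssh_srv port 22 -> $wan_vip

# Filter rule for the redirected (post-rdr) packet.
pass in quick on $lan proto tcp from $lan_net to $ssh_srv port 22 keep state
```

Check the fragment with `pfctl -nf <file>` before loading it. The reply path only works because 8.7.6.5 is outside 10.123.0.0/24, so the SSH host routes it to its default gateway 10.123.0.1 (the LAN CARP VIP). The price of translating to the VIP is that the SSH host's logs no longer show which LAN client connected. In the OPNsense GUI the equivalent is a manual outbound NAT rule on the LAN interface with the CARP VIP selected as translation address, rather than the automatic reflection setting, which translates to the interface address.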
#2
So in my home I've got a Fritz!Box and I changed my network setup for my home network to be directly handled by my Fritz!Box.
This way I can restart/update/shut down my server with OPNsense without losing my basic network.

My main network is something like 192.168.4.0/22, with 192.168.7.254 being my Fritz!Box as a default GW and DNS Server, 192.168.7.251 my OPNsense#1, 192.168.7.253 the CARP vIP and 192.168.7.252 reserved for a secondary OPNsense.

On my OPNsense I used to have a transfer net (10.0.200.0/29) with a CARP vIP of 10.0.200.1, which was my WAN transfer zone (with the Fritz!Box having 10.0.200.4).

Now while I can add routes in the Fritz!Box, I can not add a port forward/exposed host for any IP outside of the Fritz!Box range (192.168.4.0/22). This is a known "won't fix" limitation of the Fritz!Box ever since they switched to their new, modern interface.
I was hoping I could add a vIP of 192.168.7.250 to OPNsense and NAT everything that comes in to 10.0.200.1.
This way I would have my WAN-related rules on my old and separate interface rather than having to mix this in with my LAN zone.

So I created a test NAT for 10.0.200.1:80 to point at some test HTTP host. If I access 10.0.200.1:80 from my PC (inside the 192.168.4.0/22 net), I get a response as expected.
Now with the vIP 192.168.7.250 I created a NAT rule (any -> 10.0.200.1) and accessing 192.168.7.250:80 won't work.
Also I tried to set up 1to1 NAT for the same purpose and it also doesn't seem to work.

Now my question is: am I completely misunderstanding something and this can't work, is this a known limitation (maybe not yet known?) or is my configuration just broken and it should actually work?
#3
@alh I would like to express my gratitude for your detailed list of settings, as this solved my issue after hours of trying to get this to work.
#4
Spot on, thanks for the examples. I was able to write my own very first plugin, now to see if my code meets the contribution guidelines.

While unrelated to the issue, does anyone know how to re-read the ACL.xml? I installed and uninstalled helloworld to refresh, but c'mon. Also, is there a way yet to make the permission appear as "API" instead of "GUI" in the permission assignment table?
#5
I noticed that it's the old API. My idea was to access the data directly from the config as necessary.
What would be the recommended way to read the config without a Controller/Model being available?
#6
I would suggest to get rid of PPPoE.

This means make your router provide a "transfer net", e.g. 10.0.200.0/29 (3-bit subnet, 4 addresses + broadcast + net). Configure your router to 10.0.200.1/29, let it dial in itself and even do DynDNS stuff if required. Define address 10.0.200.2 to be an exposed host, basically NATing/forwarding everything from WAN to 10.0.200.2.

Now configure your WAN Interface on OPNsense to 10.0.200.2/29 and basically that's it.

To get the traffic flowing you could set your OPNsense WAN interface to do NAT to 10.0.200.1 or set a route in your Router for 10.0.0.0/8, 192.168.0.0 -> 10.0.200.2.

The reason why I actually did this is because I wanted to use the OPNsense active/backup config, and PPPoE is just not working for that. But with CARP I can create a virtual IP in that subnet (10.0.200.4) and expose that IP on my router, so all the traffic comes in on the active instance.
Unfortunately the automatic gateway stuff and outbound traffic didn't work for me as expected, since you can only reference interfaces but not VIPs in the gateway interface; outbound traffic will always take the active firewall IP. Still works, but one doesn't get the interruption-free failover I was hoping for (SSH session not dropping).
#7
I'm currently trying to get certificates from OPNsense via the API. As there are no APIs provided to access the Trust store I had the idea of simply creating a user with API key for every client that needs to get a cert, assign the required cert as one of the "User Certificates" and introduce a new System Privilege "API - Allow own certificate/key download".

I get the API and API permission related stuff to work, but I have no clue how to access the user and cert model properly.
What I now would need to do is to get the user ($this->logged_in_user from ApiControllerBase), with which I could get user certificates for that user. With that cert refid(s) I can get descr, crt, prv and caref and that's it.

Problem is, after $this->logged_in_user I have no idea which Model/Controller to call to get my desired data. Can somebody help out?
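One way to do what #5 and #7 describe, reading a user's certificates straight from a config.xml-style document without an MVC model, as an added example in PHP. This is not OPNsense code: the element layout assumed here (users under `<system><user>` with their `<name>` and zero or more `<cert>` refid children, certificates as top-level `<cert>` entries with `refid`, `descr`, `caref`, `crt` and `prv`) is an assumption about config.xml, the sample document is constructed, and the base64 payloads are placeholders rather than real key material.

```php
<?php
// Added example, not OPNsense code. Reads the certificates assigned to one user
// from a config.xml-style document with SimpleXML. The element layout is an
// assumption about config.xml; the sample below is constructed for this example.

// Constructed sample config; the base64 blobs are placeholders, not real keys.
$sampleConfig = <<<'XML'
<?xml version="1.0"?>
<opnsense>
  <system>
    <user>
      <name>client-a</name>
      <cert>5f0a1b2c3d4e5</cert>
    </user>
    <user>
      <name>client-b</name>
    </user>
  </system>
  <cert>
    <refid>5f0a1b2c3d4e5</refid>
    <descr>client-a cert</descr>
    <caref>0ca0ca0ca0ca0</caref>
    <crt>LS0tQ0VSVC0tLQ==</crt>
    <prv>LS0tS0VZLS0t</prv>
  </cert>
  <cert>
    <refid>9e8d7c6b5a493</refid>
    <descr>unrelated cert</descr>
    <caref>0ca0ca0ca0ca0</caref>
    <crt>LS0tT1RIRVItLS0=</crt>
    <prv>LS0tT1RIRVJLRVktLS0=</prv>
  </cert>
</opnsense>
XML;

/**
 * Return descr/caref/crt/prv for every certificate assigned to $username.
 * Only refids listed on that user's own <cert> children are honoured, so an
 * API key can never pull another user's key material through this path.
 */
function userCertificates(string $configXml, string $username): array
{
    $cfg = new SimpleXMLElement($configXml);

    // Collect the cert refids assigned to this user, and only this user.
    $refids = [];
    foreach ($cfg->system->user as $user) {
        if ((string)$user->name === $username) {
            foreach ($user->cert as $ref) {
                $refids[] = (string)$ref;
            }
        }
    }
    if ($refids === []) {
        return [];  // unknown user, or no certificates assigned
    }

    // Resolve the refids against the top-level <cert> entries.
    $out = [];
    foreach ($cfg->cert as $cert) {
        $refid = (string)$cert->refid;
        if (in_array($refid, $refids, true)) {
            $out[] = [
                'refid' => $refid,
                'descr' => (string)$cert->descr,
                'caref' => (string)$cert->caref,
                'crt'   => base64_decode((string)$cert->crt),  // PEM certificate
                'prv'   => base64_decode((string)$cert->prv),  // PEM private key
            ];
        }
    }
    return $out;
}

$certs = userCertificates($sampleConfig, 'client-a');
printf("%d certificate(s) for client-a\n", count($certs));
foreach ($certs as $c) {
    printf("%s (%s) ca=%s\n", $c['refid'], $c['descr'], $c['caref']);
}
```

In a controller the `$username` argument would be the value of `$this->logged_in_user`, so the filter is tied to the authenticated API key. Because the result includes `prv`, whoever holds that key also holds the private key; the key secret needs the same handling as the key material it unlocks.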
#8
I would like to understand if there is a technical limit due to CARP in place or if it's just an OPNsense limitation.

Using a Fritz!Box (or any router actually) I'm capable of creating a "emulated fixed WAN line" by creating a 10.0.200.1/30 subnet for transfer, assigning 10.0.200.1 to my router, 10.0.200.2 to my OPNsense and configuring the 10.0.200.2 address as an exposed host in my router.

Now with a second OPNsense I want to create a failover configuration, and naturally CARP sounds right: removing the IP from the interface and leaving it empty on both OPNsense boxes, then creating a CARP virtual IP so the active instance is capable of talking to the router.

problem:

  • I can't create a CARP virtual IP without an IP assigned to the interface
  • even if, the gateway with automatic NAT rule creation is bound to the Interface, not the vIP
  • I need to check the connectivity via ping in the gateway, as the line itself always appears up

I still have an HA network configured for syncing purposes, so accessing the active CARP IP from the backup OPNsense would work by routing through that net, e.g. for accessing the Internet.
Am I missing something, do I have the wrong ideas of a proper HA architecture or is it wanted this way but just not implemented yet?