Messages - ARCHmatux

#1
19.7 Legacy Series / Re: Unable to reach the Internet
November 09, 2019, 12:10:31 PM
Hi.

Is pfSense using NAT or routing between the subnets?

If it's using routing, does DD-WRT have appropriate outbound NAT rules for the 192.168.175.0/24 subnet?

#2
19.7 Legacy Series / Reboot required after outage
November 09, 2019, 11:41:07 AM
Hi All,

I've got an ongoing issue that I've had both with OPNsense and previously its main rival before I switched.

Essentially the problem is that if the cable modem loses connectivity to the internet for a period of time, when it regains connectivity, the WAN IP on OPNsense is not renewed unless I reboot.

The cable modem does not shut down its "LAN" side port when it loses connectivity, so OPNsense will not see a link state change when the cable modem loses connectivity or comes back. Additionally, I now run OPNsense virtually, so it will certainly not see a link state change even when the cable modem is rebooted.

Would it be possible to configure OPNsense to attempt to renew the WAN IP via DHCP every minute while the WAN gateway monitor is offline?

If not, would https://forum.opnsense.org/index.php?topic=10924.0 still be applicable?
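One way to do what the post asks for, as an added example that is not code from OPNsense or from the post: a small sh script meant to be run from cron every minute, which probes the WAN gateway and requests a DHCP renew only after the probe has failed on consecutive runs, so a single lost ping does not trigger a renew. The interface name, gateway address, state-file path and the renew command are placeholders (assumptions); on OPNsense the renew command would be whatever reconfigures the WAN interface on your version.

```shell
#!/bin/sh
# Added example (not OPNsense code, not from the forum post).
# Run from cron once a minute. Probes the WAN gateway; after FAIL_THRESHOLD
# consecutive failed probes it runs RENEW_CMD to ask for a fresh WAN lease.
# All of the values below are placeholders / assumptions, not taken from the post.

WAN_IF="${WAN_IF:-vtnet0}"                       # placeholder WAN interface name
GATEWAY="${GATEWAY:-203.0.113.1}"                # placeholder (TEST-NET-3 address)
STATE_FILE="${STATE_FILE:-/tmp/wan_probe_failures}"  # consecutive-failure counter
FAIL_THRESHOLD="${FAIL_THRESHOLD:-2}"            # renew after this many failed runs
# Probe command: one ICMP echo to the gateway (ping -c 1 times out on its own).
PROBE_CMD="${PROBE_CMD:-ping -c 1 $GATEWAY}"
# Renew command: placeholder; replace with the command that reconfigures the
# WAN interface on your OPNsense version.
RENEW_CMD="${RENEW_CMD:-echo RENEW $WAN_IF}"

# Print the stored number of consecutive failures (0 if no state yet).
read_failures() {
    if [ -f "$STATE_FILE" ]; then cat "$STATE_FILE"; else echo 0; fi
}

# Run one poll cycle. Prints "up", "down" or "renew" so the caller (or cron
# mail) can see what happened.
poll_once() {
    if $PROBE_CMD >/dev/null 2>&1; then
        echo 0 > "$STATE_FILE"        # gateway reachable: reset the counter
        echo up
        return 0
    fi
    failures=$(read_failures)
    failures=$(( ${failures:-0} + 1 ))
    if [ "$failures" -ge "$FAIL_THRESHOLD" ]; then
        if ! $RENEW_CMD >/dev/null 2>&1; then
            echo "renew command failed for $WAN_IF" >&2
        fi
        echo 0 > "$STATE_FILE"        # count afresh after a renew attempt
        echo renew
    else
        echo "$failures" > "$STATE_FILE"
        echo down
    fi
}

# Invoke as "script.sh --run" from cron; sourcing the file only defines functions.
[ "${1:-}" = "--run" ] && poll_once
```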

#3
You're looking to enable NAT Reflection/NAT Hairpinning/NAT Loopback.

It's a setting you can enable for each NAT translation.

#4
You could always use netstat on the client machine to see what process is causing this.

As an aside, seeing as Palemoon's archive server was breached for over 18 months before they noticed, I'd be a bit concerned about relying on their software.

#5
Hardware and Performance / Re: Problems with KVM
August 10, 2019, 10:36:51 PM
I'm running OPNsense on Proxmox (KVM).

Instead of PCI passthrough I'm using OpenvSwitch with a virtio NIC for each interface, vlan tag applied at the OpenvSwitch level.
I haven't seen any drops yet.

I have had issues in the past with Realtek NICs.

#6
I've seen something similar before.

It's possible for malicious JavaScript to use CSRF to attempt an attack on a router/firewall from the inside.
This generally takes advantage of default credentials or UPnP to let an attacker in.

If it only happened once, it's likely that a page currently open in the browser had something like the above embedded in it.
If it's ongoing, I'd be on the hunt for a persistent threat, maybe a malicious browser plugin or similar.

#7
Hi All,

I suspect that this has been covered before.
I've read through a few topics but unfortunately they don't really answer my question.

I have a fairly simple network.
WAN is DHCP
LAN is static in a /30 transport link to an internal layer 3 switch where the interfaces for the internal subnets reside.

With pfSense the automatic outbound NAT allowed for the subnets behind the layer 3 switch to be NAT'd out the WAN.
However, with OPNsense I need to manually define the outbound NAT rules for these subnets.
Simply adding a firewall rule to the LAN interface to allow these subnets out isn't enough to apply NAT to them.

Is this intended behavior or a bug?

If intended I can fully understand.
I mostly come from a Cisco ASA background where you can manually define outbound NAT for a group of subnets or use ANY to allow outbound NAT for anything going in and out of the specified interfaces.