Messages

1

20.1 Legacy Series / Re: Converting Cisco NAT rules to OpnSense

« on: April 09, 2020, 04:30:33 pm »

Hi Shadesh,

I created it to try and match that Cisco rule, but from what you're saying, I believe I shouldn't need it, so it's disabled for now.

Thanks

2

20.1 Legacy Series / Re: Converting Cisco NAT rules to OpnSense

« on: April 09, 2020, 02:56:39 pm »

Hi Shadesh,

It is part of a VLAN and I can ping it from the FW and from any other host on any other VLAN.

Are you saying that I should be using the Automatic NAT rule generation? The reason I've moved to manual NAT rules is that I will route everything through an anonymous VPN - eventually... and I was following the blog that I referenced earlier, however, to get this Sure Signal thing working, I'm happy to try Automatic - if that is what you are suggesting.

Screenshot attached.

Interestingly, I did something to lose all Internet connectivity. I've got it back now, but I've disabled the "Single Gateway. I thought that at least one gateway would be required. Is it not the same as the Cisco command `ip route 0.0.0.0 255.255.255.255 Dialer0`?

Thanks again.

3

20.1 Legacy Series / Re: Converting Cisco NAT rules to OpnSense

« on: April 09, 2020, 11:06:38 am »

Hi Shadesh,

Thank you for replying.

192.168.81.30 is in a VLAN and is connected to the internal interface. Both on Cisco and OpnSense (igb0[LAN]).

I had OpnSense in Hybrid Outbound NAT mode. The device on 192.168.81.30 did not work, so I tried to add the rule mentioned above.

I read a very informative post about NAT'ing on pfSense https://blog.monstermuffin.org/pfsense-guide-nat-firewall-rules-networking-101/ where I have now set it to manual mode. I've put in my rules so the VLANs can get out to the Internet, plus this rule. VLANs can access the internet, but the device on 192.168.81.30 does not connect.

For background information, this device is a femtocell (Vodafone Sure Signal). Part of the job of the device is to create a VPN tunnel back to Vodafone. For troubleshooting purposes, I have opened up the firewall with logging on, however, I cannot see any traffic pertaining to Vodafone's public IPs, pertinent ports or 192.168.81.30 in the logs, bar the DHCP request.

Thanks again.

4

20.1 Legacy Series / Re: Converting Cisco NAT rules to OpnSense

« on: April 08, 2020, 08:17:59 pm »

Anyone, please? I am really struggling with this. I can't find any good examples...

5

20.1 Legacy Series / Converting Cisco NAT rules to OpnSense

« on: April 08, 2020, 12:17:08 am »

Hi,

On my recently dead Cisco router, I had the NAT rule, thus:

Code: [Select]

ip nat inside source list 101 interface Dialer0 overload
!
access-list 101 permit ip host 192.168.81.30 any

I'm trying to give OpnSense the same behaviour. I've tried both "Outbound" and "Port-forward" but I can't seem to get it to work. I'm not sure if it's something with the NAT rule or FW rule, however, the VLAN the local device (192.168.81.30) is on has an any-any in and out rule with logging enabled. I do not see any traffic hitting the rule.

Here's what I've tried:
Outbound NAT:

|Interface	|Source	|Source Port	|Destination	|Destination Port	|NAT Address	|NAT Port	|Static Port|
|WAN	|192.168.81.30	|*	|*	|*	|WAN Address	|*	|No|

Port Forward:

|Interface	|Proto	|Source Address	|Ports	|Destination Port	|Destination Address	|Ports	|NAT IP	|Ports
|WAN	|-	|*	|*	|*	|*	|*	|192.168.81.30	|*|

I'm not 100% sure which type of NAT to use and whether the logging shows in the "Live View"

If anyone could offer some pointers, I'd be very grateful.

T.I.A

6

20.1 Legacy Series / Re: Routing issue - I think

« on: April 06, 2020, 03:36:25 pm »

Not so much a routing issue, but a switching issue.

The OpnSense FW is replacing a 10 year-old Cisco router and I used the same config on the switchport of the switch:

Code: [Select]

interface gigabitethernet27
 description "***TRUNK to OpnSense (NIC1)***"
 switchport trunk allowed vlan add 50,65,100
 switchport trunk native vlan 10
!

Once I removed the `switchport trunk native vlan10` line and added 10 to the allowed list, it worked.

Code: [Select]

interface gigabitethernet27
 description "***TRUNK to OpnSense (NIC1)***"
 switchport trunk allowed vlan add 10,50,65,100
!

Now, to work out how these firewall rules work...

7

20.1 Legacy Series / Routing issue - I think

« on: April 05, 2020, 10:39:57 pm »

Hi,

I've got OpnSense almost configured. I can connect to and from VLANs and access the Internet, however, an outstanding issue is really foxing me. As the title suggests I think I'm missing something on the Gateway / route table, but I can't work it out.

Hardware has two NICs: igb0 (LAN) and em0 (WAN)
OpnSense's IP  = 192.168.10.1/28 on VLAN10.
Default "LAN" interface has no IP. In effect a trunk port.
VLAN50 = 192.168.50.1/24

VLAN10 has a switch (192.168.10.2) on it and the port connected to OpnSense is set to trunk and includes VLAN10.

I have two devices connected to the aforementioned switch: Laptop A and Laptop B. Both switch ports are set to access with VLAN10 and VLAN50 respectively.

Issue
Laptop A - 192.168.10.9
Cannot connect to OpnSense (192.168.10.1) web interface.
Cannot connect to any other VLAN / Internet.
Can connect to switch's (192.168.10.2) web interface.

Laptop B - 192.168.50.108
Can connect to OpnSense (192.168.10.1) web interface.
Can connect to all VLANs.
Cannot connect to switch's (192.168.10.2) web interface.

I've tested whilst disabling the firewall. Obviously I cannot route to the Internet, but the issue remains.

I have one Gateway set:
Name = WAN_PPPoE
Interface = WAN
Protocol = IPv4
Priority = 254
Gateway = 195.102.260.130 (My public IP).

I have no user-defined routes.

I've searched and searched and after 12 hours, I'm reaching out in the hope that someone may be able to spread some light on my issue. If you have any ideas of what's going on, I'd be grateful if you could share.

Thanks in advance.