Messages

So i setup Maxmind's GEOIP and it imported all the ranges successfully.
I made an alias that has Russia selected (effectivly a block all in Russia?)
I then added a rule to block all traffic from that geoip alias.
I expected that i could not access any russian sites, but i can still freely access it.

What did i do wrong in my process?

Hi, i was facing the same issue, could not get OPEN nat on xboxlive or battle.net (warzone).
I finally fixed it after a whole week!!!!

Things i did to get it working.
1. forward all nescesarry ports like normal.
2. turn outbound on to hybrid.
3. add a static outbound with static port

(see my screenshots)

If you need more then one device to have OPEN nat, remove the forwards (leave static route and hybrid), and install and run UPNP.

Hope this helps, cheers.

FIXED IT?!!

Its has nothing to do with anything i tried,, i searched and searched and finally found a post that said that i needed to set a outbound rule, wan interface, source : network, nat adress : wan address, static port: yes.

This is the only thing that made the NAT go to OPEN (combined with the forwards i had before)

Is this really needed? What are the implications of this rule?

Can you try to reconfigure the lan and wan via console? I think it asks you to regenerate a cert when you do,maybe that will help?
I personally didn't have any issues, but I'm not using wire guard.

I don't have 'Upstream Gateway' checked, otherwise my config is the same as yours. Specifying a monitor IP is only necessary when the gateway doesn't respond to ping requests.

Same here.... it just checks the gw.

nvm

So i just removed all the forwards, installed upnp, and let that take care of it, sadly this doesnt open require ports either?
Im really lost here, maybe im running into hardware issues? maybe my nic isnt tagging vlan properly? i have no idea what to do here.

Port forwards did work when i wasnt using vlan's

I just reinstalled the machine, and switched re0 for WAN en em0 for LAN.
This doesnt help sadly, still im getting no port forwards to work.
i reset everything back to no VLAN at all.
Still battlenet is moaining about strict nat.

So i just removed all the forwards, installed upnp, and let that take care of it, sadly this doesnt open require ports either?
Im really lost here, maybe im running into hardware issues? maybe my nic isnt tagging vlan properly? i have no idea what to do here.

Port forwards did work when i wasnt using vlan's

So i just tested forwarding, im not getting anything opened, i'm going to capture local traffic on the client tomorow, see if the ports get to the client or not.

So i tried to do a capture on my client pc, sadly the program crashes if i have wireshark running :/
if i cose wireshark, program runs fine.

What can i do to figure this forwarding out once and for all? I'm pulling my hair out over this.

Also im seeing traffic running into a default rule block, but i have rules allowing the traffic?
(see screenshot)

So i just tested forwarding, im not getting anything opened, i'm going to capture local traffic on the client tomorow, see if the ports get to the client or not.

[all trunk ports]

On the trunk I would run everything as tagged and not use VLAN 1 at all - correct. That's exactly what I do in my setup here.

But "remove untagged on all ports" as you put it won't work for end systems that do not participate in trunking. A port based VLAN 15 port will still be untagged so you can connect a system you want in that particular VLAN and nowhere else.

"Remove untagged for all trunk ports" is what I recommend.

i meant remove all untagged vlan1 on all ports...?
So then i only have vlan15 tagged on port 1 , untagged on port 3+5

What i did now is remove all untagged 1 on all ports.
Made a new vlan (16) and tagged port 1, and untagged all other ports (except 3+5 (untagged vlan15).
This seems to work.
However my native lan (10.0.0.1) is now not in use.

Im going to test if forwards are working now. :)

[at all]

@cranky "native VLAN" means untagged. So you get untagged frames for VLAN 1 and tagged ones for VLAN 15 on that port. For OPNsense/FreeBSD that means VLAN 1 is in the parent interface and VLAN 15 on the VLAN interface.

Unfortunately from what I read on the forum some things don't quite work as intended when you mix untagged and tagged frames on the same interface and try to use different firewall rules or DHCP server settings on both.

IMHO (30 years of practice as a network engineer) the concept of a "native VLAN" and untagged frames on a trunk port at all is a huge design mistake and I always avoid them. In my data centre as well as at home. If I implement VLANs then on the trunks everything is tagged and the "native VLAN" - if the switch in question insists on using that concept like e.g. Cisco does - is set to some dummy value that is not used anywhere else.

HTH,
Patrick

So if i read this correctly, i should ignore VLAN1 at all? remove all the untagged on all ports?
Then make a vlan for normal LAN? lets say 16? and then tag 16 and 15 on port 1? (trunk to opnsense)

1 = cable to opnsense (this should be tagged 15 right?)

trunk native vlan 1
trunk allowed vlan add 1,15

haha sadly i dont have console (its a netgear web gui).
So on port1 i get tagged 1+15? if i change the untagged 1 to tagged it drops the LAN traffic :/

From internet. (VPS in datacenter) also Bnet just shows all ports are closed too (from outside).

As im reading it now, my switch is setup wrong.
Im rusty in vlan configuring. and confused cause all ports are standard vlan1 untagged? (so all are access port on vlan1?) (can i remove the untagged vlan1? i mean im not using vlan1, or is the switch depending on vlan1 for the switching?)
Im also getting confused by the PVID setup, they are all set to PVID 1.
So the switch is standard ootb untagged VLAN1 all ports, and PVID 1 on all ports.
From opnsense i just use LAN, and one VLAN(15) (to begin with).



So setup now :

PORT 1 = PVID 1 / UNTAGGED 1 / TAGGED 15
PORT 2 = PVID 1 / UNTAGGED 1
PORT 3 = PVID 15 / UNTAGGED 15
PORT 4 = PVID 1 / UNTAGGED 1
PORT 5 = PVID 15 / UNTAGGED 15
PORT 6 = PVID 1 / UNTAGGED 1
PORT 7 = PVID 1 / UNTAGGED 1
PORT 8 = PVID 1 / UNTAGGED 1
PORT 9 = PVID 1 / UNTAGGED 1
PORT 10 = PVID 1 / UNTAGGED 1
PORT 11 = PVID 1 / UNTAGGED 1
PORT 12 = PVID 1 / UNTAGGED 1
PORT 13 = PVID 1 / UNTAGGED 1
PORT 14 = PVID 1 / UNTAGGED 1
PORT 15 = PVID 1 / UNTAGGED 1
PORT 16 = PVID 1 / UNTAGGED 1


Port 3/5 = cable to clients (this should be untagged 15 with PVID 15 right?)
Port 1 = cable to opnsense (this should be tagged 15 right?) (what to do with the standard VLAN1?)
I did not setup VLAN PVID 1 , its native in the switch.

I think you need to share a bit more about your network setup. You've obviously got another router in the mix?

how is that obviously? there is nothing pointing to that info?

i have no other routing in the network. Opnsense(10.0.0.1) <vlan15(10.0.1.x)> - switch - <vlan15> - client. (10.0.1.200)

@cranky
looks like port forward works. something with reply (routes, reply-to or some)
I join @Greelan's question about routes and another question: where is the connection checked from?

No, no other routing in the network. only opnsense and switch to client.

ISP -> MODEM(Bridge) ->  Opnsense -> Switch -> Client.

Switch Setup :
Port 1 - Cable to Opnsense
Port 3/5 Cables to Clients.
VLAN1 Untagged (all ports)
VLAN 15 Tagged 1,3,5.



If i remove opnsense, and replace it with dd-wrt, problem is gone. (same setup, without vlan)
So im thinking its in the vlan setup?