24.1 Legacy Series / Re: After reboot wireguard behind opnsense no outbound NAT to WAN Interface pppoe0
« on: March 03, 2024, 02:15:04 pm »
I had a similar issue that I've been wrestling with. In my setup I've an external device that handles the ppp connection and gives me a /29 network. The Opnsense has a WAN interface in that /29 for internet access and should NAT everything behind the IP on the WAN interface which the ppp router will then handle.
However, on a reboot of the FW I was seeing non natted traffic from my network hit the PPP router. The FW on that device is set to drop anything that is sourced from RFC1918. ALL the traffic that was hitting it was ZeroTier (UDP 9993) traffic.
Looking at the states, there were ones for direct (non-NAT) in place and NAT ones. If I cleared the state tables (either all or the relevant ones just for the ZeroTier traffic) it all started working again, with the NAT rule being hit and processed properly.
After much playing about, I seem to have found a fix.
Under:
Firewall -> Settings -> Advanced
Tick the "Skip Rules when gateway is down".
This seems to prevent the issue.
My guess is that when this is NOT ticked the FW rules were enabled so traffic was able to leave the interface to the WAN, but whilst the GW was down (which it will be for a little bit after a reboot) NAT rules aren't yet in effect and hence it was letting through the ZeroTier traffic without NAT. Once the GW came up, the NAT rules start working and the additional states for NAT get created. However, as there is already an earlier state for the non-NAT case, this continues to get processed. As ZeroTier is constantly sending UDP traffic, the early state never times out and expires.
By having this feature ticked, the rules are not in place until the GW is up. So the NAT is in place before the rules that allow the ZeroTier traffic out are hit.
I've done a number of reboots since enabling this option and so far, I've not seen a repeat of the issue. Time will tell if I've broken anything else by doing this though :-)
Hopefully this will help in your situation.
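The stale-state condition described in the post (a state created on the WAN interface before outbound NAT was active, so the private source address is never translated) can be checked for on the firewall itself by reading the state table. The script below is an added example, not code from the post or from the OPNsense project: it parses lines in the format `pfctl -ss` prints on FreeBSD/OPNsense, flags outbound states on a WAN interface whose source is an RFC1918 address with no translated address in parentheses, and prints the matching `pfctl -k` kill commands instead of running them. The sample state lines, the interface name `pppoe0` and all addresses are constructed for the example; run it with real `pfctl -ss` output piped on stdin to check a live box.

```python
#!/usr/bin/env python3
"""Flag pf states that left a WAN interface without outbound NAT.

Added example (not from the forum post or OPNsense). Reads `pfctl -ss`-style
lines and reports outbound states whose source is an RFC1918 address and
that carry no translated address, i.e. states created while NAT was not yet
in effect (for example right after a reboot, before the gateway came up).
"""
import ipaddress
import re
import sys

# Constructed sample in the style of `pfctl -ss` output (not a real capture).
# A NATed state shows the translated address first and the original source
# in parentheses; an untranslated state shows only the original source.
SAMPLE_STATES = """\
pppoe0 udp 192.168.10.25:9993 -> 203.0.113.40:9993       MULTIPLE:MULTIPLE
pppoe0 udp 198.51.100.6:9993 (192.168.10.25:9993) -> 203.0.113.40:9993       MULTIPLE:MULTIPLE
pppoe0 tcp 198.51.100.6:51234 (192.168.10.7:51234) -> 203.0.113.80:443       ESTABLISHED:ESTABLISHED
lan udp 192.168.10.25:9993 -> 203.0.113.40:9993       MULTIPLE:MULTIPLE
"""

# RFC1918 ranges checked explicitly (the post's PPP router drops these);
# ipaddress.is_private would also match documentation ranges, so it is not used.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# iface proto src [(orig)] dir dst state   -- "all" appears as iface for floating states
STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<src>[^\s(]+)(?:\s+\((?P<orig>[^)]+)\))?\s+"
    r"(?P<dir><->|->|<-)\s+(?P<dst>\S+)\s+(?P<state>\S+)\s*$"
)


def parse_state(line):
    """Return a dict of the state fields, or None if the line is not a state."""
    m = STATE_RE.match(line)
    return m.groupdict() if m else None


def host(addr_port):
    """Strip the port: pf prints 'v4addr:port' and 'v6addr[port]'."""
    if addr_port.endswith("]") and "[" in addr_port:
        return addr_port[: addr_port.index("[")]
    return addr_port.rsplit(":", 1)[0]


def is_rfc1918(ip_text):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in RFC1918)


def find_untranslated(states_text, wan_ifaces):
    """Outbound states on a WAN interface with an RFC1918 source and no NAT."""
    flagged = []
    for line in states_text.splitlines():
        st = parse_state(line)
        if st is None or st["iface"] not in wan_ifaces or st["dir"] != "->":
            continue
        # orig is None when pf did not translate the source address
        if st["orig"] is None and is_rfc1918(host(st["src"])):
            flagged.append(st)
    return flagged


def kill_commands(flagged):
    """Build `pfctl -k src -k dst` commands (printed, never executed here)."""
    return [f"pfctl -k {host(st['src'])} -k {host(st['dst'])}" for st in flagged]


def main():
    # Use real `pfctl -ss` output when piped in, otherwise the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_STATES
    wan = set(sys.argv[1:]) or {"pppoe0"}  # assumed WAN interface name
    flagged = find_untranslated(text, wan)
    if not flagged:
        print("no untranslated RFC1918 states on", ", ".join(sorted(wan)))
        return
    for st, cmd in zip(flagged, kill_commands(flagged)):
        print(f"untranslated: {st['iface']} {st['proto']} {st['src']} -> {st['dst']}   kill with: {cmd}")


if __name__ == "__main__":
    main()
```

On the sample only the first line is flagged: the NATed ZeroTier state has a translated source, the TCP state is translated too, and the `lan` state is not on the WAN interface. Killing the flagged state with the printed command reproduces the "clear the state table" fix from the post for just the offending flow rather than all states.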