
Messages - MWR-Napavine

#1
I am still trying to figure out why NAT reflection stopped working... but for now I've implemented a split DNS that is a workaround for the issue.
#2
Okay, one thing clarified:

I see that I can make aliases for ports. I thought aliases were for hosts/IPs only... but now I see the option to create an alias for ports as well.

From what I'm reading, Aliases might be broken? So don't use them, anyways?
#3
Quote: Did you group your ports with aliases...

Group my ports with aliases? Not sure how to do that. I don't think I'm doing that. I do have an alias, but it's a group of IPs, not a group of ports.

I do have some rules for ports 80 and 443, which are then "named" at HTTP and HTTPS... are those the "aliases"? I tried to set them as "Other" and use the port numbers directly, but the system just returns to using the HTTP and HTTPS "aliases" for them.

Quote: or combine multiple ports in one NAT rule?

I have many NAT rules. Some have ranges of ports. This wasn't a problem before, but perhaps things have changed.

Quote: Look here: https://forum.opnsense.org/index.php?topic=28639

I did read this... The post says that when doing port forwarding with a single rule for 2 ports (the example given was 143 and 587), the forwarding breaks. The solution was to make them two separate rules.

Unfortunately, I have large ranges that I'm forwarding. Is there a way to fix this without making hundreds of individual rules?

I'm probably not understanding the issue clearly. Thanks for any help.
#4
Greetings.

I have an OPNSense Firewall with a single WAN. The LAN port goes to a Layer 3 switch which is doing the routing between other networks.

To do this I have an extra Gateway defined for the Layer 3 Switch. Also, the Outbound NAT setting is set to Hybrid so I can manually enter rules for the extended networks.

You may ask "Why are you having the L3 Switch do the routing and not pass the VLANS to the OPNSense router?" Because I have a Content Filter sitting between the Switch and the Firewall, and it needs to see all the traffic. (This is for a K12 School network.)

So my network looks something like this:

Internet -> (WAN Port) OPNSense (LAN Port) -> Content Filter -> Layer3 switch -> Multiple VLANs with different IP Networks

That all works. But I needed to explain all that so I can ask about port forwarding and NAT reflection.

-------

I have some services that are internal servers but are reachable through my OPNSense firewall via port forwarding. This works perfectly outside my networks. It also did work from inside my networks as well via NAT reflection. But somehow, this stopped working.

I've tried many different settings to get this to work:

  • Global settings for NAT reflections for port forwards enabled and disabled
  • Individual port forward settings for NAT reflection enabled and disabled
  • Manually created WAN Firewall rules to allow ports through from any source
  • Trying the "Allow Bogons" and/or "Allow Private Networks" Setting from WAN

None of it is allowing internet computers to reach the resources via NAT reflection.

So, I've changed most of the settings back to defaults, as I don't want to be allowing the BOGON or private networks through the WAN if I don't have to.

So, I'm at a loss now of what I can try. I don't see any requests being blocked in the live logs when I attempt to reach those ports, so I don't think it's a firewall issue. Is there a log file somewhere else where I can see if the reflections are working? Or is there something simple I'm missing/forgetting?

Thanks for any support.
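To get at the "is there somewhere I can see if the reflections are working" question, here is an added client-side diagnostic (not from the thread and not an OPNsense tool): run from a host on one of the routed VLANs, it resolves the service name, then tries the forwarded port via the internal address and via the WAN address, and reports whether NAT reflection or the split DNS workaround from the later post is what is carrying the traffic. The hostname and addresses are constructed placeholders.

```python
import socket
from typing import Callable, Dict

# Constructed placeholder values (not from the forum thread): a forwarded
# service reachable at a public name, its WAN address and the internal host.
SERVICE_HOST = "service.example.org"   # hypothetical public hostname
WAN_IP = "203.0.113.10"                # placeholder WAN address
INTERNAL_IP = "192.0.2.20"             # placeholder internal server address
PORT = 443                             # forwarded port under test

VERDICTS = {
    "no_server": "internal server not reachable directly; fix routing/server before looking at reflection",
    "reflection_ok": "NAT reflection works: the WAN address reaches the internal server from inside",
    "split_dns": "reflection path broken, but split DNS sends internal clients straight to the server",
    "broken": "reflection path broken and clients resolve the WAN address; check the rule's reflection setting and outbound NAT for the routed networks",
}

def resolve_name(name: str) -> str:
    """Resolve a hostname with the client's configured resolver (first A record)."""
    return socket.gethostbyname(name)

def tcp_reachable(ip: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP handshake to ip:port completes within the timeout."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False

def diagnose(resolve: Callable[[str], str] = resolve_name,
             connect: Callable[[str, int], bool] = tcp_reachable) -> Dict[str, object]:
    """Probe the direct and reflected paths and say which one clients are using."""
    resolved = resolve(SERVICE_HOST)
    direct_ok = connect(INTERNAL_IP, PORT)      # path that needs no reflection
    reflection_ok = connect(WAN_IP, PORT)       # path through the port forward
    split_dns = resolved == INTERNAL_IP         # the workaround from post #1
    if not direct_ok:
        key = "no_server"
    elif reflection_ok:
        key = "reflection_ok"
    elif split_dns:
        key = "split_dns"
    else:
        key = "broken"
    return {"resolved_ip": resolved, "split_dns_active": split_dns,
            "direct_ok": direct_ok, "reflection_ok": reflection_ok,
            "verdict": VERDICTS[key]}

if __name__ == "__main__":
    for k, v in diagnose().items():
        print(f"{k}: {v}")
```

Run it once from a VLAN client and once from the LAN segment in front of the content filter; if the direct path works everywhere but the WAN-address path only fails from the routed VLANs, the problem is on the return path through the L3 switch rather than in the port-forward rule itself.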