Messages - dd2594opn

#1
Upgraded to 24.1_1 and everything at first appeared to be working ... but:

Now I can get to the internet from either one of my two LAN segments - provided I either go directly to an IP or change my DNS server on the host to a DNS server outside my opnsense.

So a picture:

PC1 (10.1.1.10) ------> OPNSENSE (10.1.1.1)

PC2 (10.2.2.10) ------> OPNSENSE (10.2.2.1)

OPNSENSE (10.10.10.10) -----> COMCAST RTR (10.10.10.9) -----> Internet (say 1.1.1.1)

PC1 can ping 10.1.1.1
PC2 can ping 10.2.2.1
PC1 can ping 10.10.10.10
PC2 can ping 10.10.10.10
PC1 cannot ping 10.10.10.9
PC2 cannot ping 10.10.10.9
PC1 can ping 1.1.1.1
PC2 can ping 1.1.1.1
DNS - if set to the internal 10.1.1.1 -- resolves only "internal" (Unbound overrides), if DNS set to external 1.1.1.1, no internal resolution (obviously)

Opnsense itself:
Can ping 10.1.1.10 and 10.2.2.10 (PC1 and PC2)
Can ping 10.1.1.1 and 10.2.2.1 (the internal side of itself)
Cannot ping 10.10.10.10 (the external side of itself)
Can ping 10.10.10.9 (upstream gateway)
Cannot ping 1.1.1.1
No DNS resolution (even though defined in setup)

Anyone got hints?
#2
Looking at another thread dealing with much the same issue -- try using a different mirror. The DE mirror seems to not have issues. I am going to confirm later today on a second system. I finally got my first test system updated over night using its default mirror (assuming the US since that is where I am), but it took over 8 hours to do.
#3
My test one finally updated -- after just letting it sit over night (took better than 8 hours). I will try an update from one of the other mirrors today on a second system.

Hopefully someone is watching and can fix the mirror issue.
#4
Getting a like error from my system ... what has happened?
#5
22.7 Legacy Series / Re: R86S - Mellanox
January 06, 2023, 11:13:37 PM
It sounds like an incompatible DAC. Had the same kind of issue with some optical SFP+ on a Mikrotik switch.

I have two Cisco DAC (SFP-H10GB-CU1M) and have no issues with the connection between the R86S and Mikrotik CRS317 it is connected to.
#6
22.7 Legacy Series / Re: R86S - Mellanox
January 05, 2023, 01:24:52 PM
FraLem -- I have not been able to fully stress test them.

You can look at a review of the device here though: https://youtu.be/Z-YLy-RRZnM
#7
22.7 Legacy Series / Re: R86S - Mellanox
January 05, 2023, 04:05:54 AM
I have the same equipment. Do the following and both sfp+ work at 10G:

Add a file to the /boot directory. Name: loader.conf.local  -- this enables the keeping of the file across updates, etc.

Contents of the file:

mlx4en_load="YES"

--- save and reboot. Both adapters then are detected as expected.
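The loader.conf.local step above, as an added example that is not code from the post or from the OPNsense project: a small Python helper that makes the `mlx4en_load="YES"` line present exactly once, rewrites a differing value in place, keeps any other tunables already in the file, and writes through a temporary file plus rename so an interrupted write cannot leave /boot/loader.conf.local truncated. It assumes only the FreeBSD `key="value"` loader.conf format; the `demo()` function runs the same sequence on a throwaway file so the logic can be checked without touching /boot.

```python
import os
import re
import tempfile


def _key_re(key: str) -> "re.Pattern":
    # Matches  key="value"  or  key=value, optionally followed by a # comment.
    return re.compile(r'^\s*' + re.escape(key) + r'\s*=\s*"?([^"#\s]*)"?\s*(#.*)?$')


def ensure_tunable(path: str, key: str, value: str) -> str:
    """Make sure `path` contains exactly one line `key="value"`.

    Returns 'added', 'updated' or 'unchanged'. Other lines are kept, a
    differing value for `key` is rewritten in place, and duplicate lines
    for `key` are collapsed into the first one. The file is created if it
    does not exist yet (the post's case: a fresh loader.conf.local).
    """
    line_re = _key_re(key)
    old = []
    if os.path.exists(path):
        with open(path, encoding="utf-8") as fh:
            old = fh.read().splitlines()

    wanted = f'{key}="{value}"'
    new, first_at = [], None
    for line in old:
        if line_re.match(line):
            if first_at is None:
                first_at = len(new)
                new.append(wanted)
            # later duplicate lines for the same key are dropped
            continue
        new.append(line)
    if first_at is None:
        new.append(wanted)

    if new == old:
        return "unchanged"

    # Write to a temp file in the same directory, then atomically rename over the target.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)), prefix=".loader.")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write("\n".join(new) + "\n")
    os.replace(tmp, path)
    return "added" if first_at is None else "updated"


def read_tunable(path: str, key: str):
    """Return the value currently set for `key`, or None if absent."""
    line_re = _key_re(key)
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            m = line_re.match(line.rstrip("\n"))
            if m:
                return m.group(1)
    return None


def demo() -> tuple:
    """Run the add / no-op / update sequence on a throwaway file."""
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "loader.conf.local")
        r1 = ensure_tunable(p, "mlx4en_load", "YES")   # first run creates the file
        r2 = ensure_tunable(p, "mlx4en_load", "YES")   # second run is a no-op
        r3 = ensure_tunable(p, "mlx4en_load", "NO")    # changed value is rewritten in place
        return (r1, r2, r3, read_tunable(p, "mlx4en_load"))


if __name__ == "__main__":
    # The real step from the post; needs root on the OPNsense box.
    print(ensure_tunable("/boot/loader.conf.local", "mlx4en_load", "YES"))
```

After the reboot, `kldstat | grep mlx4en` on the firewall confirms the driver module actually loaded, which is the check worth doing before looking at the SFP+ ports themselves.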
#8
22.7 Legacy Series / Re: Problem with 1:1 NAT
January 03, 2023, 03:05:18 PM
Ok - I will look at the anti-lockout rules ... but this is not the interface the UI uses. The UI uses the LAN interface, this is the WAN interface.

And even if it were, the Virtual IPs and their 1:1 NATs should not be affected. This is the real crux here. The 1:1 NATs should be accomplished before the port forwards on the WAN IP -- when implemented in the proper order there is no issue with the rules.

And again for the anti-lockout rules -- those should be on the LAN interface not the WAN interface.
#9
22.7 Legacy Series / Re: Problem with 1:1 NAT
January 03, 2023, 01:22:44 PM
Workarounds are great - figured those out - the real question: am I seeing the real issue correctly? And what should the actual way the software operates be?

#10
22.7 Legacy Series / Re: Problem with 1:1 NAT
January 03, 2023, 05:46:03 AM
So I played and played and played -- basically I rebuilt my entire firewall in test ... and I can make the setup work, that is until I do a specific port forward ...

What is the order of execution for the NAT 1:1 and Port Forward rules?

I have the following working -- a /29 public IP subnet ... so:

gateway: x.x.x.9
opnsense: x.x.x.10
static IPs: x.x.x.11-x.x.x.14

I then have virtual IPs mapped onto the WAN interface (which is a static IP of x.x.x.10) and 1:1 NAT to internal addresses:
x.x.x.11 --> y.y.y.211
x.x.x.12 --> y.y.y.212
x.x.x.13 --> y.y.y.213
x.x.x.14 --> y.y.y.214

Added WAN firewall rules to allow specific ports for the 1:1 NATs (y.y.y.211-214)

To this point everything works as expected. I then add a port forward for x.x.x.10 (OPNsense) port WebPorts to y.y.y.55 port WebPorts (80, 443).

Once that port forward is added everything that was 1:1 NAT stops working. This leads me to believe that OPNsense applies the rules in a different order than pfSense. From what I can see in the logs it appears that the port forward gets applied first -- then the 1:1 NATs ... which seems somewhat counter to the purpose of 1:1 NAT.

Am I seeing this correctly?
#11
22.7 Legacy Series / Re: Problem with 1:1 NAT
January 03, 2023, 12:10:04 AM
Thanks - I have checked all of those and yes used the pfSense document before -- since this exact setup works just perfectly under pfSense.

Guess OPNsense can't handle the simple Virtual IPs being on the WAN interface (hence no routing needed for this setup -- all of the static public IPs are on the same interface, there is no interface needing routing).

Do I know this to be an OPNsense issue -- yes. No need to contact the ISP since I could put pfSense back in place and the exact same setup would begin functioning again.

So the question -- what is different about OPNsense trying to handle Virtual IPs for a multiple public static IP situation -- not a Multi-WAN -- single WAN with multiple static IPs ... what should be (and is under OPNsense's parent, pfSense) simple seems to not be so.
#12
22.7 Legacy Series / Re: Problem with 1:1 NAT
January 02, 2023, 04:08:39 PM
So specifically what should I be looking at in the Firewall -- Settings -- Advanced ... assume the Dual-WAN you refer to is Multi-WAN. In the physical sense there is not a Multi-WAN involved. Literally this is a single NIC for the WAN with multiple IPs (using Virtual IPs) mapped to it.

So what settings would be in question here? I find no reference to them in the documentation. I know it has to be a block that OPNsense has, but which one and where? I have configured what the documentation has and everything works except for when on a machine truly external to my network.

I can get to the web server on the x.x.x.11 virtual IP from the internal network and when connected by VPN - so there is a block somewhere in the OPNsense rules/settings. But the documentation doesn't make clear which one. I know the base system will work as I converted a working pfSense (same basic system under the hood) to OPNsense and this problem begins occurring.
#13
22.7 Legacy Series / Problem with 1:1 NAT
December 31, 2022, 08:08:18 PM
Hello - I am having trouble setting up 1:1 NAT for my /29 public subnet.

I have an x.x.x.8/29 subnet - the ISP gateway is x.x.x.9 -- my opnsense router is at x.x.x.10 and basic networking/access for all my internal subnets is functioning.

I have added a Virtual IP entry for each of my remaining /29 IPs:

Mode: IP Alias
Interface: WAN
Address: x.x.x.11/29   (also x.x.x.12/29, x.x.x.13/29, x.x.x.14/29)

The interface appears to have taken ownership of the Virtual IPs as expected, as pinging x.x.x.<10,11,12,13,14> all respond from an external machine.

Each of the Virtual IPs has a 1:1 NAT entry:

Interface: WAN
Type: BINAT
External Network: x.x.x.11   (or 12, 13, 14)
Source: Single Host or Network x.x.x.211/32  (or 212, 213, 214 as appropriate)
NAT Reflection: Enabled

Firewall Rules on the WAN interface:

Pass rule -- In, IPv4, TCP, Source: any, Destination: x.x.x.211 Ports: <alias for 80, 443>

--- so now the issue:

Internally the web server responds as expected. But when I attempt to access from an external machine using say https://x.x.x.11 or by the registered DNS name the response is: 404 Site x.x.x.11 is not served on this interface

What is it I am missing?
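The setup described in this post and the ordering question raised in #10 (1:1 NAT on the virtual IPs plus a port forward on the firewall's own WAN address) can be written down and sanity-checked before any of it is loaded into the firewall. The following is an added example, not code from the thread or from the OPNsense project. It assumes only that the configuration ends up as pf translation rules, which pf evaluates in order with the first matching rule winning, so an rdr that claims an address already covered by a binat is the kind of overlap that makes ordering matter. The addresses are constructed: 203.0.113.8/29 stands in for the x.x.x.8/29 public block and 192.0.2.0/24 for the y.y.y internal network. `check_plan` also flags a 1:1 external address outside the WAN subnet or colliding with the gateway or firewall address, and `render_pf` prints the plan in pf.conf syntax for comparison against what the firewall actually loads.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Binat:
    """1:1 NAT: every port of `external` maps to `internal` and back."""
    external: str
    internal: str


@dataclass(frozen=True)
class Rdr:
    """Port forward: TCP `ports` arriving on `external` are sent to `internal`."""
    external: str
    ports: Tuple[int, ...]
    internal: str


def render_pf(wan_if: str, binats: Iterable[Binat], rdrs: Iterable[Rdr]) -> str:
    """Emit the plan in pf.conf syntax with the 1:1 rules first.

    pf evaluates translation rules in order and the first match wins, so the
    order of the emitted lines is the precedence the firewall would apply.
    """
    lines = []
    for b in binats:
        lines.append(f"binat on {wan_if} from {b.internal} to any -> {b.external}")
    for r in rdrs:
        ports = ", ".join(str(p) for p in r.ports)
        lines.append(
            f"rdr on {wan_if} proto tcp from any to {r.external} "
            f"port {{ {ports} }} -> {r.internal}"
        )
    return "\n".join(lines)


def check_plan(wan_subnet: str, reserved: Iterable[str],
               binats: Iterable[Binat], rdrs: Iterable[Rdr]) -> List[str]:
    """Return human-readable problems; an empty list means nothing overlaps."""
    net = ipaddress.ip_network(wan_subnet)
    reserved = set(reserved)
    problems: List[str] = []
    binat_by_ext = {}
    for b in binats:
        if ipaddress.ip_address(b.external) not in net:
            problems.append(f"binat external {b.external} is outside {wan_subnet}")
        if b.external in reserved:
            problems.append(f"binat external {b.external} is the gateway or firewall address")
        if b.external in binat_by_ext:
            problems.append(f"binat external {b.external} is mapped twice")
        binat_by_ext[b.external] = b
    seen_port = set()
    for r in rdrs:
        if r.external in binat_by_ext:
            # A binat already claims every port of this address; the rdr either
            # shadows it or is shadowed by it, depending on rule order.
            problems.append(
                f"rdr on {r.external} ports {r.ports} overlaps the 1:1 NAT to "
                f"{binat_by_ext[r.external].internal}; whichever rule comes first wins"
            )
        for p in r.ports:
            if (r.external, p) in seen_port:
                problems.append(f"two rdr rules claim {r.external} port {p}")
            seen_port.add((r.external, p))
    return problems


# Constructed stand-ins for the thread's x.x.x.8/29 (public) and y.y.y (LAN) addresses.
WAN_SUBNET = "203.0.113.8/29"
GATEWAY, FIREWALL = "203.0.113.9", "203.0.113.10"


def thread_plan():
    """The post's layout: .11-.14 mapped 1:1, web ports on the firewall address forwarded."""
    binats = [Binat(f"203.0.113.{11 + i}", f"192.0.2.{211 + i}") for i in range(4)]
    rdrs = [Rdr(FIREWALL, (80, 443), "192.0.2.55")]
    return binats, rdrs


def shadowed_plan():
    """Same 1:1 mappings, but with the web forward placed on a 1:1 address."""
    binats, _ = thread_plan()
    return binats, [Rdr("203.0.113.11", (80, 443), "192.0.2.55")]


def problems_for(plan) -> List[str]:
    binats, rdrs = plan()
    return check_plan(WAN_SUBNET, (GATEWAY, FIREWALL), binats, rdrs)


if __name__ == "__main__":
    print(render_pf("igb0", *thread_plan()))
    print("thread plan problems:", problems_for(thread_plan))
    print("shadowed plan problems:", problems_for(shadowed_plan))
```

For the plan as the post describes it the checker reports nothing, because the forward sits on the firewall's own address and not on any of the 1:1 addresses; that narrows the search to what the firewall actually generated rather than to the plan itself. On the firewall, `pfctl -sn` lists the loaded translation rules in their evaluation order, which is the thing to compare against the rendered plan.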