Messages - hase

#1
23.1 Legacy Series / Exempt some traffic from NAT
June 22, 2023, 04:02:11 PM
OPNsense noob here (with some networking background).

simple setup:

            +----------+                 +------------+
--- LAN --- | opnsense | --- DSL net --- | dsl-router |
            +----------+                 +------------+
                 |
                 |                       +--------------+
                 +------- cable net ---- | cable router |
                                         +--------------+

I also have Multi-WAN set up with a fail-over GW-group CABLE-DSL, seems to work so far.

I was puzzled by the fact that I could not reach any device on the DSL network from within the LAN network.
The reason is simple: the NAT gets applied to the SYN packets originating in LAN and then the packet is fed to the firewall. The firewall rules and routing then treat the packet as a packet originating on the firewall itself - so the gateway is forced to the GW group and sent to the cable router.
The cable router then bounces the packet right back (destination is in an internal network, the opnsense is set as the GW for all internal networks on the cable box).

The incoming packet on the WAN is then blocked by a FW rule.

So far, I understand the problem.
Packet is NATted, then firewalled, then routed, ends up at the cable box.

What I want to achieve is:

- traffic LAN -> BEI going through NAT
- traffic LAN -> DSL net not NATted

I tried switching NAT-outbound to "Hybrid" and adding a NO NAT rule for source "LAN net" destination "DSL net".

Result: same as without the rule. Packet originating on LAN still NATted to the opnsense IP address in source IP and then forwarded to the cable router, even with the destination address clearly in the DSL net range.

#2
Hi,

I did compose a reply post here - quite long - and then it hit me.
The problem is that my LAN->DSL net traffic is going through NAT.

My network is very basic (for now):
- DSL router 192.168.177.1
-- has its own wlan with existing clients
- cable router 192.168.176.1
- opnsense appliance
-- interface WAN: DHCP client to the cable router (opnsense-IP fixed in DHCP, set as exposed host)
-- interface DSL: DHCP client to the DSL router (opnsense-IP fixed in DHCP, set as exposed host)
--interface LAN: internal, firewalled network.
--- DHCPv4 server in opnsense

Because the opnsense applies the NAT, the SYN-packet from my LAN device is modified (source address is set to an IP of the opnsense).
This modified packet is then fed to the firewall, therefore the auto-generated rule marked "let out anything from firewall host itself (force gw)" is applied - and this forces the gateway to the cable router, as that is currently active.

So the new question is: how do I bypass NAT for some of my traffic while applying it to Internet-bound traffic?

I will fiddle with that for a moment.

thanks for talking :-)
greetings from a hot Berlin/Germany
hase
#3
Hi,
I am a bit experienced with IP, but a relative noob with opnsense.

I do have a Multi-WAN setup working, and the automatic switching between my (fast but flaky) cable and (not so fast, reliable) DSL seems to work fine.

For $Reasons I also have some devices on the Network handled by the DSL router besides the opnsense.

I did manage to access the DSL router's web interface (IP 192.168.177.1, also the DSL-GW in Tier 2 of the CABLE-DSL gateway group) from computers on the LAN.
But when I try to reach any device within 192.168.177/24 other than the .1, the traffic goes out to the Cable-GW.
I see that as incoming traffic on the WAN (=Cable) interface on the opnsense: blocked by the default rules.

I do have an FW rule on the LAN interface for the destination range 192.168.177/24 with Gateway DSL-GW, direction in (also tried out, same effect). The rule is atop the rule permitting LAN-originated traffic to 0/0.
Also, as far as I understand the BSD routing table (as presented in the opnsense web interface), the routing engine of the IP stack should direct dest-192.168.177/24 traffic through the respective ethernet interface.

I want the FW to default all traffic through the cable router and only fall back to DSL in exceptions (cable down), but I also want management traffic to my legacy network from the office network...

What am I missing?

merci
hase
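The behaviour all three posts are after (LAN to Internet source-NATted, LAN to the DSL net left untouched and kept off the fail-over gateway) written out as plain FreeBSD pf rules, the engine underneath OPNsense. This is an added example, not configuration from the thread and not the rule set OPNsense generates. The interface names igb0/igb1/igb2 and the LAN prefix 10.0.0.0/24 are assumptions; 192.168.177.0/24 and 192.168.176.1 come from the posts. It makes explicit the two conditions that decide whether a NO NAT exemption takes effect at all: translation rules are matched first-match before any filter rule is consulted, so the exemption has to sit above the catch-all nat rule, and an outbound NAT rule is bound to one interface and only sees packets that actually leave through that interface.

```pf
# Added example (not from the thread or from OPNsense's generated rules):
# FreeBSD pf rules for the setup described in the posts. Interface names and
# the LAN prefix are assumptions; 192.168.177.0/24 and the router address
# are taken from the posts.
lan_if   = "igb0"
wan_if   = "igb1"               # towards the cable router (assumed name)
dsl_if   = "igb2"               # towards the DSL router (assumed name)
lan_net  = "10.0.0.0/24"        # assumed LAN prefix, not given in the posts
dsl_net  = "192.168.177.0/24"
cable_gw = "192.168.176.1"

# Translation rules are evaluated before filter rules, and the first matching
# translation rule wins, so the exemption must come before the catch-all.
# Each nat rule is bound to the interface the packet leaves on: an exemption
# written on $wan_if never matches a packet that exits via $dsl_if, and the
# other way round.
no nat on $dsl_if from $lan_net to $dsl_net
nat on $wan_if from $lan_net to any -> ($wan_if)

# Filter rules: match LAN -> DSL net first with "quick", so that no later rule
# (for example one that forces a gateway) can take the packet. The DSL net is
# directly attached to $dsl_if, so ordinary routing already sends it there and
# no route-to is needed.
pass in quick on $lan_if inet from $lan_net to $dsl_net keep state

# Everything else from LAN is steered to the cable router explicitly.
pass in quick on $lan_if route-to ($wan_if $cable_gw) inet from $lan_net to any keep state

# Replies arriving on $dsl_if or $wan_if for these sessions are matched by the
# state table; nothing further needs to be opened on the WAN sides.
```

Two things to check against a live box when comparing this with what the GUI produces: which interface the NO NAT rule was created on (it must be the DSL-facing one, since that is where the exempted packets leave), and whether the LAN rule for the DSL net is evaluated before the auto-generated "force gw" rule. The example pins the default path to the cable gateway; the automatic fall-back to DSL that the gateway group provides is done by OPNsense rewriting the active gateway, which a static rule set like this one does not express.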