Messages - Layla

#1
I found firewall -> nat -> port forward -> nat reflection -> enable not to be working.


after digging around the internet a bit I found the solution was to set:


firewall -> nat -> port forward -> nat reflection -> use system default

and then go to:
firewall -> settings -> advanced -> network address translation -> Reflection for port forwards -> checked
firewall -> settings -> advanced -> network address translation -> Automatic outbound NAT for Reflection -> checked


I had to go back and set nat reflection to system default to get it to work. 


My hardware and software versions:
DEC740

Type    opnsense   
Version    23.1.11   
Architecture    amd64   
Commit    f1305748e   
Mirror    https://pkg.opnsense.org/FreeBSD:13:amd64/23.1   
Repositories    OPNsense   
Updated on    Wed Jul 5 23:42:46 CDT 2023   
Checked on    N/A

Good luck,
Layla
#2
rebooting lets me re-enable the module without it dropping all internet

restarting the service results in it dropping all internet


either way it simply seems to be broken. very frustrating.
#3
same issue:
https://forum.opnsense.org/index.php?topic=34756.0

briefly fixed it by reinstalling the package, but reverted to previous behavior.

been testing it by throwing known bad IPs at it.
#4
so on my system with a static wan ip and manual nat forwarding rules, if I disable the root user, which I would like to do as a security measure, it appears to disable NAT.

which breaks the internet.

thing is, I would like to disable the root user as a standard security measure :(.


hardware:
DEC740

software version:
Type    opnsense   
Version    23.1.11   
Architecture    amd64   
Commit    f1305748e   
Mirror    https://pkg.opnsense.org/FreeBSD:13:amd64/23.1   
Repositories    OPNsense   
Updated on    Wed Jul 5 23:42:46 CDT 2023   
Checked on    N/A
#5
edit: This does not seem to have completely fixed my issues; when I went to verify it was working today, it did not work again.

I tried reinstalling the module again, and lost all internet, much to my shock.  Promptly disabled the entire intrusion detection service.  This will be another midnight project :(.
#6
I thought I fixed my broken services -> intrusion detection

I tried everything with my intrusion detection, which was why I bought the router. I couldn't get it to block anything, and I could only get it to alert sometimes. Policies wouldn't take and it just seemed broken.


I thought I fixed it with:
system -> Firmware -> Packages -> suricata -> reinstall

magically everything started working.



My hardware:
brand new DEC740 fresh out of the box,

software version:
Type    opnsense   
Version    23.1.11   
Architecture    amd64   
Commit    f1305748e   
Mirror    https://pkg.opnsense.org/FreeBSD:13:amd64/23.1   
Repositories    OPNsense   
Updated on    Wed Jul 5 23:42:46 CDT 2023   
Checked on    N/A

Layla
#7
automatic nat rules not being created for public static wan ip

found this topic:
https://forum.opnsense.org/index.php?topic=16835.msg76606#msg76606

still relevant. But I found it all over the internet once I realized what to search for.

brand new DEC740,

Type    opnsense    
Version    23.1.11    
Architecture    amd64    
Commit    f1305748e    
Mirror    https://pkg.opnsense.org/FreeBSD:13:amd64/23.1    
Repositories    OPNsense    
Updated on    Wed Jul 5 23:42:46 CDT 2023    
Checked on    N/A

took me quite some time to figure out. Worked fine in testing, went to swap it in live and the entire resort went down.

Turns out the resort's static WAN IP does not generate the automatic outbound NAT rules like the DHCP WAN does.


I also did not know how to add the outbound NAT rules, so this took quite a while for me to fix.


if you end up finding this post on forum search, here is what I did:
Hybrid outbound NAT rule generation

then:

Interface    Source    Source Port    Destination    Destination Port    NAT Address    NAT Port    Static Port
WAN2    ! WAN2 net    *    *    *    WAN2 address    *    NO
WAN2    ! WAN2 net    *    *    500    WAN2 address    *    YES


Good luck,
Layla
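To make the two hybrid outbound NAT rows above easier to read and to check, here is an added example (not OPNsense's own code and not from the poster) that parses rows in the same column layout as the web UI table, renders each one as the pf(4) `nat` rule it roughly corresponds to, and reports any WAN interface that has no outbound rule at all, which is the gap the post describes for a static WAN address. The device names in `IFACE_DEVICES` (vtnet0 for WAN, vtnet1 for WAN2) are constructed assumptions, and the pf rendering is my own approximation of the syntax rather than the exact rule OPNsense generates.

```python
"""Render OPNsense-style outbound NAT table rows as pf(4) 'nat' rules and
flag WAN interfaces that have no outbound NAT rule.

Added example, not OPNsense code.  IFACE_DEVICES is an assumed mapping of
OPNsense interface labels to FreeBSD device names; SAMPLE_TABLE holds the two
rows from the post above as constructed input, fields separated by two or
more spaces exactly as they appear when copied from the web UI table.
"""
import re
from dataclasses import dataclass

# Constructed assumption: which FreeBSD device backs each interface label.
IFACE_DEVICES = {"WAN": "vtnet0", "WAN2": "vtnet1"}

SAMPLE_TABLE = """\
Interface    Source    Source Port    Destination    Destination Port    NAT Address    NAT Port    Static Port
WAN2    ! WAN2 net    *    *    *    WAN2 address    *    NO
WAN2    ! WAN2 net    *    *    500    WAN2 address    *    YES
"""


@dataclass(frozen=True)
class OutboundRule:
    interface: str
    source: str            # "! WAN2 net", "*", or a literal host/CIDR
    source_port: str       # "*" or a port
    destination: str
    destination_port: str
    nat_address: str       # "WAN2 address", "*", or a literal host
    nat_port: str
    static_port: bool      # YES keeps the source port (needed for IPsec/500)


def parse_table(text):
    """Parse UI-style rows (columns separated by 2+ spaces or tabs)."""
    rows = [re.split(r"\s{2,}|\t", ln.strip())
            for ln in text.splitlines() if ln.strip()]
    header, body = rows[0], rows[1:]
    if len(header) != 8:
        raise ValueError(f"expected 8 header columns, got {header}")
    rules = []
    for cols in body:
        if len(cols) != 8:
            raise ValueError(f"expected 8 columns, got {cols}")
        rules.append(OutboundRule(*cols[:7], static_port=cols[7].upper() == "YES"))
    return rules


def _host(spec):
    """Translate a UI address field into pf(4) address syntax."""
    negate = spec.startswith("!")
    spec = spec.lstrip("! ").strip()
    if spec == "*":
        return "any"                       # negating 'any' makes no sense
    label, _, kind = spec.partition(" ")
    if label in IFACE_DEVICES and kind in ("net", "address"):
        dev = IFACE_DEVICES[label]
        pf = f"({dev}:network)" if kind == "net" else f"({dev})"
    else:
        pf = spec                           # literal host or CIDR, as typed
    return "!" + pf if negate else pf


def _port(spec):
    return "" if spec == "*" else f" port {spec}"


def to_pf(rule):
    """Approximate pf(4) 'nat' rule for one table row (assumed syntax)."""
    dev = IFACE_DEVICES[rule.interface]
    text = (f"nat on {dev} from {_host(rule.source)}{_port(rule.source_port)}"
            f" to {_host(rule.destination)}{_port(rule.destination_port)}"
            f" -> {_host(rule.nat_address)}{_port(rule.nat_port)}")
    if rule.static_port:
        text += " static-port"
    return text


def wans_without_outbound_nat(rules, wan_labels):
    """WAN labels that no rule translates on.

    In hybrid or manual mode a WAN with zero rows here has no outbound NAT,
    which is how a static WAN address ends up with no internet behind it.
    """
    covered = {r.interface for r in rules}
    return sorted(w for w in wan_labels if w not in covered)


if __name__ == "__main__":
    parsed = parse_table(SAMPLE_TABLE)
    for r in parsed:
        print(to_pf(r))
    print("WANs with no outbound NAT:", wans_without_outbound_nat(parsed, ["WAN", "WAN2"]))
```

Run as a script it prints one pf-style line per row; the second row carries `static-port` because the UI's "Static Port: YES" on destination port 500 keeps the ISAKMP source port unchanged. The checker is the part worth keeping around: if a second WAN label is added later and it comes back from `wans_without_outbound_nat`, that is the same "works in testing, dies when swapped in live" situation the post hit.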