"
This turned out to be a completely separate problem than what I expected — traffic was flowing to servers on the PUB interface, but was getting dropped due to Linux reverse path filtering (rp_filter). As such, the OPNsense firewall correctly showed that connections were being passed, but the firewall on the server wasn't logging any rejected packets. tcpdump on the server showed the packets coming in, which eventually led me to find the filter. OPNsense was doing the right thing all along :D
This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
Pages1
#1
22.7 Legacy Series / Re: Routing between public IPs on different interfaces without NAT
September 04, 2023, 10:02:26 PM #2
22.7 Legacy Series / Routing between public IPs on different interfaces without NAT
August 16, 2023, 05:36:57 PM
Hello! I'm trying to get traffic routed across an OPNSense 22.7 installation on a Protectli VP2420, using publicly routable IPs on different interfaces. My setup...
For this question, I'm focusing on WAN and PUB. I have servers connected on PUB and configured with the appropriate public IPs, but for some reason, any incoming connection to these servers always appears to originate from the OPNsense system itself — the remote IP is not the real origin of the connection elsewhere on the Internet, but rather the IP on the WAN interface. This interferes with some functionality, so my goal is to figure out how to route incoming traffic from WAN over to a system on PUB without rewriting or translating the remote address.
I've tried a variety of firewall and NAT configuration options, but haven't managed to find a combination which both lets traffic through and "preserves" the remote IP on connections. For Outbound NAT settings, I've switched to Manual outbound rule generation. However...
I suspect something about this rule is related to, or causing, the remote IP issues on incoming connections — but it's the only configuration I've stumbled across that lets clients on the public Internet reach services on the PUB interface. Regardless of whether this rule is present or absent, the firewall logs always show incoming connections to my test web service, and always indicate they're being passed through.
I've read elsewhere on this forum that OPNsense always routes across interfaces, and the usual concern is firewall rules — but I'm at a loss in this situation about what I'd need to configure to allow that traffic to get routed and disable NAT at the same time. I'd appreciate any pointers or tips anyone has, and can post more configuration if needed. Thanks!
- WAN interface uses PPPoE to the ISP
- A "PUB" interface has a /28 public IPv4 block
- LAN interface has the usual private range
For this question, I'm focusing on WAN and PUB. I have servers connected on PUB and configured with the appropriate public IPs, but for some reason, any incoming connection to these servers always appears to originate from the OPNsense system itself — the remote IP is not the real origin of the connection elsewhere on the Internet, but rather the IP on the WAN interface. This interferes with some functionality, so my goal is to figure out how to route incoming traffic from WAN over to a system on PUB without rewriting or translating the remote address.
I've tried a variety of firewall and NAT configuration options, but haven't managed to find a combination which both lets traffic through and "preserves" the remote IP on connections. For Outbound NAT settings, I've switched to Manual outbound rule generation. However...
- With no rules, it seems as though servers on PUB don't get any incoming traffic at all. A test web server logs no incoming requests or connections.
- The only rule that keeps traffic flowing at all is one manual rule, on interface PUB, source any, with NAT Address set to "Interface address."
I suspect something about this rule is related to, or causing, the remote IP issues on incoming connections — but it's the only configuration I've stumbled across that lets clients on the public Internet reach services on the PUB interface. Regardless of whether this rule is present or absent, the firewall logs always show incoming connections to my test web service, and always indicate they're being passed through.
I've read elsewhere on this forum that OPNsense always routes across interfaces, and the usual concern is firewall rules — but I'm at a loss in this situation about what I'd need to configure to allow that traffic to get routed and disable NAT at the same time. I'd appreciate any pointers or tips anyone has, and can post more configuration if needed. Thanks!
Pages1
