Messages

1

General Discussion / Re: NAT exposing private addresses on WAN

« on: August 29, 2023, 05:50:08 pm »

The Firewall | NAT | Outbound rules were automatically created.

Automatic rules
        Interface   Source Networks   Source Port   Destination   Destination Port   NAT Address   NAT Port   Static Port   Description
       LAN   Loopback networks, 127.0.0.0/8   *   *   500   LAN   *   YES   Auto created rule for ISAKMP
       LAN   Loopback networks, 127.0.0.0/8   *   *   *   LAN   *   NO   Auto created rule
       WAN   Loopback networks, 127.0.0.0/8   *   *   500   WAN   *   YES   Auto created rule for ISAKMP
       WAN   Loopback networks, 127.0.0.0/8   *   *   *   WAN   *   NO   Auto created rule

I am going to have to plead ignorance on whether the packet filtering is running or not.

2

General Discussion / Re: NAT exposing private addresses on WAN

« on: August 29, 2023, 04:47:44 pm »

Our test network is isolated from all other networks and only contains private IP address subnets.
Every subnet gateway ends with .1 as this is the router interface defined for each of them.
Our router has a static route to direct destination IPs of 123.123.123.0/24 to the opnsense LAN interface.
Certain devices running on our test subnets require access to a single production public subnet.
e.g. 192.168.255.0/24 --> NAT --> 123.123.123.0/24

Stripping it down as simply as possible. Consider 1 single subnet.
opnsense is at 192.168.255.25/24
A test VM is at 192.168.255.22/24 and has a gateway of 192.168.255.25(opnsense LAN interface)
The test VM sends a ping to 123.123.123.237
123.123.123.237 observes an ICMP packet coming from 192.168.255.22 on the 123.123.123.0 subnet.
The IP address of the test VM should be natted and should have the WAN interface IP.

3

General Discussion / Re: OPNSense to NAT an already routed network.

« on: August 29, 2023, 04:28:06 pm »

I might not have described our scenario well enough.

We have an isolated routed test network of various private IP subnet ranges. (10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16)
Devices on these private subnets need to be able to connect to a single production subnet using a NAT connection.

4

General Discussion / NAT exposing private addresses on WAN

« on: August 29, 2023, 04:02:46 pm »

We have a fairly complex routed test network and are attempting to use opnsense to provide a NAT connection to a  production network. I have simplified our implementation as much as possible.

We have a subnet for management purposes - 192.168.255.0/24 gateway 192.168.255.1
We are attempting to  NAT to network 123.123.123.0/24
Our opnsense server interfaces are:
LAN 192.168.255.25/24 gateway 192.168.255.1
WAN 123.123.123.27/24 gateway 123.123.123.1

for testing, I have...
A system on the 192.168.255.0/24 subnet at 192.168.255.22/24 gateway 192.168.255.1.
A system on the production network 123.123.123.237/24 gateway 123.123.123.1

Using the VM at 192.168.255.22, I ping 123.123.123.237.
On 123.123.123.237, Wireshark shows ICMP traffic coming from 192.168.255.22.

I am not sure why opnsense is not natting the address. I am using the automatic rules.
I am sure this is something simple that I overlooked.
Guidance?
Thanks

5

General Discussion / OPNSense to NAT an already routed network.

« on: August 28, 2023, 08:17:33 pm »

We have a test network consisting of multiple private IP addresses connected by a router. e.g. 192.168.0.0/24, 192.168.1.0/24, 192.168.255.0/24, 172.16.0.0/16, etc...

We are using OPNSense to connect to a public IP subnet.

The OPNSense server LAN IP address is 192.168.255.25 with a default gateway set at 192.168.255.1.
There are other systems on the 192.168.255.0/24 subnet and they are able to be pinged from other subnets that we use so we know that our routing works.
As an example, a system at 192.168.100.14/24 gateway 192.168.100.1 can ping 192.168.255.22 gateway 192.168.255.1

Systems that are on the 192.168.255.0/24 subnet can ping and access the OPNSense server fine but none of the others can.

How can I configure OPNSense to understand that 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 are part of the LAN interface scope?

Many thanks for pointing me in the right direction.