24.1 Legacy Series / Issues with SSH NAT in OPNsense
« on: July 09, 2024, 01:44:19 pm »
Hey guys, I'm new to OPNsense and have a problem setting up our JumpServer behind the OPNsense.
Setup:
OPNsense WAN IP: 138.246.0.0/24
OPNsense LAN IP: 10.54.32.100
JumpServer IP: 10.54.32.10 (behind OPNsense)
WAN Interface: bge0
LAN Interface: vtnet0
Issue 1: SSH NAT Forwarding
I have set up a NAT rule to forward SSH traffic from the WAN IP (138.246.0.0/24) on port 22 to the JumpServer (10.54.32.10) on port 22. Despite configuring this rule, the traffic is being blocked by the default deny / state violation floating rule.
NAT Rule Summary:
Interface: WAN
IPv4
TCP
Source: any
Source port range: SSH - SSH
Destination: WAN address
Destination Port range: SSH - SSH
Redirect IP: Single host 10.54.32.10
Redirect Port: SSH
Description: Forward SSH traffic
Pool Options: default
NAT reflection: off
Filter rule association: None
Actions Taken:
- Verified NAT rule is correctly set up.
- Attempted to add pass rules to allow traffic from the JumpServer and LAN clients (normal and floating rule).
- Observed that the traffic is still being blocked by the floating rule.
How can I ensure that the NAT rule for SSH is applied before the floating rules block the traffic?
Interestingly, if I configure a temp rule via the CLI:
echo "rdr pass on bge0 proto tcp from any to any port 22 -> 10.54.32.10 port 22" > /tmp/ssh_redirect_rule
pfctl -f /tmp/ssh_redirect_rule
the rule will just work fine, but why? Why does it not work when configured over the GUI?
Thanks for any help
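Added example (not from the poster, not OPNsense or pf code): a toy matcher for the `rdr` syntax used in the post, run against one constructed inbound SSH SYN. It shows the two places where the GUI summary above differs from the CLI rule that works. First, the GUI rule pins "Source port range: SSH - SSH", so it only fires when the client's source port is also 22, while real SSH clients use an ephemeral source port, which is why the CLI rule's unconstrained `from any` matches and the GUI one does not. Second, the CLI rule says `rdr pass`, which passes the redirected packet implicitly, whereas "Filter rule association: None" leaves a plain `rdr` that still needs a matching pass rule, so the default deny applies. The pf rendering of the GUI summary (`from any port 22 to (bge0) port 22`), the WAN address 138.246.0.1 picked out of the poster's range, and the client 203.0.113.5:51234 are all assumptions constructed for the example.

```python
"""Toy matcher for the pf 'rdr' syntax seen in the post (constructed example,
not OPNsense or pf code). It shows why a redirect that pins the *source* port
to 22 never fires for real SSH clients, which pick an ephemeral source port,
and why a plain 'rdr' (no 'pass') still needs a filter rule to let traffic in."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Subset of pf rdr grammar: rdr [pass] on IF proto P from SRC [port N] to DST [port N] -> HOST [port N]
RDR_RE = re.compile(
    r"^rdr(?P<pass>\s+pass)?\s+on\s+(?P<iface>\S+)\s+proto\s+(?P<proto>\S+)"
    r"\s+from\s+(?P<src>\S+)(?:\s+port\s+(?P<sport>\d+))?"
    r"\s+to\s+(?P<dst>\S+)(?:\s+port\s+(?P<dport>\d+))?"
    r"\s*->\s*(?P<rhost>\S+)(?:\s+port\s+(?P<rport>\d+))?\s*$"
)

@dataclass(frozen=True)
class Rdr:
    iface: str
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    rhost: str
    rport: Optional[int]
    implicit_pass: bool  # 'rdr pass' passes the packet itself; plain 'rdr' needs a separate pass rule

@dataclass(frozen=True)
class Syn:
    iface: str
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

# Constructed: one address out of the poster's WAN range, standing in for "WAN address" / (bge0).
IFACE_ADDRS = {"bge0": {"138.246.0.1"}}

def parse_rdr(text: str) -> Rdr:
    m = RDR_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported rdr syntax: {text!r}")
    port = lambda name: int(m[name]) if m[name] else None
    return Rdr(m["iface"], m["proto"], m["src"], port("sport"), m["dst"], port("dport"),
               m["rhost"], port("rport"), m["pass"] is not None)

def host_matches(spec: str, ip: str, iface_addrs=IFACE_ADDRS) -> bool:
    if spec == "any":
        return True
    paren = re.fullmatch(r"\((\w+)\)", spec)  # "(bge0)" means the addresses of that interface
    if paren:
        return ip in iface_addrs.get(paren.group(1), set())
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def matches(rule: Rdr, pkt: Syn) -> bool:
    return (rule.iface == pkt.iface
            and rule.proto == pkt.proto
            and host_matches(rule.src, pkt.src_ip)
            and (rule.sport is None or rule.sport == pkt.src_port)
            and host_matches(rule.dst, pkt.dst_ip)
            and (rule.dport is None or rule.dport == pkt.dst_port))

def evaluate(rule_text: str, pkt: Syn) -> dict:
    """Outcome for one inbound SYN: did the rdr fire, where to, and is a filter rule still needed."""
    rule = parse_rdr(rule_text)
    hit = matches(rule, pkt)
    return {
        "matched": hit,
        "redirect_to": (rule.rhost, rule.rport if rule.rport is not None else pkt.dst_port) if hit else None,
        "needs_filter_rule": hit and not rule.implicit_pass,
    }

# Assumed pf rendering of the GUI summary (source port range SSH-SSH, no filter rule association).
GUI_RULE = "rdr on bge0 proto tcp from any port 22 to (bge0) port 22 -> 10.54.32.10 port 22"
# The CLI rule exactly as loaded with pfctl in the post.
CLI_RULE = "rdr pass on bge0 proto tcp from any to any port 22 -> 10.54.32.10 port 22"

# Constructed client: documentation address with an ephemeral source port, as any real SSH client uses.
CLIENT_SYN = Syn("bge0", "tcp", "203.0.113.5", 51234, "138.246.0.1", 22)

if __name__ == "__main__":
    for label, rule in (("GUI", GUI_RULE), ("CLI", CLI_RULE)):
        print(label, evaluate(rule, CLIENT_SYN))
```

Running it prints that the GUI-style rule does not match the client SYN at all, while the CLI rule matches, redirects to 10.54.32.10:22 and needs no extra filter rule. In the GUI the equivalent fix is to leave the source port range at "any" and to choose a filter rule association (or add a WAN pass rule to 10.54.32.10 port 22) instead of "None".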