Messages - firewall_newbie

#1
It is not strange at all if you try to dig into the requirement.

I have a host coming in on interface 777 with a target on interface 30. The gateway on 777 was configured as a PBF for a specific host, to route via the gateway connected on 777.

It is routing and firewall rules that come into play, which I assume are configured correctly. The firewall should already know about the source and destination. The static routes configured are less preferred with respect to subnet mask, since the firewall has more specific networks on it with a /24 (VLAN 30) and a /28 (VLAN 777).

So for routing the firewall will consider both the source (10.28.140.50) and the destination (10.10.30.13) as directly connected and forward packets. I don't think having a gateway tied to interface 777 would impact this routing decision.
#2
root@a:~ # route get 10.10.30.13
   route to: testhost
destination: 10.10.30.0
       mask: 255.255.255.0
        fib: 0
  interface: igb1_vlan30
      flags: <UP,DONE,PINNED>
 recvpipe  sendpipe  ssthresh  rtt,msec    mtu        weight    expire
       0         0         0         0      1500         1         0
root@a:~ #
#3
Attached is an overview. I am trying to ping from a host on VLAN 777 to a host on VLAN 30. If you see, both VLANs/networks are directly connected to the firewall and no explicit routing is required. The firewall rule is a permit, for which I can see incoming traffic on VLAN 777, but I see no OUT traffic on VLAN 30, in either the live view or packet captures. I am trying simple inter-VLAN routing here.

I had to resize the image because of the upload size limit, which makes the screenshot blurry, but it can still show meaningful information.
#4
Yes, if I ping the host 10.10.30.13 from the firewall with a source interface of if1, I get ping working. This is really strange.
#5
They are unchecked.
#6
The gateway is to route all default traffic via this interface (if1) and the attached gateway, as I would like to retire the old gateway.
#7
Would I still not see them in packet captures? I can see them in if2 captures when traffic is coming back from the other interface. So I don't really think it is related to logging being enabled or not. If I can see packets in captures on the same interface if2 when traffic is returned from the internet, I should be able to see them if they are actually forwarded from if1 to if2. Shouldn't I?

And yes, the option to log packets matched from the default pass rules is checked/enabled, but I still do not see them in the live view OR packet captures. I am not sure what I am missing when this should be simple L3 forwarding.
#8
Last of the screenshots
#9
Attached are screenshots that may help.
#10
The target server is on the same network as if2. In a sense the server is directly connected to if2 (same network). Why won't this work? It is similar to having two hosts on the same network, so in this case one is the server and the other is the interface if2 on the firewall. This makes them both part of the same broadcast domain, and thus they need no explicit routing to talk to each other.
Now when traffic from the client enters the firewall on if1, the packet would be like:

src: 10.28.140.50
destination: 10.10.30.13
if1: 10.28.140.49
if2: 10.10.30.2

In this case, when the firewall sees the destination to be 10.10.30.13 it knows it needs to send it to if2, and then ARP broadcast on if2 looking for the MAC address of 10.10.30.13.
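The forwarding decision described in #1 and #10 (longest prefix match over the connected /24 and /28) can be traced with a small simulation. The block below is an added example, not code from this thread or from OPNsense, and it also shows the one case where pf does not consult the routing table at all: a pass rule with a gateway set becomes a `route-to` rule, and the egress interface is then chosen from the gateway rather than from the FIB lookup. Whether the rule on if1 in this thread carries a gateway is not visible here (the screenshots are not reproduced). The host and interface addresses are the ones quoted in the thread; the connected prefix 10.28.140.48/28 is derived from them, and the default-gateway address, interface names and rule lists are assumptions made for illustration.

```python
"""Longest-prefix-match lookup versus a policy-routed (route-to) rule.

Added example, not code from this thread or from OPNsense. Host and interface
addresses are the ones quoted in the thread; 10.28.140.48/28 is derived from
them; the default-gateway address, interface names and rule lists are assumed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    interface: str
    gateway: Optional[str] = None  # None: directly connected, ARP for the destination itself


# Constructed FIB: two connected VLANs plus a default route out of VLAN 777.
FIB = [
    Route(ip_network("0.0.0.0/0"), "igb1_vlan777", "10.28.140.62"),  # gateway address assumed
    Route(ip_network("10.10.30.0/24"), "igb1_vlan30"),                 # if2 = 10.10.30.2
    Route(ip_network("10.28.140.48/28"), "igb1_vlan777"),              # if1 = 10.28.140.49
]


def fib_lookup(dst: str, fib=FIB) -> Route:
    """Plain routing-table lookup: the most specific matching prefix wins."""
    addr = ip_address(dst)
    matches = [r for r in fib if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen)


@dataclass(frozen=True)
class Rule:
    action: str                    # "pass" or "block"
    in_iface: str                  # interface the packet arrives on
    src: IPv4Network
    dst: IPv4Network
    gateway: Optional[str] = None  # set: pf route-to, which bypasses the FIB


def forward(pkt_src: str, pkt_dst: str, in_iface: str, rules, fib=FIB):
    """First matching rule decides; returns (verdict, egress interface, next hop)."""
    s, d = ip_address(pkt_src), ip_address(pkt_dst)
    for r in rules:
        if r.in_iface != in_iface or s not in r.src or d not in r.dst:
            continue
        if r.action != "pass":
            return ("block", None, None)
        if r.gateway is not None:
            # route-to: hand the packet to that gateway, out the interface the
            # gateway itself is reachable on, whatever the FIB says about pkt_dst
            gw_route = fib_lookup(r.gateway, fib)
            return ("pass", gw_route.interface, r.gateway)
        route = fib_lookup(pkt_dst, fib)
        return ("pass", route.interface, route.gateway or pkt_dst)
    return ("block", None, None)  # implicit default deny


CLIENT_NET = ip_network("10.28.140.48/28")
ANY = ip_network("0.0.0.0/0")

# Variant A: pass with no gateway, so the FIB decides the egress interface.
RULES_FIB = [Rule("pass", "igb1_vlan777", CLIENT_NET, ANY)]

# Variant B: the same pass rule with a gateway set (policy-based forwarding).
RULES_POLICY = [Rule("pass", "igb1_vlan777", CLIENT_NET, ANY, gateway="10.28.140.62")]

# Variant C: a gateway-less pass rule for the connected VLAN placed above the policy rule.
RULES_POLICY_WITH_LOCAL = [
    Rule("pass", "igb1_vlan777", CLIENT_NET, ip_network("10.10.30.0/24")),
    Rule("pass", "igb1_vlan777", CLIENT_NET, ANY, gateway="10.28.140.62"),
]


if __name__ == "__main__":
    for name, rules in (("fib", RULES_FIB), ("policy", RULES_POLICY),
                        ("policy+local", RULES_POLICY_WITH_LOCAL)):
        print(name, forward("10.28.140.50", "10.10.30.13", "igb1_vlan777", rules))
```

With variant A the packet to 10.10.30.13 leaves on igb1_vlan30 and the firewall ARPs for the server itself, which is the behaviour #10 expects. With variant B the same packet is handed to the gateway on igb1_vlan777, so an if2 capture never sees it. Variant C is the usual way to keep a default-route gateway on the rule while still letting connected networks follow the FIB.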
#11
Please find attached the firewall rule on the interface that receives the traffic from the client.
#12
I am not able to paste the rule on interface if1. Is there a way to paste?
#13
OK here is what I see:

With packet captures on if1 and if2, I see client-to-server requests on if1 but not on if2. In the live view I see traffic IN on if1 but no OUT on if2, so it is certain the packet arrived and was logged by if1 but thereafter got lost somewhere between if1 and if2 within the firewall itself. If it helps I can snip the configurations on if1, if2, NAT, and the firewall rule for the interesting traffic here. I can also snip packet captures.
#14
Correct, I would like OPNsense to behave like a router with no source or destination translation. I checked: there are outbound NAT rules, but for the interface which is my gateway to the internet, not if1. But again:

Even with outbound NAT on an interface, the traffic received will be source NAT'd but the destination would remain the same. So in my case the destination is the server on if2 (same network), so I should still see packets on if2 (packet capture) with the source as the NAT'd IP on if1 and the destination as the target server.
#15
Sure, I will inspect the NAT rules. But I am not clear whether outbound NAT rules will impact traffic inbound on the same interface. The connection is initiated from a client and received by the firewall on if1 (inbound), and the target is a server directly connected to if2. So if there are any outbound NAT rules on if1, they should not match traffic inbound on if1.
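The point argued in #14 and #15 (outbound NAT is tied to the interface a packet leaves through, not the one it arrives on) is how pf's `nat on` rules actually behave, and the simulation below, an added example that is not code from the thread or from OPNsense, makes that concrete for the thread's own addresses. Interface names, the WAN address 203.0.113.5, the internet destination 198.51.100.7 and the NAT rule lists are assumptions made for illustration.

```python
"""Outbound NAT is evaluated on the egress interface only (pf semantics).

Added example, not from the thread or from OPNsense. Interface names, the WAN
address, the internet destination and the NAT rule lists are assumed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class NatRule:
    egress_iface: str      # outbound NAT matches on the interface the packet leaves through
    src: IPv4Network
    dst: IPv4Network
    translate_to: str      # new source address after translation


ANY = ip_network("0.0.0.0/0")

# Constructed outbound NAT table resembling #14: only the internet-facing interface translates.
OUTBOUND_NAT = [
    NatRule("igb0_wan", ip_network("10.0.0.0/8"), ANY, "203.0.113.5"),  # WAN address assumed
]

# Same table plus a rule on if1 (VLAN 777), to show when such a rule would and would not fire.
NAT_WITH_IF1 = OUTBOUND_NAT + [
    NatRule("igb1_vlan777", ANY, ANY, "10.28.140.49"),  # translate to the if1 address
]


def apply_outbound_nat(src: str, dst: str, egress_iface: str, rules=OUTBOUND_NAT):
    """Return (src, dst) as they leave egress_iface; the first matching rule rewrites the source."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if r.egress_iface == egress_iface and s in r.src and d in r.dst:
            return (r.translate_to, dst)
    return (src, dst)


def forwarded_packet(src: str, dst: str, in_iface: str, out_iface: str, rules=OUTBOUND_NAT):
    """Headers a capture would show on in_iface versus out_iface for one forwarded packet.

    The inbound copy is never rewritten by outbound NAT, whatever in_iface is;
    only the egress interface is consulted.
    """
    return {"in": (src, dst), "out": apply_outbound_nat(src, dst, out_iface, rules)}


if __name__ == "__main__":
    # client on VLAN 777 to the server on VLAN 30: no NAT rule on igb1_vlan30, headers unchanged
    print(forwarded_packet("10.28.140.50", "10.10.30.13", "igb1_vlan777", "igb1_vlan30"))
    # same client to the internet: leaves via WAN, source rewritten to the WAN address
    print(forwarded_packet("10.28.140.50", "198.51.100.7", "igb1_vlan777", "igb0_wan"))
```

The if1 rule in `NAT_WITH_IF1` changes nothing for the client-to-server packet, which leaves via igb1_vlan30; it would only apply to a new connection leaving through igb1_vlan777, such as one initiated from the VLAN 30 side. So an outbound NAT table, on its own, does not explain a packet that is seen inbound on if1 and absent from the if2 capture.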