18.1 Legacy Series / public IP NAT port forward from LAN /w additional router fails since 18.1.x
« on: April 21, 2018, 02:46:47 pm »
Hi there,
A few weeks ago I updated OPNsense to v18.1.5 from 17.7.x.
After the upgrade I had problems accessing external resources from some internal subnets.
I solved this by creating new outbound NAT rules, which did not seem to be needed on 17.7.x (see below).
But now I have recognized an issue with accessing externally published services from my LAN subnets.
As noted in the title, I configured an additional routing instance between OPNsense and my internal networks.
With OPNsense on 17.7.x I had access to those published services from inside and outside without any problems.
Below I have summarized the configuration of my OPNsense:
Since the upgrade of OPNsense from 17.7.10 to version 18.1.5 I cannot access the service on port 443 of wanip1 from my internal LAN subnet (it results in a timeout).
Before, I never had problems.
I also had problems with accessing external resources from the subnets routed from behind the internal router0.
I solved these problems by creating new outbound NAT rules for those internal subnets behind router0.
Accessing the service on port 443 of wanip1 from outside the network works without any issues.
I have already updated to 18.1.6 in the meantime, but the problem persists.
No traffic to the public IP or to the LAN-placed server (192.168.2.2/24) is marked as blocked in the OPNsense firewall log.
Any ideas on how to solve the problem?
I have already switched all the Advanced Firewall Config NAT properties through every available state. On every change I reset the states via the Diagnostics menu.
But so far I have no idea how to solve it. I can't analyze the firewall log because there are no (incoming) NAT logs.
Current network scenario:
Client connectivity (outgoing):
LAN (192.168.12.0/24) -> Router (192.168.12.254/24) [router0] [in] [routed] -> Router (172.23.14.254/24) [router0] [out] [routed] -> CARP LAN VIP (172.23.14.2/24) -> WAN CARP IP (public IP) [wanip0]
Server connectivity (outgoing):
LAN (192.168.11.2/24) -> Router (192.168.11.254/24) [router0] [in] [routed] -> Router (172.23.14.254/24) [router0] [out] [routed] -> CARP LAN VIP (172.23.14.2/24) -> WAN CARP IP (public IP) [wanip0]
Incoming port forward to server:
WAN CARP IP (public IP) [wanip1] [in prt: 443] -> CARP LAN VIP (172.23.14.2/24) -> Router (172.23.14.254/24) [router0] [in] -> Router (192.168.11.254/24) [router0] [out] -> LAN (192.168.11.2/24) [in prt: 444]
Configuration:
Port Forward Rule:
Interface "physical" WAN-int (tagged vlan; includes multiple CARP VIP)
Source any
Destination wanip1 (CARP VIP)
destination port 443
redirect target ip: 192.168.11.2/24
redirect port: (other) 444
NAT reflection: Enable
Filter Rule: created through wizard when Port Forward was created
Advanced Firewall Configuration:
Reflection for port forwards: Enabled
Reflection for 1:1: Disabled
Automatic outbound NAT for Reflection: Enabled
Default interface for outgoing WAN requests: [wanip0]
Outbound NAT Configuration: Hybrid Configuration
Outbound NAT Rule for subnet 192.168.12.0/24:
interface: Interface "physical" WAN-int (tagged vlan; includes multiple CARP VIP)
TCP/IP: IPv4
Protocol: any
Source address: 192.168.12.0/24
Destination: any
Destination port: any
Translation/target: Interface Address
Log: Enabled
Regards,
Thomas
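The post's setup has router0 sitting between OPNsense and both the client subnet (192.168.12.0/24) and the server subnet (192.168.11.0/24). The following is a constructed model, added here and not code from the post or from OPNsense, of why a hairpinned port forward in that topology only works when the reflected connection is also source-NATed (the "Automatic outbound NAT for Reflection" setting), and why the failing case leaves nothing in the firewall log. Addresses follow the post's diagram; WANIP1 (a documentation-range address standing in for wanip1), the client address and the port numbers are placeholders.

```python
from dataclasses import dataclass, replace

# Constructed addressing. WANIP1 is a documentation-range placeholder for the
# post's wanip1 CARP VIP; the other addresses follow the post's diagram.
WANIP1 = "203.0.113.10"
FW_LAN_VIP = "172.23.14.2"     # OPNsense CARP LAN VIP
CLIENT = "192.168.12.10"       # constructed client in 192.168.12.0/24
SERVER = "192.168.11.2"        # published server, listens on 444
REFLECT_SNAT_PORT = 40000      # constructed source port chosen by the SNAT

# Subnets router0 has directly attached; replies to these never touch the firewall.
ROUTER0_ATTACHED = ("192.168.11.", "192.168.12.")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def firewall_lan_in(pkt: Packet, reflect_snat: bool) -> Packet:
    """Port forward (DNAT wanip1:443 -> server:444) applied to a packet that
    arrives on the LAN side, i.e. NAT reflection. With reflect_snat the
    outbound NAT for reflection also rewrites the source, so the server
    answers the firewall instead of the client."""
    if pkt.dst == WANIP1 and pkt.dport == 443:
        pkt = replace(pkt, dst=SERVER, dport=444)
        if reflect_snat:
            pkt = replace(pkt, src=FW_LAN_VIP, sport=REFLECT_SNAT_PORT)
    return pkt


def firewall_lan_out(reply: Packet, original: Packet) -> Packet:
    """Undo both translations on the server's reply, using the state entry
    the firewall created for the original SYN."""
    return Packet(src=WANIP1, sport=443, dst=original.src, dport=original.sport)


def server_reply(pkt: Packet) -> Packet:
    """SYN-ACK: the server simply swaps the 4-tuple it received."""
    return Packet(src=pkt.dst, sport=pkt.dport, dst=pkt.src, dport=pkt.sport)


def router0_next_hop(pkt: Packet) -> str:
    """router0 delivers to its attached subnets itself; anything else goes
    to the firewall's LAN VIP (router0's default route)."""
    return "direct" if pkt.dst.startswith(ROUTER0_ATTACHED) else "firewall"


def client_expects(sent: Packet, got: Packet) -> bool:
    """A TCP client accepts a SYN-ACK only from the peer it addressed."""
    return (got.src, got.sport, got.dst, got.dport) == (
        sent.dst, sent.dport, sent.src, sent.sport)


def simulate(reflect_snat: bool) -> str:
    """Trace one reflected connection attempt; returns the client's outcome."""
    syn = Packet(CLIENT, 51234, WANIP1, 443)
    fwd = firewall_lan_in(syn, reflect_snat)
    reply = server_reply(fwd)
    if router0_next_hop(reply) == "direct":
        # The SYN-ACK reaches the client straight from 192.168.11.2:444.
        # The client never spoke to that address, so it answers with RST,
        # and the firewall logs nothing because it never saw the reply.
        return "RST"
    if client_expects(syn, firewall_lan_out(reply, syn)):
        return "ESTABLISHED"
    return "RST"


if __name__ == "__main__":
    for snat in (False, True):
        print(f"outbound NAT for reflection={snat}: {simulate(snat)}")
```

The model makes one check explicit: the reflection source NAT has to match clients in 192.168.12.0/24, a subnet OPNsense only reaches through router0 rather than as the LAN interface's own network. The post already needed a hand-written outbound NAT rule for that subnet for ordinary egress, so it is worth verifying (for example with the NAT rules shown in the firewall's diagnostics) whether the automatically generated reflection rules cover that routed subnet at all. If they only cover the directly attached 172.23.14.0/24 network, a manual outbound NAT rule on the LAN interface (source 192.168.12.0/24, destination 192.168.11.2 port 444, translation to the interface address) would supply the missing source translation for the reflected flow.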