OPNsense Forum

Topics - FLguy

General Discussion / Port Forward NAT Weird Behavior when using WAN Address
« on: June 17, 2024, 12:41:34 am »
Hello all,

I'm not sure if this is a bug, or why OPNsense is behaving this way. But if I have this Port Forward NAT rule that uses the "WAN Address" object and port forwards SSH higher in the list, all other Virtual IP SSH NATs will go to "Dell_Host", regardless of the Virtual IP I'm trying to use, like popos_NAT (192.168.169.7) or pmox_nat (192.168.169.210). I will also get a new SSH fingerprint message. The WAN address is 192.168.169.20.

If I move this WAN Address rule to the bottom of the list, it works. I can also change the forwarding port to something like TCP 2222 and 2223 for both of these rules, which will work.

Why am I having this issue with the WAN Address object?

Thank you

General Discussion / SSH NAT not working
« on: March 02, 2023, 02:57:10 am »
Hey all,
I can't believe I can't solve this one, but I'm failing to get either 1:1 or Port Forward NAT to work. The goal is to create a "DMZ host," just a 1:1 NAT with filters for what ports you want to be exposed. 6+ hours later, and I'm still in this rabbit hole. I first tried using my main FW, then a test VM FW, and third a brand new hardware firewall. No matter what I do, I can't get SSH NATed over OPNsense right now.

I have tried using Port Forward and 1:1 NATs, setting rules, and even finding the configuration for proxy ARPs. In my heart, 1:1 NATs should be doing proxy ARP by default. In some configuration cases, I can see the traffic passing in Live View and capturing packets in tcpdump on the SSH server side. But SSH will not connect.

Let's use the test lab to talk about the problem.  An ESXi host running two VMs + ssh client on Windows:

Windows host (putty): 192.168.169.10

OPNsense 23.1 FW vm:
WAN (DHCP):192.168.169.44 [esxi Port Group: VM Network]
LAN: 192.168.1.1 [esxi Port Group: PG Test]

Fresh ubuntu VM (sshd):
LAN: 192.168.1.101 [esxi Port Group: PG Test]

But let's go really basic, just a basic Port Forward.  I have a "management" host at .100.  .100 and .101 can SSH into each other just fine.  If I put either of these VMs into the VM Network port group (bypass the firewall), the Windows host can ssh.  Inside VMs can reach the internet.

OPNsense was installed fresh and ran the setup wizard.  The only non-default change was unchecking Block Private networks on WAN interface.   
  Firewall: NAT: Port Forward
  Interface: WAN
  Destination: WAN address
  Dest Port: 22 ssh
  Redirect target IP: 192.168.1.101
  Redirect target port: 22 ssh

With everything else set to defaults:

  NAT reflection: system default = disabled
  Filter rule association: Add associated filter rule
Save and Apply.  I see both the NAT rule and WAN rule get created. 

In the Live View, traffic is allowed.

Attached is the pcap from .101. The 3-way handshake doesn't complete; .10 doesn't ACK. :| What is going on? Getting a 1:1 NAT is less successful than this (ARP is an issue). But I want to know what I'm doing wrong. I see no errors on the firewall, but SSH will not connect.

Thanks,
Nick
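The symptom in the attached capture (SYN-ACKs leaving .101 that .10 never acknowledges) is the kind of thing worth flagging mechanically across a whole pcap rather than reading packet by packet. The following is an added example, not part of the post or of OPNsense: it parses `tcpdump -n` text output (as produced by, for instance, `tcpdump -nr capture.pcap 'tcp port 22'`), groups packets into client-to-server flows, and classifies each handshake as completed, half-open (SYN-ACK sent but never ACKed), unanswered, or reset. The sample lines are constructed to mirror the lab in the post: a forwarded connection from 192.168.169.10 stalls after three SYN-ACKs, while a connection from the .100 management host completes.

```python
"""Classify TCP handshakes in tcpdump text output (added example, not OPNsense code)."""
import re
from collections import defaultdict
from typing import Dict, Iterable, Iterator, Tuple

# Matches the start of a tcpdump -n TCP line, e.g.
# 02:50:01.000100 IP 192.168.169.10.51234 > 192.168.1.101.22: Flags [S], seq 1000, win 64240, length 0
LINE = re.compile(
    r"^\S+ IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

# Constructed sample capture, modelled on the post's addresses (not the real attachment).
SAMPLE_TCPDUMP = """\
02:50:01.000100 IP 192.168.169.10.51234 > 192.168.1.101.22: Flags [S], seq 1000, win 64240, length 0
02:50:01.000300 IP 192.168.1.101.22 > 192.168.169.10.51234: Flags [S.], seq 2000, ack 1001, win 65160, length 0
02:50:02.004300 IP 192.168.1.101.22 > 192.168.169.10.51234: Flags [S.], seq 2000, ack 1001, win 65160, length 0
02:50:04.052300 IP 192.168.1.101.22 > 192.168.169.10.51234: Flags [S.], seq 2000, ack 1001, win 65160, length 0
02:50:05.000100 IP 192.168.1.100.40000 > 192.168.1.101.22: Flags [S], seq 300, win 64240, length 0
02:50:05.000200 IP 192.168.1.101.22 > 192.168.1.100.40000: Flags [S.], seq 900, ack 301, win 65160, length 0
02:50:05.000300 IP 192.168.1.100.40000 > 192.168.1.101.22: Flags [.], ack 1, win 502, length 0
02:50:05.000900 IP 192.168.1.100.40000 > 192.168.1.101.22: Flags [P.], seq 1:33, ack 1, win 502, length 32
""".splitlines()


def parse_packets(lines: Iterable[str]) -> Iterator[Tuple[str, int, str, int, str]]:
    """Yield (src, sport, dst, dport, flags) for each TCP line; skip anything else."""
    for line in lines:
        m = LINE.match(line)
        if m:
            yield m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"]


def handshake_report(lines: Iterable[str]) -> Dict[str, Dict[str, object]]:
    """Group packets by client->server 4-tuple and classify each handshake."""
    flows = defaultdict(lambda: {"syn": 0, "synack": 0, "ack": 0, "rst": 0})
    for src, sport, dst, dport, flags in parse_packets(lines):
        fwd = (src, sport, dst, dport)   # key if this packet is client -> server
        rev = (dst, dport, src, sport)   # key if this packet is server -> client
        if flags == "S":                 # bare SYN: sender is the client
            flows[fwd]["syn"] += 1
        elif flags == "S.":              # SYN-ACK: sender is the server
            flows[rev]["synack"] += 1
        elif "R" in flags:               # RST from either side
            flows[fwd if fwd in flows else rev]["rst"] += 1
        elif "." in flags and fwd in flows:
            # First ACK from the client after a SYN-ACK completes the handshake.
            if flows[fwd]["ack"] == 0 and flows[fwd]["synack"] > 0:
                flows[fwd]["ack"] += 1

    report = {}
    for (client, cport, server, sport), n in flows.items():
        if n["rst"]:
            status = "reset"
        elif n["syn"] and n["synack"] and n["ack"]:
            status = "completed"
        elif n["syn"] and n["synack"]:
            status = "half-open"        # server answered, client never ACKed
        elif n["syn"]:
            status = "no reply to SYN"
        else:
            status = "partial capture"
        report[f"{client}:{cport} -> {server}:{sport}"] = {"status": status, **n}
    return report


if __name__ == "__main__":
    for flow, info in handshake_report(SAMPLE_TCPDUMP).items():
        print(f"{flow:45} {info['status']:15} "
              f"syn={info['syn']} synack={info['synack']} ack={info['ack']} rst={info['rst']}")
```

A half-open flow in a capture taken on the server tells you the forward leg worked (the SYN arrived, here with the client's address unchanged) and that the SYN-ACK left the server; the next capture to take is the same filter on the firewall's WAN side and on the client, to see where the return leg stops.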

Tutorials and FAQs / Regenerate Self-Signed Web GUI TLS Certificate
« on: February 20, 2023, 11:48:22 pm »
Hello,

I'm posting this thread because right now Google has an older post from the 19.7 forums that comes in #1. The reply in that post does not work. Today we have two options.

1. Quick and easy, introduced in 21.1:

  configctl webgui restart renew

2. The longer path:
Setup Self-Signed Certificate Chains with OPNsense

The default Web GUI TLS certificate is created on the first install.  I don't believe updates renew this cert, but I could be wrong.  My cert was localhost.opnsense.local.

Hardware and Performance / i226 nic supported?
« on: August 18, 2022, 03:51:24 am »
Getting one of these Topton systems off AliExpress. They don't have the unit I wanted, and they want to replace it with a system that has i226 NICs. But I remember we had to wait some time to get the i225 supported. Does anyone know if the i226 is supported?

Thanks for the time and support,
Nick

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved