Manual Outbound NAT conflicts with Port Forwarding

Started by Seethaar, March 29, 2020, 12:23:39 PM

Hi All,

I have divided this write up into two parts. Please go to the second part only if the first part does not make sense. Both the parts deal with the same question.

PART 1:
Topology: 100.0.0.1/29 (WAN) <> OPNSENSE 19.7 <> (LAN)192.168.0.0/24 <> Router <> 10.0.0.0/24
Question: How do I get Automatic OUTBOUND NAT to work for subnets routed to the LAN interface (in this case 10.0.0.0/24)?

PART 2:

Port Forwarding on WAN IP address works great, if I leave the Outbound NAT to automatic.

For eg:
Topology: 100.0.0.1/29 (WAN) <> OPNSENSE 19.7 <> (LAN)192.168.0.0/24 <> Router <> 10.0.0.0/24
Scenario: 100.0.0.1:443 port forwarded to 10.0.0.1:443

Port Forwarding on IP address in WAN subnet works great, if I leave the Outbound NAT to automatic.

For eg:
Topology: 100.0.0.1/29 (WAN) <> OPNSENSE 19.7 <> (LAN)192.168.0.0/24 <> Router <> 10.0.0.0/24
Scenario: 100.0.0.2:443 port forwarded to 10.0.0.1:443

Automatic Outbound NAT works great for directly connected subnets/networks.

For eg:
Topology: 100.0.0.1/29 (WAN) <> OPNSENSE 19.7 <> (LAN)192.168.0.0/24
Scenario: Internet traffic from 192.168.0.0/24
Solution: Automatic NAT only

But if we have networks routed on the LAN side (a few hops away), then I am forced to use Hybrid NAT (manual rules before automatic NAT) with the STATIC PORT option set to 'yes'.

For eg:
Topology: 100.0.0.1/29 (WAN) <> OPNSENSE 19.7 <> (LAN)192.168.0.0/24 <> Router <> 10.0.0.0/24
Scenario: Internet traffic from 10.0.0.0/24 + 100.0.0.1:443 port forwarded to 10.0.0.1:443
Solution: HYBRID NAT: Manual NAT for Internet traffic from 10.0.0.0/24 + Automatic NAT for traffic from 192.168.0.0/24

Problem statement:

When I use HYBRID NAT with manual rules for the routed subnets (a few hops away) before automatic NAT, I can still port forward on the WAN IP address, but not on any other IP address in the WAN subnet. In this case:

For eg:
Topology: 100.0.0.1/29 (WAN) <> OPNSENSE 19.7 <> (LAN)192.168.0.0/24 <> Router <> 10.0.0.0/24
Scenario: Internet traffic from 10.0.0.0/24 + 100.0.0.2:443 port forwarded to 10.0.0.1:443
Case 1: HYBRID NAT: Manual NAT for Internet traffic from 10.0.0.0/24 + Automatic NAT for traffic from 192.168.0.0/24

Behaviour: Traffic from internet sources destined to 100.0.0.2:443 gets port forwarded to 10.0.0.1:443, but the return traffic from 10.0.0.1:443 gets outbound NATed to 100.0.0.1:443 due to the MANUAL NAT rule. Anyway, outbound NAT traffic from 10.0.0.0/24 to the internet works fine.

Case 2: HYBRID NAT: Manual NAT disabled for Internet traffic from 10.0.0.0/24 + Automatic NAT for traffic from 192.168.0.0/24

Behaviour: Port forward works perfectly. Internet traffic from 192.168.0.0/24 works fine. But internet traffic from 10.0.0.0/24 breaks, i.e., it does not get outbound NATed.

Sorry about the long case study; it is just to make some sense of this.

Question: How do I get Automatic OUTBOUND NAT to work for subnets routed to the LAN interface (in this case 10.0.0.0/24)?

Please advise.

Thanks,
Ayyappan

Resolved.

- The reason my port forwarding was conflicting with Outbound NAT was that I set the OUTBOUND NAT to "any". When I specify the LAN subnets, there are no more conflicts.

- It would be good to view the automatic NAT rules though.
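Below is an added illustration of the rule set described in this thread in pf syntax (OPNsense 19.7 runs pf on FreeBSD and writes its generated ruleset to /tmp/rules.debug in this form). It is not the poster's configuration or OPNsense's own generated output. The interface names (em0/em1), the inner router address 192.168.0.254, the exact shape of the automatic rules and the rule ordering are assumptions; the addresses follow the topology in the post. It shows the "any" manual rule the poster had trouble with next to the version restricted to the routed subnet.

```pf
# Added example: pf.conf fragment modelling the hybrid outbound NAT setup in
# the thread. em0/em1, 192.168.0.254 and the automatic-rule shape are assumed.

wan_if     = "em0"              # 100.0.0.1/29
lan_if     = "em1"              # 192.168.0.0/24 is directly connected here
lan_net    = "192.168.0.0/24"
remote_net = "10.0.0.0/24"      # routed subnet behind the inner LAN router

# A static route is needed so OPNsense knows 10.0.0.0/24 lives behind the
# LAN router (System > Routes in the GUI). Shown for context only, as the
# equivalent shell command; the next-hop address is an assumption:
#   route add -net 10.0.0.0/24 192.168.0.254

# --- Port forward: 100.0.0.2:443 (virtual IP on WAN) -> 10.0.0.1:443 ---
# rdr happens before filtering, so the pass rule matches the translated
# destination. OPNsense adds this filter rule itself when you tick
# "add associated filter rule" on the port forward.
rdr on $wan_if proto tcp from any to 100.0.0.2 port 443 -> 10.0.0.1 port 443
pass in quick on $wan_if proto tcp from any to 10.0.0.1 port 443

# --- Case 1 in the post: manual rule with source "any" (disabled) ---
# "any" is far broader than the routed subnet it was meant to cover; the
# poster reports that this is what conflicted with the port forward above.
# nat on $wan_if from any to any -> ($wan_if) static-port

# --- Resolved form: manual rule scoped to the routed subnet only ---
nat on $wan_if from $remote_net to any -> ($wan_if) static-port

# --- Automatic outbound NAT for the directly connected LAN ---
# Approximate shape of what "automatic" generates: ISAKMP (udp/500) keeps
# its source port, everything else is rewritten into the high port range.
nat on $wan_if from $lan_net to any port 500 -> ($wan_if) static-port
nat on $wan_if from $lan_net to any -> ($wan_if) port 1024:65535
```

To actually see the automatic rules the poster asks about, run `pfctl -sn` from an OPNsense shell: it prints every nat and rdr rule currently loaded, in the order pf evaluates them, whether the GUI generated it automatically or you entered it by hand. `pfctl -ss | grep 10.0.0.1` lists the state entries for the forwarded connections, which is the quickest way to confirm whether return traffic is being translated back to 100.0.0.2 or rewritten to 100.0.0.1. The complete generated ruleset, comments included, is in /tmp/rules.debug.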