Dual Wan and Portforward only working on active WAN (double Nat?)

Started by fox-octi, October 25, 2021, 09:30:35 PM

Previous topic - Next topic
Print
Go Down Pages1
User actions
October 25, 2021, 09:30:35 PM Last Edit: October 26, 2021, 10:27:14 AM by fox-octi
External Ip WAN1 Router (Intern: 192.168.2.1) Forward Port 2222 -->OpnSense (192.168.2.139) Port 2222 --> Linux SSH 22

External Ip WAN2 Router (Intern: 192.168.9.1) Forward Port 2222 -->OpnSense (192.168.9.30) Port 2222 --> Linux SSH 22

If Wan1 is active, the forward is working only on Wan1.
If Wan1 is not active, but still alive, it working only on Wan2 which is active at this moment.

I'am really sure, that the configuration is fine, but it is still not working. Can someone help?

Attached you will find my configuration. Hopefully i changed anything, which is credentials and so on.

best regards

chris

October 26, 2021, 10:26:57 AM #1
Solution found:

Incomming Portforward Rule the packet have to be tagged. Aftwards you have to define a rule outgoing on the lan interface depends on the tag, on which gateway the reply should work.

Example:

    <rule>
      <protocol>tcp</protocol>
      <interface>wan</interface>
      <category/>
      <ipprotocol>inet</ipprotocol>
      <descr>SSHForwardGuido</descr>
      <tag>GUIDO</tag>
      <tagged/>
      <poolopts/>
      <associated-rule-id>pass</associated-rule-id>
      <log>1</log>
      <target>Gitlab</target>
      <local-port>22</local-port>
      <source>
        <address>ExterneKundenFesteIPs</address>
      </source>
      <destination>
        <network>wanip</network>
        <port>2222</port>
      </destination>
      <updated>
        <username>root@172.16.222.30</username>
        <time>1635226835.6125</time>
        <description>/firewall_nat_edit.php made changes</description>
      </updated>
      <created>
        <username>root@172.16.222.224</username>
        <time>1613770090.0138</time>
        <description>/firewall_nat_edit.php made changes</description>
      </created>
    </rule>
   
    <rule>
      <protocol>tcp</protocol>
      <interface>opt1</interface>
      <category/>
      <ipprotocol>inet</ipprotocol>
      <descr>SSHForwardRamon</descr>
      <tag>RAMON</tag>
      <tagged/>
      <poolopts/>
      <associated-rule-id>pass</associated-rule-id>
      <log>1</log>
      <target>Gitlab</target>
      <local-port>22</local-port>
      <source>
        <address>ExterneKundenFesteIPs</address>
      </source>
      <destination>
        <network>opt1ip</network>
        <port>2222</port>
      </destination>
      <updated>
        <username>root@172.16.222.30</username>
        <time>1635226643.7175</time>
        <description>/firewall_nat_edit.php made changes</description>
      </updated>
      <created>
        <username>root@172.16.222.30</username>
        <time>1624425142.575</time>
        <description>/firewall_nat_edit.php made changes</description>
      </created>
    </rule>

<rule>
      <type>pass</type>
      <interface>lan</interface>
      <ipprotocol>inet</ipprotocol>
      <tagged>RAMON</tagged>
      <statetype>keep state</statetype>
      <descr>RAMON-GW-Tagged-TCP-UDP-LAN</descr>
      <direction>out</direction>
      <reply-to>OPT1_DHCP</reply-to>
      <quick>1</quick>
      <protocol>tcp/udp</protocol>
      <source>
        <any>1</any>
      </source>
      <destination>
        <any>1</any>
      </destination>
      <updated>
        <username>root@172.16.222.30</username>
        <time>1635233677.4174</time>
        <description>/firewall_rules_edit.php made changes</description>
      </updated>
      <created>
        <username>root@172.16.222.52</username>
        <time>1615028745.5929</time>
        <description>/firewall_rules_edit.php made changes</description>
      </created>
    </rule>
    <rule>
      <type>pass</type>
      <interface>lan</interface>
      <ipprotocol>inet</ipprotocol>
      <tagged>GUIDO</tagged>
      <statetype>keep state</statetype>
      <descr>GUIDO-GW-Tagged-TCP-UDP-LAN</descr>
      <direction>out</direction>
      <reply-to>WAN_DHCP</reply-to>
      <quick>1</quick>
      <protocol>tcp/udp</protocol>
      <source>
        <any>1</any>
      </source>
      <destination>
        <any>1</any>
      </destination>
      <updated>
        <username>root@172.16.222.30</username>
        <time>1635233713.586</time>
        <description>/firewall_rules_edit.php made changes</description>
      </updated>
      <created>
        <username>root@172.16.222.30</username>
        <time>1635232485.8618</time>
        <description>/firewall_rules_edit.php made changes</description>
      </created>
    </rule>
   
November 08, 2021, 09:42:13 AM #2
Hi, I have the same issue.
Do I have to make the changes on CLI? Or to edit a backup and restore?
Where did you found that solution?
Thank you for your anser.
Best regards
Ralf
December 28, 2021, 04:15:30 PM #3
Hi,

the solution was found by testing :)
No Changes by the cli, and no restore was needed.

best regards

Chris
December 28, 2021, 06:01:20 PM #4
Hi Chris,
thank you for your answer, but I still don't know how and where I can configure this.
:(
Ralf
December 30, 2021, 08:33:26 AM #5
Thank you Chris for your support.
I think, we found the solution.
I will perform some tests and publish the results - next year ;)
Cheers
Ralf
Print
Go Up Pages1
User actions