Dual Wan and Portforward only working on active WAN (double Nat?)

Started by fox-octi, October 25, 2021, 09:30:35 PM

External Ip WAN1 Router (Intern: 192.168.2.1) Forward Port 2222 -->OpnSense (192.168.2.139) Port 2222 --> Linux SSH 22

External Ip WAN2 Router (Intern: 192.168.9.1) Forward Port 2222 -->OpnSense (192.168.9.30) Port 2222 --> Linux SSH 22

If WAN1 is active, the forward is working only on WAN1.
If WAN1 is not active, but still alive, it is working only on WAN2, which is active at this moment.

I'm really sure that the configuration is fine, but it is still not working. Can someone help?

Attached you will find my configuration. Hopefully I changed everything that is credentials and so on.

best regards

chris


Solution found:

In the incoming port forward rule the packet has to be tagged. Afterwards you have to define an outgoing rule on the LAN interface that, depending on the tag, sets the gateway on which the reply should go.

Example:

    <rule>
      <protocol>tcp</protocol>
      <interface>wan</interface>
      <category/>
      <ipprotocol>inet</ipprotocol>
      <descr>SSHForwardGuido</descr>
      <tag>GUIDO</tag>
      <tagged/>
      <poolopts/>
      <associated-rule-id>pass</associated-rule-id>
      <log>1</log>
      <target>Gitlab</target>
      <local-port>22</local-port>
      <source>
        <address>ExterneKundenFesteIPs</address>
      </source>
      <destination>
        <network>wanip</network>
        <port>2222</port>
      </destination>
      <updated>
        <username>root@172.16.222.30</username>
        <time>1635226835.6125</time>
        <description>/firewall_nat_edit.php made changes</description>
      </updated>
      <created>
        <username>root@172.16.222.224</username>
        <time>1613770090.0138</time>
        <description>/firewall_nat_edit.php made changes</description>
      </created>
    </rule>
   
    <rule>
      <protocol>tcp</protocol>
      <interface>opt1</interface>
      <category/>
      <ipprotocol>inet</ipprotocol>
      <descr>SSHForwardRamon</descr>
      <tag>RAMON</tag>
      <tagged/>
      <poolopts/>
      <associated-rule-id>pass</associated-rule-id>
      <log>1</log>
      <target>Gitlab</target>
      <local-port>22</local-port>
      <source>
        <address>ExterneKundenFesteIPs</address>
      </source>
      <destination>
        <network>opt1ip</network>
        <port>2222</port>
      </destination>
      <updated>
        <username>root@172.16.222.30</username>
        <time>1635226643.7175</time>
        <description>/firewall_nat_edit.php made changes</description>
      </updated>
      <created>
        <username>root@172.16.222.30</username>
        <time>1624425142.575</time>
        <description>/firewall_nat_edit.php made changes</description>
      </created>
    </rule>

    <rule>
      <type>pass</type>
      <interface>lan</interface>
      <ipprotocol>inet</ipprotocol>
      <tagged>RAMON</tagged>
      <statetype>keep state</statetype>
      <descr>RAMON-GW-Tagged-TCP-UDP-LAN</descr>
      <direction>out</direction>
      <reply-to>OPT1_DHCP</reply-to>
      <quick>1</quick>
      <protocol>tcp/udp</protocol>
      <source>
        <any>1</any>
      </source>
      <destination>
        <any>1</any>
      </destination>
      <updated>
        <username>root@172.16.222.30</username>
        <time>1635233677.4174</time>
        <description>/firewall_rules_edit.php made changes</description>
      </updated>
      <created>
        <username>root@172.16.222.52</username>
        <time>1615028745.5929</time>
        <description>/firewall_rules_edit.php made changes</description>
      </created>
    </rule>
    <rule>
      <type>pass</type>
      <interface>lan</interface>
      <ipprotocol>inet</ipprotocol>
      <tagged>GUIDO</tagged>
      <statetype>keep state</statetype>
      <descr>GUIDO-GW-Tagged-TCP-UDP-LAN</descr>
      <direction>out</direction>
      <reply-to>WAN_DHCP</reply-to>
      <quick>1</quick>
      <protocol>tcp/udp</protocol>
      <source>
        <any>1</any>
      </source>
      <destination>
        <any>1</any>
      </destination>
      <updated>
        <username>root@172.16.222.30</username>
        <time>1635233713.586</time>
        <description>/firewall_rules_edit.php made changes</description>
      </updated>
      <created>
        <username>root@172.16.222.30</username>
        <time>1635232485.8618</time>
        <description>/firewall_rules_edit.php made changes</description>
      </created>
    </rule>
   
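As an added check (not part of Chris's post or any OPNsense tool), the following Python script parses the `<nat>` and `<filter>` sections of a config export like the one above and reports every port forward whose tag has no matching LAN "out" rule, or whose matching rule's `reply-to` points at the wrong gateway. The interface-to-gateway mapping (wan to WAN_DHCP, opt1 to OPT1_DHCP), the `<nat>`/`<filter>` layout, and the embedded sample config are assumptions constructed from the rules quoted in this thread.

```python
"""Check that every tagged OPNsense port forward has a LAN 'out' rule whose
reply-to sends replies back through the gateway of the WAN it arrived on."""
import xml.etree.ElementTree as ET

# Assumption: gateway each WAN interface's replies must leave through.
# Names follow the forum post; adjust for your own setup.
IFACE_GATEWAY = {"wan": "WAN_DHCP", "opt1": "OPT1_DHCP"}

# Constructed sample: two tagged forwards, one forgotten (untagged) forward,
# and LAN-out rules where the RAMON rule points at the wrong gateway.
SAMPLE_CONFIG = """<opnsense><nat>
  <rule><interface>wan</interface><tag>GUIDO</tag><descr>SSHForwardGuido</descr></rule>
  <rule><interface>opt1</interface><tag>RAMON</tag><descr>SSHForwardRamon</descr></rule>
  <rule><interface>opt1</interface><tag/><descr>UntaggedForward</descr></rule>
</nat><filter>
  <rule><interface>lan</interface><direction>out</direction><tagged>GUIDO</tagged>
        <reply-to>WAN_DHCP</reply-to></rule>
  <rule><interface>lan</interface><direction>out</direction><tagged>RAMON</tagged>
        <reply-to>WAN_DHCP</reply-to></rule>
</filter></opnsense>"""


def text(elem, name):
    """Stripped text of a child element, or '' if it is absent or empty (<tag/>)."""
    child = elem.find(name)
    return (child.text or "").strip() if child is not None else ""


def check_reply_to(config_xml, iface_gateway=IFACE_GATEWAY):
    """Return a list of findings; an empty list means every forward is covered."""
    root = ET.fromstring(config_xml)
    # Index LAN 'out' rules by the tag they match on -> the reply-to gateway.
    lan_out = {}
    for r in root.iterfind("./filter/rule"):
        if text(r, "interface") == "lan" and text(r, "direction") == "out" and text(r, "tagged"):
            lan_out[text(r, "tagged")] = text(r, "reply-to")
    findings = []
    for r in root.iterfind("./nat/rule"):
        iface, tag, descr = text(r, "interface"), text(r, "tag"), text(r, "descr")
        want = iface_gateway.get(iface)
        if not tag:
            findings.append(f"{descr}: forward on {iface} sets no tag")
        elif tag not in lan_out:
            findings.append(f"{descr}: no LAN out rule matches tag {tag}")
        elif lan_out[tag] != want:
            findings.append(f"{descr}: tag {tag} replies via {lan_out[tag]!r}, expected {want!r}")
    return findings


if __name__ == "__main__":
    for line in check_reply_to(SAMPLE_CONFIG) or ["all forwards have a correct reply-to rule"]:
        print(line)
```

Run it against a real `config.xml` backup by passing the file contents to `check_reply_to`; a forward that only works on the active WAN typically shows up as a missing tag or a wrong `reply-to`.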

Hi, I have the same issue.
Do I have to make the changes on the CLI? Or edit a backup and restore it?
Where did you find that solution?
Thank you for your answer.
Best regards
Ralf

Hi,

the solution was found by testing :)
No changes via the CLI, and no restore was needed.

best regards

Chris

Hi Chris,
thank you for your answer, but I still don't know how and where I can configure this.
:(
Ralf

Thank you Chris for your support.
I think we found the solution.
I will perform some tests and publish the results - next year ;)
Cheers
Ralf