Topic: Dual Wan and Portforward only working on active WAN (double Nat?) (Read 6364 times)
fox-octi
Newbie
Posts: 29
Karma: 0
Dual Wan and Portforward only working on active WAN (double Nat?)
on: October 25, 2021, 09:30:35 pm
External IP WAN1 Router (internal: 192.168.2.1) Forward Port 2222 --> OPNsense (192.168.2.139) Port 2222 --> Linux SSH 22
External IP WAN2 Router (internal: 192.168.9.1) Forward Port 2222 --> OPNsense (192.168.9.30) Port 2222 --> Linux SSH 22
If WAN1 is active, the forward is working only on WAN1.
If WAN1 is not active, but still alive, it is working only on WAN2, which is active at that moment.
I'm really sure that the configuration is fine, but it is still not working. Can someone help?
Attached you will find my configuration. Hopefully I changed everything that is credentials and so on.
best regards
chris
Last Edit: October 26, 2021, 10:27:14 am by fox-octi
Logged
fox-octi
Newbie
Posts: 29
Karma: 0
Re: Dual Wan and Portforward only working on active WAN (double Nat?)
Reply #1 on: October 26, 2021, 10:26:57 am
Solution found:
In the incoming port forward rule the packet has to be tagged. Afterwards you have to define an outgoing rule on the LAN interface that, depending on the tag, decides on which gateway the reply should work.
Example:
<rule>
  <protocol>tcp</protocol>
  <interface>wan</interface>
  <category/>
  <ipprotocol>inet</ipprotocol>
  <descr>SSHForwardGuido</descr>
  <tag>GUIDO</tag>
  <tagged/>
  <poolopts/>
  <associated-rule-id>pass</associated-rule-id>
  <log>1</log>
  <target>Gitlab</target>
  <local-port>22</local-port>
  <source>
    <address>ExterneKundenFesteIPs</address>
  </source>
  <destination>
    <network>wanip</network>
    <port>2222</port>
  </destination>
  <updated>
    <username>root@172.16.222.30</username>
    <time>1635226835.6125</time>
    <description>/firewall_nat_edit.php made changes</description>
  </updated>
  <created>
    <username>root@172.16.222.224</username>
    <time>1613770090.0138</time>
    <description>/firewall_nat_edit.php made changes</description>
  </created>
</rule>
<rule>
  <protocol>tcp</protocol>
  <interface>opt1</interface>
  <category/>
  <ipprotocol>inet</ipprotocol>
  <descr>SSHForwardRamon</descr>
  <tag>RAMON</tag>
  <tagged/>
  <poolopts/>
  <associated-rule-id>pass</associated-rule-id>
  <log>1</log>
  <target>Gitlab</target>
  <local-port>22</local-port>
  <source>
    <address>ExterneKundenFesteIPs</address>
  </source>
  <destination>
    <network>opt1ip</network>
    <port>2222</port>
  </destination>
  <updated>
    <username>root@172.16.222.30</username>
    <time>1635226643.7175</time>
    <description>/firewall_nat_edit.php made changes</description>
  </updated>
  <created>
    <username>root@172.16.222.30</username>
    <time>1624425142.575</time>
    <description>/firewall_nat_edit.php made changes</description>
  </created>
</rule>
<rule>
  <type>pass</type>
  <interface>lan</interface>
  <ipprotocol>inet</ipprotocol>
  <tagged>RAMON</tagged>
  <statetype>keep state</statetype>
  <descr>RAMON-GW-Tagged-TCP-UDP-LAN</descr>
  <direction>out</direction>
  <reply-to>OPT1_DHCP</reply-to>
  <quick>1</quick>
  <protocol>tcp/udp</protocol>
  <source>
    <any>1</any>
  </source>
  <destination>
    <any>1</any>
  </destination>
  <updated>
    <username>root@172.16.222.30</username>
    <time>1635233677.4174</time>
    <description>/firewall_rules_edit.php made changes</description>
  </updated>
  <created>
    <username>root@172.16.222.52</username>
    <time>1615028745.5929</time>
    <description>/firewall_rules_edit.php made changes</description>
  </created>
</rule>
<rule>
  <type>pass</type>
  <interface>lan</interface>
  <ipprotocol>inet</ipprotocol>
  <tagged>GUIDO</tagged>
  <statetype>keep state</statetype>
  <descr>GUIDO-GW-Tagged-TCP-UDP-LAN</descr>
  <direction>out</direction>
  <reply-to>WAN_DHCP</reply-to>
  <quick>1</quick>
  <protocol>tcp/udp</protocol>
  <source>
    <any>1</any>
  </source>
  <destination>
    <any>1</any>
  </destination>
  <updated>
    <username>root@172.16.222.30</username>
    <time>1635233713.586</time>
    <description>/firewall_rules_edit.php made changes</description>
  </updated>
  <created>
    <username>root@172.16.222.30</username>
    <time>1635232485.8618</time>
    <description>/firewall_rules_edit.php made changes</description>
  </created>
</rule>
Logged
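The pattern in the post above only works if the two halves line up: every port forward that sets a Tag must have a LAN "out" pass rule whose Tagged field equals that tag and whose reply-to names the gateway of the WAN interface the forward arrived on. If one half is missing, or the reply-to points at the other WAN's gateway, replies to the SSH session leave through the wrong uplink and the forward appears to work only on the currently active WAN. The check below is an added example written for this page, not OPNsense code and not from the poster. It parses a config.xml-style fragment (constructed inline, modelled on the rules above) and reports mismatches; the interface-to-gateway mapping (wan -> WAN_DHCP, opt1 -> OPT1_DHCP) is an assumption taken from the values in the post and would be read from the real config's gateway section in practice.

```python
"""Consistency check for the Tag / Tagged + reply-to dual-WAN port-forward pattern.

Added example (not OPNsense code): verify that each tagged NAT port-forward has a
matching LAN 'out' pass rule that carries the same tag and a reply-to for the
gateway of the interface the forward was received on.
"""
import xml.etree.ElementTree as ET

# Constructed sample modelled on the rules in the post: one forward per WAN plus
# the two LAN out rules that steer the replies back to the right gateway.
SAMPLE_CONFIG = """<opnsense>
<nat>
  <rule><protocol>tcp</protocol><interface>wan</interface><tag>GUIDO</tag><tagged/>
    <target>Gitlab</target><local-port>22</local-port>
    <destination><network>wanip</network><port>2222</port></destination></rule>
  <rule><protocol>tcp</protocol><interface>opt1</interface><tag>RAMON</tag><tagged/>
    <target>Gitlab</target><local-port>22</local-port>
    <destination><network>opt1ip</network><port>2222</port></destination></rule>
</nat>
<filter>
  <rule><type>pass</type><interface>lan</interface><tagged>RAMON</tagged>
    <direction>out</direction><reply-to>OPT1_DHCP</reply-to><quick>1</quick></rule>
  <rule><type>pass</type><interface>lan</interface><tagged>GUIDO</tagged>
    <direction>out</direction><reply-to>WAN_DHCP</reply-to><quick>1</quick></rule>
</filter>
</opnsense>"""

# Assumed mapping of WAN-side interface name to its gateway name (values from the post).
IFACE_GATEWAY = {"wan": "WAN_DHCP", "opt1": "OPT1_DHCP"}


def text(elem, name):
    """Return the stripped text of child <name>, or '' if absent or empty (e.g. <tagged/>)."""
    child = elem.find(name)
    return (child.text or "").strip() if child is not None else ""


def check_tagged_forwards(config_xml, iface_gateway):
    """Return (ok, problems).

    ok       : dict tag -> reply-to gateway for forwards that are wired up correctly
    problems : list of human-readable findings for forwards that are not
    """
    root = ET.fromstring(config_xml)

    # Collect LAN 'out' pass rules that match on a tag: tag -> reply-to gateway.
    out_rules = {}
    for r in root.iterfind("./filter/rule"):
        if (text(r, "type") == "pass" and text(r, "interface") == "lan"
                and text(r, "direction") == "out" and text(r, "tagged")):
            out_rules[text(r, "tagged")] = text(r, "reply-to")

    ok, problems = {}, []
    for r in root.iterfind("./nat/rule"):
        tag, iface = text(r, "tag"), text(r, "interface")
        if not tag:
            problems.append(f"forward on {iface} to local port {text(r, 'local-port')} sets no <tag>")
            continue
        expected = iface_gateway.get(iface)
        actual = out_rules.get(tag)
        if actual is None:
            problems.append(f"tag {tag}: no LAN out pass rule with <tagged>{tag}</tagged>")
        elif actual != expected:
            problems.append(f"tag {tag}: LAN out rule has reply-to {actual!r}, expected {expected!r} for {iface}")
        else:
            ok[tag] = actual
    return ok, problems


if __name__ == "__main__":
    good, bad = check_tagged_forwards(SAMPLE_CONFIG, IFACE_GATEWAY)
    print("ok:", good)
    for p in bad:
        print("problem:", p)
```

Run it against a config where the RAMON out rule mistakenly uses WAN_DHCP as reply-to and the check names that rule; run it against the post's layout and both tags come back clean. The same three fields (tag on the NAT rule, tagged and reply-to on the LAN out rule) are what to inspect in the GUI under Firewall: NAT: Port Forward and Firewall: Rules: LAN.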
RalfOE
Newbie
Posts: 30
Karma: 2
Re: Dual Wan and Portforward only working on active WAN (double Nat?)
Reply #2 on: November 08, 2021, 09:42:13 am
Hi, I have the same issue.
Do I have to make the changes on the CLI? Or edit a backup and restore it?
Where did you find that solution?
Thank you for your answer.
Best regards
Ralf
Logged
fox-octi
Newbie
Posts: 29
Karma: 0
Re: Dual Wan and Portforward only working on active WAN (double Nat?)
Reply #3 on: December 28, 2021, 04:15:30 pm
Hi,
the solution was found by testing.
No changes via the CLI, and no restore was needed.
best regards
Chris
Logged
RalfOE
Newbie
Posts: 30
Karma: 2
Re: Dual Wan and Portforward only working on active WAN (double Nat?)
Reply #4 on: December 28, 2021, 06:01:20 pm
Hi Chris,
thank you for your answer, but I still don't know how and where I can configure this.
Ralf
Logged
RalfOE
Newbie
Posts: 30
Karma: 2
Re: Dual Wan and Portforward only working on active WAN (double Nat?)
Reply #5 on: December 30, 2021, 08:33:26 am
Thank you Chris for your support.
I think, we found the solution.
I will perform some tests and publish the results next year.
Cheers
Ralf
Logged