Problems with Outbound NAT

[Layer8]

Hi all,

we have a network configuration like shown in the attached picture.

Our problem is, that NAT is not working on the WAN Interface on OPNSENSE WAN and we dont know why.

We can ping to 8.8.8.8 from OPNSENSE WAN (because the SRC address of the packet which arrives at the ISP router is 10.90.0.3).
But we cant ping to 8.8.8.8 from OPNSESE CORE (because the SRC address which arrives at the IPS router is 10.90.2.1, but should also be 10.90.0.3).

The picture of the packet capture is from the WAN Interface of OPNSENSE WAN.

As far as we know, NAT is activated on the default [WAN] Interface in a default setup. So the WAN interface should NAT out of the box. If we take a look at the Firewall - NAT - Outbound NAT configuration on the OPNSENSE WAN, everything looks fine.

Any ideas why?


OPNSENSE WAN is a fresh installation.

[Layer8]

We found the reason for this behavior.

It is necessary to add additional outbound NAT rule. The reason for this is, that OPNsense will only do NAT for all Interfaces and their assigned IP-Networks which are locally available as an Interface.

On our OPNSENSE WAN, we only have a hand full of interfaces / IP-subnets. On our OPNSENSE CORE, we have a lot of interfaces. The default Outbound NAT rule only includes the hand full of local interfaces by default.

If you want to NAT from any IP-Subnet in you LAN which is attached on a remote LAN-Router, you have to switch from Outbound from Automatic to Hybrid Mode and add a manual rule which allows NAT for any or specific list of networks. In our case, we have created an alias for private v4 IPs and added this to our manual outbound NAT rule.

I am not sure if this is industry standard / best practice to handle it like this in a default setup, but we have assumed that a router or firewall would NAT every internal network by default, not only these kind of networks which are assigned to an interface. Now we know it better.

[nzkiwi68]

That behavior is normal.

In a more complex setup like you are running, you would be expected to run NAT hybrid or NAT manual and write your own NAT rules.

If you have routes pointing back to internal subnet via a LAN or other internal interface connection to a layer 3 switch or another router and you want these to access the internet, then these all need a NAT rule too.

I never just have a blanket NAT rule, I always write a specific subnet NAT rule out.

That's normal for all sorts of firewall products I have worked with.