Topic: Interesting "leak phenomina" when setting GW for a LAN IP for "out" (Read 1000 times)
fbeye, Full Member (Posts: 144, Karma: 1)
Interesting "leak phenomena" when setting GW for a LAN IP for "out"
« on: July 11, 2023, 07:03:53 pm »
I found an issue that concerns me, but maybe it is normal behavior that I am unaware of. I will explain it as best I can.
WAN IP: x.x.x.182
Network: 192.168.5.0
Block of static WAN IPs [x.x.x.177 - x.x.x.182]
I have a static NAT x.x.x.181 to 192.168.5.181. Remotely, when I connect to it, all works fine; I get redirected to the correct LAN IP using the correct WAN IP. Perfect. On 192.168.5.181 I have Docker and run qbittorrent-vpn. It connects fine, all is perfect, and I verify my VPN IP is correct. But on 192.168.5.181, when I do 'whatsmyip', I get x.x.x.182. So incoming is fine, but outgoing resolves to the FW IP. Makes sense... So I make a rule for 192.168.5.181 to use GW x.x.x.181. I do 'whatsmyip' and awesome, it shows x.x.x.181 as my WAN IP.
Now, the VPN Docker is aside from this. 192.168.5.181 as a whole is not on the VPN, simply that Docker, so I SHOULD see x.x.x.181, not the VPN IP or x.x.x.182.
But now that I made the LAN out rule and check my qbittorrent-vpn, it shows BOTH the VPN IP and the x.x.x.181 IP as seeds/leech!!!! Somehow, by making a rule for the LAN IP to go out on its correct WAN IP, I have it open both my VPN and WAN IP as connections. How is this possible? If qbit is running through the VPN, how could it possibly know about my real WAN IP?
Patrick M. Hausen, Hero Member (Posts: 6844, Karma: 575)
Re: Interesting "leak phenomena" when setting GW for a LAN IP for "out"
« Reply #1 on: July 11, 2023, 07:50:54 pm »
Don't use a GW but an outbound NAT rule to make inbound and outbound match.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do.
(Isaac Asimov)
fbeye, Full Member (Posts: 144, Karma: 1)
Re: Interesting "leak phenomena" when setting GW for a LAN IP for "out"
« Reply #2 on: July 11, 2023, 10:29:32 pm »
Hello, I got rid of the GW setup.
I was wondering, though: theoretically, should outgoing also use the same as incoming [without any outgoing rule] when 1:1 NAT is set up, or will outgoing always default to the FW GW, so there will always need to be an outgoing NAT rule if I need the LAN IP to have the correct WAN IP?
Patrick M. Hausen, Hero Member (Posts: 6844, Karma: 575)
Re: Interesting "leak phenomena" when setting GW for a LAN IP for "out"
« Reply #3 on: July 11, 2023, 10:30:51 pm »
You always need an explicit outgoing NAT rule. The outgoing NAT does not care about any inbound rules and vice versa.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do.
(Isaac Asimov)
fbeye, Full Member (Posts: 144, Karma: 1)
Re: Interesting "leak phenomena" when setting GW for a LAN IP for "out"
« Reply #4 on: July 11, 2023, 10:37:09 pm »
Very interesting. I always ignorantly thought that to be the case. Thank you.
I wonder if my DNS or something has not updated, because I #1 deleted the LAN rules you mentioned but #2 have yet to do the outbound NAT rule, and my 192.168.5.181 still resolves to its correct WAN x.x.x.181. I assume this should not be, because, as you say, outbound cares not about inbound. It has to be cached or something.
fbeye, Full Member (Posts: 144, Karma: 1)
Re: Interesting "leak phenomena" when setting GW for a LAN IP for "out"
« Reply #5 on: July 12, 2023, 03:47:25 am »
Well, I am clearly doing something wrong.
Am I correct in thinking that I do not mind letting everything I do on 192.168.5.180 use the VPN for its WAN address, but I can create an OUTBOUND NAT for port 587 [email submission] that will bypass the VPN and use the correct WAN x.x.x.180?
So there is better understanding:
Interfaces: Virtual IPs: Settings: x.x.x.181/24 WAN IP Alias
Firewall: NAT: One-to-One: WAN x.x.x.181 192.168.5.181 *
With those 2 alone, my 192.168.5.181 works fine as it should. With the VPN OFF it has incoming and outgoing on x.x.x.181. When I establish the VPN, incoming works fine, outgoing does not, as it is clearly on the VPN IP, so what I did was:
Firewall: NAT: Outbound:
Interface WAN
TCP/IP Version IPv4
Protocol TCP (tried any as well)
Source address - 192.168.5.181
Translation/target - x.x.x.181
When monitoring the mail log, it keeps getting connection refused.
« Last Edit: July 12, 2023, 04:27:13 am by fbeye »
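Reply #3 states that outbound NAT is decided on its own, without consulting inbound rules, and the last post binds its outbound rule to the WAN interface. The following Python model is an added illustration of that evaluation order, not code from the thread or from OPNsense: it applies outbound NAT the way pf does, on the interface the packet actually leaves through, first matching rule wins, and no match means no translation. The interface labels "wan" and "ovpnc1", the automatic LAN rule standing in for what hybrid outbound NAT appends after the manual rules, and the x.x.x placeholder addresses are all constructed to mirror the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class OutboundNatRule:
    """One Firewall: NAT: Outbound rule (constructed model, not OPNsense code)."""
    interface: str                   # egress interface the rule is bound to, e.g. "wan"
    source: str                      # source host or network in CIDR form
    translation: str                 # address the packet's source is rewritten to
    proto: str = "any"               # "tcp", "udp" or "any"
    dst_port: Optional[int] = None   # None matches every destination port

    def matches(self, egress_if: str, src_ip: str, proto: str, dst_port: int) -> bool:
        return (self.interface == egress_if
                and ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.source, strict=False)
                and self.proto in ("any", proto)
                and self.dst_port in (None, dst_port))


def egress_source(rules, egress_if, src_ip, proto="tcp", dst_port=443):
    """Source address a packet carries when it leaves egress_if.

    Outbound NAT is evaluated on the interface the packet leaves through,
    first matching rule wins, and a packet that matches no rule keeps its
    original source. Inbound 1:1 and port-forward rules are never consulted,
    which is the point made in reply #3.
    """
    for rule in rules:
        if rule.matches(egress_if, src_ip, proto, dst_port):
            return rule.translation
    return src_ip


# Constructed ruleset using the thread's placeholder addresses.
# AUTO_LAN stands in for the automatic "LAN net -> WAN address" rule that
# hybrid outbound NAT places after the manual rules (modelled, not read from OPNsense).
AUTO_LAN = OutboundNatRule("wan", "192.168.5.0/24", "x.x.x.182")
MANUAL_ALL = OutboundNatRule("wan", "192.168.5.181/32", "x.x.x.181")
MANUAL_587 = OutboundNatRule("wan", "192.168.5.181/32", "x.x.x.181", "tcp", 587)

if __name__ == "__main__":
    host = "192.168.5.181"
    print("auto rule only        :", egress_source([AUTO_LAN], "wan", host))
    print("manual rule added     :", egress_source([MANUAL_ALL, AUTO_LAN], "wan", host))
    print("same, egress via VPN  :", egress_source([MANUAL_ALL, AUTO_LAN], "ovpnc1", host))
    print("587-only rule, to :587:", egress_source([MANUAL_587, AUTO_LAN], "wan", host, "tcp", 587))
    print("587-only rule, to :443:", egress_source([MANUAL_587, AUTO_LAN], "wan", host, "tcp", 443))
```

The third case shows why a rule bound to WAN has no effect on packets that the routing decision has already sent into the VPN tunnel: the WAN rules are simply never evaluated for that egress interface.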