Topic: NAT exposing private addresses on WAN (Read 1504 times)
bakerjw
Newbie
Posts: 5
Karma: 0
NAT exposing private addresses on WAN
« on: August 29, 2023, 04:02:46 pm »
We have a fairly complex routed test network and are attempting to use opnsense to provide a NAT connection to a production network. I have simplified our implementation as much as possible.
We have a subnet for management purposes - 192.168.255.0/24 gateway 192.168.255.1
We are attempting to NAT to network 123.123.123.0/24
Our opnsense server interfaces are:
LAN 192.168.255.25/24 gateway 192.168.255.1
WAN 123.123.123.27/24 gateway 123.123.123.1
For testing, I have...
A system on the 192.168.255.0/24 subnet at 192.168.255.22/24 gateway 192.168.255.1.
A system on the production network 123.123.123.237/24 gateway 123.123.123.1
Using the VM at 192.168.255.22, I ping 123.123.123.237.
On 123.123.123.237, Wireshark shows ICMP traffic coming from 192.168.255.22.
I am not sure why opnsense is not natting the address. I am using the automatic rules.
I am sure this is something simple that I overlooked.
Guidance?
Thanks
Patrick M. Hausen
Hero Member
Posts: 6839
Karma: 574
Re: NAT exposing private addresses on WAN
« Reply #1 on: August 29, 2023, 04:09:11 pm »
Automatic rules only NAT the directly connected networks. Everything internal that is reached via some router needs a manual NAT rule. You can switch the NAT mode to "hybrid" for that to keep the automatic rules. I prefer full manual. Your choice.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do.
(Isaac Asimov)
Saarbremer
Sr. Member
Posts: 353
Karma: 14
Re: NAT exposing private addresses on WAN
« Reply #2 on: August 29, 2023, 04:20:37 pm »
I don't get it. You use OPNsense to connect to networks but their default route is via .1 - a different router. So what is OPNsense's job here?
bakerjw
Newbie
Posts: 5
Karma: 0
Re: NAT exposing private addresses on WAN
« Reply #3 on: August 29, 2023, 04:47:44 pm »
Our test network is isolated from all other networks and only contains private IP address subnets.
Every subnet gateway ends with .1 as this is the router interface defined for each of them.
Our router has a static route to direct destination IPs of 123.123.123.0/24 to the opnsense LAN interface.
Certain devices running on our test subnets require access to a single production public subnet.
e.g. 192.168.255.0/24 --> NAT --> 123.123.123.0/24
Stripping it down as simply as possible. Consider 1 single subnet.
opnsense is at 192.168.255.25/24
A test VM is at 192.168.255.22/24 and has a gateway of 192.168.255.25 (opnsense LAN interface)
The test VM sends a ping to 123.123.123.237
123.123.123.237 observes an ICMP packet coming from 192.168.255.22 on the 123.123.123.0 subnet.
The IP address of the test VM should be natted and should have the WAN interface IP.
Saarbremer
Sr. Member
Posts: 353
Karma: 14
Re: NAT exposing private addresses on WAN
« Reply #4 on: August 29, 2023, 04:59:04 pm »
Two Qs:
* What is your outbound NAT configuration from the firewall in OPNsense? Especially regarding the mode and the NAT rules.
* You made sure that the packet filter is running and firewalling works as expected?
bakerjw
Newbie
Posts: 5
Karma: 0
Re: NAT exposing private addresses on WAN
« Reply #5 on: August 29, 2023, 05:50:08 pm »
The Firewall | NAT | Outbound rules were automatically created.
Automatic rules
Interface | Source Networks | Source Port | Destination | Destination Port | NAT Address | NAT Port | Static Port | Description
LAN | Loopback networks, 127.0.0.0/8 | * | * | 500 | LAN | * | YES | Auto created rule for ISAKMP
LAN | Loopback networks, 127.0.0.0/8 | * | * | * | LAN | * | NO | Auto created rule
WAN | Loopback networks, 127.0.0.0/8 | * | * | 500 | WAN | * | YES | Auto created rule for ISAKMP
WAN | Loopback networks, 127.0.0.0/8 | * | * | * | WAN | * | NO | Auto created rule
I am going to have to plead ignorance on whether the packet filtering is running or not.
Saarbremer
Sr. Member
Posts: 353
Karma: 14
Re: NAT exposing private addresses on WAN
« Reply #6 on: August 29, 2023, 06:35:57 pm »
In the firewall settings you can disable packet filtering globally. But I guess that's not the case here.
But your NAT rules look incorrect.
They apply to loopback networks only. You may want to define your NAT rules manually according to your network settings.
The target interface is the interface where outgoing traffic needs to be NAT'ted. That is usually the WAN interface. NAT on LAN is not required - unless you explicitly need it. But in your case, I guess WAN is sufficient. Make sure all affected network ranges are indicated.
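An added example, not part of any post above and not OPNsense code: a simplified first-match model of outbound NAT source matching, applied to the WAN rows of the rule table posted in reply #5. It shows why 192.168.255.22 reaches the WAN untranslated and how to audit which internal subnets still lack a covering rule. The manual rule, the 10.20.30.0/24 subnet and all function names are constructed assumptions.

```python
import ipaddress

# Outbound NAT rules as (interface, source network, translated address).
# AUTOMATIC_RULES mirrors the WAN rows posted in reply #5 ("WAN" address is
# 123.123.123.27 per the first post). MANUAL_RULE is an assumed manual rule.
AUTOMATIC_RULES = [("WAN", "127.0.0.0/8", "123.123.123.27")]
MANUAL_RULE = ("WAN", "192.168.255.0/24", "123.123.123.27")


def source_on_wire(src_ip, out_iface, rules):
    """Return the source address a packet carries after leaving out_iface.

    The first matching rule wins; with no match the packet leaves with its
    original (private) source address, which is what Wireshark showed.
    """
    src = ipaddress.ip_address(src_ip)
    for iface, network, nat_addr in rules:
        if iface == out_iface and src in ipaddress.ip_network(network):
            return nat_addr
    return src_ip


def uncovered_private_sources(subnets, out_iface, rules):
    """List private subnets that no rule on out_iface fully covers."""
    leaks = []
    for subnet in subnets:
        net = ipaddress.ip_network(subnet)
        covered = any(
            iface == out_iface and net.subnet_of(ipaddress.ip_network(rule_net))
            for iface, rule_net, _ in rules
        )
        if net.is_private and not covered:
            leaks.append(subnet)
    return leaks


if __name__ == "__main__":
    # 10.20.30.0/24 is a constructed stand-in for another routed test subnet.
    internal = ["192.168.255.0/24", "10.20.30.0/24"]
    print(source_on_wire("192.168.255.22", "WAN", AUTOMATIC_RULES))
    print(source_on_wire("192.168.255.22", "WAN", AUTOMATIC_RULES + [MANUAL_RULE]))
    print(uncovered_private_sources(internal, "WAN", AUTOMATIC_RULES + [MANUAL_RULE]))
```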