SNAT + DNAT on Multiple WAN

Started by atb79, January 05, 2025, 10:38:28 AM

Hi All,

We are an active business license user. We can't seem to find where to open a ticket to get support, so I'm posting here for the benefit of others.

We have been slowly migrating from Astaro/SophosUTM to OPNsense now and so far, are happy with the results, for the most part this is a nice platform and quite stable.

We have a firm requirement to be able to use opnsense as a "jump host" for certain services (ports) and send them to other servers on the net. (reference: Pub_3bb and Pub_ais are both public interfaces)

I understand that this might seem strange to some, but it's quite normal for us. The use cases for this are for businesses, and I've included a screenshot of how simple this setup was/is in Astaro.

Below, we have been trying to get the same results but without a stable result. We have been partially successful in that we initially got the setup to work for a few hours, but then after some time, it failed to work and will not come back.

Suspicions lie in our multi-wan (3 connections), and perhaps we don't fully understand some of the options available for SNAT/DNAT. Personally, I can easily understand DNAT, but SNAT confuses me.

We need some guidance in getting this setup to work 100% reliably so we can complete some more of our migrations.

Any assistance is greatly appreciated, and I would kindly ask you to skip asking "why" we need this. Think of some old clients on shared low-speed international lines who have high-speed local access and need fast international remote access but aren't able to pay for it.

5 second setup on Astaro:

Settings here indicate incoming traffic on Pub_3bb address will go back out on the same address.

OPNsense DNAT

NAT Reflection is set to DEFAULT.

OPNsense SNAT

Some more of the advanced settings:
Any help in getting this working for us would greatly be appreciated, we are willing to open a support ticket if required, just need a bit of help locating where to do that.


Quote from: atb79 on January 05, 2025, 10:38:28 AM

5 second setup on Astaro:

Settings here indicate incoming traffic on Pub_3bb address will go back out on the same address.

OPNsense DNAT

NAT Reflection is set to DEFAULT.

OPNsense SNAT

Any reason why you have created the rules on pub_ais, while the original rule on the Astaro is applied to Pub_3bb?

Apart from this, you need to change the protocol in both NAT rules to "TCP/UDP", since DNS uses both.

Quote from: atb79 on January 05, 2025, 10:38:28 AM

We are an active business license user. We can't seem to find where to open a ticket to get support

Support can be purchased in addition and is done over email and/or remote support:
https://shop.opnsense.com/product-categorie/support/
Hardware:
DEC740

I have 2 hrs of support included that I haven't used; what email do I send to?
I've looked everywhere and it's really hard to find the official support channel.

It should be support[at]opnsense.com
Hardware:
DEC740

Quote from: viragomann on January 05, 2025, 03:06:22 PM
Quote from: atb79 on January 05, 2025, 10:38:28 AM

5 second setup on Astaro:

Settings here indicate incoming traffic on Pub_3bb address will go back out on the same address.

OPNsense DNAT

NAT Reflection is set to DEFAULT.

OPNsense SNAT

Any reason why you have created the rules on pub_ais, while the original rule on the Astaro is applied to Pub_3bb?

Apart from this, you need to change the protocol in both NAT rules to "TCP/UDP", since DNS uses both.

The interfaces we have are
Pub_AIS
Pub_3bb
Pub_True
...
Pub = Public / External interface connected to the internet
_xxx = the Internet service provider

...

We have load balancing over these 3 ISP interfaces.

January 21, 2025, 11:29:05 AM #6 Last Edit: January 21, 2025, 11:56:40 AM by Seimus
Let's start with the docs: https://docs.opnsense.org/manual/nat.html

Let's specify what is what:
Port Forward = "Destination NAT" or "DNAT"
Outbound NAT = "Source NAT" or "SNAT"

Let's look at your example Port Forward

Now what will happen here is the following:
1. If a packet comes in on interface pub_ais that is TCP, from any source and any source port, and is destined for This Firewall (any IP that the FW has configured) with destination port 53 > it will be matched against this NAT rule

2. If it's matched against the rule > change the destination IP to 8.8.8.8 and destination port to 53


Let's look at your example Outbound NAT

Now what will happen here is the following:
1. If a packet leaves on interface pub_ais from any source that is TCP and any source port, and is destined for 8.8.8.8 with destination port 53 > it will be matched against this NAT rule.

2. If it's matched against the rule > change the source IP to the interface address (IP of pub_ais) and change the source port to any available dynamically allocated one (Static port disabled)



My question here is what is the intention?

A. Are you trying to basically redirect DNS requests for 8.8.8.8 from your LAN networks to your own DNS server, like OPNsense or a standalone DNS on your LAN network? Or vice versa, force DNS requests of any kind to be sent to 8.8.8.8?

B. Or from the Internet rather than LAN? But in that case, why would you do that, why serve and redirect public-destined traffic through your device to somewhere else?

For A. > If yes, all you need is a proper Port Forward rule on the LAN interface, redirecting the traffic to that specific IP, matching destination UDP/53.

P.S. Packet Flow Diagram, i.e. the order in which a packet is processed through the FW:
https://forum.opnsense.org/index.php?topic=36326.msg177133#msg177133


Regards,
S.
Networking is love. You may hate it, but in the end, you always come back to it.

OPNSense HW
APU2D2 - deceased
N5105 - i226-V | Patriot 2x8G 3200 DDR4 | L 790 512G - VM HA(SOON)
N100   - i226-V | Crucial 16G  4800 DDR5 | S 980 500G - PROD
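The two-step translation Seimus walks through above (Port Forward on ingress, then Outbound NAT on egress) can be modelled in a few lines. This is an added illustration, not code from the thread or from OPNsense; interface names follow the thread, while the addresses, ports and the assumption that multi-WAN may route the forwarded packet out a different interface are constructed for the example.

```python
# Added example: a minimal model of pf-style NAT as discussed in the thread.
# Port Forward (DNAT/rdr) is applied on the inbound interface, Outbound NAT
# (SNAT) on the interface the routing decision picks. Not OPNsense code.
from dataclasses import dataclass, replace

@dataclass
class Packet:
    in_if: str   # interface the packet arrived on
    out_if: str  # interface routing chose (assumed: multi-WAN may pick any WAN)
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int

# Constructed firewall addresses, one per WAN interface named in the thread.
IF_ADDR = {"pub_ais": "203.0.113.10", "pub_3bb": "198.51.100.10", "pub_true": "192.0.2.10"}
THIS_FIREWALL = set(IF_ADDR.values())  # "This Firewall" = any address the FW owns

# The rules as described in the thread: both TCP-only, both bound to pub_ais.
DNAT = {"if": "pub_ais", "proto": {"tcp"}, "dport": 53, "to": "8.8.8.8", "to_port": 53}
SNAT = {"if": "pub_ais", "proto": {"tcp"}, "dst": "8.8.8.8", "dport": 53}

def port_forward(p: Packet, rule: dict) -> Packet:
    """DNAT: rewrite the destination if the packet matches on its inbound interface."""
    if (p.in_if == rule["if"] and p.proto in rule["proto"]
            and p.dst in THIS_FIREWALL and p.dport == rule["dport"]):
        return replace(p, dst=rule["to"], dport=rule["to_port"])
    return p

def outbound_nat(p: Packet, rule: dict) -> Packet:
    """SNAT: rewrite the source only if the packet leaves via the rule's interface."""
    if (p.out_if == rule["if"] and p.proto in rule["proto"]
            and p.dst == rule["dst"] and p.dport == rule["dport"]):
        # Static port disabled: a dynamically chosen source port (constructed value).
        return replace(p, src=IF_ADDR[p.out_if], sport=40000)
    return p

def translate(p: Packet) -> Packet:
    """Apply the two rules in pf order: rdr on ingress, then nat on egress."""
    return outbound_nat(port_forward(p, DNAT), SNAT)

# Constructed client 192.0.2.55 sends DNS to the firewall's pub_ais address.
def tcp_same_wan() -> Packet:   # routed back out pub_ais: both rewrites apply
    return translate(Packet("pub_ais", "pub_ais", "tcp", "192.0.2.55", 51000, "203.0.113.10", 53))

def udp_same_wan() -> Packet:   # UDP DNS: neither TCP-only rule matches
    return translate(Packet("pub_ais", "pub_ais", "udp", "192.0.2.55", 51000, "203.0.113.10", 53))

def tcp_other_wan() -> Packet:  # load balancing sends it out pub_3bb: DNAT yes, SNAT no
    return translate(Packet("pub_ais", "pub_3bb", "tcp", "192.0.2.55", 51000, "203.0.113.10", 53))
```

The third case is the asymmetric one worth checking on a multi-WAN box: the destination is rewritten but the source is not, so the reply from 8.8.8.8 never returns through the firewall and the forward appears to "stop working".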