SNAT working selectively

Started by zemanek, May 21, 2025, 03:03:53 PM

Hello,

I have OPNsense 25.1 with one (WAN) interface and 4 VTI interfaces for 4 VPNs. I also have this NAT configuration:

# pfctl -s nat
no nat proto carp all
nat on ena0 inet from any to 192.168.202.68 -> 10.112.0.178 port 1024:65535
nat on ena0 inet from any to 192.168.202.69 -> 10.112.0.178 port 1024:65535
nat on ena0 inet from any to 192.168.203.68 -> 10.112.0.178 port 1024:65535
nat on ena0 inet from any to 192.168.203.69 -> 10.112.0.178 port 1024:65535
nat on ena0 inet from any to 10.0.1.0/24 -> (ena0:0) port 1024:65535
nat on ena0 inet from any to 10.1.1.0/24 -> (ena0:0) port 1024:65535
nat-anchor "acme-client/*" all
no rdr proto carp all
no rdr on ena0 proto tcp from any to (ena0) port = ssh
no rdr on ena0 proto tcp from any to (ena0) port = http
no rdr on ena0 proto tcp from any to (ena0) port = 10443
rdr-anchor "acme-client/*" all

where 10.112.0.178 is an IP alias on the WAN interface (primary IP 10.100.178.10) and serves as my BGP router IP.

Now when BGP (frr plugin) talks to the 192.168.203.68 BGP peer, the source IP of outgoing packets through the VTI (VPN) is correctly replaced with 10.112.0.178.
But when I try to PING 10.1.1.247, the outgoing packets through the VTI keep the VTI's IP address (10.101.178.18) instead of being replaced with the WAN IP (10.100.178.10).

Why?

If I change
nat on ena0 inet from any to 10.1.1.0/24 -> (ena0:0) port 1024:65535
to
nat on ena0 inet from any to 10.1.1.247 -> 10.112.0.178 port 1024:65535
it does not work either; the outgoing packet's source IP is still the VTI's IP address, not 10.112.0.178.

The other difference between the BGP communication and the ICMP communication is that 192.168.203.68 has a static route with UGHS flags while 10.1.1.0/24 is a BGP-injected route with UG1 flags.

Also I have set

net.inet.ipsec.filtertunnel   = 0x0001
net.inet6.ipsec6.filtertunnel = 0x0001
net.enc.out.ipsec_bpf_mask    = 0x0000
net.enc.out.ipsec_filter_mask = 0x0000
net.enc.in.ipsec_bpf_mask     = 0x0000
net.enc.in.ipsec_filter_mask  = 0x0000
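Added example, not code from the original post or from OPNsense: a small Python script that parses the `pfctl -s nat` listing quoted above and applies pf's first-match evaluation of nat rules to a given egress interface and destination, so you can check which of the listed rules a packet can actually hit. Every rule is written `on ena0`, so a packet whose egress interface is the VTI matches none of them and keeps the VTI's own address. The VTI interface name `ipsec1` and the interface/address table are constructed assumptions; the script models rule selection only, not the route lookup that decides which interface a packet leaves on.

```python
import ipaddress
import re

# Constructed input: the `pfctl -s nat` listing quoted in the post above.
PFCTL_NAT_OUTPUT = """\
no nat proto carp all
nat on ena0 inet from any to 192.168.202.68 -> 10.112.0.178 port 1024:65535
nat on ena0 inet from any to 192.168.202.69 -> 10.112.0.178 port 1024:65535
nat on ena0 inet from any to 192.168.203.68 -> 10.112.0.178 port 1024:65535
nat on ena0 inet from any to 192.168.203.69 -> 10.112.0.178 port 1024:65535
nat on ena0 inet from any to 10.0.1.0/24 -> (ena0:0) port 1024:65535
nat on ena0 inet from any to 10.1.1.0/24 -> (ena0:0) port 1024:65535
nat-anchor "acme-client/*" all
no rdr proto carp all
no rdr on ena0 proto tcp from any to (ena0) port = ssh
"""

# Matches translation rules of the form
#   nat on <iface> inet from <src> to <dst> -> <target> [port <range>]
NAT_RE = re.compile(
    r"^nat on (?P<iface>\S+) inet from (?P<src>\S+) to (?P<dst>\S+) -> (?P<target>\S+)"
)


def _network(token):
    """Turn a pf address token into an ip_network; 'any' covers everything."""
    if token == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(token, strict=False)


def parse_nat_rules(text):
    """Extract the 'nat on' rules in listing order, skipping 'no nat',
    anchor and rdr lines."""
    rules = []
    for line in text.splitlines():
        m = NAT_RE.match(line.strip())
        if m:
            rules.append({
                "iface": m.group("iface"),
                "src": _network(m.group("src")),
                "dst": _network(m.group("dst")),
                "target": m.group("target"),
            })
    return rules


def matching_rule(rules, egress_iface, src_ip, dst_ip):
    """pf applies the first nat rule whose 'on' interface is the interface the
    packet leaves on and whose from/to selectors match. A packet leaving on any
    other interface falls through every 'nat on ena0' rule and returns None."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if rule["iface"] == egress_iface and src in rule["src"] and dst in rule["dst"]:
            return rule
    return None


def resolved_source(rule, iface_addrs):
    """Resolve the rule's translation target to a concrete address.
    '(ena0:0)' means the interface's primary address with aliases excluded;
    a literal address is used as-is. Returns None when no rule matched."""
    if rule is None:
        return None
    m = re.fullmatch(r"\((?P<iface>[^:)]+)(?::0)?\)", rule["target"])
    if m:
        return iface_addrs[m.group("iface")]["primary"]
    return rule["target"]


# Constructed interface table from the addresses in the post: ena0 primary
# 10.100.178.10 with alias 10.112.0.178, and the VTI address 10.101.178.18.
# The VTI interface name 'ipsec1' is an assumption.
IFACE_ADDRS = {
    "ena0": {"primary": "10.100.178.10", "aliases": ["10.112.0.178"]},
    "ipsec1": {"primary": "10.101.178.18", "aliases": []},
}

RULES = parse_nat_rules(PFCTL_NAT_OUTPUT)


def outgoing_source(egress_iface, dst_ip):
    """Source address a packet carries when it leaves egress_iface, assuming
    it originates from that interface's own primary address."""
    src_ip = IFACE_ADDRS[egress_iface]["primary"]
    rule = matching_rule(RULES, egress_iface, src_ip, dst_ip)
    return resolved_source(rule, IFACE_ADDRS) or src_ip


if __name__ == "__main__":
    for iface, dst in [("ena0", "192.168.203.68"), ("ena0", "10.1.1.247"),
                       ("ipsec1", "192.168.203.68"), ("ipsec1", "10.1.1.247")]:
        print(f"out {iface} to {dst}: source {outgoing_source(iface, dst)}")
```

Run it as-is to see the four cases; pointing `PFCTL_NAT_OUTPUT` at a live `pfctl -s nat` capture and the interface table at `ifconfig` output turns it into a quick sanity check of which egress interfaces a rule set can ever translate on.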