Outbound NAT Broken in 19.1R1/2?

Started by Cerberus, January 23, 2019, 04:00:03 PM

January 23, 2019, 04:00:03 PM Last Edit: January 23, 2019, 04:06:54 PM by Cerberus
Hi,

I am currently trying to set up an outbound NAT for several internal machines to a ZeroTier based network on my OPNsense machine. I have trouble selecting the subnet size on "source address" or "destination address": when I select "single host or network", the subnet mask dropdown is just empty. On 18.7 I am able to select the subnet size for the network I entered.

I am trying to use an alias as an alternative, but the result is that the outbound rule is not working. In rules.debug I see "unable to convert address, see to for details" for this rule.

Hi there,

Thanks a lot, created a ticket: https://github.com/opnsense/core/issues/3148

Could be that the upgrade of the bootstrap select JS code caused this.


Cheers,
Franco

https://github.com/opnsense/core/commit/2af9202d64

# opnsense-patch 2af9202d64

Patch will be part of the final 19.1. There's still a layout issue here, but we'll have to fix this after 19.1 is out.


Thanks,
Franco

January 24, 2019, 09:39:59 AM #3 Last Edit: January 24, 2019, 10:01:40 AM by Cerberus
Hi,

I modified opnsense_legacy.js locally and the GUI stuff works as expected, but my problem still persists. My goal is to let one of my local networks reach hosts that sit in a ZeroTier network; I want to use NAT so that all internal addresses get translated to the OPNsense ZeroTier address.

In the debug rules I found this error:

#debug: Unable to convert address, see to for details
# nat on ztXXXXXXX inet from xx.xx.xx.xx/20 to {"address":"opt1"} -> (ztXXXXXXX:0) port 1024:65535

The rule does not work.

I am almost sure I did the same on my old 18.7, with the difference that I used "lan" as source; this time it's a specific network.

Define "18.7". 18.7.10 or something earlier? Assuming "opt1" is ZT I'm not sure this ever worked.

From what I can see we started fixing from /20 selection here so that's two separate issues, no? (just to clarify)


Cheers,
Franco

I mean 18.7.10.

I restored my old appliance and, comparing the settings, I found the difference.

Example:
Local LAN : 10.1.0.0/20
Zerotier Net: 10.2.1.0/24
Interface: ZT123

In 18.7.10 I configured it as:

Interface: ZT123
Source address: Single Host or Network > 10.1.0.0/20
Destination address: Single Host or Network > 10.2.1.0/24
Translation Target: ZT123 address

In 19.1 I did:

Interface: ZT123
Source address: Single Host or Network > 10.1.0.0/20
Destination address: "ZT123 Network"
Translation Target: ZT123 address

I think "ZT123 Network" from dropdown should be as good as typing in the Network/Mask by myself?

It should be the same, but doesn't seem to be the case for tun/tap devices here (which e.g. ZeroTier and OpenVPN use). Normal interfaces on top of NICs and VLANs etc. are ok.

A ticket in GitHub would be helpful to look into it in the mid term.


Thanks,
Franco