Port forwarding (NAT) working, but only for 1 connection

Started by frater, February 20, 2020, 11:43:17 AM

Starting yesterday I stopped implementing pfsense and switched to opnsense (not 100% sure).
This setup was a dual-WAN setup, like I've implemented many times in pfsense.

There are 2 connections. A cable router and a VDSL-modem in bridge.
As for now the cable router is a NAT router/modem with a "DMZ" toward the opnsense router.

For the VDSL-connection I have a connection to the modem (Vigor 130) and on VLAN 34 of that connection I have a 2nd interface and that interface gives me a WAN-address.

I noticed that port forwarding on the dual-NAT is not working, but does start to work when the VDSL-connection is down.

I have this configuration with several pfsense-routers and have not noticed this behaviour there. I don't mean to imply that pfsense does this better. I have seen things on opnsense that make me believe that multi-WAN is being handled better on opnsense.

One of those features is the ability to designate a gateway as a "default gateway candidate". In this configuration I de-select this for the connection to the Vigor-130.

I have created 2 gateway groups and 1 interface group.

I placed the 2 interfaces with gateways to the Internet in a group named "InternetIFS".
The 2 gateway groups both contain both gateways, with one in tier 1 and the other in tier 2.

I de-selected "Block private networks" on the double-NAT connection, but this does not seem sufficient.

I have created a port 443 forward to an HTTPS-server in the NAT-section for the interface group "InternetIFS".
This is working for the VDSL-connection, but not for the double-NAT connection which has all the ports forwarded to the opnsense router.

Interfaces
LAN:            igb0     192.168.16.1/24
WAN:            igb1     192.168.178.5/24 with 192.168.178.1 as gateway ("Block private networks" = off)
Vigor130:       igb2     192.168.1.10 with 192.168.1.1 as gateway
InternetonVDSL: igb2.34  86.*.*.235 with 86.*.*.129 as gateway ("Block private networks" = off)

Interface groups
InternetIFS = WAN + InternetonVDSL

Gateways
WanGW4:        192.168.178.1  "upstream = checked"    Monitor IP: 212.*.*.166
VDSL:          86.*.*.129     "upstream = checked"
VIGOR130_DHCP: 192.168.1.1    "upstream = unchecked"

Gateway Groups
Failover = WanGW4, VDSL
VDSLwFailover = VDSL, WanGW4


The NAT rules are created on the interface group named "InternetIFS".
There is a setting "reply-to" which can be disabled, but this setting does NOT exist for NAT rules.
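To make the reply-to behaviour the post refers to concrete, here is a hand-written pf ruleset fragment, added as an example; it is not from the post, and it is not the ruleset OPNsense actually generates for this configuration. Interface names follow the post's layout; the internal HTTPS host (192.168.16.10) and the un-masked VDSL gateway (86.0.0.129) are placeholders. What it shows is the mechanism: a port forward is an rdr rule plus a pass rule, and reply-to on the pass rule pins the inbound interface and gateway into the state so that return packets leave through the interface the connection came in on rather than following the routing table to the default gateway.

```pf
# Added example (not from the forum post or OPNsense's generated rules):
# a pf ruleset fragment showing a port-443 forward on two WAN interfaces
# with reply-to on the pass rules. Addresses marked as placeholders are
# assumptions, not values from the original configuration.

wan_dsl   = "igb2.34"        # VDSL WAN (86.*.*.235 in the post)
wan_cbl   = "igb1"           # WAN behind the cable router (192.168.178.5/24)
gw_dsl    = "86.0.0.129"     # placeholder for the VDSL gateway
gw_cbl    = "192.168.178.1"  # cable router as next hop
https_srv = "192.168.16.10"  # placeholder: internal HTTPS server on the LAN

# Port forward (rdr): rewrite the destination of inbound :443 on each WAN
# to the internal server. rdr only changes the packet; it passes nothing.
rdr on $wan_dsl inet proto tcp from any to ($wan_dsl) port 443 -> $https_srv port 443
rdr on $wan_cbl inet proto tcp from any to ($wan_cbl) port 443 -> $https_srv port 443

# Pass rules for the translated traffic, evaluated after rdr, so the
# destination is already $https_srv here.
#
# reply-to (ifname gateway) records the interface and next hop in the
# state entry. When $https_srv answers, the SYN-ACK matches that state
# and is sent out the recorded interface to the recorded gateway,
# regardless of which gateway the routing table considers the default.
pass in quick on $wan_dsl reply-to ($wan_dsl $gw_dsl) inet proto tcp \
    from any to $https_srv port 443 flags S/SA keep state
pass in quick on $wan_cbl reply-to ($wan_cbl $gw_cbl) inet proto tcp \
    from any to $https_srv port 443 flags S/SA keep state

# The same pass rule without reply-to: replies for connections that
# arrived on $wan_cbl are routed normally and leave via whichever
# gateway is currently the system default, which on a multi-WAN box
# may not be the cable router.
# pass in quick on $wan_cbl inet proto tcp \
#     from any to $https_srv port 443 flags S/SA keep state
```

When debugging a forward like this on the box itself, `pfctl -vsr` lists the loaded rules in this syntax, including the reply-to clause each generated pass rule carries and its gateway, and `pfctl -ss | grep :443` shows whether a state was created for the inbound SYN and on which interface. Comparing the reply-to gateway shown for the igb1 rule against the gateway that interface is supposed to use is the first thing to check when a forward works on one WAN and not on the other.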