NAT rules vs Firewall rules, order of precedence
Topic: NAT rules vs Firewall rules, order of precedence (Read 1590 times)
Taomyn
Sr. Member
Posts: 444
Karma: 20
Posted on: October 02, 2020, 08:32:55 am
I'm trying to wrap my head around how the different rules get interpreted and prioritised but I get nowhere. I want to set up various rules that redirect specific traffic based on host and network aliases, but also on a GeoIP one. Basically this:
if inbound host in host_block_alias redirect to machine_x
if inbound host in network_block_alias redirect to machine_x
if inbound host not in allowed_geoip_alias redirect to machine_x
So I have created 3 new inbound NAT rules for the WAN interface, and the rules it generated are similar to
allow inbound SMTP to machine_y
allow inbound http/https to machine_y
allow inbound ssh to machine_z
allow inbound host_block_alias to machine_x
allow inbound network_block_alias to machine_x
allow inbound not allowed_geoip_alias to machine_x
The NAT rules look something like
NAT port SMTP to machine_y
NAT port http/https to machine_y
NAT port ssh to machine_z
NAT all ports for host_block_alias to machine_x
NAT all ports for network_block_alias to machine_x
NAT all ports not for allowed_geoip_alias to machine_x
But the next part is what then confuses me - I need to allow SMTP from anywhere except the host and network i.e. it needs to be excluded from the GeoIP rule, and no matter what I do the GeoIP rule still blocks SMTP traffic from IPs in its list.
I've tried different combinations of ordering either or both the NAT and firewall rules and nothing helps. The following to me seems logical but it doesn't work:
allow inbound SMTP to machine_y
allow inbound host_block_alias to machine_x
allow inbound network_block_alias to machine_x
allow inbound not allowed_geoip_alias to machine_x
allow inbound http/https to machine_y
allow inbound ssh to machine_z
NAT port SMTP to machine_y
NAT all ports for host_block_alias to machine_x
NAT all ports for network_block_alias to machine_x
NAT all ports not for allowed_geoip_alias to machine_x
NAT port http/https to machine_y
NAT port ssh to machine_z
What am I misunderstanding about the rules and their precedence?
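Added example, not part of the post and not OPNsense's own code: a small Python model of the two passes pf (the packet filter OPNsense is built on) runs over an inbound packet. The rdr (port forward) rules are walked first and the first match sets the new destination; the firewall rules are then evaluated against the already-translated packet. The rule names are the ones listed in the post; the aliases, addresses, sample packets and the "block aliases first" ordering are constructed for the model, and it assumes the generated firewall rules are "quick" (first match ends evaluation), which is the OPNsense default for GUI rules.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Optional

# Constructed aliases and hosts (hypothetical RFC 5737/6598 addresses, not from the post)
HOST_BLOCK = ["198.51.100.7/32"]
NETWORK_BLOCK = ["203.0.113.0/24"]
ALLOWED_GEOIP = ["192.0.2.0/24"]          # stands in for the GeoIP alias
WAN_IP = "192.0.2.1"                       # the WAN address the redirects match on
MACHINE_X, MACHINE_Y, MACHINE_Z = "10.0.0.10", "10.0.0.20", "10.0.0.30"


def in_alias(ip: str, alias: list) -> bool:
    return any(ip_address(ip) in ip_network(n) for n in alias)


@dataclass(frozen=True)
class Packet:
    src: str
    dport: int
    dst: str = WAN_IP


@dataclass(frozen=True)
class Rdr:                 # a port forward (pf rdr rule) on WAN
    name: str
    match: Callable[[Packet], bool]
    target: str


@dataclass(frozen=True)
class Filter:              # a WAN firewall rule
    name: str
    match: Callable[[Packet], bool]
    action: str            # "pass" or "block"
    quick: bool = True     # assumption: OPNsense GUI rules are quick by default


def apply_rdr(pkt, rdr_rules):
    """pf translates before it filters: walk rdr rules in order, first match wins."""
    for r in rdr_rules:
        if r.match(pkt):
            return Packet(pkt.src, pkt.dport, r.target), r.name
    return pkt, None


def apply_filter(pkt, rules, default="block"):
    """Filter rules see the translated packet. A quick rule ends evaluation on
    match; without quick pf keeps going and the last match wins. Deny by default."""
    verdict, hit = default, None
    for r in rules:
        if r.match(pkt):
            verdict, hit = r.action, r.name
            if r.quick:
                break
    return verdict, hit


def process(pkt, rdr_rules, filter_rules):
    translated, rdr_hit = apply_rdr(pkt, rdr_rules)
    verdict, filter_hit = apply_filter(translated, filter_rules)
    return {"rdr": rdr_hit, "dst": translated.dst, "filter": filter_hit, "verdict": verdict}


def not_allowed_geo(p: Packet) -> bool:
    return not in_alias(p.src, ALLOWED_GEOIP)


# The rdr order from the post's last listing
POST_RDR = [
    Rdr("NAT port SMTP to machine_y", lambda p: p.dport == 25, MACHINE_Y),
    Rdr("NAT all ports for host_block_alias to machine_x", lambda p: in_alias(p.src, HOST_BLOCK), MACHINE_X),
    Rdr("NAT all ports for network_block_alias to machine_x", lambda p: in_alias(p.src, NETWORK_BLOCK), MACHINE_X),
    Rdr("NAT all ports not for allowed_geoip_alias to machine_x", not_allowed_geo, MACHINE_X),
    Rdr("NAT port http/https to machine_y", lambda p: p.dport in (80, 443), MACHINE_Y),
    Rdr("NAT port ssh to machine_z", lambda p: p.dport == 22, MACHINE_Z),
]
# Constructed alternative: the two block-alias redirects moved ahead of the SMTP redirect
BLOCK_FIRST_RDR = [POST_RDR[1], POST_RDR[2], POST_RDR[0], POST_RDR[3], POST_RDR[4], POST_RDR[5]]

# The linked firewall rules, with source/destination as the post describes them
FILTER = [
    Filter("allow inbound SMTP to machine_y", lambda p: p.dst == MACHINE_Y and p.dport == 25, "pass"),
    Filter("allow inbound host_block_alias to machine_x", lambda p: in_alias(p.src, HOST_BLOCK) and p.dst == MACHINE_X, "pass"),
    Filter("allow inbound network_block_alias to machine_x", lambda p: in_alias(p.src, NETWORK_BLOCK) and p.dst == MACHINE_X, "pass"),
    Filter("allow inbound not allowed_geoip_alias to machine_x", lambda p: not_allowed_geo(p) and p.dst == MACHINE_X, "pass"),
    Filter("allow inbound http/https to machine_y", lambda p: p.dst == MACHINE_Y and p.dport in (80, 443), "pass"),
    Filter("allow inbound ssh to machine_z", lambda p: p.dst == MACHINE_Z and p.dport == 22, "pass"),
]

# Constructed sample packets arriving on WAN
SMTP_FROM_BLOCKED_HOST = Packet("198.51.100.7", 25)
SMTP_FROM_OTHER_COUNTRY = Packet("100.64.0.5", 25)
HTTPS_FROM_OTHER_COUNTRY = Packet("100.64.0.5", 443)
UNFORWARDED_PORT = Packet("192.0.2.50", 8080)

if __name__ == "__main__":
    for label, rules in (("post order", POST_RDR), ("block aliases first", BLOCK_FIRST_RDR)):
        print(f"--- rdr {label} ---")
        for pkt in (SMTP_FROM_BLOCKED_HOST, SMTP_FROM_OTHER_COUNTRY, HTTPS_FROM_OTHER_COUNTRY, UNFORWARDED_PORT):
            print(pkt.src, pkt.dport, "->", process(pkt, rules, FILTER))
```

Tracing the constructed packets through the model shows why rdr order matters independently of the firewall rule order: with the SMTP redirect first, SMTP from the host in host_block_alias stops at that rdr and lands on machine_y, where the SMTP firewall rule passes it; with the two block-alias redirects moved ahead of it, the same packet is redirected to machine_x and passed by the host_block_alias rule, while SMTP from a source outside allowed_geoip_alias still reaches machine_y because the SMTP redirect is hit before the GeoIP catch-all. A packet no rdr matches keeps the WAN address as its destination and, with no firewall rule for it, is dropped by the default deny.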