[Solved] No Outbound NAT rules after upgrading to OPNsense 22.1.5

Started by svenny, April 08, 2022, 03:45:09 PM

Previous topic - Next topic
Print
Go Down Pages1
User actions
April 08, 2022, 03:45:09 PM Last Edit: April 09, 2022, 01:10:30 AM by svenny
Hi all,

after upgrading to 22.1.5 I'm not anymore able to surf the web from LAN. The problem seems to be the lack of Outbound NAT rules for WAN interfaces (I'm using Multi-WAN, but for single WAN the problem is the same).

In the page "Firewall: NAT: Outbound" (I'm using "Automatic outbound NAT")  I can see all the rules, but the output of the command "pfctl -sn" shows nothing in regards. In another OPNsense installation, where I did not upgrade to 22.1.5, I can see these rules launching the same command ( "pfctl -sn" ) from shell.

Is there a way to add these rules manually from the command line, so I can state that this is the problem?

Many thanks in advance.

Cheers


April 08, 2022, 10:31:16 PM #1
I would like to add these instructions to pf.conf manually, but I'm not able to find this file:

Code Select

nat on pppoe2 inet from (em0:network) to any port = isakmp -> (pppoe2:0) static-port
nat on pppoe2 inet from (lo0:network) to any port = isakmp -> (pppoe2:0) static-port
nat on pppoe2 inet from 127.0.0.0/8 to any port = isakmp -> (pppoe2:0) static-port
nat on pppoe2 inet from 10.10.0.0/24 to any port = isakmp -> (pppoe2:0) static-port
nat on pppoe2 inet from (em0:network) to any -> (pppoe2:0) port 1024:65535
nat on pppoe2 inet from (lo0:network) to any -> (pppoe2:0) port 1024:65535
nat on pppoe2 inet from 127.0.0.0/8 to any -> (pppoe2:0) port 1024:65535
nat on pppoe2 inet from 10.10.0.0/24 to any -> (pppoe2:0) port 1024:65535


Don't know why they're not loaded automatically. The difference between this and the other gateway, for which these rules are loaded, is that this link is a PPPoE one...

Thank you for your help.

Cheers
April 09, 2022, 12:25:26 AM #2
I don't know why, but the following firewall rule was preventing other rules from loading:

Code Select

pass in quick on pppoe2 route-to ( pppoe2 <provider_gateway_ip> ) reply-to ( pppoe2 <provider_gateway_ip> ) inet proto icmp from $My_static_IP to {(pppoe2)} keep state label "0107958196d99255f51b8d5dc140fd65"


This firewall rules was intended to permit ping to the gateway IP from outside.

I was able to find the problem with the following command:

Code Select

root@OPNsense:~ # pfctl -n -f /tmp/rules.debug
/tmp/rules.debug:171: syntax error


After removing this rule from the firewall the rules for "Outbound NAT" of the PPPoE gateway have been restored correctly.

Cheers
April 11, 2022, 09:08:47 AM #3
Validation was added via https://github.com/opnsense/core/commit/77594c8b in 22.1.4. This first and foremost is a configuration issue.


Cheers,
Franco
April 11, 2022, 06:19:36 PM #4
Perfect! Many thanks Franco.

Cheers
Print
Go Up Pages1
User actions