NAT port forward not working in Google Cloud Platform (GCP)

Started by infinite.state, October 03, 2022, 12:53:40 PM

October 03, 2022, 12:53:40 PM Last Edit: October 21, 2022, 01:44:38 PM by infinite.state
Hello,

I've set up opnsense 22.7.4 on a VM within Google Cloud Platform.

I can successfully access the admin console GUI.

I have two interfaces, vtnet0 and vtnet1, mapped to two NICs on the VM spread across two VPCs: the first for the WAN configuration, the second for the LAN.

My goal is to access a web server on the LAN from the internet.

I have configured a NAT port forwarding rule and the automatically created firewall rule.

However, I get a timeout on web server access attempts.

The tcpdump output indicates end-to-end comms are initiated, and the opnsense firewall logs show all traffic as passed, nothing blocked.

Here's an example dump for one access attempt via Chrome.

10.0.0.53 port 80 is the web server address.
10.152.0.17 port 80 is the internal address of the opnsense firewall.
ext-addr is an obfuscation of local machine on the internet.


00:00:08.738829 rule 73/0(match): pass in on vtnet0: (tos 0x0, ttl 60, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    ext-addr.56933 > 10.152.0.17.4443: Flags [S], cksum 0xdb53 (correct), seq 3936844035, win 65535, options [mss 1440,nop,wscale 6,nop,nop,TS val 1912210116 ecr 0,sackOK,eol], length 0
00:00:00.000061 rule 1/0(match): rdr in on vtnet0: (tos 0x0, ttl 60, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    ext-addr.56932 > 10.152.0.17.80: Flags [S], cksum 0xde59 (correct), seq 3515961359, win 65535, options [mss 1440,nop,wscale 6,nop,nop,TS val 3348823347 ecr 0,sackOK,eol], length 0
00:00:00.000005 rule 74/0(match): pass in on vtnet0: (tos 0x0, ttl 60, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    ext-addr.56932 > 10.0.0.53.80: Flags [S], cksum 0xdecd (correct), seq 3515961359, win 65535, options [mss 1440,nop,wscale 6,nop,nop,TS val 3348823347 ecr 0,sackOK,eol], length 0
00:00:00.000010 rule 71/0(match): pass out on vtnet1: (tos 0x0, ttl 59, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    ext-addr.56932 > 10.0.0.53.80: Flags [S], cksum 0xdecd (correct), seq 3515961359, win 65535, options [mss 1440,nop,wscale 6,nop,nop,TS val 3348823347 ecr 0,sackOK,eol], length 0
00:00:00.000073 rule 1/0(match): rdr in on vtnet0: (tos 0x0, ttl 60, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    ext-addr.56931 > 10.152.0.17.80: Flags [S], cksum 0x5961 (correct), seq 629397617, win 65535, options [mss 1440,nop,wscale 6,nop,nop,TS val 2359353555 ecr 0,sackOK,eol], length 0
00:00:00.000003 rule 74/0(match): pass in on vtnet0: (tos 0x0, ttl 60, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    ext-addr.56931 > 10.0.0.53.80: Flags [S], cksum 0x59d5 (correct), seq 629397617, win 65535, options [mss 1440,nop,wscale 6,nop,nop,TS val 2359353555 ecr 0,sackOK,eol], length 0
00:00:00.000007 rule 71/0(match): pass out on vtnet1: (tos 0x0, ttl 59, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    ext-addr.56931 > 10.0.0.53.80: Flags [S], cksum 0x59d5 (correct), seq 629397617, win 65535, options [mss 1440,nop,wscale 6,nop,nop,TS val 2359353555 ecr 0,sackOK,eol], length 0
00:00:00.245674 rule 1/0(match): rdr in on vtnet0: (tos 0x0, ttl 60, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    ext-addr.56934 > 10.152.0.17.80: Flags [S], cksum 0x935e (correct), seq 3200398349, win 65535, options [mss 1440,nop,wscale 6,nop,nop,TS val 2479467215 ecr 0,sackOK,eol], length 0
00:00:00.000027 rule 74/0(match): pass in on vtnet0: (tos 0x0, ttl 60, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    ext-addr.56934 > 10.0.0.53.80: Flags [S], cksum 0x93d2 (correct), seq 3200398349, win 65535, options [mss 1440,nop,wscale 6,nop,nop,TS val 2479467215 ecr 0,sackOK,eol], length 0
00:00:00.000022 rule 71/0(match): pass out on vtnet1: (tos 0x0, ttl 59, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    ext-addr.56934 > 10.0.0.53.80: Flags [S], cksum 0x93d2 (correct), seq 3200398349, win 65535, options [mss 1440,nop,wscale 6,nop,nop,TS val 2479467215 ecr 0,sackOK,eol], length 0


The webserver sees none of this traffic when running a tcpdump there.

The LAN NIC on the opnsense server has an IP of 10.0.0.88, in the same VPC and subnet as the web server.

A ping test from opnsense to the web server is successful.

The web server is serving correctly on port 80 via a curl of localhost.

Any ideas?

Thanks.
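The trace in the post above, as an added example that is not part of the original post or of OPNsense: a small Python script that parses the two-line pflog tcpdump format shown (a "rule N/0(match): action dir on iface:" header followed by the packet line), pairs each rdr with the pass-out it produced, and lists forwards that were sent out of the LAN interface but never saw a packet coming back. The embedded sample is a constructed, trimmed copy of the lines quoted in the post (client ports 56933, 56932, 56931) plus one hypothetical flow on client port 56935, with made-up rule numbers 72 and 75, where a SYN-ACK does come back from 10.0.0.53, so the healthy case is exercised as well.

```python
import re

# Constructed sample: trimmed copy of the pflog lines from the post, plus a hypothetical
# healthy flow (client port 56935, rule numbers 72/75 are invented) that gets a SYN-ACK back.
SAMPLE = """\
00:00:08.738829 rule 73/0(match): pass in on vtnet0: (tos 0x0, ttl 60, proto TCP (6), length 64)
    ext-addr.56933 > 10.152.0.17.4443: Flags [S], seq 3936844035, win 65535, length 0
00:00:00.000061 rule 1/0(match): rdr in on vtnet0: (tos 0x0, ttl 60, proto TCP (6), length 64)
    ext-addr.56932 > 10.152.0.17.80: Flags [S], seq 3515961359, win 65535, length 0
00:00:00.000005 rule 74/0(match): pass in on vtnet0: (tos 0x0, ttl 60, proto TCP (6), length 64)
    ext-addr.56932 > 10.0.0.53.80: Flags [S], seq 3515961359, win 65535, length 0
00:00:00.000010 rule 71/0(match): pass out on vtnet1: (tos 0x0, ttl 59, proto TCP (6), length 64)
    ext-addr.56932 > 10.0.0.53.80: Flags [S], seq 3515961359, win 65535, length 0
00:00:00.000073 rule 1/0(match): rdr in on vtnet0: (tos 0x0, ttl 60, proto TCP (6), length 64)
    ext-addr.56931 > 10.152.0.17.80: Flags [S], seq 629397617, win 65535, length 0
00:00:00.000003 rule 74/0(match): pass in on vtnet0: (tos 0x0, ttl 60, proto TCP (6), length 64)
    ext-addr.56931 > 10.0.0.53.80: Flags [S], seq 629397617, win 65535, length 0
00:00:00.000007 rule 71/0(match): pass out on vtnet1: (tos 0x0, ttl 59, proto TCP (6), length 64)
    ext-addr.56931 > 10.0.0.53.80: Flags [S], seq 629397617, win 65535, length 0
00:00:00.500000 rule 1/0(match): rdr in on vtnet0: (tos 0x0, ttl 60, proto TCP (6), length 64)
    ext-addr.56935 > 10.152.0.17.80: Flags [S], seq 1000, win 65535, length 0
00:00:00.000003 rule 74/0(match): pass in on vtnet0: (tos 0x0, ttl 60, proto TCP (6), length 64)
    ext-addr.56935 > 10.0.0.53.80: Flags [S], seq 1000, win 65535, length 0
00:00:00.000007 rule 71/0(match): pass out on vtnet1: (tos 0x0, ttl 59, proto TCP (6), length 64)
    ext-addr.56935 > 10.0.0.53.80: Flags [S], seq 1000, win 65535, length 0
00:00:00.000400 rule 72/0(match): pass in on vtnet1: (tos 0x0, ttl 64, proto TCP (6), length 60)
    10.0.0.53.80 > ext-addr.56935: Flags [S.], seq 2000, ack 1001, win 65160, length 0
00:00:00.000005 rule 75/0(match): pass out on vtnet0: (tos 0x0, ttl 63, proto TCP (6), length 60)
    10.152.0.17.80 > ext-addr.56935: Flags [S.], seq 2000, ack 1001, win 65160, length 0
"""

# Header line: timestamp, matched rule, pf action, direction and interface.
HDR = re.compile(
    r'^(?P<ts>\d[\d:.]*) rule (?P<rule>\d+)/\d+\((?P<match>\w+)\): '
    r'(?P<action>pass|block|rdr|nat|binat) (?P<dir>in|out) on (?P<iface>\w+):'
)
# Packet line: src.sport > dst.dport: Flags [...]. Hosts may contain dots (IPv4) or
# hyphens (the obfuscated "ext-addr"), so the port is taken after the last dot.
PKT = re.compile(
    r'^\s+(?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]'
)


def parse_pflog(text):
    """Turn the two-line tcpdump/pflog format into a list of packet records."""
    records, lines, i = [], text.splitlines(), 0
    while i < len(lines) - 1:
        h, p = HDR.match(lines[i]), PKT.match(lines[i + 1])
        if h and p:
            rec = {**h.groupdict(), **p.groupdict()}
            rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
            records.append(rec)
            i += 2
        else:
            i += 1
    return records


def analyze_forwards(records):
    """Key every 'rdr in' on its client (src, sport) and attach what happened to it afterwards."""
    flows = {}
    for r in records:
        if r["action"] == "rdr" and r["dir"] == "in":
            flows[(r["src"], r["sport"])] = {
                "wan_iface": r["iface"], "original_dst": (r["dst"], r["dport"]),
                "translated_dst": None, "lan_iface": None,
                "syns_out": 0, "reply_seen": False,
            }
    for r in records:
        key = (r["src"], r["sport"])
        if key in flows and r["action"] == "pass" and r["dir"] == "out":
            f = flows[key]
            f["translated_dst"], f["lan_iface"] = (r["dst"], r["dport"]), r["iface"]
            if "S" in r["flags"] and "." not in r["flags"]:   # bare SYN, not SYN-ACK
                f["syns_out"] += 1
        # Any packet addressed back to the client's port, on either interface, is a reply.
        if (r["dst"], r["dport"]) in flows:
            flows[(r["dst"], r["dport"])]["reply_seen"] = True
    return flows


def one_way_forwards(records):
    """Forwards that left via the LAN interface but never got a single packet back."""
    return sorted(k for k, f in analyze_forwards(records).items()
                  if f["translated_dst"] and not f["reply_seen"])


if __name__ == "__main__":
    recs = parse_pflog(SAMPLE)
    for client, f in analyze_forwards(recs).items():
        state = "OK" if f["reply_seen"] else "NO REPLY"
        print(f"{client[0]}:{client[1]} -> {f['original_dst']} rdr-> {f['translated_dst']} "
              f"out {f['lan_iface']} syns={f['syns_out']} {state}")
    print("one-way forwards:", one_way_forwards(recs))
```

Run it against a real capture with something like `tcpdump -n -e -ttt -i pflog0 | python3 script.py` after swapping SAMPLE for `sys.stdin.read()`; a forward that shows up as "NO REPLY" while the LAN-side SYN is visible on vtnet1 tells you the packet is leaving the firewall and the problem is between the firewall and the target host, not in the pf rules.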