Port-forwarding does not keep the same port on reply

Started by zemanek, February 24, 2023, 01:44:23 PM

February 24, 2023, 01:44:23 PM Last Edit: February 24, 2023, 03:22:34 PM by zemanek
I have a setup like this (with port-forwarding and outbound NAT):

------------------------------------       
|         10.1.0.0/16                |
------------------------------------       
               |
               |
              ---
             |\ /|
             | \ |
             |/ \|
              ---
               |
               |
-----------------------------------------------------------
|                        172.16.1.0/24                      |
-----------------------------------------------------------
           |                                  |
           |  172.16.1.55                     |  172.16.1.66
  ---------------------               ------------------
|         WAN         |             |                  |
|       OPNsense      |             |      testbox     |
|                     |             |                  |
  ---------------------               ------------------

178  9.541227  172.16.1.66   172.16.1.55   TCP  74  54634 → 443 [SYN] Seq=0 Win=62727 Len=0 MSS=8961 SACK_PERM=1 TSval=521962793 TSecr=0 WS=128
179  9.541272  172.16.1.55   10.1.100.160  TCP  74  48790 → 443 [SYN] Seq=0 Win=62727 Len=0 MSS=8961 SACK_PERM=1 TSval=521962793 TSecr=0 WS=128
180  9.543391  10.1.100.160  172.16.1.55   TCP  74  443 → 48790 [SYN, ACK] Seq=0 Ack=1 Win=62643 Len=0 MSS=8365 SACK_PERM=1 TSval=1336597102 TSecr=521962793 WS=128
181  9.543403  172.16.1.55   172.16.1.66   TCP  74  51030 → 54634 [SYN, ACK] Seq=0 Ack=1 Win=62643 Len=0 MSS=8365 SACK_PERM=1 TSval=1336597102 TSecr=521962793 WS=128

The reply to testbox is not coming from port 443 of OPNsense but from 51030, so the testbox never establishes a connection. What do I have to configure to make it work in this network setup (I need any communication from 10.1.0.0/16 to appear as coming from 172.16.1.55, where IPsec to the other site is terminated; the testbox is just there to verify the rules)?
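The symptom in the capture above (the SYN/ACK leaves the firewall with a different source port than the one the client dialled) can be spotted mechanically by correlating each inbound SYN with the SYN/ACK the firewall sends back to that client. The following checker is an added example, not code from the post or from OPNsense: it parses Wireshark-style text export lines with the same columns as the capture above (frame number, time, source, destination, protocol, length, ports, flags) and reports every connection whose reply port does not match. The first sample trace is the four frames from the post; the second is a constructed trace showing what a correctly translated reply looks like.

```python
import re
from dataclasses import dataclass

# Sample input: the four frames quoted in the post (trailing TCP options trimmed).
SAMPLE_TRACE = """\
178  9.541227  172.16.1.66   172.16.1.55   TCP  74  54634 → 443 [SYN] Seq=0 Win=62727 Len=0
179  9.541272  172.16.1.55   10.1.100.160  TCP  74  48790 → 443 [SYN] Seq=0 Win=62727 Len=0
180  9.543391  10.1.100.160  172.16.1.55   TCP  74  443 → 48790 [SYN, ACK] Seq=0 Ack=1 Win=62643 Len=0
181  9.543403  172.16.1.55   172.16.1.66   TCP  74  51030 → 54634 [SYN, ACK] Seq=0 Ack=1 Win=62643 Len=0
"""

# Constructed trace (not from the post): the same exchange with the reply
# correctly untranslated back to source port 443, as a working setup would show.
FIXED_TRACE = """\
10  0.000100  172.16.1.66   172.16.1.55   TCP  74  54634 → 443 [SYN] Seq=0 Win=62727 Len=0
11  0.000150  172.16.1.55   10.1.100.160  TCP  74  48790 → 443 [SYN] Seq=0 Win=62727 Len=0
12  0.002200  10.1.100.160  172.16.1.55   TCP  74  443 → 48790 [SYN, ACK] Seq=0 Ack=1 Win=62643 Len=0
13  0.002250  172.16.1.55   172.16.1.66   TCP  74  443 → 54634 [SYN, ACK] Seq=0 Ack=1 Win=62643 Len=0
"""

# Matches "<no> <time> <src> <dst> TCP <len> <sport> → <dport> [<flags>] ...";
# both the Unicode arrow Wireshark prints and a plain "->" are accepted.
LINE_RE = re.compile(
    r"^\s*(?P<no>\d+)\s+(?P<time>[\d.]+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+TCP\s+\d+\s+"
    r"(?P<sport>\d+)\s+(?:→|->)\s+(?P<dport>\d+)\s+\[(?P<flags>[^\]]+)\]"
)


@dataclass(frozen=True)
class Packet:
    no: int
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset


def parse_trace(text):
    """Parse Wireshark-style text lines into Packet records; non-TCP lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        flags = frozenset(f.strip() for f in m["flags"].split(","))
        packets.append(Packet(int(m["no"]), m["src"], m["dst"],
                              int(m["sport"]), int(m["dport"]), flags))
    return packets


def check_reply_ports(packets, firewall_ip):
    """For every SYN a client sends to firewall_ip, find the SYN/ACK the firewall
    sends back to that client and compare its source port with the port the client
    dialled. A mismatch means the reply was translated inconsistently with the
    forward direction, which is exactly what stalls the handshake in the post."""
    expected = {}   # (client_ip, client_port) -> (syn frame no, port the client dialled)
    findings = []
    for p in packets:
        is_syn = "SYN" in p.flags and "ACK" not in p.flags
        is_synack = "SYN" in p.flags and "ACK" in p.flags
        if is_syn and p.dst == firewall_ip:
            expected[(p.src, p.sport)] = (p.no, p.dport)
        elif is_synack and p.src == firewall_ip and (p.dst, p.dport) in expected:
            syn_no, dialled = expected.pop((p.dst, p.dport))
            findings.append({
                "client": f"{p.dst}:{p.dport}",
                "syn_frame": syn_no,
                "synack_frame": p.no,
                "dialled_port": dialled,
                "reply_port": p.sport,
                "ok": p.sport == dialled,
            })
    return findings


if __name__ == "__main__":
    for name, trace in (("post capture", SAMPLE_TRACE), ("corrected capture", FIXED_TRACE)):
        for f in check_reply_ports(parse_trace(trace), "172.16.1.55"):
            status = "OK" if f["ok"] else "MISMATCH"
            print(f"{name}: {f['client']} dialled {f['dialled_port']}, "
                  f"reply from {f['reply_port']} (frames {f['syn_frame']}/{f['synack_frame']}): {status}")
```

Run it on a text export of the capture (File, Export Packet Dissections, As Plain Text in Wireshark, or `tshark -r file.pcap` output with the same columns) and pass the firewall's address facing the client. Only the outer leg is checked, because that is the one the client sees; the inner leg (frames 179 and 180 above) is already consistent in the post's capture.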