virtual IP no more available in nat outgoing (BUG ?)

Started by xerse, February 20, 2023, 11:40:40 PM

Hello,
I'm sorry if what I'm writing is wrong, but unfortunately I had to rebuild a new OPNsense installation. I installed the following version: OPNsense 23.1.1_2-amd64 - FreeBSD 13.1-RELEASE-p6 - OpenSSL 1.1.1t 7 Feb 2023

I'm struggling during the past days because some NAT (incoming and outgoing) rules do not work as on my old configuration. Unfortunately I don't have the latest backup, and so I spent time checking my configuration.

Well, today I noticed something strange: the outgoing NAT configuration no longer has virtual IPs (which I had in version OPNsense 22.1.7_1-amd64 - FreeBSD 13.0-STABLE - OpenSSL 1.1.1o 3 May 2022). I noticed this during configuration using an old backup (a virtual IP, if modified, takes a /128 subnet), but I didn't care enough at the beginning.

Now it could be possible that something is not working as it should, and I would like to have your opinion.

There's another strange behaviour that I'll test better tomorrow. Hard to explain, but as one of my NAT problems is related to VoIP I tried to do a packet capture. Well, not only are some packets not recorded, but it seems that when packet capture is active, my NAT problem disappears... OK, probably I'm too tired ;D

Anyway, I really appreciate your opinion.

Thanks


The fragile shortcuts are removed. NAT required through VIPs has to be manually configured now.


Cheers,
Franco

Hi Franco,

thanks for your reply.

I don't understand well enough what you mean.

In brief, I did the following:
- I configured Virtual IPs so OPNsense is able to manage additional public IPs assigned to my server (VMware VM).
- I configured NAT rules to forward incoming packets on specific ports to reach my DMZ servers.
- I configured Outbound rules to tell OPNsense to allow outbound packets from my DMZ servers to reach the internet using a specific Virtual IP address.

In version 22.x, when I configure outbound rules I can select in the "translation/target" drop-down menu one of the configured Virtual IPs.
In version 23.x, Virtual IPs are no longer present in the drop-down menu.

When I imported my old backup into the 23.x new installation, NAT outbound rules appear exactly the same until I edit them. As soon as I edit a rule, the "translation/target" IP is shown as the public IP address with a /128 subnet.

It is at least strange: any possible changes between the 22 and 23 versions should convert a Virtual IP into a /32 IP. Also, my public IP is a Class B public IP, so a CIDR of 128 bits makes no sense.

Can you please explain your reply better?
Thanks
Sergio
Quote from: xerse on February 21, 2023, 09:49:28 AM
In version 23.x, Virtual IPs are no longer present in the drop-down menu.
You are supposed to add a host alias with your virtual IP and a suitable name like MyVirtualIP and use that in your NAT rules.

Firewall > Aliases
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

If you encounter bugs please add screenshots and relevant data instead of trying to "describe" it.

Again, as far as I know the config.xml contents of the "VIP" was just its address and that doesn't change between 22.x and 23.x. What changes is that you don't see the "VIP" designation anymore, because that was a bogus lookup since it only stored the IP address which could have changed...


Cheers,
Franco

Hi Franco, Hi pmhausen,

I'm doing a comparison between the 22 and 23 installations. Just to add more details, Virtual IPs also disappear from the NAT destination drop-down menu.

As far as I know, Virtual IPs are used to tell OPNsense which additional IPs are managed by the firewall.
Until 22.1.7, Virtual IPs were also available in the configuration drop-down menus (like NAT).

I understand that I can use an alias to see my virtual IP in the version 23 drop-down menu, but since when, from what version, are virtual IPs no longer used as before?
Is there any changelog or other notice that highlights possible problems while restoring a v22 configuration onto a new v23 machine? (Applying a /128 subnet looks like a bug.)

At the moment I'm trying to reconfigure a v22 appliance and test if problems I'm facing disappear. I'll update you asap.

thanks
I think I have a similar issue.
I was trying to get access to the GUI of my modem following this tutorial post: https://forum.opnsense.org/index.php?topic=8616.0

The problem is that when I try to create an outbound NAT rule, I don't see the virtual IP I defined as a drop-down option under "Translation / target".

Reading this thread, flash99, I think the way it is now meant to be is that the VIP will not be in the drop-down, but you need to change the drop-down to "Single host or network" and enter the IP of your VIP. I would do it as a /32.

I already tried this.
I can't access the modem if I enter the IP manually.


Quote from: flash99 on February 24, 2023, 02:58:56 PM
I think I have a similar issue.
I was trying to get access to the GUI of my modem following this tutorial post: https://forum.opnsense.org/index.php?topic=8616.0

The problem is that when I try to create an outbound NAT rule, I don't see the virtual IP I defined as a drop-down option under "Translation / target".

Hi Flash99,

Even if I haven't found another reply, I could say this:
It seems that the new OPNsense v23 uses Virtual IPs only to know which additional IPs one is configuring. The reason is not clear, but it means on one side that you have to write your public IP manually each time you have to create a rule (i.e. NAT), and most importantly you have to be careful about the subnet, as OPNsense uses /12 by default (which in my mind is a bug).

On the other side, it means that if you load a previous backup, older configurations look like they have Virtual IPs configured, but as soon as you try to edit, the Virtual IP is converted into a single address with a /128 subnet (not good at all).

I'm facing a problem with NAT that I'm not able to understand and, worst thing, packet capture did not catch the packets of some legs. At the same time, during the few packet capture tests I made, the NAT issue seems to disappear (as if the pcap driver bypasses some things).

Anyway, regarding your issue, it could be possible that your problem is related to returning packets:
You will contact your NATted device using a NAT forward rule.
Then, if your OPNsense has its WAN as 1.1.1.1 and you have a virtual IP at 1.1.1.2, you have a rule that forwards (incoming NAT) connections on 1.1.1.2 SSH port 22 to an internal private IP (your device).
Well, when your device reaches the internet (and then when it replies to your connection attempt from the outside), it uses the standard outbound rule. It means that your device will reply being NATted as 1.1.1.1 (OPNsense main WAN IP).

I may suppose that if you create an outbound NAT rule that tells OPNsense to NAT out your device's private IP using the Virtual IP 1.1.1.2, it will work.
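The two checks the thread converges on (an IPv4 translation target that was restored with a /128 prefix, and a port forward arriving on a VIP whose internal host has no outbound rule translating it back to that same VIP) can be run offline against a config.xml backup. This is an added example and not OPNsense's own code; the element names in the constructed sample are an assumption modelled loosely on the export format, so adjust them to a real backup before relying on the output.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed config.xml fragment. Element names (vip/subnet, nat/rule,
# nat/outbound/rule, target, target_subnet) are assumed, not copied from a
# real OPNsense export; the addresses reuse the 1.1.1.1/1.1.1.2 example above.
SAMPLE_CONFIG = """<opnsense>
  <virtualip><vip><subnet>1.1.1.2</subnet><subnet_bits>32</subnet_bits></vip></virtualip>
  <nat>
    <rule><target>192.168.10.5</target><destination><address>1.1.1.2</address><port>22</port></destination></rule>
    <rule><target>192.168.10.6</target><destination><address>1.1.1.2</address><port>5060</port></destination></rule>
    <outbound>
      <rule><source><network>192.168.10.5/32</network></source><target>1.1.1.2</target><target_subnet>128</target_subnet></rule>
      <rule><source><network>192.168.10.6/32</network></source><target>1.1.1.1</target><target_subnet>32</target_subnet></rule>
    </outbound>
  </nat>
</opnsense>"""

def vips(root):
    """Addresses declared under Firewall > Virtual IPs."""
    return {v.findtext("subnet") for v in root.iter("vip")}

def bad_target_prefixes(root):
    """Outbound rules whose translation target carries a prefix longer than the
    address family allows, e.g. an IPv4 VIP stored as /128 after a v22 restore."""
    bad = []
    for r in root.find("nat/outbound").iter("rule"):
        target, bits = r.findtext("target"), int(r.findtext("target_subnet"))
        if bits > ipaddress.ip_address(target).max_prefixlen:
            bad.append((target, bits))
    return bad

def forwards_without_matching_outbound(root):
    """Port forwards arriving on a VIP whose internal host has no outbound rule
    translating it to that same VIP (its outgoing traffic would use the main WAN IP)."""
    outbound = [(ipaddress.ip_network(r.findtext("source/network")), r.findtext("target"))
                for r in root.find("nat/outbound").iter("rule")]
    missing = []
    for fwd in root.find("nat").findall("rule"):  # direct children only: port forwards
        vip, host = fwd.findtext("destination/address"), ipaddress.ip_address(fwd.findtext("target"))
        if vip in vips(root) and not any(host in net and tgt == vip for net, tgt in outbound):
            missing.append((str(host), vip))
    return missing

def audit(xml_text=SAMPLE_CONFIG):
    root = ET.fromstring(xml_text)
    return {"bad_prefix": bad_target_prefixes(root),
            "missing_outbound": forwards_without_matching_outbound(root)}

if __name__ == "__main__":
    print(audit())
```

Pass the contents of a real backup to `audit()` instead of the sample to check an imported v22 configuration before editing rules in the GUI.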