OPNsense virtual deployment for test, NAT not working

Started by Cossack, August 24, 2023, 11:09:59 AM

Hello everyone,

For three days straight, I have been trying to resolve one issue.

I have set up a test environment on my PC using VirtualBox.

There is an OPNsense firewall with three interfaces:
WAN - bridged with my PC's network card
LAN - host-only network, so I can manage OPNsense
OPT1 - generic interface connected to the MikroTik virtual machine

The MikroTik virtual machine has three interfaces:
two are internal and one is host-only for management.

And one virtual machine is connected to the MikroTik.

Now, this VM behind the infrastructure can reach public domains, ping google.com, etc., and has Internet access.

I am trying to set up NAT so I can reach the VM over SSH using the firewall's public IP. The public IP in this case is the internal IP issued by my router...

But it's not working!!! And the rules to enable ICMP do not work!!! I am slowly going insane here. Any help would be very much appreciated...

Hi,

in order to help you, please provide a schematic of which device is connected to what, using which IP and netmask, and what connection you are trying to accomplish. I understand neither your goal nor your setup from the text.

Some templates (unfortunately explained in German) can be found here: https://forum.opnsense.org/index.php?topic=7216.0

Thank you for your reply. I will try to provide a picture instead, because I am not sure how I can use that.

So, I am using VirtualBox on my PC.

Goal: Set up a network with a switch connected to OPNsense and test whether NAT works to reach a virtual machine connected to the switch using SSH.

I have set up three virtual machines:
OPNsense
MikroTik
RockyLinux

Please see the picture.

Now, RockyLinux has Internet access with this topology, but I want to enable NAT to the RockyLinux VM on OPNsense to test how it works. From my experience so far, whatever I allow on the WAN port does not take effect.

Here are 3 steps to consider:

- On OPNsense: Your OPNsense is not on a public IPv4 -> Make sure "Block private networks" is unchecked on all interfaces (including WAN). [Interfaces > Respective Interface settings]

- On OPNsense: For outgoing NAT, check that it is allowed by automatic or hybrid rules (the default; it should already be there). [Firewall > NAT > Outgoing]

- On Huawei Router: Set up port forwarding from your Huawei to 192.168.51.10 port 22. I don't know how this works on a Huawei, but there should be a way to do it.

- On OPNsense: Allow incoming traffic on WAN to OPT1 for port 22 (IP, TCP), or define the rule according to your needs. At least TCP to port 22 of the VM must be allowed. This enables the traffic going from the Huawei back to your VM.

Is that what you needed?


Close, but not exactly. Thank you for looking into this.

You see host 192.168.8.98? That is the host from which I want to connect via SSH to the VM with IP 192.168.51.10.

Quote
- On OPNsense: Your OPNsense is not on a public IPv4 -> Make sure "Block private networks" is unchecked on all interfaces (including WAN). [Interfaces > Respective Interface settings]

This is done already.

Quote
- On OPNsense: Allow incoming traffic on WAN to OPT1 for port 22 (IP, TCP), or define the rule according to your needs.

Can you please elaborate on what the rule configuration would look like?

Also, I tried setting up ICMP, but it did not work on WAN despite my best attempts...

[ICMP]
- First, please check that on OPNsense you have a WAN rule that allows ICMP from 192.168.8.0/24

If not available add a rule like this:
In [Firewall > Rules > WAN]:
    Action: Pass
    Interface: WAN
    Protocol: ICMP
    ICMP type: any
    Source: any
    Destination: WAN address
    Description: Allow ping on WAN


Make sure to reload the rules if you add / change something.

- Can you ping 192.168.8.60 from your workstation?
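
For the port-22 rule asked about earlier in the thread and the ICMP rule described in the post above, here is what those GUI settings correspond to when expressed as pf rules, the form OPNsense (FreeBSD pf) writes out to /tmp/rules.debug. This is an added example, not taken from any post in this thread or from OPNsense's own generated files. The interface names em0 (WAN) and em2 (OPT1) and the macro names are assumptions; the addresses are the ones mentioned in the thread (192.168.8.60 as the WAN address, 192.168.8.0/24 as the home LAN, 192.168.51.10 as the VM). The commented-out block rule shows, approximately, what the "Block private networks" checkbox adds and why it silently defeats everything below it.

```pf
# Added example (not from the thread): pf equivalent of the OPNsense GUI rules
# discussed above. Assumed interface names: em0 = WAN, em2 = OPT1.
wan_if   = "em0"
opt1_if  = "em2"
ssh_vm   = "192.168.51.10"
home_lan = "192.168.8.0/24"

# --- What breaks it: "Block private networks" left ticked on WAN -----------
# With the checkbox set, OPNsense emits block rules of this shape ahead of
# every pass rule. 192.168.8.98 falls inside 192.168.0.0/16, so its SYN to
# the WAN address is dropped before the port forward or any pass rule is
# ever evaluated. Untick the box; do not try to "pass" around it.
# block in log quick on $wan_if inet from 192.168.0.0/16 to any

# --- Port forward (Firewall > NAT > Port Forward) --------------------------
# Translate TCP/22 arriving at the WAN address into the VM behind OPT1.
rdr on $wan_if inet proto tcp from $home_lan to ($wan_if) port 22 \
    -> $ssh_vm port 22

# --- Associated filter rule on WAN (Firewall > Rules > WAN) ----------------
# pf runs the filter after translation, so the destination to match is the
# VM's address, not the WAN address. This is the "WAN to OPT1 port 22" rule.
pass in quick on $wan_if inet proto tcp from $home_lan to $ssh_vm port 22 \
    flags S/SA keep state

# --- ICMP echo to the WAN address ("Allow ping on WAN") --------------------
pass in quick on $wan_if inet proto icmp from $home_lan to ($wan_if) \
    icmp-type echoreq keep state
```

Two checks are worth doing before changing any rule. On the OPNsense console, `tcpdump -ni em0 host 192.168.8.98` shows whether the workstation's packets reach the WAN interface at all; if nothing appears while pinging or connecting, the problem is the hypervisor bridge, not the firewall, which is what the final post in this thread suspects. If packets do arrive, `pfctl -sn` and `pfctl -sr` print the loaded translation and filter rules so the GUI result can be compared with the intent above. Note also that a client on 192.168.8.0/24 talks to the WAN address directly; the Huawei port-forward step only matters for connections coming from outside the home network.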


I tested a different setup using actual hardware; everything is working as intended.

Maybe it is a bug in the virtual environment and my home network. I used a bridged adapter; maybe that was the cause.

Still thank you for your replies.