OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • English Forums »
  • 24.7 Production Series »
  • Source IP is always changing to OPNSense's interface
« previous next »
  • Print
Pages: [1]

Author Topic: Source IP is always changing to OPNSense's interface  (Read 288 times)

Voix

  • Newbie
  • *
  • Posts: 5
  • Karma: 0
    • View Profile
Source IP is always changing to OPNSense's interface
« on: October 18, 2024, 06:50:56 pm »
Hi all,

I have the opnsense v.24.7.6 with Internet, LAN and DMZ (with vlan) interfaces.
LAN IP: 10.1.1.0/24
DMZ IP: 10.1.2.0/24

When I reach out the server in DMZ with ssh and issue "w" command, it shows address of router's DMZ interface  (10.1.2.1), but not my computer's IP.

At the same time I have no NAT between these interfaces.
"Firewall: NAT: Outbound" is set to Hybrid outbound NA, but there are only rules for Internet interface.

Could you please advise, what could be the reason of the issue?
Logged

Patrick M. Hausen

  • Hero Member
  • *****
  • Posts: 6807
  • Karma: 572
    • View Profile
Re: Source IP is always changing to OPNSense's interface
« Reply #1 on: October 18, 2024, 06:52:19 pm »
Do you have a gateway set on the DMZ interface? That would (IIRC) lead OPNsense to configure outbound NAT if automatic or hybrid is active.
Logged
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Voix

  • Newbie
  • *
  • Posts: 5
  • Karma: 0
    • View Profile
Re: Source IP is always changing to OPNSense's interface
« Reply #2 on: October 18, 2024, 06:55:22 pm »
No, GWs are only in Internet and in tailscale interfaces.
Logged

Patrick M. Hausen

  • Hero Member
  • *****
  • Posts: 6807
  • Karma: 572
    • View Profile
Re: Source IP is always changing to OPNSense's interface
« Reply #3 on: October 18, 2024, 07:01:32 pm »
You can use

Code: [Select]
pfctl -s nat
to check what is actually in effect.
Logged
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Voix

  • Newbie
  • *
  • Posts: 5
  • Karma: 0
    • View Profile
Re: Source IP is always changing to OPNSense's interface
« Reply #4 on: October 18, 2024, 07:11:45 pm »
vlan5 - Vlan on DMZ
vlan10 - To ISP (different port)
igc0 - LAN

Code: [Select]
# pfctl -s nat
nat-anchor "miniupnpd" all
no nat proto carp all
nat on tailscale0 inet from <SiteAnet> to any -> (tailscale0:0) port 1024:65535
nat on vlan0.10 inet from <ocserv_clients> to any -> (vlan0.10:0) port 1024:65535
nat on vlan0.10 inet from <SiteBnet> to any -> (vlan0.10:0) port 1024:65535
nat on vlan0.10 inet from (igc0:network) to any port = isakmp -> (vlan0.10:0) static-port
nat on vlan0.10 inet from (lo0:network) to any port = isakmp -> (vlan0.10:0) static-port
nat on vlan0.10 inet from (wg0:network) to any port = isakmp -> (vlan0.10:0) static-port
nat on vlan0.10 inet from (vlan05:network) to any port = isakmp -> (vlan0.10:0) static-port
nat on vlan0.10 inet from 127.0.0.0/8 to any port = isakmp -> (vlan0.10:0) static-port
nat on vlan0.10 inet from (igc0:network) to any -> (vlan0.10:0) port 1024:65535
nat on vlan0.10 inet from (lo0:network) to any -> (vlan0.10:0) port 1024:65535
nat on vlan0.10 inet from (wg0:network) to any -> (vlan0.10:0) port 1024:65535
nat on vlan0.10 inet from (vlan05:network) to any -> (vlan0.10:0) port 1024:65535
nat on vlan0.10 inet from 127.0.0.0/8 to any -> (vlan0.10:0) port 1024:65535
no rdr proto carp all
no rdr on igc0 proto tcp from any to (igc0) port = ssh
no rdr on igc0 proto tcp from any to (igc0) port = http
no rdr on igc0 proto tcp from any to (igc0) port = https
rdr-anchor "miniupnpd" all
binat-anchor "miniupnpd" all

I can't see smth fishy here
Logged

Patrick M. Hausen

  • Hero Member
  • *****
  • Posts: 6807
  • Karma: 572
    • View Profile
Re: Source IP is always changing to OPNSense's interface
« Reply #5 on: October 18, 2024, 07:14:24 pm »
I don't know miniupnpd, honestly - try to disable it?
Logged
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Voix

  • Newbie
  • *
  • Posts: 5
  • Karma: 0
    • View Profile
Re: Source IP is always changing to OPNSense's interface
« Reply #6 on: October 18, 2024, 07:24:36 pm »
Did it, the lines disappeared from the output above, but didn't help: still see RTR's IP by 'w'
Logged

Patrick M. Hausen

  • Hero Member
  • *****
  • Posts: 6807
  • Karma: 572
    • View Profile
Re: Source IP is always changing to OPNSense's interface
« Reply #7 on: October 18, 2024, 07:25:47 pm »
tcpdump the connection on both interfaces and watch what happens.  :)
Logged
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Voix

  • Newbie
  • *
  • Posts: 5
  • Karma: 0
    • View Profile
Re: Source IP is always changing to OPNSense's interface
« Reply #8 on: October 18, 2024, 07:39:54 pm »
Thank you!

It actually helped to find the issue.
The problem was not in the OPNSense at all :)
Logged
  • Print
Pages: [1]
« previous next »
  • OPNsense Forum »
  • English Forums »
  • 24.7 Production Series »
  • Source IP is always changing to OPNSense's interface
 

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved
  • SMF 2.0.19 | SMF © 2021, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2