[SOLVED] Pure NAT

Started by cnu80, March 08, 2017, 09:31:49 AM

March 08, 2017, 09:31:49 AM Last Edit: March 08, 2017, 09:04:55 PM by cnu80
Hi,

I migrated from a Ubiquiti EdgeRouter to a virtual OPNsense installation. The migration was successful, the EdgeRouter is powered off ;). Now I am configuring some additional services, like DHCP, port forwarding, DynDNS ...

Port forwarding works as expected (access from the Internet), but from my internal LAN I cannot connect to the forwarded ports. I used the following manual to configure the "Reflection NAT":

https://doc.pfsense.org/index.php/Why_can%27t_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks

My setup:
* opnsense latest version
* virtual machine with one network adapter
* I use VLANs to separate DMZ, WAN, LAN, GUEST and so on. This configuration is working fine.
* My WAN connection: I use a Netgear LTE modem in router mode. The WAN interface has a static IPv4 address (192.168.5.100) and my default gateway is 192.168.5.1 (Netgear modem). Is this a problem? Should I set the modem to "bridge mode"?

I tried to set the "Filter rule association" to "Pass", but the connection is still not possible.

What can I do to find the failure?

BR, cnu80

PS: Is it better to use several network interfaces instead of a VLAN-trunk?


I just use method 2 for the Split DNS.

That removes the extra hop of connecting to your router and back to the system.

If you turned on the Pure NAT, you'd want to make sure you delete/recreate your port forwards so all the proper rules get created.

Without seeing all the rules/forwards, it's hard to figure out what's going on.

Thanks for the response.

I used split DNS before and it works great with stationary devices, but with my laptop and other mobile devices I have to restart applications, flush DNS caches and so on to get the internal IP.

In the meantime I found the problem, but not the solution. ;) I get a dynamic public IP address from my ISP and my modem is in router mode. From my understanding I have a double NAT.

When I create the port forward with destination "WAN address" or "WAN network", Pure NAT does not work.
When I create the port forward with destination "single host" and fill in my public IP, it works.

But when my ISP changes the public IP, the rule is broken again.
Is there a feature to track the public IP and change the rules dynamically?

thanks
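Added illustration, not from any poster and not OPNsense's generated ruleset: a hand-written pf.conf fragment showing what a reflection (Pure NAT) forward amounts to, and why a rule keyed on "WAN address" cannot match while the modem sits in router mode. The VLAN interface names, the LAN/DMZ networks and the public address 203.0.113.7 are assumptions.

```pf
# Added example: hand-written pf.conf for NAT reflection of TCP/443 to a DMZ
# host. Interfaces, networks and the public address are assumed, not from the
# thread.
ext_if   = "vlan5"           # WAN VLAN; 192.168.5.100 while the modem routes
lan_if   = "vlan10"
lan_net  = "10.0.10.0/24"
dmz_host = "10.0.20.20"

# 1. Inbound forward from the Internet: this is the part that works in the
#    thread, because the modem forwards public-IP traffic to 192.168.5.100 and
#    ($ext_if) expands to that address at runtime.
rdr on $ext_if proto tcp from any to ($ext_if) port 443 -> $dmz_host port 443

# 2. Reflection for LAN clients, keyed on "WAN address". Behind a double NAT
#    ($ext_if) is 192.168.5.100, but LAN clients connect to the public IP, so
#    the destination never matches and the forward silently does nothing.
rdr on $lan_if proto tcp from $lan_net to ($ext_if) port 443 -> $dmz_host port 443

# 3. The workaround from the thread: key the reflection on the public IP. It
#    matches, but breaks the moment the ISP hands out a new address.
#    rdr on $lan_if proto tcp from $lan_net to 203.0.113.7 port 443 -> $dmz_host port 443
#
#    Once the modem is in bridge mode, ($ext_if) carries the public IP itself,
#    rule 2 matches, and rule 3 is unnecessary.

# 4. Source NAT for the reflected flow. Only needed when client and server
#    share a subnet (the server would otherwise reply directly and bypass the
#    firewall); with the DMZ on its own VLAN it is optional.
nat on $lan_if proto tcp from $lan_net to $dmz_host port 443 -> ($lan_if)

# Filter rule matching the translated packet; translation happens before
# filtering in pf, so the destination here is the DMZ host.
pass in quick on $lan_if proto tcp from $lan_net to $dmz_host port 443
```

Compare the destination of rule 2 with what the LAN client actually dials: that mismatch is the double-NAT symptom described in the post above.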

Double NAT would make port forwarding challenging. If you can eliminate that, it would make life a lot easier.

You can use Dynamic DNS to update a public DNS name, but I'm not aware of anything to change the rules dynamically.

Are you using Automatic Outbound NAT rules or something other than the default setting?

I switched my modem to bridge mode. Now the public address is directly bound to the WAN interface.
Port forwarding and Pure NAT are working as expected.