IP Alias not working in NAT Rule.

Started by The_Sage, January 08, 2019, 06:25:49 AM

January 08, 2019, 06:25:49 AM Last Edit: January 09, 2019, 05:13:08 AM by The_Sage
Hello all.
I have a NAT rule that works as expected ..

WAN    TCP    *    *    WAN Address    80 (HTTP)    192.168.0.254    80 (HTTP)   ::  (WORKS) :D

If I include a source IP Alias (so NAT only works from the source IP Alias), the NAT does NOT work.

WAN    TCP    SourceIPs    *    WAN Address    80 (HTTP)    192.168.0.254    80 (HTTP)   ::  (doesn't work)  >:(

Here is the log of the packets dropping
filterlog: 11,,,0,pppoe0,match,block,in,4,0x0,,117,834,0,DF,6,tcp,52,5.x.x.x,124.x.x.x,30518,80,0,S,501560329,,64240,,mss;nop;wscale;nop;nop;sackOK

live view says Blocked by default deny rule

However, if I use an IP address, the same one that came from the Alias, the NAT works
WAN    TCP    59.X.X.X    *    WAN Address    80 (HTTP)    192.168.0.254    80 (HTTP)   ::  (WORKS ) ;D

How should I accomplish this?
What is the best way to go about NATing only from a certain IP address?

NB. SourceIP Alias is a Hosts Alias with 2 entries, 2 of my Public IP addresses
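The filterlog line in the post is the only hard evidence of what pf actually did with the packet, so it is worth being able to read it mechanically. The following is an added example (not code from the thread or from OPNsense): it parses the comma-separated filterlog layout shown above (IPv4 + TCP records only) and picks out the exact symptom described, an inbound SYN on the WAN interface to the forwarded port from an address that should be allowed by the source alias, yet still blocked. The field names follow the filterlog record layout; the sample log lines, the interface name and the allowed source addresses are constructed for this example.

```python
"""Triage pf filterlog lines for a source-restricted port forward that is being blocked.

Added example, not from the forum thread or from OPNsense. Handles the
IPv4 + TCP record shape only; other shapes are skipped. Sample data below
is constructed (documentation address ranges), not from the original post.
"""
import csv
import ipaddress

# Field order of a filterlog record for IPv4 + TCP (29 fields).
IPV4_TCP_FIELDS = [
    "rulenr", "subrulenr", "anchor", "rid", "interface", "reason", "action",
    "direction", "ipversion", "tos", "ecn", "ttl", "id", "offset", "flags",
    "protonum", "protoname", "length", "src", "dst",
    "srcport", "dstport", "datalen", "tcpflags", "seq", "ack", "window", "urg", "options",
]


def parse_filterlog(line):
    """Return a dict for one IPv4/TCP filterlog record, or None for any other shape."""
    prefix = "filterlog: "
    if line.startswith(prefix):
        line = line[len(prefix):]
    # csv copes with the empty fields (",,") and the "mss;nop;..." options field.
    fields = next(csv.reader([line]))
    if len(fields) < 29 or fields[8] != "4" or fields[16] != "tcp":
        return None
    rec = dict(zip(IPV4_TCP_FIELDS, fields[:29]))
    rec["srcport"] = int(rec["srcport"])
    rec["dstport"] = int(rec["dstport"])
    return rec


def unexpected_blocks(lines, allowed_sources, forwarded_port, wan_if):
    """Yield records that contradict the intended rdr rule.

    "Unexpected" means: inbound on the WAN interface, a bare SYN to the
    forwarded port, source inside allowed_sources, and still blocked. SYNs
    from other sources being blocked is the source restriction doing its job.
    """
    nets = [ipaddress.ip_network(n) for n in allowed_sources]
    for line in lines:
        rec = parse_filterlog(line)
        if rec is None:
            continue
        if rec["action"] != "block" or rec["direction"] != "in" or rec["interface"] != wan_if:
            continue
        flags = rec["tcpflags"]
        if rec["dstport"] != forwarded_port or "S" not in flags or "A" in flags:
            continue
        src = ipaddress.ip_address(rec["src"])
        if any(src in n for n in nets):
            yield rec


# Constructed sample records in the same layout as the one in the post.
# 198.51.100.10 is inside the (constructed) allowed alias; 203.0.113.7 is not.
SAMPLE_LOG = [
    "filterlog: 11,,,0,pppoe0,match,block,in,4,0x0,,117,834,0,DF,6,tcp,52,198.51.100.10,192.0.2.1,30518,80,0,S,501560329,,64240,,mss;nop;wscale;nop;nop;sackOK",
    "filterlog: 11,,,0,pppoe0,match,block,in,4,0x0,,56,4012,0,DF,6,tcp,60,203.0.113.7,192.0.2.1,44321,80,0,S,88123,,65535,,mss;sackOK",
    "filterlog: 11,,,0,pppoe0,match,block,in,4,0x0,,117,835,0,DF,6,tcp,52,198.51.100.10,192.0.2.1,30519,443,0,S,501560330,,64240,,mss;nop;wscale;nop;nop;sackOK",
    "filterlog: 5,,,0,pppoe0,match,pass,in,4,0x0,,117,836,0,DF,6,tcp,52,198.51.100.10,192.0.2.1,30520,80,0,S,501560331,,64240,,mss;nop;nop;sackOK",
]
ALLOWED = ["198.51.100.10/32", "198.51.100.20/32"]  # constructed stand-in for the alias contents


def triage(lines=SAMPLE_LOG, allowed=ALLOWED, port=80, wan_if="pppoe0"):
    """Return (src, dst, rulenr) for every record that needs a second look."""
    return [(r["src"], r["dst"], r["rulenr"]) for r in unexpected_blocks(lines, allowed, port, wan_if)]


if __name__ == "__main__":
    for hit in triage():
        print("allowed source blocked at forwarded port:", hit)
```

Only the first constructed record survives: an allowed source, bare SYN to port 80, blocked. The other three are the restriction working (wrong source), a different port, and a pass, respectively. When the output is non-empty the next thing to check on the box itself is whether the alias-backed pf table actually holds the addresses you expect (`pfctl -t <alias name> -T show`); an empty or stale table makes a `from <alias>` rule match nothing, and the packet then falls through to the default deny exactly as the live view reported.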

This is now working. Updated to 18.7.10 firmware.

Sounds strange, maybe the reboot did it?


Cheers,
Franco

I have had a few strange things like this happen over the years. Too infrequent to reproduce, but very annoying nonetheless.

Thanks

Quote from: franco on January 12, 2019, 01:59:35 PM
Sounds strange, maybe the reboot did it?


Cheers,
Franco

Hi, Franco!
It might be the same bug "born" when the aliases code was optimized. It appeared only once, in a single sub-subversion of OPNsense, I don't quite remember which one, but recently (2-3 months ago). It happened to me as well: web and ftp services went down until I changed from aliases to actual ports (for me it was port translation).

The behavior was that no matter which port was the internal alias port directing to, the redirection was always to the external/ public(shed) alias port.

There are a few posts here in the forum, and a bug report on GitHub about that, + the OP having said that he upgraded OPNsense, it might relate.

Just spent 2 hours trying to get rules for No NAT Squid going .... using Alias ... Guess what. I thought the issue was fixed. But I changed it to IP address and it worked straight away.
Will report back findings later.

Will try later.  >:(     :'(

January 16, 2019, 09:59:42 AM #6 Last Edit: January 18, 2019, 01:49:23 AM by The_Sage
FYI -     OPNsense 18.7.10-amd64
After I got it to work with an IP, I changed it back to Alias IPs (5 IPs) (Also tried an Alias with 1 IP to see if it was trying to do an ALL comparison). No connection.

Reboot

Confirmed. Aliases DO NOT work with the following rules.

LAN (This is before BLOCK 80 and 443 to force using Squid)
IPV4 TCP/UDP Alias * * 80 *
IPV4 TCP/UDP Alias * * 443 *


NAT (This is to NOT NAT to Squid The IP's in the Alias)
LAN TCP/UDP !Alias * * 80 127.0.0.1 3128
LAN TCP/UDP !Alias * * 443 127.0.0.1 3129

I am testing with a PlayStation 4 "Test Internet Connection."

If I replace the Alias with an IP it works.
With alias it Fails.

So it is NOT a reboot.

I have made an issue here https://github.com/opnsense/core/issues/3137