Routing without NAT

Started by psuter, April 25, 2019, 07:50:49 PM

hi
I'm trying to get an OPNsense router to route traffic between two networks without NAT. To test this I have set up an OPNsense VM with one interface connected to our network (172.16.16.0/24) and the LAN interface (192.168.1.1/24) connected to an internal network between this VM and a second VM which is running Ubuntu.

Then I went to Firewall:NAT:Outbound and changed the mode to Manual and made sure there are no rules.

I then set up a route on my real PC to route traffic to 192.168.1.0 via 172.16.16.92 (the IP of my OPNsense WAN interface).

Last but not least, I've added an any-to-any firewall rule for my WAN interface (the LAN interface already has the standard LanNet-to-any rule).

I could then ping my PC from the Ubuntu VM just fine, but I can't ping the other way around. So when I try to ping 192.168.1.100 (the Ubuntu VM) from my real PC, I get no reply. A tracert shows that it really routes via the OPNsense VM but doesn't get further from there.

Now when I go to Firewall:Settings:Advanced:Miscellaneous and tick "Disable all packet filtering", pings work both ways. However, I would like to be able to filter traffic in the future, so I don't want to disable packet filtering.

what am I missing?

Time for a little self-reply :) I researched some more and found the Transparent Bridge how-to here: https://wiki.opnsense.org/manual/how-tos/transparent_bridge.html

However, that's not what I want. I want to be able to serve IPs via DHCP on my LAN network and in the future have more networks on the LAN side as well. But anyway, at least I got some inspiration to try a Floating Rule for once.

And indeed, when I add a floating rule that allows "in" traffic on the WAN interface with destination "LAN net" to pass, I can ping my "internal" Ubuntu machine. However, I can't SSH to the machine. I see the TCP packets coming in on the machine, but I can't establish an SSH connection.

When I then change my floating rule to allow, instead of "in" traffic, the traffic in both directions on the WAN interface, I can SSH to my machine.

So doing this I've achieved what I wanted so far, but I don't understand it! Why is that floating rule needed? Why can I ping (and get a pong back) but not SSH with the first floating rule?

If anyone can shed some light on that I'd greatly appreciate it. I like to understand what I'm doing ;)

cheers
Pascal

One more thing I have found out:
The floating rule only works if I enable the Quick setting, so if it is matched before the interface rules are matched, OR if I disable the Quick setting AND disable the WAN rule which allows all incoming traffic to anywhere.

My suspicion is that the WAN rule actually matches my traffic but it seems to route it to some strange place where it can't continue, while the floating rule routes it to the correct network.

I still don't understand why that is. In both rules I have set the Gateway (under advanced features) to default.
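The matching order the post describes (floating rules are evaluated before interface rules, and the last matching rule wins unless it is marked Quick) can be modelled in a few lines. This is an added example, not code from the thread or from OPNsense; the rule names, interface name and the 192.168.1.0/24 "LAN net" are taken from the post, everything else is a constructed model.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Rule:
    """A simplified pass rule: interface, direction, destination network."""
    name: str
    iface: str
    direction: str          # "in", "out" or "any"
    dst: str                # destination network in CIDR notation
    floating: bool = False  # floating rules are evaluated before interface rules
    quick: bool = False     # Quick: stop evaluating as soon as this rule matches
    enabled: bool = True


def matches(rule: Rule, iface: str, direction: str, dst_ip: str) -> bool:
    return (rule.enabled
            and rule.iface == iface
            and rule.direction in ("any", direction)
            and ip_address(dst_ip) in ip_network(rule.dst))


def winning_rule(rules: list[Rule], iface: str, direction: str, dst_ip: str) -> str:
    """pf-style evaluation: floating rules first, then interface rules;
    the last match wins unless a matching rule is Quick, which ends evaluation."""
    ordered = [r for r in rules if r.floating] + [r for r in rules if not r.floating]
    winner = None
    for rule in ordered:
        if matches(rule, iface, direction, dst_ip):
            winner = rule
            if rule.quick:
                break
    return winner.name if winner else "default deny"


LAN_NET = "192.168.1.0/24"  # the "LAN net" alias from the post


def ruleset(floating_quick: bool, wan_rule_enabled: bool) -> list[Rule]:
    """The two rules from the thread, with the two knobs the poster toggled."""
    return [
        # interface rule on WAN: any-to-any, listed first but evaluated after floating rules
        Rule("WAN any-to-any", "wan", "in", "0.0.0.0/0", enabled=wan_rule_enabled),
        # floating rule: WAN, direction "in", destination LAN net
        Rule("floating WAN in to LAN net", "wan", "in", LAN_NET,
             floating=True, quick=floating_quick),
    ]
```

With Quick enabled the floating rule ends evaluation and wins; without Quick the WAN interface rule matches later and wins, unless that WAN rule is disabled, which reproduces the three observations above.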

Hello
I just do not understand what the difference is between Routing and NATing!
Maybe somebody could enlighten me.
How do you make the decision to use Routing or NATing?

have a nice day
vinc
apu2c4 / wle200nx / 240 Disk --> Firewall | FW-03
---
OPNsense 22.1.6-amd64
FreeBSD 13.0-STABLE
OpenSSL 1.1.1n 15 Mar 2022

Quote from: vikozo on April 30, 2019, 09:28:10 AM
Hello
I just do not understand what the difference is between Routing and NATing!
Maybe somebody could enlighten me.
How do you make the decision to use Routing or NATing?

If you have just public IP addresses that are valid on the internet, you will not use NAT, but can directly route them to the internet or address your local servers from outside. Or if you have more internal networks in RFC1918 address space, you will do routing and just NAT at your WAN device - else you would have NAT cascades.

With routing, you can reach every single device/IP without the need to do port forwardings. That is the advantage of IPv6: more addresses, the possibility to assign public routable IPv6 addresses to devices, and you just need an allow rule on your firewall - no port forwarding.
Intel(R) Xeon(R) Silver 4116 CPU @ 2.10GHz (24 cores)
256 GB RAM, 300GB RAID1, 3x4 10G Chelsio T540-CO-SR

OK, thanks for your feedback.
As I do have a /30 range I do not need NAT.
have a nice day
vinc