Scheduled NAT using local tags problem

Started by bsdkilla, December 16, 2019, 07:36:55 AM

I wish to have a Port Forward be active only for a specific time range. Unfortunately this is not possible in OPNsense, but it does offer time Schedules on regular Firewall Rules.

So my thought was to set up a Firewall rule on the VLAN to "local tag" the traffic I am interested in. This works and I can see the tag applied when viewing the Live View log.

The second step is to create the Port Forward on WAN and have it match the "local tag" set by the rule above from the VLAN. However, this does not work.

It seems that the processing order of NAT first and then Firewall Rules applies globally across all interfaces, e.g.:

VLAN & WAN
1)   NAT
2)   Firewall Rules

Which means the idea of tagging via a rule then using it to match on the Port Forward is not going to work.

I was expecting it to apply locally on each Interface, e.g.:

VLAN
1)   NAT
2)   Firewall Rules  <-- rule sets local tag
WAN
3)   NAT  <-- port forward matches local tag
4)   Firewall Rules


Can anyone clarify this or does anyone have a suggestion on how this could be made to work?




I am also wanting a way to schedule NAT rules. I have a port forward on port 80 that I want to be handled by haproxy most of the time, but for a short period of time once a week I'd like to allow connection to an internal server.

Right now I have to do this manually by enabling a NAT rule for a few minutes and then disabling it when I'm done. I'd really like to be able to schedule this somehow, but I can't see how to do it.

Is there some command line option I could use cron with or is there any chance of adopting schedules on the port forwards?

You do not need to schedule NAT, you simply schedule rule access to the NAT entry point. E.g. in port forwards you have an associated pass rule, which you have to change to manual in the advanced settings of the port forward; then you can add your own (scheduled) pass rule.

Or you schedule a block rule in front of your associated automatic pass rule.


Cheers,
Franco
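The two variants described in the reply above, written out as a pf ruleset fragment. This is an added illustration, not configuration from the thread or from OPNsense itself; the interface name re0, the schedule name Schedule1 and the internal host 10.1.1.20 are assumptions.

```pf
# Variant 1: the port forward (rdr) stays loaded permanently. Its automatically
# generated pass rule is turned off ("Filter rule association: none" in the
# port forward's advanced settings), so nothing passes the redirected traffic
# unless the manual rule below is active.
rdr on re0 inet proto tcp from any to (re0) port 80 -> 10.1.1.20 port 80

# Manually added WAN pass rule that carries the schedule (Schedule1).
# rdr is applied before filtering, so this rule must match the translated
# destination 10.1.1.20, not the WAN address. While the schedule is inactive
# OPNsense leaves this rule out of the loaded ruleset (it appears commented
# out, as in the rules output quoted later in this thread) and the redirected
# connections fall through to the default deny.
pass in quick on re0 inet proto tcp from any to 10.1.1.20 port 80 keep state

# Variant 2: keep the automatic pass rule from the port forward and place a
# scheduled block rule in front of it. Here the block rule is the one that
# carries the schedule, so the forward is reachable except during that window.
block in quick on re0 inet proto tcp from any to 10.1.1.20 port 80
pass in quick on re0 inet proto tcp from any to 10.1.1.20 port 80 keep state
```

In both variants the NAT entry itself never changes; only the filter rule that admits the translated traffic is toggled by the schedule.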

@franco

Is it meanwhile possible to add a schedule for NAT rules (port forwarding)?
Because I need a tmp (dynamic) NAT rule that redirects to a specific DNS (in a separate VLAN) for some days, or some hours in a day; otherwise (in normal operation) it uses a "normal" DNS (without any NAT redirects).

How can I do this? Because the way you mentioned above would not work here.

I'm also looking for a way to use schedules on NAT. So far I'm trying to play with tags but without luck. I would appreciate it if someone has a hint; below is what I expected to work.


rdr on re0 inet proto {tcp udp} from {any} to {any} tagged proxy -> 127.0.0.1 port 1080
...
# pass in log on re1 inet proto {tcp udp} from {10.1.1.15} to !$bogons keep state tag proxy # [FIN](Schedule1)


re0 is WAN.
re1 is some LAN.

Another way to go would be (even if ugly) to go via the API, e.g. like here:
https://docs.opnsense.org/development/api/plugins/firewall.html

So I can now read (get) this one NAT rule via a curl call. So it should be possible to add/delete this one NAT rule on a schedule...

But it seems to be very ugly and not reliable.

Another question: if you look at the config.xml and a firewall (filter) rule with an activated schedule inside, we see such a definition:

<sched>tst_tmp_rule1</sched>

If I now injected this line into a NAT rule (e.g. by hijacking the /conf/config.xml), would the schedule work for my NAT rule?