[SOLVED] NAT doesn't work

Started by emilicus, December 29, 2015, 05:50:46 PM

December 29, 2015, 05:50:46 PM Last Edit: January 09, 2016, 12:30:32 AM by franco
Hello all,
just installed latest version of OPNsense on Xen host.

Just replaced a pfsense installation with the new OPNsense one.

Internet browsing is OK, OpenVPN access to my LAN from the internet is OK, so the base setup must be OK.

What puzzles me is the NAT rules. I cannot get them to work at all. The rules are very basic and I've already tried out all the combinations of Source/Destination interfaces I can think of, but without results.

Firewall logs say the traffic is permitted (pass), but after this step, nothing... so something must be wrong in the NAT rule, at least I think...

Could someone post a step-by-step howto in order to setup a very simple firewall/nat rule?
i.e. to open an HTTPS port from WAN to a single address on the LAN?

Sorry for this stupid question.

Many thanks

December 29, 2015, 11:16:16 PM #1 Last Edit: December 29, 2015, 11:18:33 PM by fraenki
Hi emilicus,

Quote: What puzzles me is the NAT rules. I cannot get them to work at all. The rules are very basic and I've already tried out all the combinations of Source/Destination interfaces I can think of, but without results.

You said that browsing and OpenVPN access are working, so NAT doesn't seem totally broken to me.
Maybe you could post some screenshot(s) of the NAT/firewall rules you've created that aren't working. I'm not really sure that I understand what you want to achieve; maybe you could add some details to your problem description (and a full example).

FWIW, in such situations I tend to use some tcpdump on OPNsense to see where the packets get stuck, i.e.
tcpdump -i em0_vlan123 -s 1500 -n -X host 10.1.2.3 and port 80
where em0_vlan123 is the interface (you'll likely check more than one interface) and 10.1.2.3 is the destination host and port accordingly.

Regards
- Frank

Quote from: fraenki on December 29, 2015, 11:16:16 PM

Quote: What puzzles me is the NAT rules. I cannot get them to work at all. The rules are very basic and I've already tried out all the combinations of Source/Destination interfaces I can think of, but without results.

You said that browsing and OpenVPN access are working, so NAT doesn't seem totally broken to me.

Do you browse the web using a private IPv4 address, or using IPv6?

I have found that before and beat it to death. I found the answer finally. It's only XenServer (maybe Xen too). Common FreeBSD 10 and above issue. I found in pfSense the exact same thing. Here is a thread that explains more. I switched hypervisors due to this. Works on others (VMware/Hyper-V/VirtualBox etc.).

https://forum.pfsense.org/index.php?topic=88467.0

Thank you very much cdburgess75.
I'll try the topic you've posted and eventually I'll report back to the list.

December 30, 2015, 06:07:21 PM #5 Last Edit: December 30, 2015, 09:33:10 PM by emilicus
Hello, I would like to report that after disabling checksum on both the OPNsense domU and the OPNsense vifs, the issue was SOLVED.

The FreeBSD checksum bug seems to have been solved a month ago, so I hope to see the patches applied in the next release of OPNsense.

Thanks to all for the support
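For anyone landing here with the same Xen symptom, the following is an added example, not code from the thread or from the OPNsense project. It checks whether checksum and segmentation offloading is still enabled on a FreeBSD/OPNsense guest interface by parsing the `options=<...>` line of `ifconfig` output, and prints the guest-side `ifconfig` command (and the matching dom0 `ethtool` command) that would turn it off. The interface name `xn0`, the backend name `vif1.0` and the `ifconfig` text are assumptions and constructed sample data, not values from the thread.

```shell
#!/bin/sh
# Added example: verify that checksum/TSO/LRO offloading is really off on a
# Xen guest interface before chasing NAT rules, and show what would fix it.

# Constructed sample of `ifconfig xn0` on a FreeBSD guest BEFORE the fix.
# (Values are made up for illustration; xn0 is an assumed interface name.)
SAMPLE_IFCONFIG='xn0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=503<RXCSUM,TXCSUM,TSO4,LRO>
    ether 00:16:3e:00:00:01
    inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
    media: Ethernet manual
    status: active'

# offload_flags "<ifconfig output>": prints each offload feature named in the
# options=<...> line, one per line; prints nothing when none is enabled.
offload_flags() {
    printf '%s\n' "$1" \
        | sed -n 's/.*options=[0-9a-f]*<\(.*\)>.*/\1/p' \
        | tr ',' '\n' \
        | grep -E '^(RXCSUM|TXCSUM|TSO4|TSO6|LRO)$' || true
}

# offload_enabled "<ifconfig output>": exit status 0 if any feature is on.
offload_enabled() {
    [ -n "$(offload_flags "$1")" ]
}

# disable_cmds IFACE "<ifconfig output>": prints the guest-side ifconfig
# command for exactly the features that are on (ifconfig takes the negated
# names -rxcsum, -txcsum, -tso, -lro). Prints nothing if all are off.
disable_cmds() {
    iface=$1
    flags=$(offload_flags "$2")
    [ -z "$flags" ] && return 0
    args=""
    for f in $flags; do
        case $f in
            RXCSUM) args="$args -rxcsum" ;;
            TXCSUM) args="$args -txcsum" ;;
            TSO4|TSO6) case $args in *-tso*) ;; *) args="$args -tso" ;; esac ;;
            LRO) args="$args -lro" ;;
        esac
    done
    printf 'ifconfig %s%s\n' "$iface" "$args"
}

# dom0_cmd VIF: the dom0-side counterpart, turning off tx checksum offload on
# the guest's backend vif. The vif<domid>.<index> name is an assumption.
dom0_cmd() {
    printf 'ethtool -K %s tx off\n' "$1"
}

# Run the check against the constructed sample.
if offload_enabled "$SAMPLE_IFCONFIG"; then
    echo "xn0 still has offloading enabled:"
    offload_flags "$SAMPLE_IFCONFIG"
    echo "guest: $(disable_cmds xn0 "$SAMPLE_IFCONFIG")"
    echo "dom0:  $(dom0_cmd vif1.0)"
else
    echo "xn0: no checksum/segmentation offloading enabled"
fi
```

On a real box you would feed it `ifconfig xn0` instead of the sample; re-run after the change and the `options=` line should no longer list RXCSUM/TXCSUM/TSO/LRO. The ifconfig flags are not persistent across reboots, so the same negated options belong in the interface settings once confirmed to help.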