Outbound NAT Issues

Started by rfeng33, November 20, 2020, 10:15:30 PM

I have recently started looking at OPNSense to replace my Untangle firewall after their recently announced licensing changes.  I have LAN connectivity just fine and I can connect out to the Internet from the firewall without issue (from the CLI I can ping out and resolve DNS).  Any traffic from one of the 4 VLANs I have makes it to the firewall but dies. I am intending to do a CARP/HA setup, so I have that configured with the proper VIPs and the proper manual outbound NAT rule to NAT all traffic coming from my internal networks (I set up a group for them), and I can't get any traffic through.  When I traceroute from a machine on one of the VLANs I get the first hop as the dedicated interface IP on the VLAN and then it dies from there. 

Any suggestions on where I could start looking?  I can provide any additional information if needed to assist in pinpointing the issue. I've just recently started playing with OPNSense, so I'm sure it's probably something I have set incorrectly.

I've been playing with this a bit more.  I can't see what's going on.  In my Outbound NAT manual rules, I have the following example rule set up:

Interface: WAN
Source: ManagementVLAN net (my first VLAN), just for testing purposes.
Source Port/Destination/Destination Port: *
NAT Address: my WAN VIP for CARP
NAT Port: *
Static Port: No

I can ping and resolve DNS just fine from the firewall itself under Diagnostics, so traffic coming directly off the box is working fine.  As I haven't fully built the 2nd firewall yet, the VIPs all come up as MASTER on this box. 

When I look at pftop I see traffic trying to come off devices on my LAN and go to external addresses out on the Net, but the state is Single: NO_TRAFFIC or NOTRAFFIC:SINGLE. 

I have 4 VLANS setup on the internal side and I can talk between them without issues from a machine on the management VLAN. 

Hi,

Do you have an allow rule on your ManagementVLAN that allows ManagementVLAN to any?

regards M.

I have added rules that allow traffic from each VLAN to anywhere, yes. 

Then it should work. No more ideas except some sort of typo. Source, destination? IPv4/IPv6 stuff?
Sorry, without looking at the system ...  :-\


Issue appears to be resolved.  For some reason the upstream fiber shelf was caching the MAC address of the old firewall and not allowing ARP for the CARP address.  I'm up and running, thanks for all your help, folks!
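The resolution above points at a check worth scripting when a CARP VIP replaces an older firewall on the same segment: the firewall must be MASTER for the VIP, and the upstream neighbour must resolve the VIP to the CARP virtual MAC (00:00:5e:00:01:&lt;vhid&gt;, the same well-known range VRRP uses), not to the old box's NIC. A stale upstream ARP entry produces exactly the symptom from earlier in the thread, where pftop shows states stuck in NO_TRAFFIC: the SYN leaves the firewall but the reply is delivered to a MAC nobody answers on. The script below is an added example and not code from the thread or from OPNsense; the `ifconfig` and `arp -an` text it parses is constructed to resemble FreeBSD output, and the addresses, vhid and MACs are invented for illustration.

```python
"""Verify that a CARP VIP is MASTER locally and that a neighbour's ARP cache
maps the VIP to the CARP virtual MAC rather than to a stale physical NIC.

Added example, not from the forum thread. The sample command outputs below
are constructed (FreeBSD-style) and every address, vhid and MAC is invented.
"""
import re

# Constructed sample of `ifconfig vtnet0` on an OPNsense box holding a CARP VIP.
IFCONFIG_SAMPLE = """\
vtnet0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tether 52:54:00:aa:bb:cc
\tinet 203.0.113.10 netmask 0xffffff00 broadcast 203.0.113.255
\tinet 203.0.113.5 netmask 0xffffff00 broadcast 203.0.113.255 vhid 5
\tcarp: MASTER vhid 5 advbase 1 advskew 0
"""

# Constructed sample of `arp -an` as seen from the upstream neighbour.
# 203.0.113.5 is the VIP; the cached MAC is the OLD firewall's NIC, not the
# CARP virtual MAC, which is the stale-cache situation described above.
ARP_SAMPLE = """\
? (203.0.113.1) at 00:11:22:33:44:55 on em0 expires in 1180 seconds [ethernet]
? (203.0.113.5) at 00:0c:29:de:ad:01 on em0 expires in 900 seconds [ethernet]
? (203.0.113.10) at 52:54:00:aa:bb:cc on em0 expires in 1100 seconds [ethernet]
"""


def carp_virtual_mac(vhid):
    """CARP advertises each VIP from the well-known MAC 00:00:5e:00:01:<vhid>."""
    if not 1 <= vhid <= 255:
        raise ValueError("vhid must be in 1..255")
    return "00:00:5e:00:01:%02x" % vhid


def parse_carp_vips(ifconfig_text):
    """Return {vip: (vhid, state)} from FreeBSD-style ifconfig output."""
    states = {}   # vhid -> MASTER/BACKUP/INIT
    vips = {}     # vip address -> vhid
    for line in ifconfig_text.splitlines():
        m = re.search(r"carp:\s+(\w+)\s+vhid\s+(\d+)", line)
        if m:
            states[int(m.group(2))] = m.group(1)
            continue
        m = re.search(r"inet\s+(\S+)\s.*\bvhid\s+(\d+)", line)
        if m:
            vips[m.group(1)] = int(m.group(2))
    return {vip: (vhid, states.get(vhid, "UNKNOWN")) for vip, vhid in vips.items()}


def parse_arp(arp_text):
    """Return {ip: mac} from `arp -an` output (BSD or Linux formatting)."""
    entries = {}
    for m in re.finditer(r"\((\d+\.\d+\.\d+\.\d+)\)\s+at\s+([0-9a-f:]{17})", arp_text, re.I):
        entries[m.group(1)] = m.group(2).lower()
    return entries


def check_vip_reachability(ifconfig_text, arp_text):
    """Return [(vip, verdict)] for every CARP VIP found in ifconfig_text."""
    findings = []
    arp = parse_arp(arp_text)
    for vip, (vhid, state) in sorted(parse_carp_vips(ifconfig_text).items()):
        expected = carp_virtual_mac(vhid)
        seen = arp.get(vip)
        if state != "MASTER":
            verdict = "firewall is %s for vhid %d; it will not answer ARP for the VIP" % (state, vhid)
        elif seen is None:
            verdict = "neighbour has no ARP entry for the VIP; no CARP gratuitous ARP seen yet"
        elif seen != expected:
            verdict = "neighbour caches %s but CARP vhid %d answers as %s; stale entry, clear it upstream" % (seen, vhid, expected)
        else:
            verdict = "ok"
        findings.append((vip, verdict))
    return findings


if __name__ == "__main__":
    for vip, verdict in check_vip_reachability(IFCONFIG_SAMPLE, ARP_SAMPLE):
        print("%s: %s" % (vip, verdict))
```

In practice you would feed `parse_carp_vips` the real `ifconfig` output from the firewall and `parse_arp` the `arp -an` output from the upstream device (or from any other host on the WAN segment, since the CARP virtual MAC is what every neighbour should see). A mismatch means the upstream needs its entry flushed or its cache timeout waited out; a missing entry with the firewall in MASTER means the CARP gratuitous ARP never reached it, which is a segment or VLAN problem rather than a NAT one.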