Topic: Outbound Nat Rewrite - how to monitor in logs? (Read 14383 times)
Greelan (Hero Member, Posts: 1028, Karma: 72), Reply #15, June 24, 2021, 09:37:40 pm:
Destination NAT happens after the filter rule. The packet has to get into OPNsense before it is NATed
allebone (Sr. Member, Posts: 402, Karma: 34), Reply #16, June 24, 2021, 09:41:15 pm:
I still don't understand how this can work.
The only DNS rule I have allowed is as such:
IPv4 TCP/UDP (Lan clients Alias) * 192.168.2.22 53 (DNS) * * lredirectrule DNS53Pihole
So for example a client would have 8.8.8.8 as its DNS server. In this case the packet is rewritten to go to 192.168.2.22.
Once it's rewritten, the only DNS rule is the one above. Logging has no effect as it's too late.
What rule are you proposing I add above this rule in order to log the client trying to access 8.8.8.8 on port 53, and is it pass, block, or reject?
Greelan (Hero Member, Posts: 1028, Karma: 72), Reply #17, June 24, 2021, 09:42:48 pm:
You have an “allow LAN to any” filter rule on the LAN interface, right?
allebone (Sr. Member, Posts: 402, Karma: 34), Reply #18, June 24, 2021, 09:43:46 pm:
Yes, it is the last rule in the table.
Greelan (Hero Member, Posts: 1028, Karma: 72), Reply #19, June 24, 2021, 09:55:54 pm:
Is logging turned on for the filter rule that you put in your post above? That filter rule is what is automatically created to work with the NAT rule, and is essentially what I was saying you should log (I forgot that an outbound NAT rule on an internal interface automatically creates a corresponding filter rule).
allebone (Sr. Member, Posts: 402, Karma: 34), Reply #20, June 24, 2021, 09:58:21 pm:
Ok, I will try and report back.
allebone (Sr. Member, Posts: 402, Karma: 34), Reply #21, June 24, 2021, 10:11:11 pm:
I'm afraid it does not work. I even tried making a rule and placing it as the very first rule in my firewall, as such:
IPv4 TCP/UDP * * * 53 (DNS) * *
It had no effect, and this makes me think that the NAT rewrite rules are processed before the firewall rule on that interface. Otherwise it should have been allowed out to 8.8.8.8.
The only logs I see are, for example:
lan Jun 24 16:04:02 192.168.2.2:61891 192.168.2.22:53 udp nat rule
lan Jun 24 16:04:02 192.168.2.16:54209 192.168.2.22:53 udp
lan Jun 24 16:04:02 192.168.2.2:25605 192.168.2.22:53 udp nat rule
lan Jun 24 16:04:02 192.168.2.16:54208 192.168.2.22:53 udp
allebone (Sr. Member, Posts: 402, Karma: 34), Reply #22, June 24, 2021, 10:16:55 pm:
I think outbound NAT is done first; if you check this post, it's first in the list:
https://forum.opnsense.org/index.php?topic=11233.0
allebone (Sr. Member, Posts: 402, Karma: 34), Reply #23, June 24, 2021, 10:20:10 pm:
I checked that debug file by SSH to my firewall, and indeed outbound NAT is processed first. The LAN rules are listed afterwards in that file. So making firewall rules has no effect.
Greelan (Hero Member, Posts: 1028, Karma: 72), Reply #24, June 24, 2021, 10:20:45 pm:
Hmm. Can you post the full content of your NAT rule, rather than just the summary? I wonder if it is written correctly.
allebone (Sr. Member, Posts: 402, Karma: 34), Reply #25, June 24, 2021, 10:24:31 pm:
The screenshot is on page one. The debug log lists this:
(snipped)
# NAT Redirects
no nat proto carp all
no rdr proto carp all
# [prio: 100]
nat log on em1 inet from !$AllowQueryDNSServers to 192.168.2.22/32 port 53 -> (em1:0) port 1024:65535 # DNSOutRewrite
nat log on em1 inet from !$AllowQueryDNSServers to 192.168.2.22/32 port 853 -> (em1:0) port 1024:65535 # DNSOutRewrite853
nat on pppoe0 inet from (wireguard:network) to any -> (pppoe0:0) port 1024:65535 # Allow WG Clients to NAT
# [prio: 200]
Greelan (Hero Member, Posts: 1028, Karma: 72), Reply #26, June 24, 2021, 10:27:44 pm:
I meant what is the full content when you edit the NAT rule in the GUI? And what does the source alias represent?
allebone (Sr. Member, Posts: 402, Karma: 34), Reply #27, June 24, 2021, 10:37:42 pm:
Here are the images:
allebone (Sr. Member, Posts: 402, Karma: 34), Reply #28, June 24, 2021, 10:39:44 pm:
I mean it does log when the rule runs, it just does not show the destination that was attempted to be accessed. I'm thinking the functionality is not exposed in OPNsense and would need a change to allow it in the code (if even possible, I don't know).
Greelan (Hero Member, Posts: 1028, Karma: 72), Reply #29, June 24, 2021, 10:50:28 pm:
So here is where I am confused. That rule only operates where the original destination IP is .22. Is that your pihole? If so, the destination should be inverted, and the translation/target address changed to the pihole address.
So the logging is working as expected at the moment.
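The point in Reply #29, shown with an added Python model of pf address matching (not OPNsense's or pf's own code, and not part of the thread): the DNSOutRewrite rule from the debug dump is compared with the inverted-destination form Greelan describes. The contents of the $AllowQueryDNSServers alias and the sample packets are constructed for the demonstration.

```python
import ipaddress

# Constructed alias contents (the real alias is not shown on the page):
# hosts allowed to query external DNS servers directly.
ALIASES = {"AllowQueryDNSServers": ["192.168.2.22/32", "192.168.2.10/32"]}


def in_set(addr, spec):
    """Does addr fall inside a pf address spec: 'any', '$alias' or CIDR?"""
    if spec == "any":
        return True
    if spec.startswith("$"):
        return any(in_set(addr, member) for member in ALIASES[spec[1:]])
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def match(spec, addr):
    """Apply pf's leading '!' negation to an address spec."""
    if spec.startswith("!"):
        return not in_set(addr, spec[1:])
    return in_set(addr, spec)


def rule_matches(rule, pkt):
    """Model of 'from X to Y port N': all three fields must match the ORIGINAL packet."""
    return (match(rule["from"], pkt["src"])
            and match(rule["to"], pkt["dst"])
            and pkt["dport"] == rule["port"])


# The rule exactly as it appears in the thread's debug dump.
AS_WRITTEN = {"from": "!$AllowQueryDNSServers", "to": "192.168.2.22/32", "port": 53}
# The form Greelan describes: destination inverted so any non-pihole DNS target matches.
INVERTED = {"from": "!$AllowQueryDNSServers", "to": "!192.168.2.22/32", "port": 53}

# Constructed sample traffic: client -> 8.8.8.8, client -> pihole, alias member, non-DNS.
PACKETS = [
    {"src": "192.168.2.2", "dst": "8.8.8.8", "dport": 53},
    {"src": "192.168.2.16", "dst": "192.168.2.22", "dport": 53},
    {"src": "192.168.2.10", "dst": "8.8.8.8", "dport": 53},
    {"src": "192.168.2.2", "dst": "8.8.8.8", "dport": 443},
]


def matched_destinations(rule, packets=PACKETS):
    """Original destinations the rule acts on (and therefore the only ones it can log)."""
    return sorted({p["dst"] for p in packets if rule_matches(rule, p)})


if __name__ == "__main__":
    print("as written:", matched_destinations(AS_WRITTEN))  # only the pihole itself
    print("inverted:  ", matched_destinations(INVERTED))    # the 8.8.8.8 attempt
```

With the rule as written, only packets already addressed to 192.168.2.22 match, which is why every "nat rule" log line in Reply #21 shows .22 as the destination; the inverted form is the one that would act on the 8.8.8.8 attempt.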