[SOLVED]I've beat my head against the wall: How do I do NO-NAT but HAVE FW rules

[lrosenman]

I need NO-NAT, but the ability to have firewall rules.  I've looked at past posts, and BELIEVE I've done everything right, but if pf is enabled, it does NOT pass traffic.  If I disable pf it works fine.

HELP.

attached is the current state

[chemlud]

Hmmm, Firewall -> Settings -> Advances has

Code: [Select]

If you only want to disable NAT, and not firewall rules, visit the Outbound NAT page.
..and Firewall -> NAT -> Outbound says

Code: [Select]

Disable outbound NAT rule generation
(outbound NAT is disabled)

[lrosenman]

I have that set, and it does NOT pass traffic.

[Patrick M. Hausen]

If you do not NAT, devices on both (or more) sides of your OPNsense need to have appropriate routes configured.

[lrosenman]

um this is a standard routing thing, with globally routable IP's. 

NOTE: If I just turn PF off, it routes JUST FINE.

I've been doing IPv4 networking for >30 years, and I've tried a thousand(estimate) things.

with PF enabled it doesn't work, with PF disabled it routes like it's supposed to.

[Patrick M. Hausen]

Then post a live log entry of a blocked packet and the corresponding firewall rule that should have passed it, please.

[lrosenman]

I posted the ENTIRE config, and NOTHING passes OUT. says blocked by default deny rule.

[Patrick M. Hausen]

Please post the live log entry of a single blocked packet and a screenshot of the single firewall rule supposed to pass it - how am I supposed to make sense of a bunch of XML by staring at it?

[lrosenman]

anything that goes OUT to the WAN gets denied by default deny rule.

ANYTHING

and there are out rules for all interfaces with ANY ANY and all protocols, etc.

[Patrick M. Hausen]

Most of the time you need IN rules to pass traffic.

The first packet of any given flow arrives at an interface. That's IN from the firewall's point of view. Once that gets passed by the rule, a state is set up to pass packets in the matching return direction until the flow terminates.

[lrosenman]

there are those too.  and the established etc TCP sessions should allow it.

LITERALLY NOTHING GOES OUT FROM THE LAN TO THE WAN WITH PF ON. 

I'VE BEEN DOING THIS FOR A LONG TIME.

https://www.lerctr.org/~ler/wan_rules.png
https://www.lerctr.org/~ler/LAN_rules.png

[Patrick M. Hausen]

"Reject private networks" in your interface settings?

You still have not shown a live log entry of a rejected packet.

[lrosenman]

Um, these are *NOT* private IP's.  (192.147.25.0/24, 216.82.192.224/28)

and I don't have one currently and if I turn PF back on, I will *LOSE* access to it, as it's in a colo
20 miles away.

[lrosenman]

@franco any comments here?

[AdSchellevis]

first try to disable reply-to : Firewall: Settings: Advanced --> Disable reply-to

If that doesn't work, try not to comment in capitals (shouting unlikely brings you closer to a solution    ) and do as @pmhausen suggested, collect relevant details using live log. Traffic capture is usually also a good tool to see where traffic is heading (download the pcap in wireshark for more details)

Best regards,

Ad