[SOLVED] Nat is not working

Started by Julien, July 27, 2016, 01:39:52 PM

July 27, 2016, 01:39:52 PM Last Edit: July 29, 2016, 04:35:05 PM by franco
Hi Guys,
I am on OPNsense 16.7.r2-amd64, first migration from pfSense to OPNsense.
I can't seem to get port 443 working.
Between the OPNsense and the internet there is an ISP router which is forwarding port 443 to the pfSense IP. The pfSense NATs port 443 to the Exchange on the LAN.
We turned off the pfSense and turned on the OPNsense; the OPNsense has the same WAN/LAN as the pfSense, but port 443 is not working on the firewall.
Turn the OPNsense off and turn the pfSense on and stuff starts working.

Can someone point me in the right direction?
DEC4240 – OPNsense Owner

Hi Julien,

Does your setup use custom gateways, multi-WAN or a config.xml import from pfSense itself?

I have this up and running on my end, so there is some hidden complexity we're not seeing yet.


Cheers,
Franco

Quote from: franco on July 27, 2016, 06:45:50 PM
Hi Julien,

Does your setup use custom gateways, multi-WAN or a config.xml import from pfSense itself?

I have this up and running on my end, so there is some hidden complexity we're not seeing yet.


Cheers,
Franco
Hi Franco,
There is no multi-WAN or import.
It's a new installation.
Simple port HTTPS is forwarded to the Exchange on the LAN.
The only thing I can compare is there are no VMware tools installed, and the NICs are vmx3 and not e1000.
I thought I'd wait until the servers are back online to get the VMware tools installed.

DEC4240 – OPNsense Owner

I am back again,
when I try to access the webserver it does not load and I see the block in the firewall logs.
Why is it blocking it? Even though there is a pass rule on the WAN side?
Is this related to the vmx3? VMware tools?
DEC4240 – OPNsense Owner

How do you test it? From inside LAN (via NAT reflection)? Or from an address in the same subnet as WAN? Or from a "real" outside IP?
Check if you set any upstream gateways.

Quote from: Zeitkind on July 28, 2016, 04:17:22 AM
How do you test it? From inside LAN (via NAT reflection)? Or from an address in the same subnet as WAN? Or from a "real" outside IP?
Check if you set any upstream gateways.
Thank you for your answer.
I test it from inside and outside the office.
The internet is working, everything is working fine; without an uplink I wouldn't be online.
I need to forward the port to the Exchange. Do I have to NAT it or just create a rule on the WAN side and forward it to the Exchange?
DEC4240 – OPNsense Owner

NAT and a rule is created by default if you did not change it there.

But: Testing from inside is never a good idea, it often fails due to various reasons. A mail or web server is normally placed into a DMZ anyway. If you test from outside - is it "really" outside? Testing from an IP address which is in the same subnet as the WAN address might fail too - had this weird problem last week, it's a strange default gateway problem I haven't sorted out yet.
Did you check the packet flow? Does the mail server get the packets? Where are the packets dropped/lost? A simple NAT shouldn't be much of a problem...

Could this also be due to not having "Disable reply-to" enabled under Firewall: Settings: Advanced?

It would make some sense when the packets are replied to the gateway, which may answer back, or may not, depending on its setup.

I have the same with 2 installations - both with a migrated configuration of pfSense.
It worked fine before the 16.7 update.

Basically the firewall rules are not working - the interfaces are not showing up in the firewall config (e.g. LAN, WAN, etc.) - OpenVPN and IPSEC are the only listed interfaces.

Please find my screenshots attached.

This was a pfSense config.xml import from which version?

If you can please share it with us... project AT opnsense DOT org, otherwise we won't really know what happened.

It was pfSense 2.3.0. Changed the version tag in the config.xml to 11.2 and imported it to OPNsense.

I'll send you the config.xml.

Luckily they're both KVM virtual machines - I'm online on the pfSense again.

Regards

thanks to franco it's now fixed!

You have to search & replace through your config.xml!

replace "<enable/>" with "<enable>1</enable>" and reimport the config...
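The search-and-replace described in this post, done on the XML tree rather than with a text editor, as an added example (not the poster's or the OPNsense project's code). It assumes the exported config.xml is well-formed XML and that every value-less `<enable/>` element should become `<enable>1</enable>`, which is what the post says; the sample config fragment below is constructed for the demonstration and is not a real export.

```python
import xml.etree.ElementTree as ET

# Constructed pfSense-style config.xml fragment (NOT a real export): two interfaces
# carry the empty <enable/> form that the import mishandled, one NAT rule already
# carries the explicit <enable>1</enable> form.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<opnsense>
  <interfaces>
    <wan><enable/><if>vmx0</if></wan>
    <lan><enable/><if>vmx1</if></lan>
    <opt1><if>vmx2</if></opt1>
  </interfaces>
  <nat>
    <rule><enable>1</enable><protocol>tcp</protocol></rule>
  </nat>
</opnsense>
"""


def _is_empty_enable(elem: ET.Element) -> bool:
    """True for <enable/> (or <enable></enable>): no children and no text."""
    return elem.tag == "enable" and len(elem) == 0 and not (elem.text or "").strip()


def find_empty_enable(elem: ET.Element, path: str = ""):
    """Yield the path of every value-less <enable/> so you can review them before rewriting.

    Paths look like 'opnsense/interfaces/wan/enable'.
    """
    here = f"{path}/{elem.tag}" if path else elem.tag
    if _is_empty_enable(elem):
        yield here
    for child in elem:
        yield from find_empty_enable(child, here)


def fix_empty_enable_tags(xml_text: str) -> tuple[str, int]:
    """Rewrite every <enable/> to <enable>1</enable>; return (new XML, number rewritten).

    Elements that already carry a value are left untouched.
    """
    root = ET.fromstring(xml_text)
    fixed = 0
    for elem in root.iter("enable"):
        if _is_empty_enable(elem):
            elem.text = "1"
            fixed += 1
    return ET.tostring(root, encoding="unicode"), fixed


if __name__ == "__main__":
    # Review first, then rewrite; on a real file read it with open(...).read()
    # and write the returned string back out before re-importing.
    for p in find_empty_enable(ET.fromstring(SAMPLE_CONFIG)):
        print("empty enable at", p)
    new_xml, count = fix_empty_enable_tags(SAMPLE_CONFIG)
    print(f"rewrote {count} element(s)")
    print(new_xml)
```

Listing the affected paths before rewriting is the useful part: it shows exactly which interfaces or rules the import would otherwise have treated as disabled, which is why the firewall and NAT rules appeared to be missing.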

Well, Ad found it, it's already in the repo and a GUI-based workaround exists.

https://github.com/opnsense/core/commit/c17a834f0

Thanks everyone!

July 29, 2016, 04:12:17 PM #13 Last Edit: July 29, 2016, 04:34:04 PM by Julien
I managed to get this fixed.
The destination was LAN address; changed it to any and everything started working.
DEC4240 – OPNsense Owner