Does a virtual-ip with firewall rule -this firewall- not work?

Started by RamSense, June 21, 2023, 05:30:19 PM

I have nginx installed on opnsense with: firewall - rules - wan - destination "this firewall" port 80 and one with port 443.
This works with the opnsense-router/ISP ip and with ipv6, but I have added a virtual-ip (VIP) ipv4 and ipv6 to opnsense, and this firewall rule does not work for the VIP ipv4?
Is that normal behavior? I would have expected it to work since the virtual ip binds to the wan?

I have made a workaround for this by adding a firewall-NAT-portforward rule- with destination "Virtual ip" and port 80 and one for port 443 both to Redirect target IP [Opnsense LAN ip / 192.168.1.1], that works...
But is that how it should be?

Anybody else with this behavior? Or anybody who knows how to fix this with VIP ipv4?
Deciso DEC850v2

Should work the same.
"This firewall" is just an alias for the "self" keyword in pf, which means all addresses on all interfaces (all VIPs and tunnel local addresses included).

Thanks, yes, that is what I expected also. But it does not work with the nginx plugin for VIP ipv4.
I only get nginx to work when I add a Nat portforward rule for this VIP to 192.168.1.1 (port 80 and 443).

Is this how the nginx plugin works or is this a bug in the nginx plugin / opnsense?

N.B. problem still exists after updating to the latest nginx with:
OPNsense 23.1.10_1-amd64
FreeBSD 13.1-RELEASE-p7
OpenSSL 1.1.1u 30 May 2023
Deciso DEC850v2