NAT exposing private addresses on WAN

Started by bakerjw, August 29, 2023, 04:02:46 PM

We have a fairly complex routed test network and are attempting to use OPNsense to provide a NAT connection to a production network. I have simplified our implementation as much as possible.

We have a subnet for management purposes - 192.168.255.0/24 gateway 192.168.255.1
We are attempting to NAT to network 123.123.123.0/24
Our opnsense server interfaces are:
LAN 192.168.255.25/24 gateway 192.168.255.1
WAN 123.123.123.27/24 gateway 123.123.123.1

For testing, I have...
A system on the 192.168.255.0/24 subnet at 192.168.255.22/24 gateway 192.168.255.1.
A system on the production network 123.123.123.237/24 gateway 123.123.123.1

Using the VM at 192.168.255.22, I ping 123.123.123.237.
On 123.123.123.237, Wireshark shows ICMP traffic coming from 192.168.255.22.

I am not sure why opnsense is not natting the address. I am using the automatic rules.
I am sure this is something simple that I overlooked.
Guidance?
Thanks

Automatic rules only NAT the directly connected networks. Everything internal that is reached via some router needs a manual NAT rule. You can switch the NAT mode to "hybrid" for that to keep the automatic rules. I prefer full manual. Your choice.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

I don't get it. You use OPNsense to connect to networks but their default route is via .1 - a different router. So what is OPNsense's job here?

Our test network is isolated from all other networks and only contains private IP address subnets.
Every subnet gateway ends with .1 as this is the router interface defined for each of them.
Our router has a static route to direct destination IPs of 123.123.123.0/24 to the opnsense LAN interface.
Certain devices running on our test subnets require access to a single production public subnet.
e.g. 192.168.255.0/24 --> NAT --> 123.123.123.0/24

Stripping it down as simply as possible. Consider 1 single subnet.
opnsense is at 192.168.255.25/24
A test VM is at 192.168.255.22/24 and has a gateway of 192.168.255.25 (OPNsense LAN interface)
The test VM sends a ping to 123.123.123.237
123.123.123.237 observes an ICMP packet coming from 192.168.255.22 on the 123.123.123.0 subnet.
The IP address of the test VM should be natted and should have the WAN interface IP.

Two Qs:
* What is your outbound NAT configuration from the firewall in OPNsense? Especially regarding the mode and the NAT rules.
* You made sure that the packet filter is running and firewalling works as expected?

The Firewall | NAT | Outbound rules were automatically created.

Automatic rules

Interface | Source Networks                 | Source Port | Destination | Destination Port | NAT Address | NAT Port | Static Port | Description
LAN       | Loopback networks, 127.0.0.0/8 | *           | *           | 500              | LAN         | *        | YES         | Auto created rule for ISAKMP
LAN       | Loopback networks, 127.0.0.0/8 | *           | *           | *                | LAN         | *        | NO          | Auto created rule
WAN       | Loopback networks, 127.0.0.0/8 | *           | *           | 500              | WAN         | *        | YES         | Auto created rule for ISAKMP
WAN       | Loopback networks, 127.0.0.0/8 | *           | *           | *                | WAN         | *        | NO          | Auto created rule

I am going to have to plead ignorance on whether the packet filtering is running or not.

In the firewall settings you can disable packet filtering globally. But I guess that's not the case here.

But your NAT rules look incorrect.

They apply on loopback networks only. You may want to define your NAT rules manually according to your network settings.

The target interface is the interface where outgoing traffic needs to be NAT'ted. That is usually the WAN interface. NAT on LAN is not required - unless you explicitly need it. But in your case, I guess WAN is sufficient. Make sure all affected network ranges are indicated.
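To make the point of the replies above concrete, here is an added Python model of how outbound NAT rules are matched; it is illustration code written for this page, not code from the thread or from OPNsense. It reproduces the automatic rule set shown in the table (the port-500 ISAKMP entries are left out because ports are not modelled), then adds manual WAN rules for the management subnet and for a second routed test subnet, 192.168.10.0/24, which is a constructed example address range. The routing table, the `NatRule` class and the `translate` and `untranslated_sources` helpers are all assumptions of this example. Rules are evaluated top-down with first match winning, which is how outbound NAT rules behave on the firewall.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class NatRule:
    interface: str      # interface the rule is bound to (the egress interface)
    source: str         # source network in CIDR form
    destination: str    # destination network in CIDR form, or "*" for any
    nat_address: str    # address the source is rewritten to when the rule matches
    description: str = ""

    def matches(self, egress_if: str, src: ipaddress.IPv4Address,
                dst: ipaddress.IPv4Address) -> bool:
        if self.interface != egress_if:
            return False
        if src not in ipaddress.ip_network(self.source):
            return False
        if self.destination != "*" and dst not in ipaddress.ip_network(self.destination):
            return False
        return True

# Constructed routing table for the topology described in the thread:
# LAN is 192.168.255.0/24, WAN is 123.123.123.0/24, everything else leaves via WAN.
ROUTES = {
    "192.168.255.0/24": "LAN",
    "123.123.123.0/24": "WAN",
    "0.0.0.0/0": "WAN",
}

def egress_interface(dst: ipaddress.IPv4Address) -> str:
    """Longest-prefix match over ROUTES to find the interface a packet leaves on."""
    best: Optional[Tuple[ipaddress.IPv4Network, str]] = None
    for prefix, iface in ROUTES.items():
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    assert best is not None
    return best[1]

def translate(rules: List[NatRule], src: str, dst: str) -> Tuple[str, str]:
    """Return (egress interface, source address as seen on the wire).

    First matching rule wins; if no rule matches, the private source address
    is forwarded unchanged, which is exactly what Wireshark showed in the thread.
    """
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    iface = egress_interface(dst_ip)
    for rule in rules:
        if rule.matches(iface, src_ip, dst_ip):
            return iface, rule.nat_address
    return iface, str(src_ip)

def untranslated_sources(rules: List[NatRule], sources: List[str], dst: str) -> List[str]:
    """Defensive check: which of the given internal hosts would leak their
    private address to dst under this rule set."""
    return [s for s in sources if translate(rules, s, dst)[1] == s]

# The automatic rules from the thread's table (loopback sources only).
AUTO_RULES = [
    NatRule("LAN", "127.0.0.0/8", "*", "192.168.255.25", "Auto created rule"),
    NatRule("WAN", "127.0.0.0/8", "*", "123.123.123.27", "Auto created rule"),
]

# Manual rules as the last reply suggests: every affected internal range, bound to WAN.
MANUAL_RULES = AUTO_RULES + [
    NatRule("WAN", "192.168.255.0/24", "*", "123.123.123.27", "Manual: management subnet"),
    NatRule("WAN", "192.168.10.0/24", "*", "123.123.123.27", "Manual: routed test subnet (constructed)"),
]

if __name__ == "__main__":
    hosts = ["192.168.255.22", "192.168.10.5", "192.168.20.5"]
    print("automatic rules leak:", untranslated_sources(AUTO_RULES, hosts, "123.123.123.237"))
    print("manual rules leak:   ", untranslated_sources(MANUAL_RULES, hosts, "123.123.123.237"))
```

Running it shows that with only the automatic rules every internal host reaches 123.123.123.237 with its private address intact, while with the manual rules the two listed subnets are rewritten to 123.123.123.27 and only the unlisted 192.168.20.0/24 host still leaks. That last case is why the reply stresses listing every affected range: a routed subnet that is not covered by a rule is forwarded, not translated, and an "any" source on the WAN rule is the usual way to avoid the gap.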