Routing while NAT port forwarding [Solved]

Started by Saarbremer, October 31, 2023, 05:04:37 PM

October 31, 2023, 05:04:37 PM Last Edit: October 31, 2023, 05:06:38 PM by tron80
Hi,

I have an issue understanding something, however I must admit that my expectations might be wrong.

Test setup is:

  • OPNSense Box 1 (Router 1) has LAN 10.0.1.1/24, WAN is public ISP provided, static IP
  • OPNSense Box 2 (Router 2) has WAN 10.0.1.99 and LAN 10.0.64.1/24. Router2's WAN is in fact connected to the router 1's LAN network.
  • Router 1 does not know about 10.0.64.0/24, no route to that network configured.
  • Router 2 is configured statically on WAN and LAN, no DHCP Client involved on WAN. Configured 10.0.1.1 as default upstream gateway. Router 2 uses outbound NAT.

My Expectation 1: [passed]
TCP to public internet or services in Router 1's LAN are successful from Router 2's LAN. OPNsense outputs traffic to Router 1's LAN without the gateway via layer 2

My Expectation 2: [failed]
I can enable port forwarding on Router 2 to allow services from behind Router 2 to be exposed to Router 1's LAN.

So, I created a port forwarding and allowed an associated firewall rule. Observation: No access to exposed service via forwarded port from clients in Router 1's LAN 10.0.1.0/24.

Observing the live view in both OPNsenses it turned out that

  • first the client in 10.0.1.0/24 connects to the forwarded port and the traffic is forwarded correctly.
  • answers are sent to the default GW of Router 2, i.e. Router 1, which issues a state rule violation in live traffic view
  • After disabling the default GW, it works as expected, traffic goes directly back to the client via layer 2

I would have thought that the default GW should not be part of the equation no matter if I just use outbound NAT or port forwarding. The destination IP is in the WAN networks range and should not require a gateway. Did I miss something?

After additional digging I find the reason:

The IPv4 Upstream Gateway setting on the WAN interface page was set to the actual gateway instead of "Auto-Detect". Selecting Auto-Detect covered my use case completely.

Sorry for bothering.

October 31, 2023, 05:09:56 PM #2 Last Edit: October 31, 2023, 05:11:53 PM by Monviech
That's because as soon as a gateway is set there is a reply-to created that forces all traffic to return to the IP of the default gateway.

https://forum.opnsense.org/index.php?topic=36406.0
Hardware:
DEC740
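To make the reply-to mechanism from the answer above concrete, here is an added illustration (not posted by anyone in the thread and not OPNsense's generated rule set verbatim) of what the relevant pf rules on Router 2 look like with and without an explicit WAN gateway. The interface name em0, the internal service 10.0.64.10:80 and the exposed port 10.0.1.99:8080 are assumptions chosen for the example; the addresses otherwise follow the setup in the first post.

```pf
# Added example, not from the thread. Assumed: Router 2's WAN is em0,
# the forwarded service is 10.0.64.10:80, exposed on 10.0.1.99:8080.

# The port forward itself is the same in both cases.
rdr on em0 inet proto tcp from any to 10.0.1.99 port 8080 -> 10.0.64.10 port 80

# Case A: WAN has an explicit IPv4 upstream gateway (10.0.1.1).
# The associated pass rule carries reply-to, so every reply packet of the
# forwarded connection is handed to 10.0.1.1 regardless of the routing table,
# even when the client in 10.0.1.0/24 is directly reachable on em0.
pass in quick on em0 reply-to (em0 10.0.1.1) inet proto tcp from any to 10.0.64.10 port 80 flags S/SA keep state

# Case B: WAN gateway set to Auto-detect (what the first post ended up with).
# No reply-to on the rule: replies follow the routing table, 10.0.1.0/24 is a
# connected network on em0, and the answer goes straight back to the client.
pass in quick on em0 inet proto tcp from any to 10.0.64.10 port 80 flags S/SA keep state
```

A quick way to confirm which case a box is in is to dump the active rules on Router 2 with `pfctl -sr` and look for `reply-to` on the pass rule belonging to the port forward. The state violation Router 1 logged in the first post matches case A: Router 1 receives reply segments for a TCP flow whose handshake it never saw, because the client and Router 2 exchanged the SYN directly on the shared segment.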

February 10, 2024, 10:22:09 PM #3 Last Edit: February 10, 2024, 10:23:41 PM by WilliDriver
This was an accidental post, and i can't figure out how to delete it. I'm terribly sorry