24.1.9 NAT Reflection

Started by danderson, June 18, 2024, 11:36:18 PM

June 18, 2024, 11:36:18 PM Last Edit: June 18, 2024, 11:38:11 PM by danderson
Since the 24.1.9 update, reflection for 1:1 seems to not be working. Previously my internal clients hitting the NAT address would get the correct server; now they are landing on the firewall. I.e., HTTPS lands on the OPNsense login page instead of the box that I want and that was working previously.

This is for the 1:1 NAT rules that I'm having issues with since the upgrade.

After the update to 24.1.9, 1:1 NAT outbound was not working anymore; the outbound rule over a specific IP was deleted.

How did you get this working again? Help very much appreciated :)

Do you mean me? I recovered the rules from a backup config file, for the outbound NAT.

Probably something to do with this:

o firewall: migrate one-to-one NAT to MVC/API

Yes, I also think that this is exactly the cause.
I also started a topic in the German forum. I restored a snapshot of my OPNsense (it runs within Proxmox).
I'm just curious what new rule is needed to get it working again with the new version.

see: https://forum.opnsense.org/index.php?topic=41119.0

Thanks, we will take a look now.


Cheers,
Franco

Thanks for investigating Franco. I will wait with any further update :)

Can someone with snapshot capability give me a diff of the good 24.1.8 and bad 24.1.9 file /tmp/rules.debug ?

# diff -u old.file new.file


Thanks,
Franco

June 19, 2024, 12:05:46 PM #9 Last Edit: June 19, 2024, 12:09:03 PM by Monviech
This is most likely only a problem when using the automatic reflection options. When configuring manual NAT reflection for everything, I imply that the setup should remain unaffected.

Example:

https://docs.opnsense.org/manual/how-tos/nat_reflection.html#one-to-one-nat-reflection

If something has changed here with the new update, please ping me too so I can adjust this tutorial.
Hardware:
DEC740

To me it looks like the "NAT reflection" for each rule got lost in the migration, so editing the rule to enable it should bring it back?

If that's the case we can't bring the lost setting back with a patch, but we can prevent this from happening to anyone else still on a version below 24.1.9.


Cheers,
Franco

I'll hotfix this later today.

https://github.com/opnsense/core/commit/324f5351

(no use applying this one, just for reference)

Hmm, more importantly this was omitted from the dialog...

https://github.com/opnsense/core/commit/bde656669

# opnsense-patch bde656669

In order to set it back to what it was supposed to do.


Cheers,
Franco

Can confirm this fixed my 1:1 NAT Reflection issues.

Quote from: franco on June 19, 2024, 02:45:48 PM
Hmm, more importantly this was omitted from the dialog...

https://github.com/opnsense/core/commit/bde656669

# opnsense-patch bde656669

In order to set it back to what it was supposed to do.


Cheers,
Franco

Neat, thanks for confirming!