Port Forwarding NAT Translation Configuration

Started by bassopt, June 21, 2024, 01:54:45 PM

June 21, 2024, 01:54:45 PM Last Edit: June 24, 2024, 09:27:35 AM by bassopt
Hi.
I was playing with opnsense a bit last night. For the most part I managed to replicate what I had on the other sense, except for issues with port forwarding and NAT reflection.
When I configure port forwarding I can't access either the FQDN I'm forwarding (externally) or the machines' internal IP addresses from my networks (rules are properly configured).

If I configure a host override it works, but the IP address doesn't. Which is a problem because I have a tailscale tunnel configured to a remote VPS from which I need to access my local IP addresses.

If I disable NAT reflection on the port forwarding rules I can access the internal IP addresses from my internal networks and the remote tailscale VPS, but not the external FQDN from within my network. As before, I need to override hosts.

External connections work fine with both configs.

Is there any way to properly configure this? I mean... the second option works OK, but adding host overrides is a bit annoying.

I tried to read the documentation but I found it a bit confusing, tbh.

Thank you :)

Ok.
So I partially solved the issue by selecting my internal network interfaces as well as tailscale and WireGuard in the port forwarding rules, and not only WAN (this is very different from pfsense hahaha).

But I still have a problem with one port forward rule I have for ssh with a custom port on the WAN for a bit of obfuscation. Basically WAN port xxxxx to internal IP port 22. With NAT reflection enabled I can ssh into that machine fine from all my internal networks/VLANs, but not from WireGuard devices or tailscale. For example I have a VPS I connect to my pfsense via tailscale, and I can ssh into all my LAN IPs except for the one with this rule.
If I edit the rule and select NAT reflection - disable, it works fine. (I would like to keep NAT reflection on because I have an FQDN accessing that machine and would like to solve this without a host override.) It also works fine if I disable the rule.

I'm clueless at this point.

I wish someone could help with this.

It's driving me nuts.

Maybe this tutorial can help you to build the proper NAT from the ground up.

https://docs.opnsense.org/manual/how-tos/nat_reflection.html
Hardware:
DEC740

Quote from: Monviech on June 24, 2024, 01:20:52 PM

I've read that countless times. Doesn't work! I think the issue is something to do with tailscale, no clue what it could be.

So I did a few more tests and it seems to be an issue with tailscale alone.

If I turn on NAT reflection on the port forwarding rules I can no longer access anything on that host IP from the tailscale clients/machines, except for ping. No ssh, nothing... All the other hosts on my LAN and VLANs that don't have a port forwarding rule work fine.

June 26, 2024, 05:23:57 PM #6 Last Edit: June 26, 2024, 05:25:33 PM by bassopt
Sounds quite incredible that no one here, apart from pointing me to the obvious documentation, has any thoughts on what might be wrong with my issue.
Note that in pfsense I had the exact same config and it all works fine. I know tailscale is not officially supported by opnsense, but there's no reason for a port forwarding rule with NAT reflection on to kill access to that machine from it.
Anyway...

P.S. Why does a port forward rule need a separate floating rule anyway? I really don't understand.

June 26, 2024, 06:29:21 PM #7 Last Edit: June 26, 2024, 06:31:30 PM by Monviech
Well you say it does not work, but this is a complex issue.

You have to do some troubleshooting with tcpdump and follow the flow of the packets from source to target and back. Then you can pinpoint where it takes the wrong route, or gets lost.

When you know the exact spot, you can tweak the configuration in order to make it work.

-----

Regarding the port forward and the floating rule, look at this packet flow diagram:

https://forum.opnsense.org/index.php?topic=36326

The NAT rule matches first (that's your port forwarding).
Afterwards you need a firewall rule to allow that traffic. You can do that either with a floating rule that has multiple interfaces selected (the same as in the port forwarding rule), or by creating separate rules manually on each interface that allow that traffic.

Quote from: Monviech on June 26, 2024, 06:29:21 PM

They all show basically the same, except that with NAT reflection on all packets show tcp 0 at the end.

This is NAT reflection on:
IPv4, length 74: 10.50.3.1.61906 > 10.50.3.243.22: tcp 0
IPv4, length 74: 10.50.3.243.22 > 10.50.3.1.64608: tcp 0

This is NAT reflection off:

IPv4, length 66: 10.50.3.243.22 > 10.50.3.1.59791: tcp 0
IPv4, length 1274: 10.50.3.1.59791 > 10.50.3.243.22: tcp 1208

This is the only difference.

The tailscale interface shows nothing with tcpdump, and in both situations the origin shows the IP of my firewall, because I assume that's how tailscale works? All traffic is seen as coming from the FW itself and not from the other side of the tailscale tunnel?

Thanks.
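One concrete way to follow Monviech's "compare source to target and back" advice on captures like the two above, as an added example that is not part of the thread: the script below parses tcpdump lines in the format posted (the two sample captures are copied from the post above and embedded as constructed input) and flags packets whose reverse direction never appears at the capture point. In the NAT-reflection-on capture the reply from 10.50.3.243:22 is addressed to client port 64608 while the client sent from 61906, so neither packet has a partner; in the reflection-off capture the ports line up. Function names and the layout of the summary are this example's own, not an OPNsense or tcpdump feature.

```python
import re

# Constructed sample input: the two captures pasted in the post above, kept
# exactly as printed there (the "IPv4, length N:" prefix included).
CAPTURE_NAT_REFLECTION_ON = """\
IPv4, length 74: 10.50.3.1.61906 > 10.50.3.243.22: tcp 0
IPv4, length 74: 10.50.3.243.22 > 10.50.3.1.64608: tcp 0
"""

CAPTURE_NAT_REFLECTION_OFF = """\
IPv4, length 66: 10.50.3.243.22 > 10.50.3.1.59791: tcp 0
IPv4, length 1274: 10.50.3.1.59791 > 10.50.3.243.22: tcp 1208
"""

# Matches the "src.sport > dst.dport: tcp payload" part of a tcpdump TCP line.
LINE_RE = re.compile(
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): tcp (?P<payload>\d+)"
)


def parse(capture: str):
    """Return (src, sport, dst, dport, payload_bytes) per TCP line; other lines are skipped."""
    packets = []
    for line in capture.splitlines():
        m = LINE_RE.search(line)
        if m:
            packets.append((m["src"], int(m["sport"]),
                            m["dst"], int(m["dport"]), int(m["payload"])))
    return packets


def unmatched_packets(capture: str):
    """Packets whose reverse 4-tuple (dst,dport -> src,sport) never shows up in the capture.

    A TCP exchange observed at one point should show both directions using the
    same pair of ports. A packet with no partner means the other side is
    answering to a port this side never used at this capture point, which is
    the symptom to chase when NAT/reflection is rewriting only one direction
    (hypothetical diagnosis; confirm by capturing on the other interfaces too).
    """
    packets = parse(capture)
    seen = {(src, sport, dst, dport) for src, sport, dst, dport, _ in packets}
    return [p for p in packets if (p[2], p[3], p[0], p[1]) not in seen]


def summarize(capture: str, server_port: int = 22):
    """Client ports seen towards the server port vs. client ports the server replied to."""
    to_server = sorted({sport for src, sport, dst, dport, _ in parse(capture) if dport == server_port})
    from_server = sorted({dport for src, sport, dst, dport, _ in parse(capture) if sport == server_port})
    return {
        "client_ports_used": to_server,
        "client_ports_replied_to": from_server,
        "unmatched": len(unmatched_packets(capture)),
        "payload_bytes": sum(p[4] for p in parse(capture)),
    }


if __name__ == "__main__":
    for label, cap in (("NAT reflection on", CAPTURE_NAT_REFLECTION_ON),
                       ("NAT reflection off", CAPTURE_NAT_REFLECTION_OFF)):
        print(label, summarize(cap))
        for src, sport, dst, dport, payload in unmatched_packets(cap):
            print(f"  no matching reverse flow: {src}:{sport} -> {dst}:{dport} ({payload} B)")
```

To use it on a live box, feed it `tcpdump -ni <interface> host 10.50.3.243 and tcp port 22` output taken on each interface the packet should cross (the tailscale interface, the LAN/VLAN interface facing the host) and compare the summaries; the interface where the client ports stop matching is where the translation goes wrong.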

Sorry I have no experience with tailscale. Maybe somebody else can help here.

Quote from: Monviech on June 26, 2024, 08:07:26 PM
Sorry I have no experience with tailscale. Maybe somebody else can help here.

Thanks anyway :)
I do hope someone can help me figure this out. I moved from pfsense recently and was able to get everything working fine, except for this.