Source IP is always changing to OPNSense's interface

Started by Voix, October 18, 2024, 06:50:56 PM

Previous topic - Next topic
Print
Go Down Pages1
User actions
October 18, 2024, 06:50:56 PM
Hi all,

I have the opnsense v.24.7.6 with Internet, LAN and DMZ (with vlan) interfaces.
LAN IP: 10.1.1.0/24
DMZ IP: 10.1.2.0/24

When I reach out the server in DMZ with ssh and issue "w" command, it shows address of router's DMZ interface  (10.1.2.1), but not my computer's IP.

At the same time I have no NAT between these interfaces.
"Firewall: NAT: Outbound" is set to Hybrid outbound NA, but there are only rules for Internet interface.

Could you please advise, what could be the reason of the issue?
October 18, 2024, 06:52:19 PM #1
Do you have a gateway set on the DMZ interface? That would (IIRC) lead OPNsense to configure outbound NAT if automatic or hybrid is active.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
October 18, 2024, 06:55:22 PM #2
No, GWs are only in Internet and in tailscale interfaces.
October 18, 2024, 07:01:32 PM #3
You can use

Code Select
pfctl -s nat

to check what is actually in effect.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
October 18, 2024, 07:11:45 PM #4
vlan5 - Vlan on DMZ
vlan10 - To ISP (different port)
igc0 - LAN

Code Select

# pfctl -s nat
nat-anchor "miniupnpd" all
no nat proto carp all
nat on tailscale0 inet from <SiteAnet> to any -> (tailscale0:0) port 1024:65535
nat on vlan0.10 inet from <ocserv_clients> to any -> (vlan0.10:0) port 1024:65535
nat on vlan0.10 inet from <SiteBnet> to any -> (vlan0.10:0) port 1024:65535
nat on vlan0.10 inet from (igc0:network) to any port = isakmp -> (vlan0.10:0) static-port
nat on vlan0.10 inet from (lo0:network) to any port = isakmp -> (vlan0.10:0) static-port
nat on vlan0.10 inet from (wg0:network) to any port = isakmp -> (vlan0.10:0) static-port
nat on vlan0.10 inet from (vlan05:network) to any port = isakmp -> (vlan0.10:0) static-port
nat on vlan0.10 inet from 127.0.0.0/8 to any port = isakmp -> (vlan0.10:0) static-port
nat on vlan0.10 inet from (igc0:network) to any -> (vlan0.10:0) port 1024:65535
nat on vlan0.10 inet from (lo0:network) to any -> (vlan0.10:0) port 1024:65535
nat on vlan0.10 inet from (wg0:network) to any -> (vlan0.10:0) port 1024:65535
nat on vlan0.10 inet from (vlan05:network) to any -> (vlan0.10:0) port 1024:65535
nat on vlan0.10 inet from 127.0.0.0/8 to any -> (vlan0.10:0) port 1024:65535
no rdr proto carp all
no rdr on igc0 proto tcp from any to (igc0) port = ssh
no rdr on igc0 proto tcp from any to (igc0) port = http
no rdr on igc0 proto tcp from any to (igc0) port = https
rdr-anchor "miniupnpd" all
binat-anchor "miniupnpd" all


I can't see smth fishy here
October 18, 2024, 07:14:24 PM #5
I don't know miniupnpd, honestly - try to disable it?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
October 18, 2024, 07:24:36 PM #6
Did it, the lines disappeared from the output above, but didn't help: still see RTR's IP by 'w'
October 18, 2024, 07:25:47 PM #7
tcpdump the connection on both interfaces and watch what happens.  :)
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
October 18, 2024, 07:39:54 PM #8
Thank you!

It actually helped to find the issue.
The problem was not in the OPNSense at all :)
Print
Go Up Pages1
User actions