"WAN address" in Nat and Firewall rules not correctly evaluated

Started by ufoonline, November 28, 2024, 03:45:05 PM

Hi,

I'm looking to migrate from pfSense to OPNsense.
In my setup I have several public IP addresses and some NAT rules to expose services to the public.

I've manually configured a brand-new OPNsense (a 1:1 copy of the pfSense configuration), but when I went to switch the firewall, I discovered that "WAN address" gets translated to the interface name instead of the interface IP, which causes the IP address to be evaluated incorrectly.

I'll write down an example scenario to make it easier to understand:
WAN IP: 131.x.x.x.9/32
WAN IP Alias 1: 131.x.x.x.10/32
WAN IP Alias x: [...]
LAN IP: 10.0.0.10/24

Example of a NAT Rule:
Interface: WAN
Proto: TCP
From: any
Destination: WAN Address
Destination port range: 10131
Redirect target ip: 10.0.0.10
Redirect target port: 1991

That rule gets translated to:
- OPNSense:
    rdr on vtnet0 inet proto tcp from any to (vtnet0) port = 10131 -> 10.0.0.10 port 1991
- pfSense:
    rdr on vtnet0 inet proto tcp from any to 131.x.x.x.9 port = 10131 -> 10.0.0.10 port 1991


Same applies to firewall rules.

Changing the written rule will cause different behaviour:
- OPNSense: The NAT rule will match all WAN IPs (WAN Address and IP aliases)
- pfSense: The NAT Rule will match only the WAN Address and not IP Aliases.

Has anyone experienced this problem? Am I doing something wrong?

Thanks,
Regards
p.s. I've tried to search on the forum about that issue, but I've found only unanswered threads on older versions.
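As an added illustration (not from the post, and not OPNsense or pfSense code): a small audit script that expands the two rdr forms above the way pf does, so you can see which WAN addresses each rule actually exposes. The interface addresses and rule lines are constructed placeholders (the real 131.x.x.x addresses are redacted in the post), and the `:0` handling assumes the first listed address is the interface's primary one.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample: WAN interface with a primary address plus IP aliases,
# as in the post. Placeholder addresses; first entry is the primary address.
IFACE_ADDRS = {
    "vtnet0": ["131.0.0.9/32", "131.0.0.10/32", "131.0.0.11/32"],
}

# Constructed rdr lines in the shape the post shows for OPNsense and pfSense.
RULES = [
    "rdr on vtnet0 inet proto tcp from any to (vtnet0) port = 10131 -> 10.0.0.10 port 1991",
    "rdr on vtnet0 inet proto tcp from any to 131.0.0.9 port = 10131 -> 10.0.0.10 port 1991",
]

RDR_RE = re.compile(
    r"rdr on (?P<iface>\S+) inet proto (?P<proto>\S+) from (?P<src>\S+) "
    r"to (?P<dst>\S+) port = (?P<dport>\d+) -> (?P<target>\S+) port (?P<tport>\d+)"
)

def expand_destination(dst, iface_addrs):
    """Host addresses a pf destination covers.
    '(ifN)' is pf's dynamic interface syntax: every address on ifN, aliases
    included, re-evaluated when the interface changes. '(ifN:0)' is the pf
    modifier that excludes aliases (assumed here to be the first listed
    address). Anything else is taken as a literal host address."""
    m = re.fullmatch(r"\((\w+)(:0)?\)", dst)
    if not m:
        return {str(ip_address(dst))}
    addrs = iface_addrs.get(m.group(1), [])
    if m.group(2):
        addrs = addrs[:1]
    return {str(ip_network(a).network_address) for a in addrs}

def audit_rdr(rules, iface_addrs):
    """For each rdr rule return (dport, redirect target, matched WAN addresses,
    exposed_on_all_aliases) so a reviewer can see which rules a 'WAN address'
    selection silently applies to every alias."""
    report = []
    for line in rules:
        m = RDR_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised rdr line: {line}")
        matched = sorted(expand_destination(m["dst"], iface_addrs), key=ip_address)
        report.append((int(m["dport"]), m["target"], matched, len(matched) > 1))
    return report

if __name__ == "__main__":
    for dport, target, matched, broad in audit_rdr(RULES, IFACE_ADDRS):
        flag = "ALL WAN ADDRESSES" if broad else "single address"
        print(f"port {dport} -> {target}: {flag} {matched}")
```

Feed it the output of `pfctl -sn` and your interface address list to find every NAT rule that a "WAN address" selection applies to the aliases as well.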

Quote from: ufoonline on November 28, 2024, 03:45:05 PM
Changing the written rule will cause different behaviour:
- OPNSense: The NAT rule will match all WAN IPs (WAN Address and IP aliases)
- pfSense: The NAT Rule will match only the WAN Address and not IP Aliases.

Has anyone experienced this problem? Am I doing something wrong?

Not a problem but working as intended. Create a manual alias to reference only a single address.

Different products, different semantics.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Thank you for your prompt reply.
I hadn't actually checked the manual (where it is clearly specified), but the use of the word in the singular can easily mislead ;)

Perhaps it would be a good idea to rename it to 'WAN Addresses'.

As usual, when you think something is trivial and should not be checked, Murphy is always there, just around the corner ;D 8)