I think I have discovered a bug with NAT and firewall

Started by chall88, January 13, 2025, 10:08:37 PM

Previous topic - Next topic
Print
Go Down Pages1 2
User actions
January 13, 2025, 10:08:37 PM Last Edit: January 13, 2025, 10:36:57 PM by chall88
I could not get NAT to work.

I did eventually get it to work by selecting 'pass' in the NAT rule for the traffic.

The 'add associated firewall rule' and 'none' + manually creating the firewall rule never worked in any of the config permutations I tried. 

What is concerning to me is that when I tell NAT to pass, and firewall to explicitly block, it passes the traffic. Things that are added as 'pass' in NAT rules are not visible in the firewall rules. It seems like there are two seperate firewalls (one not visible in the gui), and they dont care about each other. 

TLDR port forwarding nat does not seem to care AT ALL about what is in the firewall rules table, even if it is the thing that made the rules. Only implicit pass with NAT seems to work.

I tried this on current on both business and community and it's the same behavior

OPNsense 24.7.11_2-amd64
OPNsense 24.10.1-amd64
January 13, 2025, 10:43:51 PM #1
One simple trap/mistake/unintuitive setting might be that NAT rules are applied before firewall rules. So if you decide not to use "pass" and an explicit firewall rule instead then if your NAT port forwarding is e.g.

Interface: WAN
Source: any
Destination: WAN address
Destination port: HTTP
Redirect target: Internal_Host

then your Firewall rule needs to be:

Interface: WAN
Source: any
Destination: Internal_Host (!!!)
Destination port: HTTP
Action: allow


Looks pretty weird to me, too, when you come from a different product like in my case Sidewinder.

HTH
Patrick
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
January 13, 2025, 10:49:10 PM #2 Last Edit: January 13, 2025, 10:56:33 PM by chall88
Yeah I had pretty much intuited that the NAT rules and firewall rules are two seperate rules tables with the translation happening "pre-ingestion"

But I can still set my NAT to pass, and my firewall to block, and it passes the traffic, which tells me it's just bypassing the firewall part.

NAT doesn't seem to care at all about the firewall rules, even when it makes them. It also wont pass the traffic at all until I set the nat rule to pass.

The association seems broken
January 13, 2025, 11:05:41 PM #3
If you set the NAT rule to "pass" that overrides any firewall rule you might have. NAT before firewall ...

So change that to associated or not associated firewall rule (or "none", this is all just about single step creation of rules) and then create a rule like I outlined.

I honestly just learned a couple of weeks ago. This is not broken but a real POLA violation - to that I agree.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
January 13, 2025, 11:56:29 PM #4 Last Edit: January 13, 2025, 11:58:48 PM by chall88
Quote from: Patrick M. Hausen on January 13, 2025, 11:05:41 PMIf you set the NAT rule to "pass" that overrides any firewall rule you might have. NAT before firewall ...

So change that to associated or not associated firewall rule (or "none", this is all just about single step creation of rules) and then create a rule like I outlined.

I honestly just learned a couple of weeks ago. This is not broken but a real POLA violation - to that I agree.

That's where I started. That doesn't work. The only way to make it work is to use pass. Im not asking for help in making firewall rules or nat rules, im trying to report a bug.
January 13, 2025, 11:59:59 PM #5
It does work without "pass". I have it alive and kicking right here. No bug.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
January 14, 2025, 12:07:24 AM #6 Last Edit: January 14, 2025, 12:21:32 AM by chall88
Quote from: Patrick M. Hausen on January 13, 2025, 11:59:59 PMIt does work without "pass". I have it alive and kicking right here. No bug.

Why with a firewall rule for allow port to translated destination can i flip it back and forth between pass and unassociated/associated and watch it break and unbreak?

The only other thing I can think that would be breaking this would be some automagical stuff happening with ports 80 and 443 related to the web GUI, where my NATed traffic destined for lan network ips is essentially getting hijacked

It works with pass, it doesnt work without
January 14, 2025, 12:48:54 AM #7
Move the UI from port 443 to something different and disable the HTTP --> HTTPS redirection for the UI. These are mandatory if you want any public services on HTTP/HTTPS. Also - not entirely sure but I have it that way on all of my systems - disable the global "anti-lockout" function.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
January 14, 2025, 01:05:33 AM #8 Last Edit: January 14, 2025, 01:09:38 AM by chall88
Quote from: Patrick M. Hausen on January 14, 2025, 12:48:54 AMMove the UI from port 443 to something different and disable the HTTP --> HTTPS redirection for the UI. These are mandatory if you want any public services on HTTP/HTTPS. Also - not entirely sure but I have it that way on all of my systems - disable the global "anti-lockout" function.

The admin guu is living on 33400. But there are automagical redirects and such related to http and https that may be interfering

I will try shutting off the redirects and disable the antilockout rules tommorrow and see if that's whats creating the difference in functionality we're seeing
January 14, 2025, 01:59:04 AM #9
The anti-lockout setting creates a FW rule (allowing 22, 80, 443 on self) AND a NAT port forward rule preventing redirection of these ports.
Only on one interface though, LAN or opt1 (or WAN as fallback if no other interface exists).
The easiest way to find which interface is used is to look at FW > NAT > Port Forward.

The ports are adjusted when the web GUI is moved to an alternate port.

I've played with SSH port forward recently (backup install) and since I like to doublecheck with the logs, I enabled FW rule creation (not pass) and logging.
Everything worked as intended, even with the anti-lockout rules which didn't get in the way because they are on LAN.

You're doing HTTPS port forwarding on WAN?
January 14, 2025, 02:16:13 AM #10
Quote from: EricPerl on January 14, 2025, 01:59:04 AMThe anti-lockout setting creates a FW rule (allowing 22, 80, 443 on self) AND a NAT port forward rule preventing redirection of these ports.
Only on one interface though, LAN or opt1 (or WAN as fallback if no other interface exists).
The easiest way to find which interface is used is to look at FW > NAT > Port Forward.

The ports are adjusted when the web GUI is moved to an alternate port.

I've played with SSH port forward recently (backup install) and since I like to doublecheck with the logs, I enabled FW rule creation (not pass) and logging.
Everything worked as intended, even with the anti-lockout rules which didn't get in the way because they are on LAN.

You're doing HTTPS port forwarding on WAN?


I'll have to double check when I get back into the office tomorrow, it's got to be some kind of tangledness going on with these 22 80 and 443 ports

The way I am accessing the GUI from wan is basically forwarding 33400 wan to 33400 lan with nat set to pass

It's not on the real internet though, it's just in its own VLAN while I'm provisioning it
January 14, 2025, 02:57:23 AM #11
The backup install I used to test also has its WAN in a VLAN off the main OPN so similar setup.

This said, I'm a little confused by what you are trying to do.
You're trying to port forward 33400, yet you indicated that it's the OPN web GUI port.
If all you want to do is access the Web GUI from WAN while on your private network, you just need a FW rule.
January 14, 2025, 03:18:50 AM #12
33400 wouldnt work with just a fw allow on wan

33400 wouldnt work with nat + add associated rule

33400 would work with only nat pass. The same was true of 80 and 443. No work with associated rule, work with pass. Thats when I made this thread and the other guy tried to teach me how to make some rules ...

I have 4 other ports I am NATing to a proxy 80 443 5334 and 5335

The web gui was just my canary in the coal mine, and easy test.

Im my home virtual instance I just shut off the listener for the webgui on wan, and the webgui redirect rules, and disabled the antilockout rules and the nat + create associated rule function seems to work now. I think it was just making a speghetti mess with all the ports I was trying to use because they are all assosciated with webgui redirect and lockout things.... just automagically populated stuff in the way looking like a bug
January 14, 2025, 03:30:06 AM #13
Your easy test is to access the web GUI from WAN by redirecting to an internal proxy that pointed back at the web GUI on LAN?
I'm not really sure what you were testing but that seems convoluted.

A simple FW rule was sufficient in my case, as expected.
January 14, 2025, 03:32:39 AM #14 Last Edit: January 14, 2025, 03:38:48 AM by chall88
Quote from: EricPerl on January 14, 2025, 03:30:06 AMYour easy test is to access the web GUI from WAN by redirecting to an internal proxy that pointed back at the web GUI on LAN?
I'm not really sure what you were testing but that seems convoluted.

A simple FW rule was sufficient in my case, as expected.

Testing NAT by using NAT to access the gui on wan

Really not that complicated a concept

The proxy those other 4 ports go yo is an nginx proxy for internal lan services. It has nothing at all to do with the web gui aside from using 80 and 443, which seem to have been part of the automagical mess.

Like i said turning off the wan listener, the redirects, and antilockout rule has NAT behaving like it should be now
Print
Go Up Pages1 2
User actions