Routing only. NO NAT

Started by guest7876, May 28, 2018, 09:34:42 AM

Currently running 18.1 on a number of OPNsense boxes in our offices and headquarters.

How do I disable NAT and turn OPNsense into a routing platform ONLY, but leave the firewall turned on?

We have a number of VLANs at each site and none overlap with any other sites.

We use Juniper SRXs at the edge of the network and, since they do the NAT, we would like to disable NAT on OPNsense.

Hi there,

You can set outbound NAT to manual and delete all rules that are still listed.


Cheers,
Franco

Hi Franco,

Never could get it to work. OPNsense wouldn't pass the traffic.

I did what you suggested, wouldn't pass traffic. Rebooted, still wouldn't pass traffic.

Disabled the firewall, wouldn't pass traffic afterwards, rebooted, still wouldn't pass traffic.

I could SSH into the OPNsense box and get a shell and ping and traceroute all over the internet, but it wouldn't pass traffic from *ANY* of my VLANs.

I could SSH into the OPNsense box from my Juniper SRX on the edge of our networks on the WAN side.

There were no rules under NAT even after I disabled it.

I even added a static route with the SRX as the gateway, no difference.


@franco, can you test this please and figure out why it's not working?


I'm not sure what you're asking?

@franco

Following your directions above, it doesn't pass any traffic, with or without the firewall enabled.

Even tried a reboot and still doesn't pass traffic.

From SSH on the OPNsense box, I can ping the internet and traceroute and everything, but ANYTHING behind the OPNsense box can't see the internet at all.

How do we figure out why it doesn't pass traffic?


Well, we may have to move our organization BACK to pfSense, since we can turn it into a routing platform with a firewall, since we CAN'T make it work on OPNsense, and I've noticed others that can't either.

My work HAD planned to donate a bunch of $$ to you to further development, but if we can't even get what seems like it should be a simple problem solved, there's no point, and we would end up wasting the money migrating the config back to pfSense.

Double NAT in our organization is causing some grief, so the ball is in your court, guys.

And of note, we are on 18.7 on all our OPNsense firewalls.

Let's check some settings:

* Your WAN interface should be set up and have an IP and a gateway
* Your VLAN interfaces should be set up and have an IP, but no gateways
* You should have a default gateway set up under "System: Gateways: Single" that can reach the internet (the WAN interface gateway)
* Under "Firewall: Settings: Advanced", "Network Address Translation": all options should be unchecked; "Disable all packet filtering" should be unchecked
* Under "Firewall: NAT: Outbound" Manual outbound NAT rule generation should be selected and you should remove any rules
* Under "Firewall: Rules: (your VLAN interfaces)" you should add an allow rule matching everything*
* Under "Firewall: Rules: your WAN interface" you should add allow rules matching inbound traffic as required

(You possibly don't want to allow all traffic from your VLAN interfaces but I'm trying to keep things simple for now)

You could check "Disable all packet filtering" and then not have any firewall rules - if you really want a plain router with no filtering at all.

If you're still having trouble and don't see any settings matching that, can you try some tracerts?

This may be a stupid question, but have you made sure you don't have some sort of port security feature on your switch preventing your OPNsense router from working properly when sending with various different source addresses? If that were the case it would prevent pfSense working too, but maybe you have set up a new test environment for OPNsense, so it seemed worth checking.

Quote from: HuntingDMouse on August 08, 2018, 10:22:07 AM
My work HAD planned to donate a bunch of $$ to you to further development, but if we can't even get what seems like it should be a simple problem solved, there's no point, and we would end up wasting the money migrating the config back to pfSense.

What's this got to do with debugging the case? You've reverted to enforcing stereotypes this community has worked hard to leave behind. There is no place for talk like this here and I kindly ask you to stop.


Cheers,
Franco

Quote from: HuntingDMouse on May 31, 2018, 08:10:16 AM
Hi Franco,

Never could get it to work. OPNsense wouldn't pass the traffic.

I did what you suggested, wouldn't pass traffic. Rebooted, still wouldn't pass traffic.

Disabled the firewall, wouldn't pass traffic afterwards, rebooted, still wouldn't pass traffic.

I could SSH into the OPNsense box and get a shell and ping and traceroute all over the internet, but it wouldn't pass traffic from *ANY* of my VLANs.

I could SSH into the OPNsense box from my Juniper SRX on the edge of our networks on the WAN side.

There were no rules under NAT even after I disabled it.

I even added a static route with the SRX as the gateway, no difference.


Confirm this is working. I have my normal live router and my test router. My test router gets its WAN address from my live router. Settings as above:


LAN on the live router can ping LAN on the slave (slave LAN is 10.*.*.*, test LAN is 192.168.1.0/24); LAN on the slave can ping LAN on 10.*.*.0/24.


Packets from the LAN on the slave attempting to ping Google can be seen on the live LAN OPNsense interface showing their un-NATed address of 192.168.1.*.


No doubt if I set up the rules on the live router they would pass through to the internet.


If you are using private networks on the WAN interface, don't forget to turn off the "block private networks" switch.

I'll have to start fresh and import just tidbits of the config at a time and see if I can make this fly. In the lab it never has worked.

I will start with the suggestions above and see what happens.


Each of our sites has 10 VLANs behind the OPNsense router.

Our setup is like this:

Internet -> Juniper SRX340 Firewall -> OPNsense -> 10 VLANs.

We have static IPs plus VPNs on the Junipers. We're just trying to eliminate that extra NAT that we don't need.


Quote from: nallar on August 08, 2018, 01:14:29 PM
Let's check some settings:

* Your WAN interface should be set up and have an IP and a gateway
* Your VLAN interfaces should be set up and have an IP, but no gateways
* You should have a default gateway set up under "System: Gateways: Single" that can reach the internet (the WAN interface gateway)
* Under "Firewall: Settings: Advanced", "Network Address Translation": all options should be unchecked; "Disable all packet filtering" should be unchecked
* Under "Firewall: NAT: Outbound" Manual outbound NAT rule generation should be selected and you should remove any rules
* Under "Firewall: Rules: (your VLAN interfaces)" you should add an allow rule matching everything*
* Under "Firewall: Rules: your WAN interface" you should add allow rules matching inbound traffic as required

(You possibly don't want to allow all traffic from your VLAN interfaces but I'm trying to keep things simple for now)

You could check "Disable all packet filtering" and then not have any firewall rules - if you really want a plain router with no filtering at all.

If you're still having trouble and don't see any settings matching that, can you try some tracerts?

This may be a stupid question, but have you made sure you don't have some sort of port security feature on your switch preventing your OPNsense router from working properly when sending with various different source addresses? If that were the case it would prevent pfSense working too, but maybe you have set up a new test environment for OPNsense, so it seemed worth checking.

Thank you for the suggestions above.

I'll blow the config off the test box in the lab and reload OPNsense with a bare install and try this again. We have the exact setup in the lab that we do in production.

No 802.1X or layer 3 routing going on in the switches. We run LAGG trunks between the Juniper SRX on the WAN side of the OPNsense box and also on the LAN side to switches. The security policy on the SRX is set up to accept ALL subnets and NAT what it needs to and shovel what it needs to down the VPN rabbit holes.

Ran into a similar issue and found that to get this working I had to do two things. First was to learn how to write the firewall rules (DUH), but when you are tired your mind does weird things. Since I had multiple networks on the inside, I had to set the rule source to "any" instead of the LAN network.

The other was that the NAT setting needed to be "Disable outbound NAT rule generation" and not "Manual" as noted.
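The checklist nallar posted and the two fixes in the last reply (source "any" on the VLAN pass rules, outbound NAT generation disabled) can be verified from the OPNsense shell the original poster already had access to. The script below is an added example written for this thread, not code from the OPNsense project or from anyone in the discussion. Each check takes the text output of a command as its argument, so it runs offline against the constructed samples included here; the interface names (em0, vlan0.10, vlan0.20), addresses and rule labels in those samples are assumptions, and the exact wording of the "block private networks" rules that OPNsense generates is also an assumption, matched only by the RFC 1918 prefixes they carry.

```shell
#!/bin/sh
# Pre-flight checks for an OPNsense/FreeBSD box that should route between its
# VLANs and the WAN *without* NAT (added example for this thread, not project
# code). Every check takes command output as a string so it can be exercised
# against the constructed samples below; on a real box pass the live output:
#   check_all "$(pfctl -sn)" "$(sysctl net.inet.ip.forwarding)" \
#             "$(netstat -rn)" "$(pfctl -sr)" em0 "$WAN_IP" vlan0.10 vlan0.20

# 1. No nat/binat/rdr rules loaded: "Disable outbound NAT rule generation"
#    (or Manual with every rule deleted) must leave "pfctl -sn" empty.
check_no_nat() {
    ! printf '%s\n' "$1" | grep -Eq '^(no )?(nat|binat|rdr)[[:space:]]'
}

# 2. Kernel forwarding is on; a host that only answers its own pings
#    but forwards nothing looks exactly like the symptom in this thread.
check_forwarding() {
    printf '%s\n' "$1" | grep -Eq '^net\.inet\.ip\.forwarding: 1$'
}

# 3. A default route exists (the WAN gateway from "System: Gateways: Single").
check_default_route() {
    printf '%s\n' "$1" | grep -Eq '^default[[:space:]]+[0-9.]+'
}

# 4. Every VLAN interface has an inbound pass rule whose source is "any".
#    "LAN net" expands to one subnet and silently drops traffic from the
#    other VLANs. Lists the interfaces that lack such a rule.
check_vlan_pass() {
    rules=$1; shift
    missing=""
    for ifc in "$@"; do
        printf '%s\n' "$rules" | grep -Eq "^pass in( quick)? on $ifc .*from any " \
            || missing="$missing $ifc"
    done
    [ -z "$missing" ] || { echo "no 'from any' pass rule on:$missing" >&2; return 1; }
}

# 5. When the WAN address itself is RFC 1918 (the upstream firewall hands out
#    private space) the generated "block private networks" rules on WAN must
#    be gone, or every reply from the VLANs is dropped on the way back in.
check_wan_private_ok() {
    rules=$1; wan=$2; wan_ip=$3
    case $wan_ip in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*)
            ! printf '%s\n' "$rules" | grep -Eq \
                "^block .* on $wan .*(10\.0\.0\.0/8|172\.16\.0\.0/12|192\.168\.0\.0/16)" ;;
        *) return 0 ;;
    esac
}

# Run every check against one set of outputs; non-zero if any of them fails.
check_all() {
    nat=$1; fwd=$2; routes=$3; rules=$4; wan=$5; wan_ip=$6; shift 6
    rc=0
    check_no_nat "$nat"           || { echo "NAT rules still loaded" >&2; rc=1; }
    check_forwarding "$fwd"       || { echo "IP forwarding is off" >&2; rc=1; }
    check_default_route "$routes" || { echo "no default route" >&2; rc=1; }
    check_vlan_pass "$rules" "$@" || rc=1
    check_wan_private_ok "$rules" "$wan" "$wan_ip" \
        || { echo "private-network block rules still active on $wan" >&2; rc=1; }
    return $rc
}

# Constructed samples (not captured from a real box) in the shape the commands
# print. SAMPLE_*_OK matches the checklist; SAMPLE_*_BAD shows the two mistakes
# the last reply describes plus a leftover private-network block rule.
SAMPLE_NAT_OK=""
SAMPLE_NAT_BAD="nat on em0 inet from 10.10.0.0/16 to any -> (em0) round-robin"
SAMPLE_FWD="net.inet.ip.forwarding: 1"
SAMPLE_ROUTES="Destination        Gateway            Flags     Netif Expire
default            192.168.254.1      UGS         em0
10.10.10.0/24      link#5             U        vlan0.10
10.10.20.0/24      link#6             U        vlan0.20"
SAMPLE_RULES_OK="block drop in log all label \"Default deny rule\"
pass in quick on vlan0.10 inet from any to any flags S/SA keep state label \"allow vlan10\"
pass in quick on vlan0.20 inet from any to any flags S/SA keep state label \"allow vlan20\"
pass in quick on em0 inet proto tcp from any to 10.10.10.5 port = 443 flags S/SA keep state"
SAMPLE_RULES_BAD="block drop in quick on em0 from 10.0.0.0/8 to any label \"Block private networks from WAN\"
pass in quick on vlan0.10 inet from 10.10.10.0/24 to any flags S/SA keep state label \"LAN net only\""

# Offline demonstration: exit status 0 means the routing-only settings look right.
check_all "$SAMPLE_NAT_OK" "$SAMPLE_FWD" "$SAMPLE_ROUTES" "$SAMPLE_RULES_OK" \
    em0 192.168.254.10 vlan0.10 vlan0.20 && echo "routing-only checks passed"
```

Two things the script deliberately does not cover. The WAN pass rule it accepts is stateful, so replies to traffic the VLANs initiate are allowed by state and only unsolicited inbound traffic needs explicit WAN rules; and none of these checks can see the upstream device. Once NAT is off, the Juniper (or whatever sits on the WAN side) must have routes for every VLAN prefix pointing back at the OPNsense WAN address, otherwise packets leave correctly but the replies never return, which from the LAN looks identical to "OPNsense won't pass traffic". A pass rule with source "any" on every VLAN is also more permissive than most sites want; once the basic path works it can be tightened to the internal aggregate.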