NAT reflection for port forward rules not created, manual rules don't work.
Important notices
Before you add a new report, we ask you kindly to acknowledge the following:
- [x] I have read the contributing guidelines at https://github.com/opnsense/core/blob/master/CONTRIBUTING.md
- [x] I am convinced that my issue is new after having checked both open and closed issues at https://github.com/opnsense/core/issues?q=is%3Aissue
Describe the bug
Problem description:
NAT reflection with SNAT doesn't work, no rules are created, the rules I create won't work.
Network setup:
WAN - OPNsense - LAN1 - Router - LAN2
There's masquerade done by OPNsense (Outbound NAT for LAN2).
Port 22 on LAN2_A machine is exposed on WAN IP, port 3322 (port forwarding).
In Advanced settings, I have enabled "Reflection for port forwards", "Automatic outbound NAT for Reflection" and "Reflection for 1:1" (just in case). I expected some new automatic NAT rules to be created in "Outbound NAT", but nothing appeared there.
Troubleshooting steps:
When I connect from outside, all is fine.
When I connect from LAN2_B to WAN:3322, OPNsense only translates the destination IP and returns the packet to LAN2, so the connection doesn't work: LAN2_A now sees that the packet came from LAN2_B and tries to send a SYN-ACK to LAN2_B, but LAN2_B rejects this packet, because it sent its SYN to WAN:3322, not to LAN2_A.
What needs to be done is SNAT in addition to DNAT, so that LAN2_A gets the packet with the OPNsense LAN1 address as source, and no one is confused.
This is what I assumed "Automatic reflection for Port Forwards" does - I thought it's going to create a new automatic rule in Outbound NAT - but there's no rule like this to be found! And yes, I know it will only create rule for LAN1, not for LAN2, but that would at least give me some basis for creating my own rule.
Anyway, automatic doesn't work, so I can do this manually, right? I switched Outbound NAT to Hybrid mode, and created a rule:
On LAN interface, when traffic comes from LAN2 network and is destined to WAN:3322, translate to OPNsense LAN1 IP. Log it.
Nothing. Doesn't work, there's nothing in the logs.
So, new rule (I'm not sure if Outbound NAT rules are evaluated before or after DNAT, did not find this info in the documentation):
On LAN interface, when traffic comes from LAN2 network and is destined to LAN2_A:22, translate to OPNsense LAN1 IP. Log it.
Again, nothing. Doesn't work, there's nothing in the logs.
So, I have 2 questions:
- What is the rule that would/should be autogenerated? (and why isn't it created?)
- What rule should be created to perform SNAT in this scenario? (i.e. what am I missing?)
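For readers unfamiliar with what "SNAT in addition to DNAT" looks like at the packet-filter level, here is an added illustration in plain FreeBSD pf syntax (the engine underneath OPNsense). It is not taken from this report and is not the rule set OPNsense generates; the interface name and all addresses are constructed placeholders. It pairs the hairpin redirect with the source-NAT rule the report asks for, and shows the ordering point that matters: pf applies rdr when the packet enters an interface and nat when it leaves one, so the outbound nat rule must match the already-translated destination (LAN2_A port 22), not the original WAN:3322.

```pf
# Added example: hairpin (NAT reflection) for a single port forward in FreeBSD pf.
# All names and addresses below are constructed placeholders, not the reporter's values.
lan_if   = "vtnet1"          # OPNsense interface facing LAN1 (assumed name)
lan1_ip  = "192.168.1.1"     # OPNsense address on LAN1 (assumed)
lan2_net = "192.168.2.0/24"  # LAN2, behind the inner router (assumed)
lan2_a   = "192.168.2.50"    # LAN2_A, the SSH server (assumed)
wan_ip   = "203.0.113.10"    # public WAN address (documentation range)

# 1. DNAT: the port forward, applied on the LAN side as well so that a packet from
#    LAN2 to WAN:3322 is redirected to LAN2_A:22 as it enters lan_if.
rdr on $lan_if proto tcp from $lan2_net to $wan_ip port 3322 -> $lan2_a port 22

# 2. SNAT: rewrite the source to the firewall's LAN1 address as the packet leaves
#    lan_if again. rdr has already run at this point, so the destination to match
#    is LAN2_A:22. LAN2_A replies to lan1_ip, pf reverses both translations, and
#    LAN2_B receives the SYN-ACK from WAN:3322, which is what it expects.
nat on $lan_if proto tcp from $lan2_net to $lan2_a port 22 -> $lan1_ip

# 3. Filter rules see post-translation addresses, so the pass rule must match the
#    redirected destination too.
pass in quick on $lan_if proto tcp from $lan2_net to $lan2_a port 22 keep state
```

Two consequences follow for troubleshooting a setup like the one described: an outbound NAT rule written against WAN:3322 never matches on the LAN interface because the destination has already been rewritten by the time nat rules are evaluated, and a hairpin rule must be bound to the interface the traffic re-enters and leaves (LAN1 here), not to WAN. A tcpdump on the LAN1 interface showing SYNs arriving with destination LAN2_A:22 but still carrying the LAN2_B source address is the direct symptom of a missing or non-matching nat rule.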
To Reproduce
Steps to reproduce the behavior:
- Setup single port forward.
- Make sure "Reflection for port forwards", "Automatic outbound NAT for Reflection" and "Reflection for 1:1" are enabled.
- No profit.
Expected behavior
SNAT in addition to DNAT, so that LAN2_A gets the packet with the OPNsense LAN1 address as source.
Describe alternatives you considered
I switched Outbound NAT to Hybrid mode, and created a rule:
On LAN interface, when traffic comes from LAN2 network and is destined to WAN:3322, translate to OPNsense LAN1 IP. Log it.
Nothing. Doesn't work, there's nothing in the logs.
So, new rule (I'm not sure if Outbound NAT rules are evaluated before or after DNAT, did not find this info in the documentation):
On LAN interface, when traffic comes from LAN2 network and is destined to LAN2_A:22, translate to OPNsense LAN1 IP. Log it.
Again, nothing. Doesn't work, there's nothing in the logs.
Relevant log files
There are no logs, I'm happy to provide tcpdump if that helps any.
Additional context
Network setup:
WAN - OPNsense - LAN1 - Router - LAN2
Environment
Proxmox VM OPNsense 21.1.10_4 (amd64, OpenSSL). VM x64 Network virtnet