Multiple BINAT's with same Internal not generating pf rules
- [X] I have read the contributing guide lines at https://github.com/opnsense/core/blob/master/CONTRIBUTING.md
- [X] I am convinced that my issue is new after having checked both open and closed issues at https://github.com/opnsense/core/issues?q=is%3Aissue
Describe the bug
Going through the upgrade steps on firewalls from v21 to v25, multiple BINATs stopped working around v23, maybe v24. In short, I have two external IPs on a BGP network that BINAT to the same internal IP. This works on v21, and the UI creates the appropriate pf tables/rules for it. After upgrading to v25, it still shows in the UI but it's actually not getting generated as a pf rule anymore. There seems to be some disconnect or issue with the pf rule generation? I can do a `pfctl -s tables` and the second binat rule is simply not there. I have one firewall on v21 and a second on v25 with the same config. We can code and debug! Just not sure where to start. Thanks
To Reproduce
Steps to reproduce the behavior:

1. Go to 'Firewall->NAT->1:1' and create a new NAT rule:
   1. on interface: wan
   2. external network: virtual wan ip/32 (e.g. 1.1.1.1/32)
   3. type: binat
   4. source: dmz lan ip/32 (e.g. 10.10.10.100/32)
   5. Destination: any
   6. Nat reflection: use system default
2. Create a second new NAT rule with a different external IP:
   1. on interface: wan
   2. external network: virtual wan ip/32 (e.g. 1.1.1.2/32)
   3. type: binat
   4. source: dmz lan ip/32 (e.g. 10.10.10.100/32)
   5. Destination: any
   6. Nat reflection: use system default
3. Check the pf tables to see if it's created: `pfctl -s tables`
4. There is no second BINAT rule in the pf table
Environment
Software version used and hardware type if relevant, e.g.:
- Working: OPNsense 21
- Not working: OPNsense 25.1
This would lead to overlapping rules, which pf probably just chooses one from.

You would notice the rule in:

```
grep 10.10.10.100 /tmp/rules.debug
```

Then nat only shows one:

```
pfctl -sn | grep '10.10.10.100'
```

When the intention is to round-robin traffic, you should likely use an alias.
Hi @AdSchellevis Thanks for your notes.
What's odd is this works perfectly on V21 but not V25, with the BINAT rules. Neither the rules nor the pfctl have the second binat rule on V25. Understood that the source selection for outbound traffic is tricky, but it actually works great for TCP traffic coming in from two different IPs to the same host. In thinking this through, I think I'm going to just allocate an additional internal IP and forgo the inherent complexity created by this. In any case:

V21:

```
firewall-01:~ # grep 10.x.x.10 /tmp/rules.debug
binat on xn1 from 10.x.x.10 to any -> {externalIP}.2/32
binat on xn1 from 10.x.x.10 to any -> {externalIP}.1/32
firewall-01:~ # pfctl -sn | grep '10.254.0.10'
binat on xn1 inet from 10.x.x.10 to any -> {externalIP}.2
binat on xn1 inet from 10.x.x.10 to any -> {externalIP}.1
```

V25:

```
firewall-02:~ # grep 10.x.x.10 /tmp/rules.debug
binat on xn1 from 10.x.x.10 to any -> {externalIP}.2/32
firewall-02:~ # pfctl -sn | grep '10.254.0.10'
binat on xn1 inet from 10.x.x.10 to any -> {externalIP}.2
```
On my end I can't reproduce the rules.debug being different; there's no deduplication in that code on our end. Looking at the ruleset, same spec matching two targets, it does look like a suspicious rule (coming from 10.x.x.10 you simply can't tell what to expect).