fix minor compile issues

pull/508/head
Ad Schellevis 7 months ago
parent e7b4a4f650
commit 8086c52a2d

@ -111,7 +111,7 @@ Go to :menuselection:`Firewall --> NAT --> Port Forward`
IP ``203.0.113.1`` and destination port ``443`` --> rewrite the destination IP to ``172.16.1.1`` and the destination port to ``443``.
.. Note::
Due to "Add associated filter rule", the added linked firewall rule in :menuselection:`Firewall --> Rules --> Floating` will allow traffic to the destination IP ``172.16.1.1`` because NAT rules match before Firewall rules. That means the firewall receives the packet and the NAT rule converts the destination from ``203.0.113.1`` to ``172.16.1.1`` first, before passing the packet to the firewall filter. You could also set "Filter rule association: Pass", but then the resulting firewall rule would be invisible.
Due to "Add associated filter rule", the added linked firewall rule in :menuselection:`Firewall --> Rules --> Floating` will allow traffic to the destination IP ``172.16.1.1`` because NAT rules match before Firewall rules. That means the firewall receives the packet and the NAT rule converts the destination from ``203.0.113.1`` to ``172.16.1.1`` first, before passing the packet to the firewall filter. You could also set "Filter rule association: Pass", but then the resulting firewall rule would be invisible.
.. Note::
In some setups (e.g. an external IP address is bound on an additional VPN interface) you need to set "Filter rule association: None" and create your own Firewall rules. One of those firewall rules should match only on the VPN interface, and in "advanced features" of that rule "reply-to" should be your VPN interface. The other firewall rule (without "reply-to") should match the remaining interfaces.
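Review bot: The replaced line in the first Note (the paragraph beginning 'Due to "Add associated filter rule"') reads the same before and after, so this appears to be a whitespace or indentation fix. Please name the build warning it resolves in the commit message so the change can be verified. Since this paragraph is being touched anyway, its last sentence could say where the rule created by "Filter rule association: Pass" is invisible. Someone reviewing the rule set needs to know that forwarded traffic can be passed without a listed filter rule.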
@ -224,7 +224,7 @@ Troubleshooting NAT Rules
* ``pfctl -s nat``
* "rdr" means :menuselection:`Firewall --> NAT --> Port Forward` rules.
* "nat" means :menuselection:`Firewall --> NAT --> Outbound` rules.
* You can also check the rules in the GUI in :menuselection:`Firewall --> Diagnostics --> Statistics"
* You can also check the rules in the GUI in :menuselection:`Firewall --> Diagnostics --> Statistics`
.. Tip::
* Displays all NAT rules in the OPNsense debug:
@ -233,6 +233,6 @@ Troubleshooting NAT Rules
.. Tip::
* Look at the default drops of the firewall live log in :menuselection:`Firewall --> Log Files --> Live View`
* Turn on logging of the NAT and Firewall rules you have created, and check if they match in :menuselection:`Firewall --> Log Files --> Live View`. NAT rules have the label "NAT" or "RDR". Firewall rules have their description as label.
* Turn on logging of the NAT and Firewall rules you have created, and check if they match in :menuselection:`Firewall --> Log Files --> Live View`. NAT rules have the label "NAT" or "RDR". Firewall rules have their description as label.
* In ":menuselection:`Firewall --> Diagnostics --> Sessions` you can check if there is a session between your internal client and your internal server, and which rule matches to it.
* Use tcpdump on the client, the opnsense and the server, and test if the traffic goes back and forth between the devices without any mistakes. Look for TCP SYN and SYN ACK. If there are only SYN then the connection isn't established and there are mistakes in your rules.
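Review bot: The Sessions bullet in the unchanged context still has an unmatched double quote in front of the role (In ":menuselection:`Firewall --> Diagnostics --> Sessions`). This is the same kind of markup slip that the previous hunk fixes on the Statistics bullet, so it should be removed in this commit too. The changed logging bullet is identical in its visible text, so it is presumably whitespace-only. In the tcpdump bullet, "opnsense" should be capitalised as "OPNsense" to match the rest of the page.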

@ -86,7 +86,7 @@ Passenger Application Server for differnet
nginx Unit_ Application Server for differnet Languages
Undertow_ (Raw, JBoss, WildFly) Java application server
Apache Tomcat Java application server
unit_, puma_, unicorn_ Many Rack_ based frameworks (RoR_, Sinatrarb_, …)
unit_, puma_, unicorn_ Many Rack_ based frameworks (RoR_, Sinatrarb_, …)
gunicorn_ Python application server
Apache HTTPd (with modules like mod_php) Webserver with interpreter modules
============================================= ================================================
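Review bot: The typo "differnet" in the nginx Unit_ row (and in the Passenger row shown in the hunk header) is left in place although this commit already edits the table; please correct it to "different" here. The changed unit_, puma_, unicorn_ row differs only in spacing as shown. That is expected for a simple table whose columns must line up with the ``=====`` border, but it would be worth confirming that the second column of every row starts at the same offset as the border below.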
@ -223,4 +223,3 @@ Firewalling
Misc
----
* :doc:`how-tos/nginx_hosting`
* :doc:`how-tos/haproxy_howtos`
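Review bot: The hunk header (-223,4 +223,3) shows one line being dropped from the end of the Misc list, but the commit message only says "fix minor compile issues" and does not say which line or why. If the removed line is one of the :doc: entries rather than a trailing blank line, please state that in the message and confirm the target page is either gone or still linked from another index, so the how-to does not become unreachable.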
