Letsencrypt expired, and dns errors


#94

Now, the question is, what difference between OpenWRT and OPNsense (pfSense) makes MAIB work fine in the DMZ with OpenWRT, but not with OPNsense???


#95

It looks like all my OpenWRT port forwards have “NAT loopback” enabled, which is NAT Reflection…


#96

Now I probably need proper NAT Reflection to work on OPNsense…


#97

After enabling NAT Reflection in OPNsense…
@box:~$ sudo /home/devnull/mailinabox/management/status_checks.py

System

✖ SSH Login (ssh) is running but is not publicly accessible at 76.10.176.225:22.
✖ Public DNS (nsd4) is not running (port 53).
✖ Incoming Mail (SMTP/postfix) is running but is not publicly accessible at 76.10.176.225:25.
✖ Outgoing Mail (SMTP 587/postfix) is running but is not publicly accessible at 76.10.176.225:587.
✖ IMAPS (dovecot) is running but is not publicly accessible at 76.10.176.225:993.
✖ Mail Filters (Sieve/dovecot) is running but is not publicly accessible at 76.10.176.225:4190.
✖ HTTP Web (nginx) is running but is not publicly accessible at 76.10.176.225:80.
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
✖ HTTPS Web (nginx) is running but is not publicly accessible at 76.10.176.225:443.
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
✓ SSH disallows password-based login.
✓ System software is up to date.
? Mail-in-a-Box version check disabled by privacy setting.
✓ System administrator address exists as a mail alias. [administrator@box.f2f10.com ↦ co-traveler@f2f10.com]
✓ The disk has 164.30 GB space remaining.
✓ System memory is 97% free.

Network

✓ Firewall is active.
✓ Outbound mail (SMTP port 25) is not blocked.
✓ IP address is not blacklisted by zen.spamhaus.org.

box.f2f10.com

✖ Nameserver glue records are incorrect. The ns1.box.f2f10.com and ns2.box.f2f10.com nameservers must be configured
at your domain name registrar as having the IP address 76.10.176.225. They currently report addresses of [Not
Set]/[Not Set].
It may take several hours for public DNS to update after a change.
✖ This domain must resolve to your box’s IP address (76.10.176.225) in public DNS but it currently resolves to [Not
Set]. It may take several hours for public DNS to update after a change. This problem may result from other issues
listed above.
✓ Reverse DNS is set correctly at ISP. [76.10.176.225 ↦ box.f2f10.com]
✓ Hostmaster contact address exists as a mail alias. [hostmaster@box.f2f10.com ↦ administrator@box.f2f10.com]
✓ Domain’s email is directed to this domain. [box.f2f10.com has no MX record, which is ok]
✓ Postmaster contact address exists as a mail alias. [postmaster@box.f2f10.com ↦ administrator@box.f2f10.com]
✓ Domain is not blacklisted by dbl.spamhaus.org.
✓ TLS (SSL) certificate is signed & valid. The certificate expires in 89 days on 03/23/18.

f2f10.com

✖ The nameservers set on this domain are incorrect. They are currently [Not Set]. Use your domain name registrar’s
control panel to set the nameservers to ns1.box.f2f10.com; ns2.box.f2f10.com.
✖ This domain’s DNS MX record is not set. It should be ‘10 box.f2f10.com’. Mail will not be delivered to this box.
It may take several hours for public DNS to update after a change. This problem may result from other issues
listed here.
✓ Domain is not blacklisted by dbl.spamhaus.org.
✖ This domain should resolve to your box’s IP address (A 76.10.176.225) if you would like the box to serve webmail
or a website on this domain. The domain currently resolves to [Not Set] in public DNS. It may take several hours
for public DNS to update after a change. This problem may result from other issues listed here.
? This domain’s DNSSEC DS record is not set. The DS record is optional. The DS record activates DNSSEC. To set a DS
record, you must follow the instructions provided by your domain name registrar and provide to them this
information:

Key Tag: 60585
Key Flags: KSK
Algorithm: 7 / RSASHA1-NSEC3-SHA1
Digest Type: 2 / SHA-256
Digest: 2052282b2999d0937749f7d2241d7acf6bbc4504ae9045a9020d7abffc2b5ab3
Public Key:

AwEAAdMypof8r0AsRFZBRWDmW6/DFdDAr5uyYYslbb3x2c5PWST8nrZQU3+Pr8q/KafBTrlrLFOiE2LLHkXqmdwYmM/ChEjblutn4n9lUVua2ni90RRif+/qdzJpk5d1zJXsNuTvYv7O41Ikk9kVhvRgKW+2surM8Q6IEiKdvtAdBKinZVDwRJvpXvebRBnZ5GYV58e+Khf6YCTUC1PGXck5ULsTHy0MBUtAvyZ/qFRo2B7d17lfoNw9cK10at8AGSvr2WZNEUkWiaaf2yF+zNoHgmB41P8pUfGxPGCS/4G/zDWvUMX8RrBwJj63XGUVHR/AAnrhedh7q/1h2ayD1blM5+k=

Bulk/Record Format:
f2f10.com. 3600 IN DS 60585 7 2 2052282b2999d0937749f7d2241d7acf6bbc4504ae9045a9020d7abffc2b5ab3


Status Checks Incorrect
#98

It looks like the issue is still not resolved even with NAT Reflection enabled on OPNsense, while NAT Loopback works fine with OpenWRT…???

Anyone with an OPNsense + MAIB setup that works? Thanks in advance…


#99

With NAT Reflection enabled, it seems that my email client on the internal network can access MAIB with no issues. Therefore I don’t need to enable Split DNS for that for now. However, the MAIB status check still doesn’t work…


#100

OK, on OpenWRT I have the following configuration in Firewall, with NAT Loopback enabled for incoming port forwarding…

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'dmz'
	option proto 'tcp udp'
	option src_dport '53'
	option dest_port '53'
	option name 'dns'
	option dest_ip '192.168.140.253'

@TorWrt# iptables-save | grep NAT
-A zone_dmz_postrouting -s 192.168.140.0/24 -d 192.168.140.253/32 -p tcp -m tcp --dport 25 -m comment --comment "mx (reflection)" -j SNAT --to-source 192.168.140.1
-A zone_dmz_postrouting -s 192.168.140.0/24 -d 192.168.140.253/32 -p tcp -m tcp --dport 443 -m comment --comment "web-email (reflection)" -j SNAT --to-source 192.168.140.1
-A zone_dmz_postrouting -s 192.168.140.0/24 -d 192.168.140.253/32 -p tcp -m tcp --dport 80 -m comment --comment "webmail80-let'sencrypt (reflection)" -j SNAT --to-source 192.168.140.1
-A zone_dmz_postrouting -s 192.168.140.0/24 -d 192.168.140.253/32 -p tcp -m tcp --dport 53 -m comment --comment "dns (reflection)" -j SNAT --to-source 192.168.140.1
-A zone_dmz_postrouting -s 192.168.140.0/24 -d 192.168.140.253/32 -p udp -m udp --dport 53 -m comment --comment "dns (reflection)" -j SNAT --to-source 192.168.140.1

-A zone_dmz_prerouting -s 192.168.140.0/24 -d 76.10.176.225/32 -p tcp -m tcp --dport 25 -m comment --comment "mx (reflection)" -j DNAT --to-destination 192.168.140.253:25
-A zone_dmz_prerouting -s 192.168.140.0/24 -d 76.10.176.225/32 -p tcp -m tcp --dport 443 -m comment --comment "web-email (reflection)" -j DNAT --to-destination 192.168.140.253:443
-A zone_dmz_prerouting -s 192.168.140.0/24 -d 76.10.176.225/32 -p tcp -m tcp --dport 80 -m comment --comment "webmail80-let'sencrypt (reflection)" -j DNAT --to-destination 192.168.140.253:80
-A zone_dmz_prerouting -s 192.168.140.0/24 -d 76.10.176.225/32 -p tcp -m tcp --dport 53 -m comment --comment "dns (reflection)" -j DNAT --to-destination 192.168.140.253:53
-A zone_dmz_prerouting -s 192.168.140.0/24 -d 76.10.176.225/32 -p udp -m udp --dport 53 -m comment --comment "dns (reflection)" -j DNAT --to-destination 192.168.140.253:53

-A zone_wan_prerouting -p tcp -m tcp --dport 25 -m comment --comment mx -j DNAT --to-destination 192.168.140.253:25
-A zone_wan_prerouting -p tcp -m tcp --dport 443 -m comment --comment web-email -j DNAT --to-destination 192.168.140.253:443
-A zone_wan_prerouting -p tcp -m tcp --dport 80 -m comment --comment "webmail80-let'sencrypt" -j DNAT --to-destination 192.168.140.253:80
-A zone_wan_prerouting -p tcp -m tcp --dport 53 -m comment --comment dns -j DNAT --to-destination 192.168.140.253:53
-A zone_wan_prerouting -p udp -m udp --dport 53 -m comment --comment dns -j DNAT --to-destination 192.168.140.253:53

-A zone_dmz_forward -m conntrack --ctstate DNAT -m comment --comment "Accept port forwards" -j ACCEPT
-A zone_dmz_input -m conntrack --ctstate DNAT -m comment --comment "Accept port redirections" -j ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "Accept port forwards" -j ACCEPT
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "Accept port redirections" -j ACCEPT
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "Accept port forwards" -j ACCEPT
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "Accept port redirections" -j ACCEPT


#101

In FreeBSD, MAIB, how do I check the above info???


#102

@cwilkins

I was wondering whether you have the above info? Can you kindly share where exactly you have enabled NAT Reflection in pfSense? I have since enabled all three NAT Reflection options in the Firewall advanced settings on OPNsense…


#103

With OpenWRT, I can see clearly, as you mentioned, that NAT Reflection plays a role in making it work… here are tcpdump snippets from the OpenWRT DMZ and WAN interfaces and from the MAIB interface…

@TorWrt:# tcpdump -ni eth0.140 port 53 and host 192.168.140.253

07:07:15.853367 IP 192.168.140.253.43210 > 76.10.176.225.53: Flags [S], seq 1829535474, win 29200, options [mss 1460,sackOK,TS val 1144143621 ecr 0,nop,wscale 7], length 0
07:07:15.853624 IP 192.168.140.1.43210 > 192.168.140.253.53: Flags [S],seq 1829535474 win 29200, options [mss 1460,sackOK,TS val 1144143621 ecr 0,nop,wscale 7], length 0

07:07:15.853826 IP 192.168.140.253.53 > 192.168.140.1.43210: Flags [S.], seq 2131716951, ack 1829535475, win 28960, options [mss 1460,sackOK,TS val 1144143621 ecr 1144143621,nop,wscale 7], length 0
07:07:15.853881 IP 76.10.176.225.53 > 192.168.140.253.43210: Flags [S.], seq 2131716951, ack 1829535475, win 28960, options [mss 1460,sackOK,TS val 1144143621 ecr 1144143621,nop,wscale 7], length 0
07:07:15.853952 IP 192.168.140.253.43210 > 76.10.176.225.53: Flags [.], ack 1, win 229, options [nop,nop,TS val 1144143621 ecr 1144143621], length 0
07:07:15.854002 IP 192.168.140.1.43210 > 192.168.140.253.53: Flags [.], ack 1, win 229, options [nop,nop,TS val 1144143621 ecr 1144143621], length 0

07:07:15.857449 IP 192.168.140.253.43210 > 76.10.176.225.53: Flags [F.], seq 1, ack 1, win 229, options [nop,nop,TS val 1144143622 ecr 1144143621], length 0
07:07:15.857487 IP 192.168.140.1.43210 > 192.168.140.253.53: Flags [F.], seq 1, ack 1, win 229, options [nop,nop,TS val 1144143622 ecr 1144143621], length 0

07:07:15.857690 IP 192.168.140.253.53 > 192.168.140.1.43210: Flags [F.], seq 1, ack 2, win 227, options [nop,nop,TS val 1144143622 ecr 1144143622], length 0
07:07:15.857742 IP 76.10.176.225.53 > 192.168.140.253.43210: Flags [F.], seq 1, ack 2, win 227, options [nop,nop,TS val 1144143622 ecr 1144143622], length 0

07:07:15.857824 IP 192.168.140.253.43210 > 76.10.176.225.53: Flags [.], ack 2, win 229, options [nop,nop,TS val 1144143622 ecr 1144143622], length 0
07:07:15.857874 IP 192.168.140.1.43210 > 192.168.140.253.53: Flags [.], ack 2, win 229, options [nop,nop,TS val 1144143622 ecr 1144143622], length 0

07:07:17.555888 IP 192.168.140.253.27726 > 192.203.230.10.53: 40886% [1au] NS? . (28)
07:07:17.556064 IP 192.168.140.253.53311 > 192.203.230.10.53: 20231% [1au] A? aspmx.l.google.com. (47)
07:07:17.556170 IP 192.168.140.253.10260 > 192.203.230.10.53: 57585% [1au] AAAA? aspmx.l.google.com. (47)


#104

@TorWrt:# tcpdump -ni pppoe-wan port 53

07:07:17.556020 IP 76.10.176.225.27726 > 192.203.230.10.53: 40886% [1au] NS? . (28)
07:07:17.556147 IP 76.10.176.225.53311 > 192.203.230.10.53: 20231% [1au] A? aspmx.l.google.com. (47)
07:07:17.556244 IP 76.10.176.225.10260 > 192.203.230.10.53: 57585% [1au] AAAA? aspmx.l.google.com. (47)


#105

@box:~# tcpdump -ni eth0 not host 192.168.110.153

07:07:15.855389 IP 192.168.140.253.43210 > 76.10.176.225.53: Flags [S], seq 1829535474, win 29200, options [mss 1460,sackOK,TS val 1144143621 ecr 0,nop,wscale 7], length 0
07:07:15.855439 IP 192.168.140.253.35998 > 76.10.176.225.25: Flags [S], seq 2153696641, win 29200, options [mss 1460,sackOK,TS val 1144143621 ecr 0,nop,wscale 7], length 0
07:07:15.855654 IP 192.168.140.253.42748 > 76.10.176.225.22: Flags [S], seq 3530740831, win 29200, options [mss 1460,sackOK,TS val 1144143621 ecr 0,nop,wscale 7], length 0

07:07:15.855724 IP 192.168.140.1.43210 > 192.168.140.253.53: Flags [S], seq 1829535474, win 29200, options [mss 1460,sackOK,TS val 1144143621 ecr 0,nop,wscale 7], length 0
07:07:15.855758 IP 192.168.140.253.53 > 192.168.140.1.43210: Flags [S.], seq 2131716951, ack 1829535475, win 28960, options [mss 1460,sackOK,TS val 1144143621 ecr 1144143621,nop,wscale 7], length 0
07:07:15.855834 IP 192.168.140.1.35998 > 192.168.140.253.25: Flags [S], seq 2153696641, win 29200, options [mss 1460,sackOK,TS val 1144143621 ecr 0,nop,wscale 7], length 0

07:07:15.855859 IP 192.168.140.253.25 > 192.168.140.1.35998: Flags [S.], seq 626321212, ack 2153696642, win 28960, options [mss 1460,sackOK,TS val 1144143621 ecr 1144143621,nop,wscale 7], length 0
07:07:15.857242 IP 192.168.140.253.48994 > 76.10.176.225.4190: Flags [S], seq 1838901197, win 29200, options [mss 1460,sackOK,TS val 1144143621 ecr 0,nop,wscale 7], length 0
07:07:15.857653 IP 192.168.140.1.36120 > 192.168.140.253.80: Flags [S], seq 257899850, win 29200, options [mss 1460,sackOK,TS val 1144143621 ecr 0,nop,wscale 7], length 0
07:07:15.857874 IP 192.168.140.253.36120 > 76.10.176.225.80: Flags [F.], seq 257899851, ack 3771511862, win 229, options [nop,nop,TS val 1144143621 ecr 1144143621], length 0
07:07:15.858206 IP 192.168.140.253.35998 > 76.10.176.225.25: Flags [F.], seq 2153696642, ack 626321213, win 229, options [nop,nop,TS val 1144143622 ecr 1144143621], length 0
07:07:15.859446 IP 192.168.140.253.43210 > 76.10.176.225.53: Flags [F.], seq 1829535475, ack 2131716952, win 229, options [nop,nop,TS val 1144143622 ecr 1144143621], length 0
07:07:15.859575 IP 192.168.140.1.43210 > 192.168.140.253.53: Flags [F.], seq 1, ack 1, win 229, options [nop,nop,TS val 1144143622 ecr 1144143621], length 0
07:07:15.859855 IP 192.168.140.253.43210 > 76.10.176.225.53: Flags [.], ack 2, win 229, options [nop,nop,TS val 1144143622 ecr 1144143622], length 0
07:07:15.862070 IP 192.168.140.253.25 > 192.168.140.1.35998: Flags [.], ack 2, win 227, options [nop,nop,TS val 1144143623 ecr 1144143622], length 0
07:07:15.862171 IP 76.10.176.225.25 > 192.168.140.253.35998: Flags [.], ack 1, win 227, options [nop,nop,TS val 1144143623 ecr 1144143622], length 0
07:07:15.862619 IP 192.168.140.253.37286 > 76.10.176.225.443: Flags [S], seq 3530240289, win 29200, options [mss 1460,sackOK,TS val 1144143623 ecr 0,nop,wscale 7], length 0
07:07:15.862773 IP 192.168.140.1.37286 > 192.168.140.253.443: Flags [S], seq 3530240289, win 29200, options [mss 1460,sackOK,TS val 1144143623 ecr 0,nop,wscale 7], length 0
07:07:15.862822 IP 192.168.140.253.443 > 192.168.140.1.37286: Flags [S.], seq 1890689828, ack 3530240290, win 28960, options [mss 1460,sackOK,TS val 1144143623 ecr 1144143623,nop,wscale 7], length 0
07:07:15.862923 IP 76.10.176.225.443 > 192.168.140.253.37286: Flags [S.], seq 1890689828, ack 3530240290, win 28960, options [mss 1460,sackOK,TS val 1144143623 ecr 1144143623,nop,wscale 7], length 0
07:07:15.862950 IP 192.168.140.253.37286 > 76.10.176.225.443: Flags [.], ack 1, win 229, options [nop,nop,TS val 1144143623 ecr 1144143623], length 0
07:07:15.863047 IP 192.168.140.1.37286 > 192.168.140.253.443: Flags [.], ack 1, win 229, options [nop,nop,TS val 1144143623 ecr 1144143623], length 0
07:07:15.864184 IP 192.168.140.253.37286 > 76.10.176.225.443: Flags [F.], seq 1, ack 1, win 229, options [nop,nop,TS val 1144143623 ecr 1144143623], length 0
07:07:15.864262 IP 192.168.140.1.37286 > 192.168.140.253.443: Flags [F.], seq 1, ack 1, win 229, options [nop,nop,TS val 1144143623 ecr 1144143623], length 0
07:07:15.864316 IP 192.168.140.253.443 > 192.168.140.1.37286: Flags [F.], seq 1, ack 2, win 227, options [nop,nop,TS val 1144143623 ecr 1144143623], length 0
07:07:15.864415 IP 76.10.176.225.443 > 192.168.140.253.37286: Flags [F.], seq 1, ack 2, win 227, options [nop,nop,TS val 1144143623 ecr 1144143623], length 0
07:07:15.864436 IP 192.168.140.253.37286 > 76.10.176.225.443: Flags [.], ack 2, win 229, options [nop,nop,TS val 1144143623 ecr 1144143623], length 0
07:07:15.864530 IP 192.168.140.1.37286 > 192.168.140.253.443: Flags [.], ack 2, win 229, options [nop,nop,TS val 1144143623 ecr 1144143623], length 0
07:07:15.878892 IP 192.168.140.253.25 > 192.168.140.1.35998: Flags [P.], seq 1:98, ack 2, win 227, options [nop,nop,TS val 1144143627 ecr 1144143622], length 97: SMTP: 220 box.f2f10.com ESMTP Hi, I’m a Mail-in-a-Box (Ubuntu/Postfix; see https://mailinabox.email/)
07:07:15.879127 IP 76.10.176.225.25 > 192.168.140.253.35998: Flags [P.], seq 1:98, ack 1, win 227, options [nop,nop,TS val 1144143627 ecr 1144143622], length 97: SMTP: 220 box.f2f10.com ESMTP Hi, I’m a Mail-in-a-Box (Ubuntu/Postfix; see https://mailinabox.email/)
07:07:15.879159 IP 192.168.140.253.35998 > 76.10.176.225.25: Flags [R], seq 2153696643, win 0, length 0
07:07:15.879222 IP 192.168.140.253.25 > 192.168.140.1.35998: Flags [F.], seq 98, ack 2, win 227, options [nop,nop,TS val 1144143627 ecr 1144143622], length 0
07:07:15.879240 IP 192.168.140.1.35998 > 192.168.140.253.25: Flags [R], seq 2153696643, win 0, length 0
07:07:15.879302 IP 76.10.176.225.25 > 192.168.140.253.35998: Flags [F.], seq 98, ack 1, win 227, options [nop,nop,TS val 1144143627 ecr 1144143622], length 0
07:07:15.879321 IP 192.168.140.253.35998 > 76.10.176.225.25: Flags [R], seq 2153696643, win 0, length 0
07:07:15.879430 IP 192.168.140.1.35998 > 192.168.140.253.25: Flags [R], seq 2153696643, win 0, length 0
07:07:16.854160 IP 192.168.140.253.42748 > 76.10.176.225.22: Flags [S], seq 3530740831, win 29200, options [mss 1460,sackOK,TS val 1144143871 ecr 0,nop,wscale 7], length 0

07:07:17.557926 IP 192.168.140.253.53311 > 192.203.230.10.53: 20231% [1au] A? aspmx.l.google.com. (47)
07:07:17.557926 IP 192.168.140.253.27726 > 192.203.230.10.53: 40886% [1au] NS? . (28)
07:07:17.558017 IP 192.168.140.253.10260 > 192.203.230.10.53: 57585% [1au] AAAA? aspmx.l.google.com. (47)


#106

Here are the same captures at the DMZ and WAN on OPNsense and on MAIB… which doesn’t get NAT Reflection working, so there is no flow back like this: 192.168.140.1 (DMZ interface IP as reflection IP) –> 192.168.140.253


#107

This should get something like this (from OpenWRT) back, but it didn’t…
07:07:15.853624 IP 192.168.140.1.43210 > 192.168.140.253.53: Flags [S], seq 1829535474, win 29200

@trumpwall:~ # tcpdump -ni em0_vlan140 port 53 and host 192.168.140.253
07:39:13.173819 IP 192.168.140.253.43408 > 76.10.176.225.53: Flags [S], seq 333284484, win 29200, options [mss 1460,sackOK,TS val 1144622951 ecr 0,nop,wscale 7], length 0
07:39:14.173989 IP 192.168.140.253.43408 > 76.10.176.225.53: Flags [S], seq 333284484, win 29200, options [mss 1460,sackOK,TS val 1144623201 ecr 0,nop,wscale 7], length 0

07:39:14.202192 IP 192.168.140.253.50594 > 193.108.91.16.53: 55407% [1au] AAAA? ocsp.int-x3.letsencrypt.org. (56)
07:39:14.202235 IP 192.168.140.253.62307 > 193.108.91.16.53: 56438% [1au] A? ocsp.int-x3.letsencrypt.org. (56)
07:39:14.208366 IP 193.108.91.16.53 > 192.168.140.253.50594: 55407*- 1/0/1 CNAME ocsp.int-x3.letsencrypt.org.edgesuite.net. (111)
07:39:14.208499 IP 193.108.91.16.53 > 192.168.140.253.62307: 56438*- 1/0/1 CNAME ocsp.int-x3.letsencrypt.org.edgesuite.net. (111)
07:39:14.209260 IP 192.168.140.253.19694 > 206.248.168.151.53: 17199% [1au] AAAA? a771.dscq.akamai.net. (49)
07:39:14.209404 IP 192.168.140.253.37320 > 206.248.168.151.53: 36630% [1au] A? a771.dscq.akamai.net. (49)
07:39:14.215275 IP 206.248.168.151.53 > 192.168.140.253.19694: 17199*- 2/0/1 AAAA 2001:4958:300:480::b896:9d4a, AAAA 2001:4958:300:480::b896:9d4b (105)
07:39:14.215489 IP 206.248.168.151.53 > 192.168.140.253.37320: 36630*- 2/0/1 A 206.248.168.137, A 206.248.168.139 (81)
07:39:14.904317 IP 192.168.140.253.8373 > 192.5.5.241.53: 35912% [1au] AAAA? aspmx.l.google.com. (47)
07:39:14.904358 IP 192.168.140.253.13161 > 192.5.5.241.53: 62096% [1au] NS? . (28)
07:39:14.904373 IP 192.168.140.253.11197 > 192.5.5.241.53: 26943% [1au] A? aspmx.l.google.com. (47)


#108

@trumpwall:~ # tcpdump -ni pppoe0 port 53

07:39:13.173835 IP 76.10.176.225.56965 > 192.168.140.253.53: Flags [S], seq 333284484, win 29200, options [mss 1460,sackOK,TS val 1144622951 ecr 0,nop,wscale 7], length 0
07:39:14.173994 IP 76.10.176.225.56965 > 192.168.140.253.53: Flags [S], seq 333284484, win 29200, options [mss 1460,sackOK,TS val 1144623201 ecr 0,nop,wscale 7], length 0

07:39:14.202221 IP 76.10.176.225.57189 > 193.108.91.16.53: 55407% [1au] AAAA? ocsp.int-x3.letsencrypt.org. (56)
07:39:14.202249 IP 76.10.176.225.19919 > 193.108.91.16.53: 56438% [1au] A? ocsp.int-x3.letsencrypt.org. (56)
07:39:14.208349 IP 193.108.91.16.53 > 76.10.176.225.57189: 55407*- 1/0/1 CNAME ocsp.int-x3.letsencrypt.org.edgesuite.net. (111)
07:39:14.208484 IP 193.108.91.16.53 > 76.10.176.225.19919: 56438*- 1/0/1 CNAME ocsp.int-x3.letsencrypt.org.edgesuite.net. (111)
07:39:14.209284 IP 76.10.176.225.55974 > 206.248.168.151.53: 17199% [1au] AAAA? a771.dscq.akamai.net. (49)
07:39:14.209419 IP 76.10.176.225.52244 > 206.248.168.151.53: 36630% [1au] A? a771.dscq.akamai.net. (49)
07:39:14.215243 IP 206.248.168.151.53 > 76.10.176.225.55974: 17199*- 2/0/1 AAAA 2001:4958:300:480::b896:9d4a, AAAA 2001:4958:300:480::b896:9d4b (105)
07:39:14.215486 IP 206.248.168.151.53 > 76.10.176.225.52244: 36630*- 2/0/1 A 206.248.168.137, A 206.248.168.139 (81)
07:39:14.904345 IP 76.10.176.225.15523 > 192.5.5.241.53: 35912% [1au] AAAA? aspmx.l.google.com. (47)
07:39:14.904369 IP 76.10.176.225.12810 > 192.5.5.241.53: 62096% [1au] NS? . (28)
07:39:14.904386 IP 76.10.176.225.38776 > 192.5.5.241.53: 26943% [1au] A? aspmx.l.google.com. (47)


#109

This should get something like this (as on OpenWRT) back; however, it doesn’t.
07:07:15.855724 IP 192.168.140.1.43210 > 192.168.140.253.53: Flags [S], seq 1829535474, win 29200,

@box:~# tcpdump -ni eth0 not host 192.168.110.153

07:39:13.173939 IP 192.168.140.253.42940 > 76.10.176.225.22: Flags [S], seq 1442085650, win 29200, options [mss 1460,sackOK,TS val 1144622950 ecr 0,nop,wscale 7], length 0
07:39:13.174087 IP 192.168.140.253.43408 > 76.10.176.225.53: Flags [S], seq 333284484, win 29200, options [mss 1460,sackOK,TS val 1144622951 ecr 0,nop,wscale 7], length 0
07:39:13.174898 IP 192.168.140.253.36200 > 76.10.176.225.25: Flags [S], seq 1430162419, win 29200, options [mss 1460,sackOK,TS val 1144622951 ecr 0,nop,wscale 7], length 0
07:39:13.175082 IP 192.168.140.253.34332 > 76.10.176.225.993: Flags [S], seq 117790337, win 29200, options [mss 1460,sackOK,TS val 1144622951 ecr 0,nop,wscale 7], length 0
07:39:13.175340 IP 192.168.140.253.49190 > 76.10.176.225.4190: Flags [S], seq 3326247109, win 29200, options [mss 1460,sackOK,TS val 1144622951 ecr 0,nop,wscale 7], length 0
07:39:13.175397 IP 192.168.140.253.49452 > 76.10.176.225.587: Flags [S], seq 3641682949, win 29200, options [mss 1460,sackOK,TS val 1144622951 ecr 0,nop,wscale 7], length 0
07:39:13.175929 IP 192.168.140.253.36314 > 76.10.176.225.80: Flags [S], seq 2546834857, win 29200, options [mss 1460,sackOK,TS val 1144622951 ecr 0,nop,wscale 7], length 0
07:39:13.176225 IP 192.168.140.253.37478 > 76.10.176.225.443: Flags [S], seq 3315619753, win 29200, options [mss 1460,sackOK,TS val 1144622951 ecr 0,nop,wscale 7], length 0
07:39:14.170150 IP 192.168.140.253.42940 > 76.10.176.225.22: Flags [S], seq 1442085650, win 29200, options [mss 1460,sackOK,TS val 1144623200 ecr 0,nop,wscale 7], length 0
07:39:14.174087 IP 192.168.140.253.37478 > 76.10.176.225.443: Flags [S], seq 3315619753, win 29200, options [mss 1460,sackOK,TS val 1144623201 ecr 0,nop,wscale 7], length 0
07:39:14.174087 IP 192.168.140.253.36200 > 76.10.176.225.25: Flags [S], seq 1430162419, win 29200, options [mss 1460,sackOK,TS val 1144623201 ecr 0,nop,wscale 7], length 0
07:39:14.174117 IP 192.168.140.253.49452 > 76.10.176.225.587: Flags [S], seq 3641682949, win 29200, options [mss 1460,sackOK,TS val 1144623201 ecr 0,nop,wscale 7], length 0
07:39:14.174117 IP 192.168.140.253.49190 > 76.10.176.225.4190: Flags [S], seq 3326247109, win 29200, options [mss 1460,sackOK,TS val 1144623201 ecr 0,nop,wscale 7], length 0
07:39:14.174118 IP 192.168.140.253.36314 > 76.10.176.225.80: Flags [S], seq 2546834857, win 29200, options [mss 1460,sackOK,TS val 1144623201 ecr 0,nop,wscale 7], length 0
07:39:14.174132 IP 192.168.140.253.34332 > 76.10.176.225.993: Flags [S], seq 117790337, win 29200, options [mss 1460,sackOK,TS val 1144623201 ecr 0,nop,wscale 7], length 0
07:39:14.174132 IP 192.168.140.253.43408 > 76.10.176.225.53: Flags [S], seq 333284484, win 29200, options [mss 1460,sackOK,TS val 1144623201 ecr 0,nop,wscale 7], length 0

07:39:14.202352 IP 192.168.140.253.50594 > 193.108.91.16.53: 55407% [1au] AAAA? ocsp.int-x3.letsencrypt.org. (56)
07:39:14.202492 IP 192.168.140.253.62307 > 193.108.91.16.53: 56438% [1au] A? ocsp.int-x3.letsencrypt.org. (56)
07:39:14.208951 IP 193.108.91.16.53 > 192.168.140.253.50594: 55407*- 1/0/1 CNAME ocsp.int-x3.letsencrypt.org.edgesuite.net. (111)
07:39:14.208953 IP 193.108.91.16.53 > 192.168.140.253.62307: 56438*- 1/0/1 CNAME ocsp.int-x3.letsencrypt.org.edgesuite.net. (111)
07:39:14.209531 IP 192.168.140.253.19694 > 206.248.168.151.53: 17199% [1au] AAAA? a771.dscq.akamai.net. (49)
07:39:14.209625 IP 192.168.140.253.37320 > 206.248.168.151.53: 36630% [1au] A? a771.dscq.akamai.net. (49)
07:39:14.215854 IP 206.248.168.151.53 > 192.168.140.253.19694: 17199*- 2/0/1 AAAA 2001:4958:300:480::b896:9d4a, AAAA 2001:4958:300:480::b896:9d4b (105)
07:39:14.215856 IP 206.248.168.151.53 > 192.168.140.253.37320: 36630*- 2/0/1 A 206.248.168.137, A 206.248.168.139 (81)
07:39:14.904479 IP 192.168.140.253.13161 > 192.5.5.241.53: 62096% [1au] NS? . (28)
07:39:14.904483 IP 192.168.140.253.8373 > 192.5.5.241.53: 35912% [1au] AAAA? aspmx.l.google.com. (47)
07:39:14.904568 IP 192.168.140.253.11197 > 192.5.5.241.53: 26943% [1au] A? aspmx.l.google.com. (47)


#110

Does this rule set from FreeBSD (MAIB) mean Reflection NAT is on or not? Should 192.168.140.253 here be 76.10.176.225 to catch the packet???

@trumpwall:~ # pfctl -sn

nat on pppoe0 inet from 192.168.140.0/24 to any -> 76.10.176.225 port 1024:65535
nat on pppoe0 inet from to any -> 76.10.176.225 port 1024:65535

no nat on em0_vlan140 inet proto tcp from 192.168.140.1 to 192.168.140.253 port = http
nat on em0_vlan140 inet proto tcp from 192.168.140.0/24 to 192.168.140.253 port = http -> 192.168.140.1 port 1024:65535

no nat on em0_vlan140 inet proto tcp from 192.168.140.1 to 192.168.140.253 port = smtp
nat on em0_vlan140 inet proto tcp from 192.168.140.0/24 to 192.168.140.253 port = smtp -> 192.168.140.1 port 1024:65535

no nat on em0_vlan140 inet proto tcp from 192.168.140.1 to 192.168.140.253 port = https
nat on em0_vlan140 inet proto tcp from 192.168.140.0/24 to 192.168.140.253 port = https -> 192.168.140.1 port 1024:65535

no nat on em0_vlan140 inet proto tcp from 192.168.140.1 to 192.168.140.253 port = domain
no nat on em0_vlan140 inet proto udp from 192.168.140.1 to 192.168.140.253 port = domain
nat on em0_vlan140 inet proto tcp from 192.168.140.0/24 to 192.168.140.253 port = domain -> 192.168.140.1 port 1024:65535
nat on em0_vlan140 inet proto udp from 192.168.140.0/24 to 192.168.140.253 port = domain -> 192.168.140.1 port 1024:65535

no nat on em0_vlan140 inet proto tcp from 192.168.140.1 to 192.168.140.253 port = imaps
nat on em0_vlan140 inet proto tcp from 192.168.140.0/24 to 192.168.140.253 port = imaps -> 192.168.140.1 port 1024:65535

no nat on em0_vlan140 inet proto tcp from 192.168.140.1 to 192.168.140.253 port = submission
nat on em0_vlan140 inet proto tcp from 192.168.140.0/24 to 192.168.140.253 port = submission -> 192.168.140.1 port 1024:65535

rdr on pppoe0 inet proto tcp from any to (pppoe0) port = http -> 192.168.140.253
rdr on em0_vlan140 inet proto tcp from any to (pppoe0) port = http -> 192.168.140.253

rdr on pppoe0 inet proto tcp from any to (pppoe0) port = smtp -> 192.168.140.253
rdr on em0_vlan140 inet proto tcp from any to (pppoe0) port = smtp -> 192.168.140.253

rdr on pppoe0 inet proto tcp from any to (pppoe0) port = https -> 192.168.140.253
rdr on em0_vlan140 inet proto tcp from any to (pppoe0) port = https -> 192.168.140.253

rdr on pppoe0 inet proto tcp from any to (pppoe0) port = domain -> 192.168.140.253
rdr on pppoe0 inet proto udp from any to (pppoe0) port = domain -> 192.168.140.253
rdr on em0_vlan140 inet proto tcp from any to (pppoe0) port = domain -> 192.168.140.253
rdr on em0_vlan140 inet proto udp from any to (pppoe0) port = domain -> 192.168.140.253

rdr on pppoe0 inet proto tcp from any to (pppoe0) port = imaps -> 192.168.140.253
rdr on em0_vlan140 inet proto tcp from any to (pppoe0) port = imaps -> 192.168.140.253

rdr on pppoe0 inet proto tcp from any to (pppoe0) port = submission -> 192.168.140.253
rdr on em0_vlan140 inet proto tcp from any to (pppoe0) port = submission -> 192.168.140.253


#111

So, OPNsense clearly didn’t get the same results as OpenWRT did, such as this… the second portion, changing the source IP and destination IP and putting the packet back, is missing… Is it a configuration issue or a bug?

@TorWrt:# tcpdump -ni eth0.140 port 53 and host 192.168.140.253
07:07:15.853367 IP 192.168.140.253.43210 > 76.10.176.225.53: Flags [S], seq 1829535474, win 29200, options [mss 1460,sackOK,TS val 1144143621 ecr 0,nop,wscale 7], length 0
07:07:15.853624 IP 192.168.140.1.43210 > 192.168.140.253.53: Flags [S],seq 1829535474 win 29200, options [mss 1460,sackOK,TS val 1144143621 ecr 0,nop,wscale 7], length 0
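A small checker for exactly the difference shown in these captures, added here as an example (it is not code from this thread, nor from Mail-in-a-Box, OpenWRT or OPNsense). It reads `tcpdump -n` lines and, for every SYN the box sends to its own public address, pairs it by TCP sequence number with any rewritten copy: a copy whose source is the router's DMZ IP and whose destination is the box means both rewrites (DNAT/rdr plus SNAT/nat) happened; a copy carrying the public IP as source means only outbound NAT was applied, which is what the OPNsense pppoe0 capture shows; no copy at all means nothing was rewritten. The IP roles are parameters; the sample lines are trimmed (TCP options dropped) from the OpenWRT and OPNsense captures posted in this thread.

```python
"""Check a tcpdump -n capture for working NAT reflection (hairpin NAT).

Reflection needs two rewrites of a SYN the internal host sends to the public
IP: destination -> internal server (DNAT / rdr) and source -> router LAN IP
(SNAT / nat).  The TCP sequence number survives both rewrites, so the original
SYN and its rewritten copy can be paired by seq.
"""
import re
from collections import defaultdict

# Start of a tcpdump -n TCP line.  Only SYN and SYN/ACK lines are needed (their
# seq/ack are absolute); the ",seq N win" spacing variant from pasted captures
# is tolerated.
TCP_LINE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\],?\s*seq (?P<seq>\d+)(?:, ack (?P<ack>\d+))?"
)


def parse_handshake_packets(lines):
    """Yield SYN and SYN/ACK packets as dicts; every other line is ignored."""
    for line in lines:
        m = TCP_LINE.match(line.strip())
        if m and m["flags"] in ("S", "S."):
            yield {
                "src": m["src"], "sport": int(m["sport"]),
                "dst": m["dst"], "dport": int(m["dport"]),
                "flags": m["flags"], "seq": int(m["seq"]),
                "ack": int(m["ack"]) if m["ack"] else None,
            }


def classify_reflection(lines, public_ip, server_ip, router_ip):
    """Return {destination port: status} for each SYN server_ip sent to public_ip.

    reflected+answered : DNAT+SNAT copy seen and the server replied SYN/ACK to it
    reflected          : DNAT+SNAT copy seen, no SYN/ACK in this capture
    nat-out-wan        : copy has the public IP as source, i.e. outbound NAT was
                         applied instead of reflection (OPNsense pppoe0 trace)
    untranslated       : only the original SYN (and its retransmits) was seen
    """
    syns = defaultdict(list)
    synacks = set()  # (server src, server port, seq being acknowledged)
    for p in parse_handshake_packets(lines):
        if p["flags"] == "S":
            syns[p["seq"]].append(p)
        elif p["ack"] is not None:
            synacks.add((p["src"], p["sport"], p["ack"] - 1))

    def is_original(p):
        return p["src"] == server_ip and p["dst"] == public_ip

    result = {}
    for seq, pkts in syns.items():
        originals = [p for p in pkts if is_original(p)]
        if not originals:
            continue
        port = originals[0]["dport"]
        copies = [p for p in pkts if not is_original(p)]
        if any(p["src"] == router_ip and p["dst"] == server_ip and p["dport"] == port
               for p in copies):
            answered = (server_ip, port, seq) in synacks
            result[port] = "reflected+answered" if answered else "reflected"
        elif any(p["src"] == public_ip and p["dst"] == server_ip for p in copies):
            result[port] = "nat-out-wan"
        else:
            result[port] = "untranslated"
    return result


# Sample input trimmed from the captures in this thread (TCP options dropped).
OPENWRT_CAPTURE = """
07:07:15.855389 IP 192.168.140.253.43210 > 76.10.176.225.53: Flags [S], seq 1829535474, win 29200, length 0
07:07:15.855439 IP 192.168.140.253.35998 > 76.10.176.225.25: Flags [S], seq 2153696641, win 29200, length 0
07:07:15.855654 IP 192.168.140.253.42748 > 76.10.176.225.22: Flags [S], seq 3530740831, win 29200, length 0
07:07:15.855724 IP 192.168.140.1.43210 > 192.168.140.253.53: Flags [S],seq 1829535474 win 29200, length 0
07:07:15.855758 IP 192.168.140.253.53 > 192.168.140.1.43210: Flags [S.], seq 2131716951, ack 1829535475, win 28960, length 0
07:07:15.855834 IP 192.168.140.1.35998 > 192.168.140.253.25: Flags [S], seq 2153696641, win 29200, length 0
07:07:16.854160 IP 192.168.140.253.42748 > 76.10.176.225.22: Flags [S], seq 3530740831, win 29200, length 0
""".strip().splitlines()

OPNSENSE_CAPTURE = """
07:39:13.174087 IP 192.168.140.253.43408 > 76.10.176.225.53: Flags [S], seq 333284484, win 29200, length 0
07:39:13.174898 IP 192.168.140.253.36200 > 76.10.176.225.25: Flags [S], seq 1430162419, win 29200, length 0
07:39:13.173835 IP 76.10.176.225.56965 > 192.168.140.253.53: Flags [S], seq 333284484, win 29200, length 0
07:39:14.173989 IP 192.168.140.253.43408 > 76.10.176.225.53: Flags [S], seq 333284484, win 29200, length 0
""".strip().splitlines()

if __name__ == "__main__":
    for name, cap in (("OpenWRT", OPENWRT_CAPTURE), ("OPNsense", OPNSENSE_CAPTURE)):
        print(name, classify_reflection(cap, "76.10.176.225",
                                        "192.168.140.253", "192.168.140.1"))
```

Feed it the DMZ-side and WAN-side captures concatenated (`tcpdump -ni <if> ... | python3 check.py` style, or paste the lines) so a copy that left on the wrong interface still gets paired with its original. Port 22 comes out `untranslated` on OpenWRT too, which matches the status page: there is no port-forward (and hence no reflection rule) for SSH.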


#112

These two are critical in doing reflection NAT…
@TorWrt# iptables-save | grep NAT
-A zone_dmz_prerouting -s 192.168.140.0/24 -d 76.10.176.225/32 -p tcp -m tcp --dport 53 -m comment --comment "dns (reflection)" -j DNAT --to-destination 192.168.140.253:53
-A zone_dmz_prerouting -s 192.168.140.0/24 -d 76.10.176.225/32 -p udp -m udp --dport 53 -m comment --comment "dns (reflection)" -j DNAT --to-destination 192.168.140.253:53

-A zone_dmz_postrouting -s 192.168.140.0/24 -d 192.168.140.253/32 -p tcp -m tcp --dport 53 -m comment --comment "dns (reflection)" -j SNAT --to-source 192.168.140.1
-A zone_dmz_postrouting -s 192.168.140.0/24 -d 192.168.140.253/32 -p udp -m udp --dport 53 -m comment --comment "dns (reflection)" -j SNAT --to-source 192.168.140.1


#113

On OPNsense, are we missing this, which OpenWRT has???

-A zone_dmz_prerouting -s 192.168.140.0/24 -d 76.10.176.225/32 -p udp -m udp --dport 53 -m comment --comment "dns (reflection)" -j DNAT --to-destination 192.168.140.253:53

@trumpwall:~ # pfctl -sn
no nat on em0_vlan140 inet proto tcp from 192.168.140.1 to 192.168.140.253 port = domain
no nat on em0_vlan140 inet proto udp from 192.168.140.1 to 192.168.140.253 port = domain
nat on em0_vlan140 inet proto tcp from 192.168.140.0/24 to 192.168.140.253 port = domain -> 192.168.140.1 port 1024:65535
nat on em0_vlan140 inet proto udp from 192.168.140.0/24 to 192.168.140.253 port = domain -> 192.168.140.1 port 1024:65535

It looks like OPNsense has this pre-routing as well…!!! Then, this didn’t catch or function???

rdr on pppoe0 inet proto tcp from any to (pppoe0) port = domain -> 192.168.140.253
rdr on pppoe0 inet proto udp from any to (pppoe0) port = domain -> 192.168.140.253
rdr on em0_vlan140 inet proto tcp from any to (pppoe0) port = domain -> 192.168.140.253
rdr on em0_vlan140 inet proto udp from any to (pppoe0) port = domain -> 192.168.140.253