Letsencrypt expired, and dns errors

In FreeBSD (MAIB), how do I check the above info???

@cwilkins

I was wondering whether you have the above info? Can you kindly share where exactly you have enabled all the NAT Reflection settings in pfSense? I have since enabled all three NAT Reflection options on opnSense under the Firewall advanced settings…

With OpenWRT, I can see clearly, as you mentioned, that NAT Reflection plays a role in making it work… here are tcpdump snippets from the OpenWRT DMZ and WAN interfaces and from the MAIB interface…

@TorWrt:# tcpdump -ni eth0.140 port 53 and host 192.168.140.253

07:07:15.853367 IP 192.168.140.253.43210 > 76.10.176.225.53: Flags [S], seq 1829535474, win 29200, options [mss 1460,sackOK,TS val 1144143621 ecr 0,nop,wscale 7], length 0
07:07:15.853624 IP 192.168.140.1.43210 > 192.168.140.253.53: Flags [S], seq 1829535474, win 29200, options [mss 1460,sackOK,TS val 1144143621 ecr 0,nop,wscale 7], length 0

07:07:15.853826 IP 192.168.140.253.53 > 192.168.140.1.43210: Flags [S.], seq 2131716951, ack 1829535475, win 28960, options [mss 1460,sackOK,TS val 1144143621 ecr 1144143621,nop,wscale 7], length 0
07:07:15.853881 IP 76.10.176.225.53 > 192.168.140.253.43210: Flags [S.], seq 2131716951, ack 1829535475, win 28960, options [mss 1460,sackOK,TS val 1144143621 ecr 1144143621,nop,wscale 7], length 0
07:07:15.853952 IP 192.168.140.253.43210 > 76.10.176.225.53: Flags [.], ack 1, win 229, options [nop,nop,TS val 1144143621 ecr 1144143621], length 0
07:07:15.854002 IP 192.168.140.1.43210 > 192.168.140.253.53: Flags [.], ack 1, win 229, options [nop,nop,TS val 1144143621 ecr 1144143621], length 0

07:07:15.857449 IP 192.168.140.253.43210 > 76.10.176.225.53: Flags [F.], seq 1, ack 1, win 229, options [nop,nop,TS val 1144143622 ecr 1144143621], length 0
07:07:15.857487 IP 192.168.140.1.43210 > 192.168.140.253.53: Flags [F.], seq 1, ack 1, win 229, options [nop,nop,TS val 1144143622 ecr 1144143621], length 0

07:07:15.857690 IP 192.168.140.253.53 > 192.168.140.1.43210: Flags [F.], seq 1, ack 2, win 227, options [nop,nop,TS val 1144143622 ecr 1144143622], length 0
07:07:15.857742 IP 76.10.176.225.53 > 192.168.140.253.43210: Flags [F.], seq 1, ack 2, win 227, options [nop,nop,TS val 1144143622 ecr 1144143622], length 0

07:07:15.857824 IP 192.168.140.253.43210 > 76.10.176.225.53: Flags [.], ack 2, win 229, options [nop,nop,TS val 1144143622 ecr 1144143622], length 0
07:07:15.857874 IP 192.168.140.1.43210 > 192.168.140.253.53: Flags [.], ack 2, win 229, options [nop,nop,TS val 1144143622 ecr 1144143622], length 0

07:07:17.555888 IP 192.168.140.253.27726 > 192.203.230.10.53: 40886% [1au] NS? . (28)
07:07:17.556064 IP 192.168.140.253.53311 > 192.203.230.10.53: 20231% [1au] A? aspmx.l.google.com. (47)
07:07:17.556170 IP 192.168.140.253.10260 > 192.203.230.10.53: 57585% [1au] AAAA? aspmx.l.google.com. (47)

@TorWrt:# tcpdump -ni pppoe-wan port 53

07:07:17.556020 IP 76.10.176.225.27726 > 192.203.230.10.53: 40886% [1au] NS? . (28)
07:07:17.556147 IP 76.10.176.225.53311 > 192.203.230.10.53: 20231% [1au] A? aspmx.l.google.com. (47)
07:07:17.556244 IP 76.10.176.225.10260 > 192.203.230.10.53: 57585% [1au] AAAA? aspmx.l.google.com. (47)

@box:~# tcpdump -ni eth0 not host 192.168.110.153

07:07:15.855389 IP 192.168.140.253.43210 > 76.10.176.225.53: Flags [S], seq 1829535474, win 29200, options [mss 1460,sackOK,TS val 1144143621 ecr 0,nop,wscale 7], length 0
07:07:15.855439 IP 192.168.140.253.35998 > 76.10.176.225.25: Flags [S], seq 2153696641, win 29200, options [mss 1460,sackOK,TS val 1144143621 ecr 0,nop,wscale 7], length 0
07:07:15.855654 IP 192.168.140.253.42748 > 76.10.176.225.22: Flags [S], seq 3530740831, win 29200, options [mss 1460,sackOK,TS val 1144143621 ecr 0,nop,wscale 7], length 0

07:07:15.855724 IP 192.168.140.1.43210 > 192.168.140.253.53: Flags [S], seq 1829535474, win 29200, options [mss 1460,sackOK,TS val 1144143621 ecr 0,nop,wscale 7], length 0
07:07:15.855758 IP 192.168.140.253.53 > 192.168.140.1.43210: Flags [S.], seq 2131716951, ack 1829535475, win 28960, options [mss 1460,sackOK,TS val 1144143621 ecr 1144143621,nop,wscale 7], length 0
07:07:15.855834 IP 192.168.140.1.35998 > 192.168.140.253.25: Flags [S], seq 2153696641, win 29200, options [mss 1460,sackOK,TS val 1144143621 ecr 0,nop,wscale 7], length 0

07:07:15.855859 IP 192.168.140.253.25 > 192.168.140.1.35998: Flags [S.], seq 626321212, ack 2153696642, win 28960, options [mss 1460,sackOK,TS val 1144143621 ecr 1144143621,nop,wscale 7], length 0
07:07:15.857242 IP 192.168.140.253.48994 > 76.10.176.225.4190: Flags [S], seq 1838901197, win 29200, options [mss 1460,sackOK,TS val 1144143621 ecr 0,nop,wscale 7], length 0
07:07:15.857653 IP 192.168.140.1.36120 > 192.168.140.253.80: Flags [S], seq 257899850, win 29200, options [mss 1460,sackOK,TS val 1144143621 ecr 0,nop,wscale 7], length 0
07:07:15.857874 IP 192.168.140.253.36120 > 76.10.176.225.80: Flags [F.], seq 257899851, ack 3771511862, win 229, options [nop,nop,TS val 1144143621 ecr 1144143621], length 0
07:07:15.858206 IP 192.168.140.253.35998 > 76.10.176.225.25: Flags [F.], seq 2153696642, ack 626321213, win 229, options [nop,nop,TS val 1144143622 ecr 1144143621], length 0
07:07:15.859446 IP 192.168.140.253.43210 > 76.10.176.225.53: Flags [F.], seq 1829535475, ack 2131716952, win 229, options [nop,nop,TS val 1144143622 ecr 1144143621], length 0
07:07:15.859575 IP 192.168.140.1.43210 > 192.168.140.253.53: Flags [F.], seq 1, ack 1, win 229, options [nop,nop,TS val 1144143622 ecr 1144143621], length 0
07:07:15.859855 IP 192.168.140.253.43210 > 76.10.176.225.53: Flags [.], ack 2, win 229, options [nop,nop,TS val 1144143622 ecr 1144143622], length 0
07:07:15.862070 IP 192.168.140.253.25 > 192.168.140.1.35998: Flags [.], ack 2, win 227, options [nop,nop,TS val 1144143623 ecr 1144143622], length 0
07:07:15.862171 IP 76.10.176.225.25 > 192.168.140.253.35998: Flags [.], ack 1, win 227, options [nop,nop,TS val 1144143623 ecr 1144143622], length 0
07:07:15.862619 IP 192.168.140.253.37286 > 76.10.176.225.443: Flags [S], seq 3530240289, win 29200, options [mss 1460,sackOK,TS val 1144143623 ecr 0,nop,wscale 7], length 0
07:07:15.862773 IP 192.168.140.1.37286 > 192.168.140.253.443: Flags [S], seq 3530240289, win 29200, options [mss 1460,sackOK,TS val 1144143623 ecr 0,nop,wscale 7], length 0
07:07:15.862822 IP 192.168.140.253.443 > 192.168.140.1.37286: Flags [S.], seq 1890689828, ack 3530240290, win 28960, options [mss 1460,sackOK,TS val 1144143623 ecr 1144143623,nop,wscale 7], length 0
07:07:15.862923 IP 76.10.176.225.443 > 192.168.140.253.37286: Flags [S.], seq 1890689828, ack 3530240290, win 28960, options [mss 1460,sackOK,TS val 1144143623 ecr 1144143623,nop,wscale 7], length 0
07:07:15.862950 IP 192.168.140.253.37286 > 76.10.176.225.443: Flags [.], ack 1, win 229, options [nop,nop,TS val 1144143623 ecr 1144143623], length 0
07:07:15.863047 IP 192.168.140.1.37286 > 192.168.140.253.443: Flags [.], ack 1, win 229, options [nop,nop,TS val 1144143623 ecr 1144143623], length 0
07:07:15.864184 IP 192.168.140.253.37286 > 76.10.176.225.443: Flags [F.], seq 1, ack 1, win 229, options [nop,nop,TS val 1144143623 ecr 1144143623], length 0
07:07:15.864262 IP 192.168.140.1.37286 > 192.168.140.253.443: Flags [F.], seq 1, ack 1, win 229, options [nop,nop,TS val 1144143623 ecr 1144143623], length 0
07:07:15.864316 IP 192.168.140.253.443 > 192.168.140.1.37286: Flags [F.], seq 1, ack 2, win 227, options [nop,nop,TS val 1144143623 ecr 1144143623], length 0
07:07:15.864415 IP 76.10.176.225.443 > 192.168.140.253.37286: Flags [F.], seq 1, ack 2, win 227, options [nop,nop,TS val 1144143623 ecr 1144143623], length 0
07:07:15.864436 IP 192.168.140.253.37286 > 76.10.176.225.443: Flags [.], ack 2, win 229, options [nop,nop,TS val 1144143623 ecr 1144143623], length 0
07:07:15.864530 IP 192.168.140.1.37286 > 192.168.140.253.443: Flags [.], ack 2, win 229, options [nop,nop,TS val 1144143623 ecr 1144143623], length 0
07:07:15.878892 IP 192.168.140.253.25 > 192.168.140.1.35998: Flags [P.], seq 1:98, ack 2, win 227, options [nop,nop,TS val 1144143627 ecr 1144143622], length 97: SMTP: 220 box.f2f10.com ESMTP Hi, I’m a Mail-in-a-Box (Ubuntu/Postfix; see https://mailinabox.email/)
07:07:15.879127 IP 76.10.176.225.25 > 192.168.140.253.35998: Flags [P.], seq 1:98, ack 1, win 227, options [nop,nop,TS val 1144143627 ecr 1144143622], length 97: SMTP: 220 box.f2f10.com ESMTP Hi, I’m a Mail-in-a-Box (Ubuntu/Postfix; see https://mailinabox.email/)
07:07:15.879159 IP 192.168.140.253.35998 > 76.10.176.225.25: Flags [R], seq 2153696643, win 0, length 0
07:07:15.879222 IP 192.168.140.253.25 > 192.168.140.1.35998: Flags [F.], seq 98, ack 2, win 227, options [nop,nop,TS val 1144143627 ecr 1144143622], length 0
07:07:15.879240 IP 192.168.140.1.35998 > 192.168.140.253.25: Flags [R], seq 2153696643, win 0, length 0
07:07:15.879302 IP 76.10.176.225.25 > 192.168.140.253.35998: Flags [F.], seq 98, ack 1, win 227, options [nop,nop,TS val 1144143627 ecr 1144143622], length 0
07:07:15.879321 IP 192.168.140.253.35998 > 76.10.176.225.25: Flags [R], seq 2153696643, win 0, length 0
07:07:15.879430 IP 192.168.140.1.35998 > 192.168.140.253.25: Flags [R], seq 2153696643, win 0, length 0
07:07:16.854160 IP 192.168.140.253.42748 > 76.10.176.225.22: Flags [S], seq 3530740831, win 29200, options [mss 1460,sackOK,TS val 1144143871 ecr 0,nop,wscale 7], length 0

07:07:17.557926 IP 192.168.140.253.53311 > 192.203.230.10.53: 20231% [1au] A? aspmx.l.google.com. (47)
07:07:17.557926 IP 192.168.140.253.27726 > 192.203.230.10.53: 40886% [1au] NS? . (28)
07:07:17.558017 IP 192.168.140.253.10260 > 192.203.230.10.53: 57585% [1au] AAAA? aspmx.l.google.com. (47)

Here are the same captures at DMZ and WAN on opnSense and MAIB… which doesn’t get NAT Reflection working in order to get a flow back like this: 192.168.140.1 (DMZ interface IP as reflection IP) –> 192.168.140.253

This should get something like this (from OpenWRT) back, but it didn’t…
07:07:15.853624 IP 192.168.140.1.43210 > 192.168.140.253.53: Flags [S], seq 1829535474, win 29200

@trumpwall:~ # tcpdump -ni em0_vlan140 port 53 and host 192.168.140.253
07:39:13.173819 IP 192.168.140.253.43408 > 76.10.176.225.53: Flags [S], seq 333284484, win 29200, options [mss 1460,sackOK,TS val 1144622951 ecr 0,nop,wscale 7], length 0
07:39:14.173989 IP 192.168.140.253.43408 > 76.10.176.225.53: Flags [S], seq 333284484, win 29200, options [mss 1460,sackOK,TS val 1144623201 ecr 0,nop,wscale 7], length 0

07:39:14.202192 IP 192.168.140.253.50594 > 193.108.91.16.53: 55407% [1au] AAAA? ocsp.int-x3.letsencrypt.org. (56)
07:39:14.202235 IP 192.168.140.253.62307 > 193.108.91.16.53: 56438% [1au] A? ocsp.int-x3.letsencrypt.org. (56)
07:39:14.208366 IP 193.108.91.16.53 > 192.168.140.253.50594: 55407*- 1/0/1 CNAME ocsp.int-x3.letsencrypt.org.edgesuite.net. (111)
07:39:14.208499 IP 193.108.91.16.53 > 192.168.140.253.62307: 56438*- 1/0/1 CNAME ocsp.int-x3.letsencrypt.org.edgesuite.net. (111)
07:39:14.209260 IP 192.168.140.253.19694 > 206.248.168.151.53: 17199% [1au] AAAA? a771.dscq.akamai.net. (49)
07:39:14.209404 IP 192.168.140.253.37320 > 206.248.168.151.53: 36630% [1au] A? a771.dscq.akamai.net. (49)
07:39:14.215275 IP 206.248.168.151.53 > 192.168.140.253.19694: 17199*- 2/0/1 AAAA 2001:4958:300:480::b896:9d4a, AAAA 2001:4958:300:480::b896:9d4b (105)
07:39:14.215489 IP 206.248.168.151.53 > 192.168.140.253.37320: 36630*- 2/0/1 A 206.248.168.137, A 206.248.168.139 (81)
07:39:14.904317 IP 192.168.140.253.8373 > 192.5.5.241.53: 35912% [1au] AAAA? aspmx.l.google.com. (47)
07:39:14.904358 IP 192.168.140.253.13161 > 192.5.5.241.53: 62096% [1au] NS? . (28)
07:39:14.904373 IP 192.168.140.253.11197 > 192.5.5.241.53: 26943% [1au] A? aspmx.l.google.com. (47)

@trumpwall:~ # tcpdump -ni pppoe0 port 53

07:39:13.173835 IP 76.10.176.225.56965 > 192.168.140.253.53: Flags [S], seq 333284484, win 29200, options [mss 1460,sackOK,TS val 1144622951 ecr 0,nop,wscale 7], length 0
07:39:14.173994 IP 76.10.176.225.56965 > 192.168.140.253.53: Flags [S], seq 333284484, win 29200, options [mss 1460,sackOK,TS val 1144623201 ecr 0,nop,wscale 7], length 0

07:39:14.202221 IP 76.10.176.225.57189 > 193.108.91.16.53: 55407% [1au] AAAA? ocsp.int-x3.letsencrypt.org. (56)
07:39:14.202249 IP 76.10.176.225.19919 > 193.108.91.16.53: 56438% [1au] A? ocsp.int-x3.letsencrypt.org. (56)
07:39:14.208349 IP 193.108.91.16.53 > 76.10.176.225.57189: 55407*- 1/0/1 CNAME ocsp.int-x3.letsencrypt.org.edgesuite.net. (111)
07:39:14.208484 IP 193.108.91.16.53 > 76.10.176.225.19919: 56438*- 1/0/1 CNAME ocsp.int-x3.letsencrypt.org.edgesuite.net. (111)
07:39:14.209284 IP 76.10.176.225.55974 > 206.248.168.151.53: 17199% [1au] AAAA? a771.dscq.akamai.net. (49)
07:39:14.209419 IP 76.10.176.225.52244 > 206.248.168.151.53: 36630% [1au] A? a771.dscq.akamai.net. (49)
07:39:14.215243 IP 206.248.168.151.53 > 76.10.176.225.55974: 17199*- 2/0/1 AAAA 2001:4958:300:480::b896:9d4a, AAAA 2001:4958:300:480::b896:9d4b (105)
07:39:14.215486 IP 206.248.168.151.53 > 76.10.176.225.52244: 36630*- 2/0/1 A 206.248.168.137, A 206.248.168.139 (81)
07:39:14.904345 IP 76.10.176.225.15523 > 192.5.5.241.53: 35912% [1au] AAAA? aspmx.l.google.com. (47)
07:39:14.904369 IP 76.10.176.225.12810 > 192.5.5.241.53: 62096% [1au] NS? . (28)
07:39:14.904386 IP 76.10.176.225.38776 > 192.5.5.241.53: 26943% [1au] A? aspmx.l.google.com. (47)

This should get something like this (as on OpenWRT) back; however, it doesn’t.
07:07:15.855724 IP 192.168.140.1.43210 > 192.168.140.253.53: Flags [S], seq 1829535474, win 29200,

@box:~# tcpdump -ni eth0 not host 192.168.110.153

07:39:13.173939 IP 192.168.140.253.42940 > 76.10.176.225.22: Flags [S], seq 1442085650, win 29200, options [mss 1460,sackOK,TS val 1144622950 ecr 0,nop,wscale 7], length 0
07:39:13.174087 IP 192.168.140.253.43408 > 76.10.176.225.53: Flags [S], seq 333284484, win 29200, options [mss 1460,sackOK,TS val 1144622951 ecr 0,nop,wscale 7], length 0
07:39:13.174898 IP 192.168.140.253.36200 > 76.10.176.225.25: Flags [S], seq 1430162419, win 29200, options [mss 1460,sackOK,TS val 1144622951 ecr 0,nop,wscale 7], length 0
07:39:13.175082 IP 192.168.140.253.34332 > 76.10.176.225.993: Flags [S], seq 117790337, win 29200, options [mss 1460,sackOK,TS val 1144622951 ecr 0,nop,wscale 7], length 0
07:39:13.175340 IP 192.168.140.253.49190 > 76.10.176.225.4190: Flags [S], seq 3326247109, win 29200, options [mss 1460,sackOK,TS val 1144622951 ecr 0,nop,wscale 7], length 0
07:39:13.175397 IP 192.168.140.253.49452 > 76.10.176.225.587: Flags [S], seq 3641682949, win 29200, options [mss 1460,sackOK,TS val 1144622951 ecr 0,nop,wscale 7], length 0
07:39:13.175929 IP 192.168.140.253.36314 > 76.10.176.225.80: Flags [S], seq 2546834857, win 29200, options [mss 1460,sackOK,TS val 1144622951 ecr 0,nop,wscale 7], length 0
07:39:13.176225 IP 192.168.140.253.37478 > 76.10.176.225.443: Flags [S], seq 3315619753, win 29200, options [mss 1460,sackOK,TS val 1144622951 ecr 0,nop,wscale 7], length 0
07:39:14.170150 IP 192.168.140.253.42940 > 76.10.176.225.22: Flags [S], seq 1442085650, win 29200, options [mss 1460,sackOK,TS val 1144623200 ecr 0,nop,wscale 7], length 0
07:39:14.174087 IP 192.168.140.253.37478 > 76.10.176.225.443: Flags [S], seq 3315619753, win 29200, options [mss 1460,sackOK,TS val 1144623201 ecr 0,nop,wscale 7], length 0
07:39:14.174087 IP 192.168.140.253.36200 > 76.10.176.225.25: Flags [S], seq 1430162419, win 29200, options [mss 1460,sackOK,TS val 1144623201 ecr 0,nop,wscale 7], length 0
07:39:14.174117 IP 192.168.140.253.49452 > 76.10.176.225.587: Flags [S], seq 3641682949, win 29200, options [mss 1460,sackOK,TS val 1144623201 ecr 0,nop,wscale 7], length 0
07:39:14.174117 IP 192.168.140.253.49190 > 76.10.176.225.4190: Flags [S], seq 3326247109, win 29200, options [mss 1460,sackOK,TS val 1144623201 ecr 0,nop,wscale 7], length 0
07:39:14.174118 IP 192.168.140.253.36314 > 76.10.176.225.80: Flags [S], seq 2546834857, win 29200, options [mss 1460,sackOK,TS val 1144623201 ecr 0,nop,wscale 7], length 0
07:39:14.174132 IP 192.168.140.253.34332 > 76.10.176.225.993: Flags [S], seq 117790337, win 29200, options [mss 1460,sackOK,TS val 1144623201 ecr 0,nop,wscale 7], length 0
07:39:14.174132 IP 192.168.140.253.43408 > 76.10.176.225.53: Flags [S], seq 333284484, win 29200, options [mss 1460,sackOK,TS val 1144623201 ecr 0,nop,wscale 7], length 0

07:39:14.202352 IP 192.168.140.253.50594 > 193.108.91.16.53: 55407% [1au] AAAA? ocsp.int-x3.letsencrypt.org. (56)
07:39:14.202492 IP 192.168.140.253.62307 > 193.108.91.16.53: 56438% [1au] A? ocsp.int-x3.letsencrypt.org. (56)
07:39:14.208951 IP 193.108.91.16.53 > 192.168.140.253.50594: 55407*- 1/0/1 CNAME ocsp.int-x3.letsencrypt.org.edgesuite.net. (111)
07:39:14.208953 IP 193.108.91.16.53 > 192.168.140.253.62307: 56438*- 1/0/1 CNAME ocsp.int-x3.letsencrypt.org.edgesuite.net. (111)
07:39:14.209531 IP 192.168.140.253.19694 > 206.248.168.151.53: 17199% [1au] AAAA? a771.dscq.akamai.net. (49)
07:39:14.209625 IP 192.168.140.253.37320 > 206.248.168.151.53: 36630% [1au] A? a771.dscq.akamai.net. (49)
07:39:14.215854 IP 206.248.168.151.53 > 192.168.140.253.19694: 17199*- 2/0/1 AAAA 2001:4958:300:480::b896:9d4a, AAAA 2001:4958:300:480::b896:9d4b (105)
07:39:14.215856 IP 206.248.168.151.53 > 192.168.140.253.37320: 36630*- 2/0/1 A 206.248.168.137, A 206.248.168.139 (81)
07:39:14.904479 IP 192.168.140.253.13161 > 192.5.5.241.53: 62096% [1au] NS? . (28)
07:39:14.904483 IP 192.168.140.253.8373 > 192.5.5.241.53: 35912% [1au] AAAA? aspmx.l.google.com. (47)
07:39:14.904568 IP 192.168.140.253.11197 > 192.5.5.241.53: 26943% [1au] A? aspmx.l.google.com. (47)

Does this rule set from FreeBSD (MAIB) mean the Reflection NAT is on or not? Should 192.168.140.253 here be 76.10.176.225 to catch the packet???

@trumpwall:~ # pfctl -sn

nat on pppoe0 inet from 192.168.140.0/24 to any -> 76.10.176.225 port 1024:65535
nat on pppoe0 inet from to any -> 76.10.176.225 port 1024:65535

no nat on em0_vlan140 inet proto tcp from 192.168.140.1 to 192.168.140.253 port = http
nat on em0_vlan140 inet proto tcp from 192.168.140.0/24 to 192.168.140.253 port = http -> 192.168.140.1 port 1024:65535

no nat on em0_vlan140 inet proto tcp from 192.168.140.1 to 192.168.140.253 port = smtp
nat on em0_vlan140 inet proto tcp from 192.168.140.0/24 to 192.168.140.253 port = smtp -> 192.168.140.1 port 1024:65535

no nat on em0_vlan140 inet proto tcp from 192.168.140.1 to 192.168.140.253 port = https
nat on em0_vlan140 inet proto tcp from 192.168.140.0/24 to 192.168.140.253 port = https -> 192.168.140.1 port 1024:65535

no nat on em0_vlan140 inet proto tcp from 192.168.140.1 to 192.168.140.253 port = domain
no nat on em0_vlan140 inet proto udp from 192.168.140.1 to 192.168.140.253 port = domain
nat on em0_vlan140 inet proto tcp from 192.168.140.0/24 to 192.168.140.253 port = domain -> 192.168.140.1 port 1024:65535
nat on em0_vlan140 inet proto udp from 192.168.140.0/24 to 192.168.140.253 port = domain -> 192.168.140.1 port 1024:65535

no nat on em0_vlan140 inet proto tcp from 192.168.140.1 to 192.168.140.253 port = imaps
nat on em0_vlan140 inet proto tcp from 192.168.140.0/24 to 192.168.140.253 port = imaps -> 192.168.140.1 port 1024:65535

no nat on em0_vlan140 inet proto tcp from 192.168.140.1 to 192.168.140.253 port = submission
nat on em0_vlan140 inet proto tcp from 192.168.140.0/24 to 192.168.140.253 port = submission -> 192.168.140.1 port 1024:65535

rdr on pppoe0 inet proto tcp from any to (pppoe0) port = http -> 192.168.140.253
rdr on em0_vlan140 inet proto tcp from any to (pppoe0) port = http -> 192.168.140.253

rdr on pppoe0 inet proto tcp from any to (pppoe0) port = smtp -> 192.168.140.253
rdr on em0_vlan140 inet proto tcp from any to (pppoe0) port = smtp -> 192.168.140.253

rdr on pppoe0 inet proto tcp from any to (pppoe0) port = https -> 192.168.140.253
rdr on em0_vlan140 inet proto tcp from any to (pppoe0) port = https -> 192.168.140.253

rdr on pppoe0 inet proto tcp from any to (pppoe0) port = domain -> 192.168.140.253
rdr on pppoe0 inet proto udp from any to (pppoe0) port = domain -> 192.168.140.253
rdr on em0_vlan140 inet proto tcp from any to (pppoe0) port = domain -> 192.168.140.253
rdr on em0_vlan140 inet proto udp from any to (pppoe0) port = domain -> 192.168.140.253

rdr on pppoe0 inet proto tcp from any to (pppoe0) port = imaps -> 192.168.140.253
rdr on em0_vlan140 inet proto tcp from any to (pppoe0) port = imaps -> 192.168.140.253

rdr on pppoe0 inet proto tcp from any to (pppoe0) port = submission -> 192.168.140.253
rdr on em0_vlan140 inet proto tcp from any to (pppoe0) port = submission -> 192.168.140.253

So, opnSense clearly didn’t get the same results as OpenWRT did, such as this… missing the second portion of changing the Source IP and Dest IP and putting the packet back… Is it a configuration issue or a bug?

@TorWrt:# tcpdump -ni eth0.140 port 53 and host 192.168.140.253
07:07:15.853367 IP 192.168.140.253.43210 > 76.10.176.225.53: Flags [S], seq 1829535474, win 29200, options [mss 1460,sackOK,TS val 1144143621 ecr 0,nop,wscale 7], length 0
07:07:15.853624 IP 192.168.140.1.43210 > 192.168.140.253.53: Flags [S], seq 1829535474, win 29200, options [mss 1460,sackOK,TS val 1144143621 ecr 0,nop,wscale 7], length 0

These two are critical in doing reflection NAT…
@TorWrt# iptables-save | grep NAT
-A zone_dmz_prerouting -s 192.168.140.0/24 -d 76.10.176.225/32 -p tcp -m tcp --dport 53 -m comment --comment "dns (reflection)" -j DNAT --to-destination 192.168.140.253:53
-A zone_dmz_prerouting -s 192.168.140.0/24 -d 76.10.176.225/32 -p udp -m udp --dport 53 -m comment --comment "dns (reflection)" -j DNAT --to-destination 192.168.140.253:53

-A zone_dmz_postrouting -s 192.168.140.0/24 -d 192.168.140.253/32 -p tcp -m tcp --dport 53 -m comment --comment "dns (reflection)" -j SNAT --to-source 192.168.140.1
-A zone_dmz_postrouting -s 192.168.140.0/24 -d 192.168.140.253/32 -p udp -m udp --dport 53 -m comment --comment "dns (reflection)" -j SNAT --to-source 192.168.140.1

On opnSense, we are missing this, which is present on OpenWRT???

-A zone_dmz_prerouting -s 192.168.140.0/24 -d 76.10.176.225/32 -p udp -m udp --dport 53 -m comment --comment "dns (reflection)" -j DNAT --to-destination 192.168.140.253:53

@trumpwall:~ # pfctl -sn
no nat on em0_vlan140 inet proto tcp from 192.168.140.1 to 192.168.140.253 port = domain
no nat on em0_vlan140 inet proto udp from 192.168.140.1 to 192.168.140.253 port = domain
nat on em0_vlan140 inet proto tcp from 192.168.140.0/24 to 192.168.140.253 port = domain -> 192.168.140.1 port 1024:65535
nat on em0_vlan140 inet proto udp from 192.168.140.0/24 to 192.168.140.253 port = domain -> 192.168.140.1 port 1024:65535

It looks like it has this pre-routing on opnSense as well…!!! Then, this didn’t catch or function???

rdr on pppoe0 inet proto tcp from any to (pppoe0) port = domain -> 192.168.140.253
rdr on pppoe0 inet proto udp from any to (pppoe0) port = domain -> 192.168.140.253
rdr on em0_vlan140 inet proto tcp from any to (pppoe0) port = domain -> 192.168.140.253
rdr on em0_vlan140 inet proto udp from any to (pppoe0) port = domain -> 192.168.140.253

Sorry, busy weekend.

This is under System-> Advanced -> Firewall & NAT

Then it is under the heading Network Address Translation. My settings are below.

@cwilkins Happy holiday to you !!!

Thanks for getting that info… I did a capture of what I have with opnSense as well. It looks like it has its NAT Reflection setting in the finalized rule set as well… I just don’t understand why it didn’t function like OpenWRT did. It seemed unable to capture that packet, modify DNAT+SNAT and send that packet back; instead, it sends it out to PPPoE with DNAT only, and that ships the packet out to be discarded by the ISP…

Here’s what I see on PPPoE tcpdump on opnSense. SNAT is not done and the packet is out to WAN…

@trumpwall:~ # tcpdump -ni pppoe0 port 53

07:39:13.173835 IP 76.10.176.225.56965 > 192.168.140.253.53: Flags [S], seq 333284484, win 29200, options [mss 1460,sackOK,TS val 1144622951 ecr 0,nop,wscale 7], length 0

On OpenWRT, you don’t see this traffic leaking out to WAN, as it has already been properly reflected back on the DMZ…
@TorWrt:# tcpdump -ni pppoe-wan port 53
07:07:17.556020 IP 76.10.176.225.27726 > 192.203.230.10.53: 40886% [1au] NS? . (28)
07:07:17.556147 IP 76.10.176.225.53311 > 192.203.230.10.53: 20231% [1au] A? aspmx.l.google.com. (47)
07:07:17.556244 IP 76.10.176.225.10260 > 192.203.230.10.53: 57585% [1au] AAAA? aspmx.l.google.com. (47)

I posted this on the opnSense forum and bug tracker as well…
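As an added example (not code from this thread or from any of the firewall projects mentioned), the following Python script turns the comparison in the posts above into a check: on the DMZ-side capture it looks, for every client SYN to the public address, for the hairpinned copy (source rewritten to 192.168.140.1, destination to 192.168.140.253), and on the WAN-side capture it flags SYNs addressed to a private host. The sample lines are copied from the captures quoted in this thread; the address constants and function names are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample captures, copied from the tcpdump output quoted in this
# thread (OpenWRT = reflection working, OPNsense = reflection not happening).
OPENWRT_DMZ = """\
07:07:15.853367 IP 192.168.140.253.43210 > 76.10.176.225.53: Flags [S], seq 1829535474, win 29200, length 0
07:07:15.853624 IP 192.168.140.1.43210 > 192.168.140.253.53: Flags [S],seq 1829535474 win 29200, length 0
07:07:15.853826 IP 192.168.140.253.53 > 192.168.140.1.43210: Flags [S.], seq 2131716951, ack 1829535475, length 0
"""
OPENWRT_WAN = """\
07:07:17.556020 IP 76.10.176.225.27726 > 192.203.230.10.53: 40886% [1au] NS? . (28)
"""
OPNSENSE_DMZ = """\
07:39:13.173819 IP 192.168.140.253.43408 > 76.10.176.225.53: Flags [S], seq 333284484, win 29200, length 0
07:39:14.173989 IP 192.168.140.253.43408 > 76.10.176.225.53: Flags [S], seq 333284484, win 29200, length 0
"""
OPNSENSE_WAN = """\
07:39:13.173835 IP 76.10.176.225.56965> 192.168.140.253.53: Flags [S], seq 333284484, win 29200, length 0
07:39:14.173994 IP 76.10.176.225.56965 > 192.168.140.253.53: Flags [S], seq 333284484, win 29200, length 0
"""

# Assumed addresses, taken from the thread: public (PPPoE) IP, DMZ gateway, MAIB host.
WAN_IP, DMZ_GW, MAIB = "76.10.176.225", "192.168.140.1", "192.168.140.253"

# tcpdump -n TCP line: "HH:MM:SS.ffffff IP a.b.c.d.sport > e.f.g.h.dport: Flags [S], ..."
# The space before ">" is optional because one pasted line in the thread lacks it.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) ?> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)


@dataclass(frozen=True)
class Syn:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_syns(capture: str) -> list[Syn]:
    """Return the initial SYNs (Flags [S], not the [S.] SYN-ACKs) from tcpdump -n text.
    DNS query lines without a Flags field do not match and are ignored."""
    syns = []
    for line in capture.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m["flags"] == "S":
            syns.append(Syn(m["ts"], m["src"], int(m["sport"]), m["dst"], int(m["dport"])))
    return syns


def find_unreflected(dmz_capture: str, wan_ip: str, gw_ip: str, server_ip: str) -> list[Syn]:
    """Client SYNs to the public address that never reappear hairpinned, i.e. as a
    later SYN with src rewritten to the DMZ gateway and dst to the server (the
    DNAT+SNAT pair visible in the OpenWRT capture).  Matched on destination port
    and ordering only, because the SNAT may choose a fresh source port."""
    syns = parse_syns(dmz_capture)
    hairpins = [s for s in syns if s.src == gw_ip and s.dst == server_ip]
    return [
        s for s in syns
        if s.dst == wan_ip
        and not any(h.dport == s.dport and h.ts >= s.ts for h in hairpins)
    ]


def find_leaked(wan_capture: str, private_prefix: str) -> list[Syn]:
    """SYNs on the WAN interface addressed to a private destination: the redirect
    was applied, but the packet left through WAN instead of going back to the DMZ."""
    return [s for s in parse_syns(wan_capture) if s.dst.startswith(private_prefix)]


if __name__ == "__main__":
    for name, dmz, wan in (("OpenWRT", OPENWRT_DMZ, OPENWRT_WAN),
                           ("OPNsense", OPNSENSE_DMZ, OPNSENSE_WAN)):
        print(name, "unreflected SYNs:", len(find_unreflected(dmz, WAN_IP, DMZ_GW, MAIB)),
              "| private-destination SYNs on WAN:", len(find_leaked(wan, "192.168.140.")))
```

Run against the two pairs of captures it reports zero unreflected and zero leaked SYNs for OpenWRT, and two of each for opnSense (the original SYN and its retransmit).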


@cwilkins

I know it’s a bit too much; but, in case you have time to test yours with opnSense briefly, that would be great for confirming this…

Anyway, if you notice something, let me know. I really appreciate your mentioning this NAT Reflection thing, which finally seems to be the root cause of this.

It seems that opnSense has generated these… but it doesn’t seem to be working for my case…!!!

http://www.onlamp.com/pub/a/bsd/2003/03/06/ssn_openbsd.html?page=4
As you will soon discover, this rule works for connections made from the outside to your web server, but not from your private network. This is solved by adding another rule:

#################################################################

macro definitions

ext_if = "ne2"
prv_if = "ne1"
ext_ad = "f.f.f.f/32"
prv_ad = "f.f.f.f/24"
dmz_ad = "w.w.w.w/32"

#################################################################

NAT rules: "rdr", "nat", "binat"

rdr on $ext_if proto tcp from any to $ext_ad port 80 ->
$dmz_ad port 8080
rdr on $prv_if proto tcp from $prv_ad to $ext_ad port 80 ->
$dmz_ad port 8080

Sorry, just getting to this now. Christmas is always crazy with my family.

I’ll use one of my spare IPs and set up a test setup with opnSense if you still need me to try this. I should be able to do this later on tonight. As soon as I get it up I’ll report back with my findings.

much appreciated!

thanks

Ok, I have opnSense installed and have my test MiaB behind it. Still working my way through understanding all of the settings on opnSense but at the moment I am having trouble getting NAT reflection to work, but I’m also not too familiar with opnSense yet. Going to keep working on it and get back to you.