in Freebsd , MAIB, how to I check the above info???
I was wondering whether you have above info? Can you kindly share where exactly you have enabled all NAT Reflection in pfSense? I have since enabled on opnSense at Firewall advanced setting all three options for Nat Reflectionā¦
with OpenWRT, I can see clearly , as you mentioned, NAT Reflection plays a role to make it workā¦ here are tcpdump snip from openWRT DMZ and WAN and MAIB interfaceā¦
@TorWrt:# tcpdump -ni eth0.140 port 53 and host 192.168.140.253
07:07:15.853367 IP 192.168.140.253.43210 > 76.10.176.225.53: Flags [S], seq 1829535474, win 29200, options [mss 1460,sackOK,TS val 1144143621 ecr 0,nop,wscale 7], length 0
07:07:15.853624 IP 192.168.140.1.43210 > 192.168.140.253.53: Flags [S],seq 1829535474 win 29200, options [mss 1460,sackOK,TS val 1144143621 ecr 0,nop,wscale 7], length 0
07:07:15.853826 IP 192.168.140.253.53 > 192.168.140.1.43210: Flags [S.], seq 2131716951, ack 1829535475, win 28960, options [mss 1460,sackOK,TS val 1144143621 ecr 1144143621,nop,wscale 7], length 0
07:07:15.853881 IP 76.10.176.225.53 > 192.168.140.253.43210: Flags [S.], seq 2131716951, ack 1829535475, win 28960, options [mss 1460,sackOK,TS val 1144143621 ecr 1144143621,nop,wscale 7], length 0
07:07:15.853952 IP 192.168.140.253.43210 > 76.10.176.225.53: Flags [.], ack 1, win 229, options [nop,nop,TS val 1144143621 ecr 1144143621], length 0
07:07:15.854002 IP 192.168.140.1.43210 > 192.168.140.253.53: Flags [.], ack 1, win 229, options [nop,nop,TS val 1144143621 ecr 1144143621], length 0
07:07:15.857449 IP 192.168.140.253.43210 > 76.10.176.225.53: Flags [F.], seq 1, ack 1, win 229, options [nop,nop,TS val 1144143622 ecr 1144143621], length 0
07:07:15.857487 IP 192.168.140.1.43210 > 192.168.140.253.53: Flags [F.], seq 1, ack 1, win 229, options [nop,nop,TS val 1144143622 ecr 1144143621], length 0
07:07:15.857690 IP 192.168.140.253.53 > 192.168.140.1.43210: Flags [F.], seq 1, ack 2, win 227, options [nop,nop,TS val 1144143622 ecr 1144143622], length 0
07:07:15.857742 IP 76.10.176.225.53 > 192.168.140.253.43210: Flags [F.], seq 1, ack 2, win 227, options [nop,nop,TS val 1144143622 ecr 1144143622], length 0
07:07:15.857824 IP 192.168.140.253.43210 > 76.10.176.225.53: Flags [.], ack 2, win 229, options [nop,nop,TS val 1144143622 ecr 1144143622], length 0
07:07:15.857874 IP 192.168.140.1.43210 > 192.168.140.253.53: Flags [.], ack 2, win 229, options [nop,nop,TS val 1144143622 ecr 1144143622], length 0
07:07:17.555888 IP 192.168.140.253.27726 > 192.203.230.10.53: 40886% [1au] NS? . (28)
07:07:17.556064 IP 192.168.140.253.53311 > 192.203.230.10.53: 20231% [1au] A? aspmx.l.google.com. (47)
07:07:17.556170 IP 192.168.140.253.10260 > 192.203.230.10.53: 57585% [1au] AAAA? aspmx.l.google.com. (47)
@TorWrt:# tcpdump -ni pppoe-wan port 53
07:07:17.556020 IP 76.10.176.225.27726 > 192.203.230.10.53: 40886% [1au] NS? . (28)
07:07:17.556147 IP 76.10.176.225.53311 > 192.203.230.10.53: 20231% [1au] A? aspmx.l.google.com. (47)
07:07:17.556244 IP 76.10.176.225.10260 > 192.203.230.10.53: 57585% [1au] AAAA? aspmx.l.google.com. (47)
@box:~# tcpdump -ni eth0 not host 192.168.110.153
07:07:15.855389 IP 192.168.140.253.43210 > 76.10.176.225.53: Flags [S], seq 1829535474, win 29200, options [mss 1460,sackOK,TS val 1144143621 ecr 0,nop,wscale 7], length 0
07:07:15.855439 IP 192.168.140.253.35998 > 76.10.176.225.25: Flags [S], seq 2153696641, win 29200, options [mss 1460,sackOK,TS val 1144143621 ecr 0,nop,wscale 7], length 0
07:07:15.855654 IP 192.168.140.253.42748 > 76.10.176.225.22: Flags [S], seq 3530740831, win 29200, options [mss 1460,sackOK,TS val 1144143621 ecr 0,nop,wscale 7], length 0
07:07:15.855724 IP 192.168.140.1.43210 > 192.168.140.253.53: Flags [S], seq 1829535474, win 29200, options [mss 1460,sackOK,TS val 1144143621 ecr 0,nop,wscale 7], length 0
07:07:15.855758 IP 192.168.140.253.53 > 192.168.140.1.43210: Flags [S.], seq 2131716951, ack 1829535475, win 28960, options [mss 1460,sackOK,TS val 1144143621 ecr 1144143621,nop,wscale 7], length 0
07:07:15.855834 IP 192.168.140.1.35998 > 192.168.140.253.25: Flags [S], seq 2153696641, win 29200, options [mss 1460,sackOK,TS val 1144143621 ecr 0,nop,wscale 7], length 0
07:07:15.855859 IP 192.168.140.253.25 > 192.168.140.1.35998: Flags [S.], seq 626321212, ack 2153696642, win 28960, options [mss 1460,sackOK,TS val 1144143621 ecr 1144143621,nop,wscale 7], length 0
07:07:15.857242 IP 192.168.140.253.48994 > 76.10.176.225.4190: Flags [S], seq 1838901197, win 29200, options [mss 1460,sackOK,TS val 1144143621 ecr 0,nop,wscale 7], length 0
07:07:15.857653 IP 192.168.140.1.36120 > 192.168.140.253.80: Flags [S], seq 257899850, win 29200, options [mss 1460,sackOK,TS val 1144143621 ecr 0,nop,wscale 7], length 0
07:07:15.857874 IP 192.168.140.253.36120 > 76.10.176.225.80: Flags [F.], seq 257899851, ack 3771511862, win 229, options [nop,nop,TS val 1144143621 ecr 1144143621], length 0
07:07:15.858206 IP 192.168.140.253.35998 > 76.10.176.225.25: Flags [F.], seq 2153696642, ack 626321213, win 229, options [nop,nop,TS val 1144143622 ecr 1144143621], length 0
07:07:15.859446 IP 192.168.140.253.43210 > 76.10.176.225.53: Flags [F.], seq 1829535475, ack 2131716952, win 229, options [nop,nop,TS val 1144143622 ecr 1144143621], length 0
07:07:15.859575 IP 192.168.140.1.43210 > 192.168.140.253.53: Flags [F.], seq 1, ack 1, win 229, options [nop,nop,TS val 1144143622 ecr 1144143621], length 0
07:07:15.859855 IP 192.168.140.253.43210 > 76.10.176.225.53: Flags [.], ack 2, win 229, options [nop,nop,TS val 1144143622 ecr 1144143622], length 0
07:07:15.862070 IP 192.168.140.253.25 > 192.168.140.1.35998: Flags [.], ack 2, win 227, options [nop,nop,TS val 1144143623 ecr 1144143622], length 0
07:07:15.862171 IP 76.10.176.225.25 > 192.168.140.253.35998: Flags [.], ack 1, win 227, options [nop,nop,TS val 1144143623 ecr 1144143622], length 0
07:07:15.862619 IP 192.168.140.253.37286 > 76.10.176.225.443: Flags [S], seq 3530240289, win 29200, options [mss 1460,sackOK,TS val 1144143623 ecr 0,nop,wscale 7], length 0
07:07:15.862773 IP 192.168.140.1.37286 > 192.168.140.253.443: Flags [S], seq 3530240289, win 29200, options [mss 1460,sackOK,TS val 1144143623 ecr 0,nop,wscale 7], length 0
07:07:15.862822 IP 192.168.140.253.443 > 192.168.140.1.37286: Flags [S.], seq 1890689828, ack 3530240290, win 28960, options [mss 1460,sackOK,TS val 1144143623 ecr 1144143623,nop,wscale 7], length 0
07:07:15.862923 IP 76.10.176.225.443 > 192.168.140.253.37286: Flags [S.], seq 1890689828, ack 3530240290, win 28960, options [mss 1460,sackOK,TS val 1144143623 ecr 1144143623,nop,wscale 7], length 0
07:07:15.862950 IP 192.168.140.253.37286 > 76.10.176.225.443: Flags [.], ack 1, win 229, options [nop,nop,TS val 1144143623 ecr 1144143623], length 0
07:07:15.863047 IP 192.168.140.1.37286 > 192.168.140.253.443: Flags [.], ack 1, win 229, options [nop,nop,TS val 1144143623 ecr 1144143623], length 0
07:07:15.864184 IP 192.168.140.253.37286 > 76.10.176.225.443: Flags [F.], seq 1, ack 1, win 229, options [nop,nop,TS val 1144143623 ecr 1144143623], length 0
07:07:15.864262 IP 192.168.140.1.37286 > 192.168.140.253.443: Flags [F.], seq 1, ack 1, win 229, options [nop,nop,TS val 1144143623 ecr 1144143623], length 0
07:07:15.864316 IP 192.168.140.253.443 > 192.168.140.1.37286: Flags [F.], seq 1, ack 2, win 227, options [nop,nop,TS val 1144143623 ecr 1144143623], length 0
07:07:15.864415 IP 76.10.176.225.443 > 192.168.140.253.37286: Flags [F.], seq 1, ack 2, win 227, options [nop,nop,TS val 1144143623 ecr 1144143623], length 0
07:07:15.864436 IP 192.168.140.253.37286 > 76.10.176.225.443: Flags [.], ack 2, win 229, options [nop,nop,TS val 1144143623 ecr 1144143623], length 0
07:07:15.864530 IP 192.168.140.1.37286 > 192.168.140.253.443: Flags [.], ack 2, win 229, options [nop,nop,TS val 1144143623 ecr 1144143623], length 0
07:07:15.878892 IP 192.168.140.253.25 > 192.168.140.1.35998: Flags [P.], seq 1:98, ack 2, win 227, options [nop,nop,TS val 1144143627 ecr 1144143622], length 97: SMTP: 220 box.f2f10.com ESMTP Hi, Iām a Mail-in-a-Box (Ubuntu/Postfix; see https://mailinabox.email/)
07:07:15.879127 IP 76.10.176.225.25 > 192.168.140.253.35998: Flags [P.], seq 1:98, ack 1, win 227, options [nop,nop,TS val 1144143627 ecr 1144143622], length 97: SMTP: 220 box.f2f10.com ESMTP Hi, Iām a Mail-in-a-Box (Ubuntu/Postfix; see https://mailinabox.email/)
07:07:15.879159 IP 192.168.140.253.35998 > 76.10.176.225.25: Flags [R], seq 2153696643, win 0, length 0
07:07:15.879222 IP 192.168.140.253.25 > 192.168.140.1.35998: Flags [F.], seq 98, ack 2, win 227, options [nop,nop,TS val 1144143627 ecr 1144143622], length 0
07:07:15.879240 IP 192.168.140.1.35998 > 192.168.140.253.25: Flags [R], seq 2153696643, win 0, length 0
07:07:15.879302 IP 76.10.176.225.25 > 192.168.140.253.35998: Flags [F.], seq 98, ack 1, win 227, options [nop,nop,TS val 1144143627 ecr 1144143622], length 0
07:07:15.879321 IP 192.168.140.253.35998 > 76.10.176.225.25: Flags [R], seq 2153696643, win 0, length 0
07:07:15.879430 IP 192.168.140.1.35998 > 192.168.140.253.25: Flags [R], seq 2153696643, win 0, length 0
07:07:16.854160 IP 192.168.140.253.42748 > 76.10.176.225.22: Flags [S], seq 3530740831, win 29200, options [mss 1460,sackOK,TS val 1144143871 ecr 0,nop,wscale 7], length 0
07:07:17.557926 IP 192.168.140.253.53311 > 192.203.230.10.53: 20231% [1au] A? aspmx.l.google.com. (47)
07:07:17.557926 IP 192.168.140.253.27726 > 192.203.230.10.53: 40886% [1au] NS? . (28)
07:07:17.558017 IP 192.168.140.253.10260 > 192.203.230.10.53: 57585% [1au] AAAA? aspmx.l.google.com. (47)
here are same capture at DMZ and WAN on opnSense and MAIBā¦ which doesnāt get NAT Reflection working in order to get a flow back like this 192.168.140.1 (DMZ interface ip as reflection ipā>192.168.140.253
This should get something like this (from openWRT) back, it didnātā¦
07:07:15.853624 IP 192.168.140.1.43210 > 192.168.140.253.53: Flags [S], seq 1829535474, win 29200
@trumpwall:~ # tcpdump -ni em0_vlan140 port 53 and host 192.168.140.253
07:39:13.173819 IP 192.168.140.253.43408 > 76.10.176.225.53: Flags [S], seq 333284484, win 29200, options [mss 1460,sackOK,TS val 1144622951 ecr 0,nop,wscale 7], length 0
07:39:14.173989 IP 192.168.140.253.43408 > 76.10.176.225.53: Flags [S], seq 333284484, win 29200, options [mss 1460,sackOK,TS val 1144623201 ecr 0,nop,wscale 7], length 0
07:39:14.202192 IP 192.168.140.253.50594 > 193.108.91.16.53: 55407% [1au] AAAA? ocsp.int-x3.letsencrypt.org. (56)
07:39:14.202235 IP 192.168.140.253.62307 > 193.108.91.16.53: 56438% [1au] A? ocsp.int-x3.letsencrypt.org. (56)
07:39:14.208366 IP 193.108.91.16.53 > 192.168.140.253.50594: 55407*- 1/0/1 CNAME ocsp.int-x3.letsencrypt.org.edgesuite.net. (111)
07:39:14.208499 IP 193.108.91.16.53 > 192.168.140.253.62307: 56438*- 1/0/1 CNAME ocsp.int-x3.letsencrypt.org.edgesuite.net. (111)
07:39:14.209260 IP 192.168.140.253.19694 > 206.248.168.151.53: 17199% [1au] AAAA? a771.dscq.akamai.net. (49)
07:39:14.209404 IP 192.168.140.253.37320 > 206.248.168.151.53: 36630% [1au] A? a771.dscq.akamai.net. (49)
07:39:14.215275 IP 206.248.168.151.53 > 192.168.140.253.19694: 17199*- 2/0/1 AAAA 2001:4958:300:480::b896:9d4a, AAAA 2001:4958:300:480::b896:9d4b (105)
07:39:14.215489 IP 206.248.168.151.53 > 192.168.140.253.37320: 36630*- 2/0/1 A 206.248.168.137, A 206.248.168.139 (81)
07:39:14.904317 IP 192.168.140.253.8373 > 192.5.5.241.53: 35912% [1au] AAAA? aspmx.l.google.com. (47)
07:39:14.904358 IP 192.168.140.253.13161 > 192.5.5.241.53: 62096% [1au] NS? . (28)
07:39:14.904373 IP 192.168.140.253.11197 > 192.5.5.241.53: 26943% [1au] A? aspmx.l.google.com. (47)
@trumpwall:~ # tcpdump -ni pppoe0 port 53
07:39:13.173835 IP 76.10.176.225.56965 > 192.168.140.253.53: Flags [S], seq 333284484, win 29200, options [mss 1460,sackOK,TS val 1144622951 ecr 0,nop,wscale 7], length 0
07:39:14.173994 IP 76.10.176.225.56965 > 192.168.140.253.53: Flags [S], seq 333284484, win 29200, options [mss 1460,sackOK,TS val 1144623201 ecr 0,nop,wscale 7], length 0
07:39:14.202221 IP 76.10.176.225.57189 > 193.108.91.16.53: 55407% [1au] AAAA? ocsp.int-x3.letsencrypt.org. (56)
07:39:14.202249 IP 76.10.176.225.19919 > 193.108.91.16.53: 56438% [1au] A? ocsp.int-x3.letsencrypt.org. (56)
07:39:14.208349 IP 193.108.91.16.53 > 76.10.176.225.57189: 55407*- 1/0/1 CNAME ocsp.int-x3.letsencrypt.org.edgesuite.net. (111)
07:39:14.208484 IP 193.108.91.16.53 > 76.10.176.225.19919: 56438*- 1/0/1 CNAME ocsp.int-x3.letsencrypt.org.edgesuite.net. (111)
07:39:14.209284 IP 76.10.176.225.55974 > 206.248.168.151.53: 17199% [1au] AAAA? a771.dscq.akamai.net. (49)
07:39:14.209419 IP 76.10.176.225.52244 > 206.248.168.151.53: 36630% [1au] A? a771.dscq.akamai.net. (49)
07:39:14.215243 IP 206.248.168.151.53 > 76.10.176.225.55974: 17199*- 2/0/1 AAAA 2001:4958:300:480::b896:9d4a, AAAA 2001:4958:300:480::b896:9d4b (105)
07:39:14.215486 IP 206.248.168.151.53 > 76.10.176.225.52244: 36630*- 2/0/1 A 206.248.168.137, A 206.248.168.139 (81)
07:39:14.904345 IP 76.10.176.225.15523 > 192.5.5.241.53: 35912% [1au] AAAA? aspmx.l.google.com. (47)
07:39:14.904369 IP 76.10.176.225.12810 > 192.5.5.241.53: 62096% [1au] NS? . (28)
07:39:14.904386 IP 76.10.176.225.38776 > 192.5.5.241.53: 26943% [1au] A? aspmx.l.google.com. (47)
This should get something like this (like on OpenWRT) back, however, it doesnāt get.
07:07:15.855724 IP 192.168.140.1.43210 > 192.168.140.253.53: Flags [S], seq 1829535474, win 29200,
@box:~# tcpdump -ni eth0 not host 192.168.110.153
07:39:13.173939 IP 192.168.140.253.42940 > 76.10.176.225.22: Flags [S], seq 1442085650, win 29200, options [mss 1460,sackOK,TS val 1144622950 ecr 0,nop,wscale 7], length 0
07:39:13.174087 IP 192.168.140.253.43408 > 76.10.176.225.53: Flags [S], seq 333284484, win 29200, options [mss 1460,sackOK,TS val 1144622951 ecr 0,nop,wscale 7], length 0
07:39:13.174898 IP 192.168.140.253.36200 > 76.10.176.225.25: Flags [S], seq 1430162419, win 29200, options [mss 1460,sackOK,TS val 1144622951 ecr 0,nop,wscale 7], length 0
07:39:13.175082 IP 192.168.140.253.34332 > 76.10.176.225.993: Flags [S], seq 117790337, win 29200, options [mss 1460,sackOK,TS val 1144622951 ecr 0,nop,wscale 7], length 0
07:39:13.175340 IP 192.168.140.253.49190 > 76.10.176.225.4190: Flags [S], seq 3326247109, win 29200, options [mss 1460,sackOK,TS val 1144622951 ecr 0,nop,wscale 7], length 0
07:39:13.175397 IP 192.168.140.253.49452 > 76.10.176.225.587: Flags [S], seq 3641682949, win 29200, options [mss 1460,sackOK,TS val 1144622951 ecr 0,nop,wscale 7], length 0
07:39:13.175929 IP 192.168.140.253.36314 > 76.10.176.225.80: Flags [S], seq 2546834857, win 29200, options [mss 1460,sackOK,TS val 1144622951 ecr 0,nop,wscale 7], length 0
07:39:13.176225 IP 192.168.140.253.37478 > 76.10.176.225.443: Flags [S], seq 3315619753, win 29200, options [mss 1460,sackOK,TS val 1144622951 ecr 0,nop,wscale 7], length 0
07:39:14.170150 IP 192.168.140.253.42940 > 76.10.176.225.22: Flags [S], seq 1442085650, win 29200, options [mss 1460,sackOK,TS val 1144623200 ecr 0,nop,wscale 7], length 0
07:39:14.174087 IP 192.168.140.253.37478 > 76.10.176.225.443: Flags [S], seq 3315619753, win 29200, options [mss 1460,sackOK,TS val 1144623201 ecr 0,nop,wscale 7], length 0
07:39:14.174087 IP 192.168.140.253.36200 > 76.10.176.225.25: Flags [S], seq 1430162419, win 29200, options [mss 1460,sackOK,TS val 1144623201 ecr 0,nop,wscale 7], length 0
07:39:14.174117 IP 192.168.140.253.49452 > 76.10.176.225.587: Flags [S], seq 3641682949, win 29200, options [mss 1460,sackOK,TS val 1144623201 ecr 0,nop,wscale 7], length 0
07:39:14.174117 IP 192.168.140.253.49190 > 76.10.176.225.4190: Flags [S], seq 3326247109, win 29200, options [mss 1460,sackOK,TS val 1144623201 ecr 0,nop,wscale 7], length 0
07:39:14.174118 IP 192.168.140.253.36314 > 76.10.176.225.80: Flags [S], seq 2546834857, win 29200, options [mss 1460,sackOK,TS val 1144623201 ecr 0,nop,wscale 7], length 0
07:39:14.174132 IP 192.168.140.253.34332 > 76.10.176.225.993: Flags [S], seq 117790337, win 29200, options [mss 1460,sackOK,TS val 1144623201 ecr 0,nop,wscale 7], length 0
07:39:14.174132 IP 192.168.140.253.43408 > 76.10.176.225.53: Flags [S], seq 333284484, win 29200, options [mss 1460,sackOK,TS val 1144623201 ecr 0,nop,wscale 7], length 0
07:39:14.202352 IP 192.168.140.253.50594 > 193.108.91.16.53: 55407% [1au] AAAA? ocsp.int-x3.letsencrypt.org. (56)
07:39:14.202492 IP 192.168.140.253.62307 > 193.108.91.16.53: 56438% [1au] A? ocsp.int-x3.letsencrypt.org. (56)
07:39:14.208951 IP 193.108.91.16.53 > 192.168.140.253.50594: 55407*- 1/0/1 CNAME ocsp.int-x3.letsencrypt.org.edgesuite.net. (111)
07:39:14.208953 IP 193.108.91.16.53 > 192.168.140.253.62307: 56438*- 1/0/1 CNAME ocsp.int-x3.letsencrypt.org.edgesuite.net. (111)
07:39:14.209531 IP 192.168.140.253.19694 > 206.248.168.151.53: 17199% [1au] AAAA? a771.dscq.akamai.net. (49)
07:39:14.209625 IP 192.168.140.253.37320 > 206.248.168.151.53: 36630% [1au] A? a771.dscq.akamai.net. (49)
07:39:14.215854 IP 206.248.168.151.53 > 192.168.140.253.19694: 17199*- 2/0/1 AAAA 2001:4958:300:480::b896:9d4a, AAAA 2001:4958:300:480::b896:9d4b (105)
07:39:14.215856 IP 206.248.168.151.53 > 192.168.140.253.37320: 36630*- 2/0/1 A 206.248.168.137, A 206.248.168.139 (81)
07:39:14.904479 IP 192.168.140.253.13161 > 192.5.5.241.53: 62096% [1au] NS? . (28)
07:39:14.904483 IP 192.168.140.253.8373 > 192.5.5.241.53: 35912% [1au] AAAA? aspmx.l.google.com. (47)
07:39:14.904568 IP 192.168.140.253.11197 > 192.5.5.241.53: 26943% [1au] A? aspmx.l.google.com. (47)
Does this Rule Set from FreeBSD (MAIB) mean the Reflection NAT is on or not? Should 192.168.140.253 here be 76.10.176.225 to catch the packet???
@trumpwall:~ # pfctl -sn
nat on pppoe0 inet from 192.168.140.0/24 to any -> 76.10.176.225 port 1024:65535
nat on pppoe0 inet from to any -> 76.10.176.225 port 1024:65535
no nat on em0_vlan140 inet proto tcp from 192.168.140.1 to 192.168.140.253 port = http
nat on em0_vlan140 inet proto tcp from 192.168.140.0/24 to 192.168.140.253 port = http -> 192.168.140.1 port 1024:65535
no nat on em0_vlan140 inet proto tcp from 192.168.140.1 to 192.168.140.253 port = smtp
nat on em0_vlan140 inet proto tcp from 192.168.140.0/24 to 192.168.140.253 port = smtp -> 192.168.140.1 port 1024:65535
no nat on em0_vlan140 inet proto tcp from 192.168.140.1 to 192.168.140.253 port = https
nat on em0_vlan140 inet proto tcp from 192.168.140.0/24 to 192.168.140.253 port = https -> 192.168.140.1 port 1024:65535
no nat on em0_vlan140 inet proto tcp from 192.168.140.1 to 192.168.140.253 port = domain
no nat on em0_vlan140 inet proto udp from 192.168.140.1 to 192.168.140.253 port = domain
nat on em0_vlan140 inet proto tcp from 192.168.140.0/24 to 192.168.140.253 port = domain -> 192.168.140.1 port 1024:65535
nat on em0_vlan140 inet proto udp from 192.168.140.0/24 to 192.168.140.253 port = domain -> 192.168.140.1 port 1024:65535
no nat on em0_vlan140 inet proto tcp from 192.168.140.1 to 192.168.140.253 port = imaps
nat on em0_vlan140 inet proto tcp from 192.168.140.0/24 to 192.168.140.253 port = imaps -> 192.168.140.1 port 1024:65535
no nat on em0_vlan140 inet proto tcp from 192.168.140.1 to 192.168.140.253 port = submission
nat on em0_vlan140 inet proto tcp from 192.168.140.0/24 to 192.168.140.253 port = submission -> 192.168.140.1 port 1024:65535
rdr on pppoe0 inet proto tcp from any to (pppoe0) port = http -> 192.168.140.253
rrdr on em0_vlan140 inet proto tcp from any to (pppoe0) port = http -> 192.168.140.253
rdr on pppoe0 inet proto tcp from any to (pppoe0) port = smtp -> 192.168.140.253
rdr on em0_vlan140 inet proto tcp from any to (pppoe0) port = smtp -> 192.168.140.253
rdr on pppoe0 inet proto tcp from any to (pppoe0) port = https -> 192.168.140.253
rdr on em0_vlan140 inet proto tcp from any to (pppoe0) port = https -> 192.168.140.253
rdr on pppoe0 inet proto tcp from any to (pppoe0) port = domain -> 192.168.140.253
rdr on pppoe0 inet proto udp from any to (pppoe0) port = domain -> 192.168.140.253
rdr on em0_vlan140 inet proto tcp from any to (pppoe0) port = domain -> 192.168.140.253
rdr on em0_vlan140 inet proto udp from any to (pppoe0) port = domain -> 192.168.140.253
rdr on pppoe0 inet proto tcp from any to (pppoe0) port = imaps -> 192.168.140.253
rdr on em0_vlan140 inet proto tcp from any to (pppoe0) port = imaps -> 192.168.140.253
rdr on pppoe0 inet proto tcp from any to (pppoe0) port = submission -> 192.168.140.253
rdr on em0_vlan140 inet proto tcp from any to (pppoe0) port = submission -> 192.168.140.253
so, OpenSense clearly didnāt get the same results as OpenWRT did, such as thisā¦missing second portion of changing Source IP and Dest IP and putting packet backā¦ Is it a configuration issue or bug?
@TorWrt:# tcpdump -ni eth0.140 port 53 and host 192.168.140.253
07:07:15.853367 IP 192.168.140.253.43210 > 76.10.176.225.53: Flags [S], seq 1829535474, win 29200, options [mss 1460,sackOK,TS val 1144143621 ecr 0,nop,wscale 7], length 0
07:07:15.853624 IP 192.168.140.1.43210 > 192.168.140.253.53: Flags [S],seq 1829535474 win 29200, options [mss 1460,sackOK,TS val 1144143621 ecr 0,nop,wscale 7], length 0
These two are critical in doing reflection natā¦
@TorWrt# iptables-save | grep NAT
-A zone_dmz_prerouting -s 192.168.140.0/24 -d 76.10.176.225/32 -p tcp -m tcp --dport 53 -m comment --comment ādns (reflection)ā -j DNAT --to-destination 192.168.140.253:53
-A zone_dmz_prerouting -s 192.168.140.0/24 -d 76.10.176.225/32 -p udp -m udp --dport 53 -m comment --comment ādns (reflection)ā -j DNAT --to-destination 192.168.140.253:53
-A zone_dmz_postrouting -s 192.168.140.0/24 -d 192.168.140.253/32 -p tcp -m tcp --dport 53 -m comment --comment ādns (reflection)ā -j SNAT --to-source 192.168.140.1
-A zone_dmz_postrouting -s 192.168.140.0/24 -d 192.168.140.253/32 -p udp -m udp --dport 53 -m comment --comment ādns (reflection)ā -j SNAT --to-source 192.168.140.1
On openSense, we are missing this, like that on openWRT ???
-A zone_dmz_prerouting -s 192.168.140.0/24 -d 76.10.176.225/32 -p udp -m udp --dport 53 -m comment --comment ādns (reflection)ā -j DNAT --to-destination 192.168.140.253:53
@trumpwall:~ # pfctl -sn
no nat on em0_vlan140 inet proto tcp from 192.168.140.1 to 192.168.140.253 port = domain
no nat on em0_vlan140 inet proto udp from 192.168.140.1 to 192.168.140.253 port = domain
nat on em0_vlan140 inet proto tcp from 192.168.140.0/24 to 192.168.140.253 port = domain -> 192.168.140.1 port 1024:65535
nat on em0_vlan140 inet proto udp from 192.168.140.0/24 to 192.168.140.253 port = domain -> 192.168.140.1 port 1024:65535
It looks like it has this Pre-routing on OpenSense as wellā¦!!! Then, this didntā catch or function???
rdr on pppoe0 inet proto tcp from any to (pppoe0) port = domain -> 192.168.140.253
rdr on pppoe0 inet proto udp from any to (pppoe0) port = domain -> 192.168.140.253
rdr on em0_vlan140 inet proto tcp from any to (pppoe0) port = domain -> 192.168.140.253
rdr on em0_vlan140 inet proto udp from any to (pppoe0) port = domain -> 192.168.140.253
Sorry, busy weekend.
This is under System-> Advanced -> Firewall & NAT
Then it is under the heading Network Address Translation. My settings are below.
@cwilkins Happy holiday to you !!!
Thanks for getting those infoā¦ I did a capture of what I have with opnsense as well. It looks like it has its Nat Reflection setting in the finalized rule set as wellā¦ Just donāt understand why it didnāt function like OpenWRT did. It seemed not being able to capture that packet and modify DNAT+SNAT and send that packet back; instead, it send out to PPPoE with DNAT only and that ships packet out to be discarded by ISPā¦
Hereās what I see on PPPoE tcpdump on opnSense. SNAT is not done and the packet is out to WANā¦
@trumpwall:~ # tcpdump -ni pppoe0 port 53
07:39:13.173835 IP 76.10.176.225.56965> 192.168.140.253.53: Flags [S], seq 333284484, win 29200, options [mss 1460,sackOK,TS val 1144622951 ecr 0,nop,wscale 7], length 0
on opnWRT, you donāt see this traffic leaking out to WAN, as itās been properly reflected back on DMZ alreadyā¦
@TorWrt:# tcpdump -ni pppoe-wan port 53
07:07:17.556020 IP 76.10.176.225.27726 > 192.203.230.10.53: 40886% [1au] NS? . (28)
07:07:17.556147 IP 76.10.176.225.53311 > 192.203.230.10.53: 20231% [1au] A? aspmx.l.google.com. (47)
07:07:17.556244 IP 76.10.176.225.10260 > 192.203.230.10.53: 57585% [1au] AAAA? aspmx.l.google.com. (47)
I posted this on opnSense forum and bug track as wellā¦
I know itās a bit too much; but, in case you had time of testing yours with opnSense briefly, that would be great in confirming thisā¦
Anyway, if you notice thereās something, let me know. I really appreciated that your mentioning of this NAT Reflection thing finally seems to be the root cause of this.
It seems that opnSense has generated theseā¦but, not seemed working for my caseā¦!!!
http://www.onlamp.com/pub/a/bsd/2003/03/06/ssn_openbsd.html?page=4
As you will soon discover, this rule works for connections made from the outside to your web server, but not from your private network. This is solved by adding another rule:
#################################################################
macro definitions
ext_if = "ne2"
prv_if = "ne1"
ext_ad = "f.f.f.f/32"
prv_ad = "f.f.f.f/24"
dmz_ad = āw.w.w.w/32ā
#################################################################
NAT rules: ārdrā, ānatā, ābinatā
rdr on $ext_if proto tcp from any to $ext_ad port 80 ->
$dmz_ad port 8080
rdr on $prv_if proto tcp from $prv_ad to $ext_ad port 80 ->
$dmz_ad port 8080
Sorry, just getting to this now. Christmas is always crazy with my family.
Iāll use one of my spare IPs and setup a test setup with opnSense if you still need me to try this. I should be able to do this later on tonight. As soon as I get it up Iāll report back with my findings.
much appreciated!
thanks
Ok, I have opnSense installed and have my test MiaB behind it. Still working my way through understanding all of the settings on opnSense but at the moment I am having trouble getting NAT reflection to work, but Iām also not too familiar with opnSense yet. Going to keep working on it and get back to you.