Letsencrypt expired, and dns errors

Thanks!!! @cwilkins

So I ended up having to rebuild my test MiaB server, as it had some issues and I wanted a clean test box for this test for you.

But some quick observations from my old test box.

  1. I was able to get all of the ports opened up and visible from the outside world.
  2. I will not be switching to opnSense from pfSense, but they are very similar.

The new server is up and running, and I am getting the same issue: the ports are not showing as open on the status page, but they are open. NAT reflection is enabled on each NAT rule, but the box still thinks the ports are closed.
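What the status page's "not publicly accessible" result amounts to is an inside-out TCP connect to the box's public IP on each published port. The following is an added example for this thread, not Mail-in-a-Box's own code; it reproduces that probe and the three verdicts seen later in the thread's output, using a throwaway loopback listener in place of a real public address so it can be exercised offline.

```python
"""Inside-out reachability check of the kind the MiaB status page runs.

Added example for this thread, not code from Mail-in-a-Box. It opens one
TCP connection per port and reports whether the handshake completed; the
loopback listener in demo() stands in for the public IP.
"""
import socket
from contextlib import closing


def port_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """True when a TCP handshake to host:port completes within `timeout`.

    A refused or timed-out connect (the symptom behind "is running but is
    not publicly accessible") yields False.
    """
    try:
        with closing(socket.create_connection((host, port), timeout=timeout)):
            return True
    except OSError:
        return False


def check_services(host: str, ports) -> dict:
    """Probe each published port against `host`; returns {port: reachable}."""
    return {p: port_reachable(host, p) for p in sorted(ports)}


def service_verdict(port: int, local_ok: bool, public_ok: bool) -> str:
    """The three states the status output distinguishes for one service:
    not running at all, running but unreachable on the public IP, or ok."""
    if not local_ok:
        return f"port {port}: not running"
    if not public_ok:
        return f"port {port}: running but not publicly accessible"
    return f"port {port}: ok"


def demo() -> dict:
    """Run the check against one listening and one closed loopback port.

    No accept() loop is needed: the kernel completes the handshake for a
    listening socket up to its backlog, which is all the probe observes.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    open_port = srv.getsockname()[1]
    # a port that was just bound and released is closed for the probe
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()
    try:
        return check_services("127.0.0.1", {open_port, closed_port})
    finally:
        srv.close()


if __name__ == "__main__":
    for port, ok in demo().items():
        print(service_verdict(port, local_ok=True, public_ok=ok))
```

Run from the MiaB host itself against its public IP, this is exactly the path that depends on NAT reflection: the SYN leaves the box for the public address and must be turned around by the firewall. Run from a host outside the WAN, the same function tests the plain port forward, which is why the two views in this thread disagree.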

@cwilkins Highly appreciate!!!

So, it’s conclusive that NAT Reflection is not working with your setup of OpnSense and MiaB?

If you could grab the rule set from the opnsense you have and the one from the pfsense, we may compare if there’s any difference… It’s the “nat”, “rdr”, “no nat” stuff.

However, my thinking is still that, for some reason, my packet 192.168.140.253 → public ip actually arrived at the DMZ, being DNATed to 192.168.140.253 → 192.168.140.253; however, things broke here. Because the packet was sent out through the WAN as public ip:xxxx → 192.168.140.253, with such a DST IP it will be discarded by the ISP on the WAN. It should, at that time, redirect the DNATed packet back to the DMZ, where it is then SNATed as 192.168.140.1 → 192.168.140.253.

This is how OpenWRT behaves, and probably how your pfSense does too. I don’t know of any other way of tracing why it is not being “routed” properly back to the DMZ with that DNATed IP. I have opened bugs on the OpnSense forum and support page and have not received a solution yet.

If you find something by comparing your pfsense and opensence rules, please let me know.

I read somewhere that pfSense has a “closed source” package. Do you know what it is? It’s a bit concerning… Meanwhile, there are a lot of bad words said online about opnSense… I am not sure which one to go with later…

Again, many thanks for your effort in helping out!!! It feels warm for sure, in such cold weather, to get some of your help…!

BTW, you may try having an LXC container running MiaB. It’s really convenient and fast to have virtual containers to do backups and set up new stuff… just an FYI…

Looks that way, yes. You should ask over on the OpnSense forum to see if anyone else is using it with MiaB and if there was anything they had to do to get it to work. I find it hard to believe that there is that big of a bug in OpnSense, it could just be a configuration issue or compatibility issue between the two applications.

The rules look the same to me. Once I understood the minor differences between the two interfaces I was able to recreate my rules from pfSense on OpnSense with ease.

It’s possible that pfSense is closed source, that would actually make sense as they are selling the software to companies, but that does not mean they have limited the community version of the software. I suspect based on what I have read on the split between the two, it was based around this. At the end of the day it does not affect my usage of the software, and if the developers can protect their IP better and make some money having it closed source, then go for it. Same for opnSense, if they want to keep it open sourced, the more power to them. See below for what closed source means…

For me, I started out with ClarkConnect, which is now part of ClearOS, and then moved on to pfSense. I did look at a number of different distros before I picked pfSense (opnSense was one of them) but stuck with pfSense until I switched to a Meraki firewall at home. I run pfSense now with my private servers as I know it well so troubleshooting it is easier for me. Plus the community is well documented.

Pick whichever one works best for you and then stick with it. Don’t get caught up in the bad blood between the two different distros.

[quote=“miabatf2f10, post:123, topic:2704”]
Again, many thanks for your effort in helping out!!! It feels warm for sure, in such cold weather, to get some of your help…!
[/quote]

You are welcome. I can’t develop (looking at lines of code makes me sick) so this is the only way I can give back to the community.

Where are you hosting your MiaB? If you are using opnSense as a firewall, do you have a private server somewhere?

@cwilkins
My opnSense is directly on the DSL modem on the WAN side, and I have the Intel NUC GigE port VLANed on a switch; one of the VLANs is the DMZ, in which my MiaB sits…

Many thanks for your effort in helping out and those inputs!!!

Oh, your DSL provider allows you to have SMTP 25 open and register a pointer record? This is not a residential class service, is it? I used to have a business class Telus DSL service at home, but then fiber came to my area and my 15/2 connection was just too slow. I’m on 150/150 and expect to be on gig in the next year, so the thought of going back to my old 15/2 business class DSL makes me shudder.

If you do stick with opnSense and get it to work, please come back and let us know.

My DSL provider is TekSavvy (reselling Bell’s and Rogers’). For an extra $5/month (…about the rent cost of a cloud server with Digital Ocean, but I get more privacy), I have a static IP and all ports are allowed… they do reverse DNS as well… residential service…

I will try a bit more on opnSense. If it’s still not working, I may have to fall back to pfSense, IPCop or IPFire, or maybe my good old OpenWRT… Will update here… Thanks a lot…

Tried the new opnSense version 18.1.2 and NAT Reflection still doesn’t work… I have now switched back to pfSense 2.4.1.2 with Pure NAT and it works like it does on OpenWRT…

I checked the rdr rules on the console and I don’t see any difference between the two distros…

Not sure why… the opnSense interface does look clean. :)


I am really surprised to see this is still not working. I do like the interface on opnSense better than pfSense.

Yes, I thought opnSense to pfSense was almost like CentOS to RedHat… They look and function the same except for the GUI… but it has a problem handling NAT Reflection… seems weird…

@cwilkins
Hi my friend,
I had to add a DMZ-to-DMZ rule to get everything working. My MiaB is on the DMZ. Do you have the same setting? This was on opnSense, but MiaB was not working out with that “RDR” thing…

thanks

No I have my MiaB in my LAN. Show me or send me a picture of your WAN rules so I can compare them to mine so we can see where the issue is.

Here you go…thanks…

Sorry, I should have asked for your NAT rules.

It is here…tks…

Only thing I see missing is port 995. Mine is attached above. I use a firewall alias to make it cleaner.

I assume X.X.140.253 is your LAN? What error are you getting on MiaB’s status page?

That’s neat, using an alias…!

My MiaB is in the DMZ 192.168.140.0/24 network and its IP is 192.168.140.253… The error would be the same as I spotted at the very beginning. When I run “sudo /home/devnull/mailinabox/management/status_checks.py”, the top output is with that DMZ-DMZ rule enabled, the bottom with it disabled.

sudo /home/devnull/mailinabox/management/status_checks.py

System

✓ All system services are running.
✓ SSH disallows password-based login.
✓ System software is up to date.
? Mail-in-a-Box version check disabled by privacy setting.
✓ System administrator address exists as a mail alias. [
✓ The disk has 155.73 GB space remaining.
✓ System memory is 97% free.

Network

✓ Firewall is active.
✓ Outbound mail (SMTP port 25) is not blocked.
✓ IP address is not blacklisted by zen.spamhaus.org.

box.f2f10.com

✓ Nameserver glue records are correct at registrar. [ns1/ns2.box.f2f10.com ↦ 76.10.176.225]
✓ Domain resolves to box’s IP address. [box.f2f10.com ↦ 76.10.176.225]
✓ Reverse DNS is set correctly at ISP. [76.10.176.225 ↦ box.f2f10.com]
✓ The DANE TLSA record for incoming mail is correct (_25._tcp.box.f2f10.com).
✓ Hostmaster contact address exists as a mail alias. [hostmaster@box.f2f10.com ↦ administrator@box.f2f10.com]
✓ Domain’s email is directed to this domain. [box.f2f10.com ↦ 10 box.f2f10.com]
✓ Postmaster contact address exists as a mail alias. [postmaster@box.f2f10.com ↦ administrator@box.f2f10.com]
✓ Domain is not blacklisted by dbl.spamhaus.org.
✓ TLS (SSL) certificate is signed & valid. The certificate expires in 39 days on 03/23/18.

f2f10.com

✓ Nameservers are set correctly at registrar. [ns1.box.f2f10.com; ns2.box.f2f10.com]
✓ Domain’s email is directed to this domain. [f2f10.com ↦ 10 box.f2f10.com]
✓ Domain is not blacklisted by dbl.spamhaus.org.
✓ Domain resolves to this box’s IP address. [f2f10.com ↦ 76.10.176.225]
✓ TLS (SSL) certificate is signed & valid. The certificate expires in 39 days on 03/23/18.
? This domain’s DNSSEC DS record is not set. The DS record is optional. The DS record activates DNSSEC. To set a DS record, you must follow the
instructions provided by your domain name registrar and provide to them this information:

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
~$ sudo /home/devnull/mailinabox/management/status_checks.py

System

✖ Public DNS (nsd4) is not running (port 53).
✖ Incoming Mail (SMTP/postfix) is running but is not publicly accessible at 76.10.176.225:25.
✖ Outgoing Mail (SMTP 587/postfix) is running but is not publicly accessible at 76.10.176.225:587.
✖ IMAPS (dovecot) is running but is not publicly accessible at 76.10.176.225:993.
✖ Mail Filters (Sieve/dovecot) is running but is not publicly accessible at 76.10.176.225:4190.
✖ HTTP Web (nginx) is running but is not publicly accessible at 76.10.176.225:80.
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
✖ HTTPS Web (nginx) is running but is not publicly accessible at 76.10.176.225:443.
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
✓ SSH disallows password-based login.
✓ System software is up to date.
? Mail-in-a-Box version check disabled by privacy setting.
✓ System administrator address exists as a mail alias. [
✓ The disk has 155.73 GB space remaining.
✓ System memory is 97% free.

Network

✓ Firewall is active.
✓ Outbound mail (SMTP port 25) is not blocked.
✓ IP address is not blacklisted by zen.spamhaus.org.

box.f2f10.com

✖ Nameserver glue records are incorrect. The ns1.box.f2f10.com and ns2.box.f2f10.com nameservers must be configured at your domain name registrar as
having the IP address 76.10.176.225. They currently report addresses of [Not Set]/[Not Set]. It may take several hours for public DNS to update after
a change.
✖ This domain must resolve to your box’s IP address (76.10.176.225) in public DNS but it currently resolves to [Not Set]. It may take several hours for
public DNS to update after a change. This problem may result from other issues listed above.
✓ Reverse DNS is set correctly at ISP. [76.10.176.225 ↦ box.f2f10.com]
✓ Hostmaster contact address exists as a mail alias. [hostmaster@box.f2f10.com ↦ administrator@box.f2f10.com]
✓ Domain’s email is directed to this domain. [box.f2f10.com has no MX record, which is ok]
✓ Postmaster contact address exists as a mail alias. [postmaster@box.f2f10.com ↦ administrator@box.f2f10.com]
✓ Domain is not blacklisted by dbl.spamhaus.org.
✓ TLS (SSL) certificate is signed & valid. The certificate expires in 39 days on 03/23/18.

f2f10.com

✖ The nameservers set on this domain are incorrect. They are currently [Not Set]. Use your domain name registrar’s control panel to set the nameservers
to ns1.box.f2f10.com; ns2.box.f2f10.com.
✖ This domain’s DNS MX record is not set. It should be ‘10 box.f2f10.com’. Mail will not be delivered to this box. It may take several hours for public
DNS to update after a change. This problem may result from other issues listed here.
✓ Domain is not blacklisted by dbl.spamhaus.org.
✖ This domain should resolve to your box’s IP address (A 76.10.176.225) if you would like the box to serve webmail or a website on this domain. The
domain currently resolves to [Not Set] in public DNS. It may take several hours for public DNS to update after a change. This problem may result from
other issues listed here.
? This domain’s DNSSEC DS record is not set. The DS record is optional. The DS record activates DNSSEC. To set a DS record, you must follow the
instructions provided by your domain name registrar and provide to them this information:

Tried DMZ net → DMZ address and DMZ address → DMZ net; neither works, same effect as having no such rule. The only way to get it working is DMZ net → DMZ net… I would guess it’s allowing the “nat redirect” to work… as MiaB is simulating a remote reach to itself by sending traffic to my public IP… I haven’t found the details of how this works…

What do your LAN rule settings look like? You didn’t have a similar rule, and you tried that command on MiaB with no issue?

thanks

BTW, how did you fill in the from–to fields if you use a port alias? Thanks…
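The packet walk sketched earlier in the thread (DNAT to 192.168.140.253, then either leaking out the WAN, coming back without SNAT, or coming back SNATed to 192.168.140.1) and the observation just above that only a “DMZ net → DMZ net” pass rule makes the reflected traffic work can both be followed with a small model. The following is an added illustration for this thread, not code from OPNsense, pfSense or Mail-in-a-Box; the addresses are the ones quoted in the posts, 192.168.140.1 as the firewall’s DMZ-side address is the earlier post’s own assumption, and the evaluation order it assumes (rdr applied before the filter, outbound nat applied on egress) is pf’s documented behaviour.

```python
"""Model of the hairpin (NAT reflection) path discussed in this thread.

Added illustration for the thread, not code from OPNsense, pfSense or
Mail-in-a-Box. Addresses are the ones quoted in the posts; 192.168.140.1 as
the firewall's DMZ-side address is an assumption from the earlier post.
"""
from dataclasses import dataclass, replace

PUBLIC_IP = "76.10.176.225"      # box.f2f10.com, from the status output
FW_DMZ_IP = "192.168.140.1"      # firewall's address on the DMZ (assumption)
MIAB_IP = "192.168.140.253"      # the MiaB host in the DMZ
DMZ_PREFIX = "192.168.140."      # the 192.168.140.0/24 DMZ
PUBLISHED_PORTS = {25, 53, 80, 443, 587, 993, 995, 4190}  # rdr targets


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


def in_dmz(ip: str) -> bool:
    return ip.startswith(DMZ_PREFIX)


def forward(pkt: Packet, mode: str):
    """Translate and route one packet arriving on the DMZ interface.

    mode selects how the firewall treats a DNATed packet whose client sits
    on the same segment as the server:
      "none"      rdr rewrites dst, but the packet is then sent out the WAN
                  (the failure described in the thread)
      "dnat_only" packet is routed back into the DMZ with src untouched
      "pure_nat"  dst is rewritten and src is SNATed to the firewall's DMZ
                  address, so the reply has to come back through it
    Returns (egress_interface, packet_as_forwarded).
    """
    dnatted = False
    if pkt.dst == PUBLIC_IP and pkt.dport in PUBLISHED_PORTS:
        pkt = replace(pkt, dst=MIAB_IP)            # rdr / DNAT
        dnatted = True
    if dnatted and mode == "none":
        # leaves via WAN with the usual outbound NAT; an RFC 1918
        # destination on the WAN side is discarded upstream
        return "wan", replace(pkt, src=PUBLIC_IP)
    if in_dmz(pkt.dst):
        if dnatted and in_dmz(pkt.src) and mode == "pure_nat":
            pkt = replace(pkt, src=FW_DMZ_IP)      # reflection SNAT
        return "dmz", pkt
    return "wan", replace(pkt, src=PUBLIC_IP)      # ordinary outbound NAT


def self_check_succeeds(mode: str, port: int = 25) -> bool:
    """Does a connection from the MiaB host to its own public IP complete?

    This is the path the status page exercises from inside the DMZ.
    """
    syn = Packet(src=MIAB_IP, dst=PUBLIC_IP, dport=port)
    iface, fwd = forward(syn, mode)
    if iface == "wan" and in_dmz(fwd.dst):
        return False                                # dropped on the WAN side
    # the server answers whatever source address it saw
    reply = Packet(src=fwd.dst, dst=fwd.src, dport=0)
    if reply.dst == FW_DMZ_IP:
        # reply enters the firewall, which reverses both translations
        reply = Packet(src=PUBLIC_IP, dst=MIAB_IP, dport=0)
    # the client's socket only matches a reply from the address it dialled
    return reply.src == PUBLIC_IP and reply.dst == MIAB_IP


def pass_rule_allows(rule_src: str, rule_dst: str, port: int = 25) -> bool:
    """Check which DMZ pass rule matches the reflected packet.

    The filter runs after rdr, so it sees dst already rewritten to MIAB_IP,
    while src is still the original host (SNAT happens on egress). Selectors
    are the GUI's "DMZ net" (the /24) and "DMZ address" (the firewall's IP).
    """
    def matches(selector: str, ip: str) -> bool:
        return in_dmz(ip) if selector == "DMZ net" else ip == FW_DMZ_IP

    seen = Packet(src=MIAB_IP, dst=MIAB_IP, dport=port)  # post-rdr view
    return matches(rule_src, seen.src) and matches(rule_dst, seen.dst)


if __name__ == "__main__":
    for mode in ("none", "dnat_only", "pure_nat"):
        print(f"{mode:10s} self-check succeeds: {self_check_succeeds(mode)}")
    for rule in (("DMZ net", "DMZ net"), ("DMZ net", "DMZ address"),
                 ("DMZ address", "DMZ net")):
        print(f"pass {rule[0]} -> {rule[1]}: matches = {pass_rule_allows(*rule)}")
```

The “dnat_only” case is the one worth noticing: the packet does reach the server, but the server replies straight to 192.168.140.253 from its own private address, bypassing the firewall, so the client never sees an answer from the public IP it connected to. The SNAT to the firewall’s DMZ address is what forces the reply back through the translation state. The pass-rule check likewise explains why only “DMZ net → DMZ net” works: after rdr the filter sees a packet from one DMZ host to another, and neither endpoint is the firewall’s own interface address.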