Wrong source IP used on outbound Traffic #2170

Closed
mortenstevens opened this issue Feb 5, 2018 · 6 comments
Labels
support Community support


@mortenstevens

Hello,

Referring to https://forum.opnsense.org/index.php?topic=7132.0

This issue has existed since the latest upgrade from 17.7.12 to 18.1. firewall_nat_out.php is set to "Automatic", but the firewall randomly uses one of the virtual IP addresses instead of the assigned WAN address.

Is there a fix available?

Thank you.

@fichtner fichtner added the support Community support label Feb 5, 2018
@fichtner
Member

fichtner commented Feb 5, 2018

Hi there,

This is the new behaviour to use round-robin on all available IP addresses... it has VIPs assigned on the interface so they want to be used.

You can set outbound mode to hybrid or manual to fix the NAT behaviour to a single IP explicitly.

We will make an additional note in the original 18.1 update change log for all new upgraders from 17.7 to see.

Cheers,
Franco

@mortenstevens
Author

Hello Franco,

Thank you. Setting outbound NAT to hybrid with a custom rule (NAT address = wan address) fixes it.

Anyway, I think it's not the best way in automatic mode to randomly use one of the virtual IP addresses by default... The round-robin option should be set specifically by the user.

Best regards,

Morten

@fichtner
Member

fichtner commented Feb 5, 2018

Hi Morten,

The automatic outbound generation has a couple of drawbacks and will likely go through more iterations. We will factor this into the next iteration, but for now we need to see how this new system works in practice apart from causing issues with previous installs where behaviour is slightly different.

The more prevalent question for us is: how are you using the Virtual IPs on a WAN interface?

Thank you,
Franco

fichtner added a commit to opnsense/changelog that referenced this issue Feb 6, 2018
@fichtner
Member

fichtner commented Feb 6, 2018

Hi Morten,

I've made a note in the 18.1 change log that users see while upgrading.

You can go to Firewall: Settings: Advanced and enable "Sticky outbound NAT" to get a consistent IP behaviour for your client connections. We are considering making this the default behaviour in a subsequent image release.

Cheers,
Franco

@fichtner fichtner closed this as completed Feb 6, 2018
@mortenstevens
Author

Hello Franco,

Thank you for your support. Setting "Sticky outbound NAT" also works fine with automatic outbound NAT. It would be great to see this option turned on by default.

Best regards,

Morten

@fichtner
Member

fichtner commented Feb 6, 2018

yay ok will do :)
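
Added example, not part of the original thread or the OPNsense code base: a check that each internal client leaves through a single translated source IP after switching to hybrid/manual mode or enabling "Sticky outbound NAT". It assumes IPv4 and the `<translated> (<internal>) -> <destination>` line shape of a pf state listing; that format, the sample lines and the function names are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the assumed state-listing shape:
#   <if> <proto> <translated>:<port> (<internal>:<port>) -> <dest>:<port>  <state>
SAMPLE_STATES = """\
all tcp 203.0.113.10:51811 (192.168.1.20:51811) -> 198.51.100.7:443       ESTABLISHED:ESTABLISHED
all tcp 203.0.113.11:40122 (192.168.1.20:40122) -> 198.51.100.7:443       ESTABLISHED:ESTABLISHED
all udp 203.0.113.10:12001 (192.168.1.21:53001) -> 198.51.100.53:53       MULTIPLE:SINGLE
all tcp 203.0.113.10:33900 (192.168.1.21:33900) -> 198.51.100.9:22       ESTABLISHED:ESTABLISHED
all tcp 192.168.1.1:443 <- 192.168.1.20:50100       ESTABLISHED:ESTABLISHED
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
NAT_STATE = re.compile(
    rf"^\S+\s+\S+\s+(?P<xlate>{IPV4}):\d+\s+\((?P<inside>{IPV4}):\d+\)\s+->"
)


def egress_addresses(state_text):
    """Map each internal client to the set of translated source IPs in use."""
    seen = defaultdict(set)
    for line in state_text.splitlines():
        m = NAT_STATE.match(line.strip())
        if m:  # lines without an "(internal)" part are not NAT'd states
            seen[m.group("inside")].add(m.group("xlate"))
    return dict(seen)


def inconsistent_clients(state_text):
    """Return clients whose connections leave from more than one source IP."""
    return {
        client: sorted(ips)
        for client, ips in egress_addresses(state_text).items()
        if len(ips) > 1
    }


if __name__ == "__main__":
    for client, ips in inconsistent_clients(SAMPLE_STATES).items():
        print(f"{client} egresses via {', '.join(ips)}")
```

An empty result after the configuration change means every client with active NAT'd states is pinned to one outbound address.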
