NAT not working on 18.7.6

[antipiot]

Hello!
Facing some issues for creating and using NAT rules:

If i create a NAT rule to convert WAN:8093 to LAN:9987
My firewall will log blocked traffic to LAN:8093 wich should be authorized to LAN:9987.
All my other rules are working fine.

If i create a new NAT rule, this is reproductible.

[AdSchellevis]

can you share the following:

• The log messages blocking the traffic
• The generated rule in /tmp/rules.debug (grep for the description should probably work)
• Other rules affecting the same interface (Either floating or directly on the interface)

[antipiot]

Hello!
Plain view:

Nov 5 12:37:56	filterlog: 9,,,0,igb0,match,block,in,4,0x0,,54,7751,0,DF,17,udp,211,194.230.158.56,10.0.0.5,44911,8093,191

Rules debug:

on igb0 inet proto udp from {any} to {any} port $Teamspeak_WAN -> $NAS # Teamspeak forwarding
nat on igb0 inet proto udp from (igb0:network) to $NAS -> igb0 port 1024:65535 # Teamspeak forwarding

Some of the working NAT are:
nat on igb0 inet proto tcp from (igb0:network) to $ipcam port {80} -> igb0 port 1024:65535
nat on igb0 inet proto tcp from (igb0:network) to $desktop port {3389} -> igb0 port 1024:65535

Hope it helps :-)

[AdSchellevis]

can you use the live view? it shows a bit more info

[antipiot]

yes:

As you can see, the port after NAT hitting the firewall is wrong. should be 9987

[AdSchellevis]

could it be that the alias changed at some point in time? it looks like the rule is only created initially.

[antipiot]

I did some testing when i noticed this rule was not working and have changed / deleted / recreated aliases.

Also when i modify the NAT rule for: WAN:9987 to LAN:9987
And apply: i still log traffic on port 8093 and none on 9987

[AdSchellevis]

I would suspect something similar to this in your rules.debug (as has mine):

pass in quick on em1 inet proto tcp from {any} to $NAS port $Teamspeak_WAN label "USER_RULE: NAT my_rule" # 34dae5d9adcb498c997c0c7666394999

Which in my case is the correct rule, remember the target filter should match the post-nat target.

I have some cleanups for this code, which I will commit later, but in my test cases there always seems to be a pass rule

[antipiot]

Anything i can do? as for now i cant even create new rules?

[AdSchellevis]

Maybe you have another config related issue, I can't really help you with that.

[RasmusKvanderLoo]

I have my NAT rule working using ip and port numbers only (no aliases)??!!

[AdSchellevis]

@RasmusKvanderLoo and your point is?

[antipiot]

I have my NAT rule working using ip and port numbers only (no aliases)??!!

I tried this aswell:
Same result: for a nat rule WAN:8888 -> LAN:7777 ill see traffic hitting firewall with LAN:8888
If i create a rule with WAN:8888 -> LAN:8888 it's indeed working as there's no PAT

[antipiot]

If anybody there is on 18.7.6:

Could you try to create a NAT to so i'll know this is only related to my system?

[AdSchellevis]

@antipiot found it, the target port seems to be missing in the generated rule, I really overlooked something here.

[antipiot]

@antipiot found it, the target port seems to be missing in the generated rule, I really overlooked something here.

Great! thanks for your help!

[AdSchellevis]

@antipiot can you try eb42fac ?

opnsense-patch eb42fac

filter reload needed after patch (/usr/local/etc/rc.filter_configure)

[antipiot]

Patch fix the NAT problem.
Thanks you very much.
Tried to create a new rule and it's working aswell indeed

[fichtner]

I'll pull this into 18.7.7 for tomorrow then. Thanks for the quick fix and feedback! ❤️

[antipiot]

I'll pull this into 18.7.7 for tomorrow then. Thanks for the quick fix and feedback! ❤️

Thanks to you! :-)