Netgate Discussion Forum

    Not able Access OPT1 through NAT

    NAT
    • systemadmin

      Hi Team,

      We are using a pfSense firewall with 3 interfaces: WAN, LAN and OPT1.
      WAN (static IP) is directly connected to the ISP switch
      LAN (192.168.25.100)
      OPT1 (192.168.55.26) has a DHCP IP, which it gets from another Sonicwall firewall.

      We want to give NAT access to the machine which has an IP from the Sonicwall firewall.

      When we access the LAN IP using NAT it works fine, but not on OPT.

      Please find the packet capture for the NAT rule that is not working:

      16:06:19.831390 00:26:88:cd:e3:93 > 00:0c:29:b9:ca:5d, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 111, id 27853, offset 0, flags [DF], proto TCP (6), length 52)
          xx.xx.xx.xx.37803 > yy.yy.yy.yy.85: Flags [S], cksum 0x2cfa (correct), seq 2611248001, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
      16:06:19.831654 00:0c:29:b9:ca:5d > 00:26:88:cd:e3:93, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 63, id 17105, offset 0, flags [DF], proto TCP (6), length 40)
          yy.yy.yy.yy.85 > xx.xx.xx.xx.37803: Flags [R.], cksum 0x68aa (correct), seq 0, ack 2611248002, win 0, length 0
      16:06:19.835850 00:26:88:cd:e3:93 > 00:0c:29:b9:ca:5d, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 111, id 27854, offset 0, flags [DF], proto TCP (6), length 52)
          xx.xx.xx.xx.21098 > yy.yy.yy.yy.85: Flags [S], cksum 0x276a (correct), seq 2809509505, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
      16:06:19.836006 00:0c:29:b9:ca:5d > 00:26:88:cd:e3:93, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 63, id 17106, offset 0, flags [DF], proto TCP (6), length 40)
          yy.yy.yy.yy.85 > xx.xx.xx.xx.21098: Flags [R.], cksum 0x631a (correct), seq 0, ack 2809509506, win 0, length 0
      16:06:20.099150 00:26:88:cd:e3:93 > 00:0c:29:b9:ca:5d, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 112, id 27855, offset 0, flags [DF], proto TCP (6), length 52)
          xx.xx.xx.xx.52829 > yy.yy.yy.yy.85: Flags [S], cksum 0xf30a (correct), seq 4063437871, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
      16:06:20.099379 00:0c:29:b9:ca:5d > 00:26:88:cd:e3:93, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 63, id 17155, offset 0, flags [DF], proto TCP (6), length 40)
          yy.yy.yy.yy.85 > xx.xx.xx.xx.52829: Flags [R.], cksum 0x2ebb (correct), seq 0, ack 4063437872, win 0, length 0
      16:06:20.590562 00:26:88:cd:e3:93 > 00:0c:29:b9:ca:5d, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 111, id 27858, offset 0, flags [DF], proto TCP (6), length 52)
          xx.xx.xx.xx.53144 > yy.yy.yy.yy.85: Flags [S], cksum 0xf10c (correct), seq 2611248001, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
      16:06:20.590785 00:0c:29:b9:ca:5d > 00:26:88:cd:e3:93, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 63, id 17246, offset 0, flags [DF], proto TCP (6), length 40)
          yy.yy.yy.yy.85 > xx.xx.xx.xx.53144: Flags [R.], cksum 0x2cbd (correct), seq 0, ack 2611248002, win 0, length 0
      16:06:20.597721 00:26:88:cd:e3:93 > 00:0c:29:b9:ca:5d, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 112, id 27857, offset 0, flags [DF], proto TCP (6), length 52)
          xx.xx.xx.xx.25483 > yy.yy.yy.yy.85: Flags [S], cksum 0x1649 (correct), seq 2809509505, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
      16:06:20.597829 00:0c:29:b9:ca:5d > 00:26:88:cd:e3:93, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 63, id 17248, offset 0, flags [DF], proto TCP (6), length 40)
          yy.yy.yy.yy.85 > xx.xx.xx.xx.25483: Flags [R.], cksum 0x51f9 (correct), seq 0, ack 2809509506, win 0, length 0
      16:06:20.862104 00:26:88:cd:e3:93 > 00:0c:29:b9:ca:5d, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 112, id 27860, offset 0, flags [DF], proto TCP (6), length 52)
          xx.xx.xx.xx.50741 > yy.yy.yy.yy.85: Flags [S], cksum 0xfb32 (correct), seq 4063437871, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
      16:06:20.862358 00:0c:29:b9:ca:5d > 00:26:88:cd:e3:93, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 63, id 17305, offset 0, flags [DF], proto TCP (6), length 40)
          yy.yy.yy.yy.85 > xx.xx.xx.xx.50741: Flags [R.], cksum 0x36e3 (correct), seq 0, ack 4063437872, win 0, length 0
      16:06:21.340703 00:26:88:cd:e3:93 > 00:0c:29:b9:ca:5d, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 111, id 27862, offset 0, flags [DF], proto TCP (6), length 52)
          xx.xx.xx.xx.10938 > yy.yy.yy.yy.85: Flags [S], cksum 0x95eb (correct), seq 2611248001, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
      16:06:21.340916 00:0c:29:b9:ca:5d > 00:26:88:cd:e3:93, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 63, id 17353, offset 0, flags [DF], proto TCP (6), length 40)
          yy.yy.yy.yy.85 > xx.xx.xx.xx.10938: Flags [R.], cksum 0xd19b (correct), seq 0, ack 2611248002, win 0, length 0
      16:06:21.358488 00:26:88:cd:e3:93 > 00:0c:29:b9:ca:5d, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 111, id 27863, offset 0, flags [DF], proto TCP (6), length 52)
          xx.xx.xx.xx.25347 > yy.yy.yy.yy.85: Flags [S], cksum 0x16d1 (correct), seq 2809509505, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
      16:06:21.358608 00:0c:29:b9:ca:5d > 00:26:88:cd:e3:93, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 63, id 17356, offset 0, flags [DF], proto TCP (6), length 40)
          yy.yy.yy.yy.85 > xx.xx.xx.xx.25347: Flags [R.], cksum 0x5281 (correct), seq 0, ack 2809509506, win 0, length 0
      16:06:21.621818 00:26:88:cd:e3:93 > 00:0c:29:b9:ca:5d, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 111, id 27864, offset 0, flags [DF], proto TCP (6), length 52)
          xx.xx.xx.xx.50590 > yy.yy.yy.yy.85: Flags [S], cksum 0xfbc9 (correct), seq 4063437871, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
      16:06:21.622021 00:0c:29:b9:ca:5d > 00:26:88:cd:e3:93, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 63, id 17371, offset 0, flags [DF], proto TCP (6), length 40)
          yy.yy.yy.yy.85 > xx.xx.xx.xx.50590: Flags [R.], cksum 0x377a (correct), seq 0, ack 4063437872, win 0, length 0
      16:06:21.875967 00:26:88:cd:e3:93 > 00:0c:29:b9:ca:5d, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 112, id 27865, offset 0, flags [DF], proto TCP (6), length 52)
          xx.xx.xx.xx.44348 > yy.yy.yy.yy.85: Flags [S], cksum 0xdf86 (correct), seq 2112081188, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
      16:06:21.876200 00:0c:29:b9:ca:5d > 00:26:88:cd:e3:93, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 63, id 17433, offset 0, flags [DF], proto TCP (6), length 40)
          yy.yy.yy.yy.85 > xx.xx.xx.xx.44348: Flags [R.], cksum 0x1b37 (correct), seq 0, ack 2112081189, win 0, length 0
      16:06:22.123792 00:26:88:cd:e3:93 > 00:0c:29:b9:ca:5d, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 111, id 27866, offset 0, flags [DF], proto TCP (6), length 52)
          xx.xx.xx.xx.41189 > yy.yy.yy.yy.85: Flags [S], cksum 0xcf7b (correct), seq 3896803109, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
      16:06:22.123982 00:0c:29:b9:ca:5d > 00:26:88:cd:e3:93, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 63, id 17459, offset 0, flags [DF], proto TCP (6), length 40)
          yy.yy.yy.yy.85 > xx.xx.xx.xx.41189: Flags [R.], cksum 0x0b2c (correct), seq 0, ack 3896803110, win 0, length 0
      16:06:22.639659 00:26:88:cd:e3:93 > 00:0c:29:b9:ca:5d, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 111, id 27867, offset 0, flags [DF], proto TCP (6), length 52)
          xx.xx.xx.xx.27545 > yy.yy.yy.yy.85: Flags [S], cksum 0x212a (correct), seq 2112081188, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
      16:06:22.639907 00:0c:29:b9:ca:5d > 00:26:88:cd:e3:93, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 63, id 17502, offset 0, flags [DF], proto TCP (6), length 40)
          yy.yy.yy.yy.85 > xx.xx.xx.xx.27545: Flags [R.], cksum 0x5cda (correct), seq 0, ack 2112081189, win 0, length 0
      16:06:22.892597 00:26:88:cd:e3:93 > 00:0c:29:b9:ca:5d, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 112, id 27869, offset 0, flags [DF], proto TCP (6), length 52)
          xx.xx.xx.xx.35571 > yy.yy.yy.yy.85: Flags [S], cksum 0xe56d (correct), seq 3896803109, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
      16:06:22.892802 00:0c:29:b9:ca:5d > 00:26:88:cd:e3:93, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 63, id 17557, offset 0, flags [DF], proto TCP (6), length 40)
          yy.yy.yy.yy.85 > xx.xx.xx.xx.35571: Flags [R.], cksum 0x211e (correct), seq 0, ack 3896803110, win 0, length 0
      16:06:23.387427 00:26:88:cd:e3:93 > 00:0c:29:b9:ca:5d, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 111, id 27872, offset 0, flags [DF], proto TCP (6), length 52)
          xx.xx.xx.xx.9446 > yy.yy.yy.yy.85: Flags [S], cksum 0x67dd (correct), seq 2112081188, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
      16:06:23.387672 00:0c:29:b9:ca:5d > 00:26:88:cd:e3:93, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 63, id 17625, offset 0, flags [DF], proto TCP (6), length 40)
          yy.yy.yy.yy.85 > xx.xx.xx.xx.9446: Flags [R.], cksum 0xa38d (correct), seq 0, ack 2112081189, win 0, length 0
      16:06:23.654548 00:26:88:cd:e3:93 > 00:0c:29:b9:ca:5d, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 111, id 27874, offset 0, flags [DF], proto TCP (6), length 52)
          xx.xx.xx.xx.17358 > yy.yy.yy.yy.85: Flags [S], cksum 0x2c93 (correct), seq 3896803109, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
      16:06:23.654786 00:0c:29:b9:ca:5d > 00:26:88:cd:e3:93, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 63, id 17662, offset 0, flags [DF], proto TCP (6), length 40)
          yy.yy.yy.yy.85 > xx.xx.xx.xx.17358: Flags [R.], cksum 0x6843 (correct), seq 0, ack 3896803110, win 0, length 0
      
      

      Thanks

      Raghul

      • johnpoz (LAYER 8, Global Moderator)

        It's a bit unclear what is what there, since you're blocking out the RFC1918 address and the full address?

        But looks like dest is sending back RST!!!

        Here

            xx.xx.xx.xx.41189 > yy.yy.yy.yy.85: Flags [S]
            yy.yy.yy.yy.85 > xx.xx.xx.xx.41189: Flags [R].
        

        SYN sent, and RST sent back - layman terms = F off ;)

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11
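
The SYN-then-RST reading above can be run over a whole capture. This is an added example, not part of the thread: `classify_syns` and the sample capture (documentation addresses, two-line `tcpdump -v` layout) are constructed for illustration. It pairs each SYN with the segment that acknowledges it and reports whether the flow was reset, accepted or never answered at the capture point.

```python
import re

# Two-line `tcpdump -v` records: a header line (time, ttl), then the TCP segment line.
HDR = re.compile(r"^\s*(\d\d):(\d\d):(\d\d)\.(\d{6}) .*?ttl (\d+),")
SEG = re.compile(r"^\s*(\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]+)\],"
                 r".*?seq (\d+)(?:, ack (\d+))?")

# Constructed sample, not taken from the thread; addresses are documentation ranges.
SAMPLE = """\
16:06:19.831390 IP (tos 0x0, ttl 111, id 1, flags [DF], proto TCP (6), length 52)
    198.51.100.7.37803 > 203.0.113.10.85: Flags [S], seq 2611248001, win 64240, length 0
16:06:19.831654 IP (tos 0x0, ttl 63, id 2, flags [DF], proto TCP (6), length 40)
    203.0.113.10.85 > 198.51.100.7.37803: Flags [R.], seq 0, ack 2611248002, win 0, length 0
16:06:20.000000 IP (tos 0x0, ttl 111, id 3, flags [DF], proto TCP (6), length 52)
    198.51.100.7.40000 > 203.0.113.10.443: Flags [S], seq 500, win 64240, length 0
16:06:20.000900 IP (tos 0x0, ttl 63, id 4, flags [DF], proto TCP (6), length 52)
    203.0.113.10.443 > 198.51.100.7.40000: Flags [S.], seq 9000, ack 501, win 65535, length 0
16:06:21.000000 IP (tos 0x0, ttl 111, id 5, flags [DF], proto TCP (6), length 52)
    198.51.100.7.40001 > 203.0.113.10.8080: Flags [S], seq 700, win 64240, length 0
"""

def classify_syns(text):
    """Pair each SYN with the segment that acks it: reset, accepted or unanswered."""
    pending, results, now, ttl = {}, [], 0, None
    for line in text.splitlines():
        h = HDR.match(line)
        if h:  # remember time (microseconds since midnight) and TTL for the next segment
            hh, mm, ss, us, ttl = map(int, h.groups())
            now = ((hh * 60 + mm) * 60 + ss) * 1_000_000 + us
            continue
        s = SEG.match(line)
        if not s:
            continue
        src, sport, dst, dport, flags, seq, ack = s.groups()
        key = (dst, dport, src, sport)  # the SYN this segment would be answering
        if flags == "S":  # bare SYN opens a flow
            pending[(src, sport, dst, dport)] = (int(seq), now)
        elif key in pending and ack and int(ack) == pending[key][0] + 1:
            sent = pending.pop(key)[1]
            verdict = "reset" if "R" in flags else "accepted" if flags == "S." else "other"
            results.append({"flow": f"{dst}:{dport} > {src}:{sport}", "verdict": verdict,
                            "delay_us": now - sent, "reply_ttl": ttl})
    for c, cp, srv, sp in pending:  # SYNs with no reply seen at this capture point
        results.append({"flow": f"{c}:{cp} > {srv}:{sp}", "verdict": "unanswered",
                        "delay_us": None, "reply_ttl": None})
    return results
```

The same regular expressions accept the masked `xx.xx.xx.xx` addresses and the `-e` link-layer prefix used in the capture posted above.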

        • viragomann, replying to @systemadmin

          @systemadmin said in Not able Access OPT1 through NAT:

          OPT1 (192.168.55.26) has a DHCP IP, which it gets from another Sonicwall firewall.
          We want to give NAT access to the machine which has an IP from the Sonicwall firewall.

          That reads like the devices on the OPT1 network are using the Sonicwall as default gateway. So you will get an asymmetric routing issue unless you configure the devices to use pfSense, or do NAT on outbound packets on OPT1, or route the traffic meant for those devices over the Sonicwall.

          @systemadmin said in Not able Access OPT1 through NAT:

          Please find the packet capture for the NAT rule that is not working:

          Can't find any IP address in the capture, so it says nothing about NAT.
          🙄

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.