Not able Access OPT1 through NAT
  • HI Team,

    We are using a pfSense firewall with 3 interfaces: WAN, LAN and OPT1.
    WAN (static IP) is directly connected to the ISP switch.
    LAN (192.168.25.100)
    OPT1 (192.168.55.26) has a DHCP IP, which it gets from another Sonicwall firewall.

    We want to give NAT access to the machine that has an IP from the Sonicwall firewall.

    When we access the LAN IP using NAT it works fine, but not in OPT.

    Please find the packet capture for the NAT rule that is not working:

    16:06:19.831390 00:26:88:cd:e3:93 > 00:0c:29:b9:ca:5d, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 111, id 27853, offset 0, flags [DF], proto TCP (6), length 52)
        xx.xx.xx.xx.37803 > yy.yy.yy.yy.85: Flags [S], cksum 0x2cfa (correct), seq 2611248001, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    16:06:19.831654 00:0c:29:b9:ca:5d > 00:26:88:cd:e3:93, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 63, id 17105, offset 0, flags [DF], proto TCP (6), length 40)
        yy.yy.yy.yy.85 > xx.xx.xx.xx.37803: Flags [R.], cksum 0x68aa (correct), seq 0, ack 2611248002, win 0, length 0
    16:06:19.835850 00:26:88:cd:e3:93 > 00:0c:29:b9:ca:5d, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 111, id 27854, offset 0, flags [DF], proto TCP (6), length 52)
        xx.xx.xx.xx.21098 > yy.yy.yy.yy.85: Flags [S], cksum 0x276a (correct), seq 2809509505, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    16:06:19.836006 00:0c:29:b9:ca:5d > 00:26:88:cd:e3:93, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 63, id 17106, offset 0, flags [DF], proto TCP (6), length 40)
        yy.yy.yy.yy.85 > xx.xx.xx.xx.21098: Flags [R.], cksum 0x631a (correct), seq 0, ack 2809509506, win 0, length 0
    16:06:20.099150 00:26:88:cd:e3:93 > 00:0c:29:b9:ca:5d, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 112, id 27855, offset 0, flags [DF], proto TCP (6), length 52)
        xx.xx.xx.xx.52829 > yy.yy.yy.yy.85: Flags [S], cksum 0xf30a (correct), seq 4063437871, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    16:06:20.099379 00:0c:29:b9:ca:5d > 00:26:88:cd:e3:93, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 63, id 17155, offset 0, flags [DF], proto TCP (6), length 40)
        yy.yy.yy.yy.85 > xx.xx.xx.xx.52829: Flags [R.], cksum 0x2ebb (correct), seq 0, ack 4063437872, win 0, length 0
    16:06:20.590562 00:26:88:cd:e3:93 > 00:0c:29:b9:ca:5d, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 111, id 27858, offset 0, flags [DF], proto TCP (6), length 52)
        xx.xx.xx.xx.53144 > yy.yy.yy.yy.85: Flags [S], cksum 0xf10c (correct), seq 2611248001, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    16:06:20.590785 00:0c:29:b9:ca:5d > 00:26:88:cd:e3:93, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 63, id 17246, offset 0, flags [DF], proto TCP (6), length 40)
        yy.yy.yy.yy.85 > xx.xx.xx.xx.53144: Flags [R.], cksum 0x2cbd (correct), seq 0, ack 2611248002, win 0, length 0
    16:06:20.597721 00:26:88:cd:e3:93 > 00:0c:29:b9:ca:5d, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 112, id 27857, offset 0, flags [DF], proto TCP (6), length 52)
        xx.xx.xx.xx.25483 > yy.yy.yy.yy.85: Flags [S], cksum 0x1649 (correct), seq 2809509505, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    16:06:20.597829 00:0c:29:b9:ca:5d > 00:26:88:cd:e3:93, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 63, id 17248, offset 0, flags [DF], proto TCP (6), length 40)
        yy.yy.yy.yy.85 > xx.xx.xx.xx.25483: Flags [R.], cksum 0x51f9 (correct), seq 0, ack 2809509506, win 0, length 0
    16:06:20.862104 00:26:88:cd:e3:93 > 00:0c:29:b9:ca:5d, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 112, id 27860, offset 0, flags [DF], proto TCP (6), length 52)
        xx.xx.xx.xx.50741 > yy.yy.yy.yy.85: Flags [S], cksum 0xfb32 (correct), seq 4063437871, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    16:06:20.862358 00:0c:29:b9:ca:5d > 00:26:88:cd:e3:93, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 63, id 17305, offset 0, flags [DF], proto TCP (6), length 40)
        yy.yy.yy.yy.85 > xx.xx.xx.xx.50741: Flags [R.], cksum 0x36e3 (correct), seq 0, ack 4063437872, win 0, length 0
    16:06:21.340703 00:26:88:cd:e3:93 > 00:0c:29:b9:ca:5d, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 111, id 27862, offset 0, flags [DF], proto TCP (6), length 52)
        xx.xx.xx.xx.10938 > yy.yy.yy.yy.85: Flags [S], cksum 0x95eb (correct), seq 2611248001, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    16:06:21.340916 00:0c:29:b9:ca:5d > 00:26:88:cd:e3:93, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 63, id 17353, offset 0, flags [DF], proto TCP (6), length 40)
        yy.yy.yy.yy.85 > xx.xx.xx.xx.10938: Flags [R.], cksum 0xd19b (correct), seq 0, ack 2611248002, win 0, length 0
    16:06:21.358488 00:26:88:cd:e3:93 > 00:0c:29:b9:ca:5d, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 111, id 27863, offset 0, flags [DF], proto TCP (6), length 52)
        xx.xx.xx.xx.25347 > yy.yy.yy.yy.85: Flags [S], cksum 0x16d1 (correct), seq 2809509505, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    16:06:21.358608 00:0c:29:b9:ca:5d > 00:26:88:cd:e3:93, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 63, id 17356, offset 0, flags [DF], proto TCP (6), length 40)
        yy.yy.yy.yy.85 > xx.xx.xx.xx.25347: Flags [R.], cksum 0x5281 (correct), seq 0, ack 2809509506, win 0, length 0
    16:06:21.621818 00:26:88:cd:e3:93 > 00:0c:29:b9:ca:5d, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 111, id 27864, offset 0, flags [DF], proto TCP (6), length 52)
        xx.xx.xx.xx.50590 > yy.yy.yy.yy.85: Flags [S], cksum 0xfbc9 (correct), seq 4063437871, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    16:06:21.622021 00:0c:29:b9:ca:5d > 00:26:88:cd:e3:93, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 63, id 17371, offset 0, flags [DF], proto TCP (6), length 40)
        yy.yy.yy.yy.85 > xx.xx.xx.xx.50590: Flags [R.], cksum 0x377a (correct), seq 0, ack 4063437872, win 0, length 0
    16:06:21.875967 00:26:88:cd:e3:93 > 00:0c:29:b9:ca:5d, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 112, id 27865, offset 0, flags [DF], proto TCP (6), length 52)
        xx.xx.xx.xx.44348 > yy.yy.yy.yy.85: Flags [S], cksum 0xdf86 (correct), seq 2112081188, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    16:06:21.876200 00:0c:29:b9:ca:5d > 00:26:88:cd:e3:93, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 63, id 17433, offset 0, flags [DF], proto TCP (6), length 40)
        yy.yy.yy.yy.85 > xx.xx.xx.xx.44348: Flags [R.], cksum 0x1b37 (correct), seq 0, ack 2112081189, win 0, length 0
    16:06:22.123792 00:26:88:cd:e3:93 > 00:0c:29:b9:ca:5d, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 111, id 27866, offset 0, flags [DF], proto TCP (6), length 52)
        xx.xx.xx.xx.41189 > yy.yy.yy.yy.85: Flags [S], cksum 0xcf7b (correct), seq 3896803109, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    16:06:22.123982 00:0c:29:b9:ca:5d > 00:26:88:cd:e3:93, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 63, id 17459, offset 0, flags [DF], proto TCP (6), length 40)
        yy.yy.yy.yy.85 > xx.xx.xx.xx.41189: Flags [R.], cksum 0x0b2c (correct), seq 0, ack 3896803110, win 0, length 0
    16:06:22.639659 00:26:88:cd:e3:93 > 00:0c:29:b9:ca:5d, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 111, id 27867, offset 0, flags [DF], proto TCP (6), length 52)
        xx.xx.xx.xx.27545 > yy.yy.yy.yy.85: Flags [S], cksum 0x212a (correct), seq 2112081188, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    16:06:22.639907 00:0c:29:b9:ca:5d > 00:26:88:cd:e3:93, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 63, id 17502, offset 0, flags [DF], proto TCP (6), length 40)
        yy.yy.yy.yy.85 > xx.xx.xx.xx.27545: Flags [R.], cksum 0x5cda (correct), seq 0, ack 2112081189, win 0, length 0
    16:06:22.892597 00:26:88:cd:e3:93 > 00:0c:29:b9:ca:5d, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 112, id 27869, offset 0, flags [DF], proto TCP (6), length 52)
        xx.xx.xx.xx.35571 > yy.yy.yy.yy.85: Flags [S], cksum 0xe56d (correct), seq 3896803109, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    16:06:22.892802 00:0c:29:b9:ca:5d > 00:26:88:cd:e3:93, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 63, id 17557, offset 0, flags [DF], proto TCP (6), length 40)
        yy.yy.yy.yy.85 > xx.xx.xx.xx.35571: Flags [R.], cksum 0x211e (correct), seq 0, ack 3896803110, win 0, length 0
    16:06:23.387427 00:26:88:cd:e3:93 > 00:0c:29:b9:ca:5d, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 111, id 27872, offset 0, flags [DF], proto TCP (6), length 52)
        xx.xx.xx.xx.9446 > yy.yy.yy.yy.85: Flags [S], cksum 0x67dd (correct), seq 2112081188, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    16:06:23.387672 00:0c:29:b9:ca:5d > 00:26:88:cd:e3:93, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 63, id 17625, offset 0, flags [DF], proto TCP (6), length 40)
        yy.yy.yy.yy.85 > xx.xx.xx.xx.9446: Flags [R.], cksum 0xa38d (correct), seq 0, ack 2112081189, win 0, length 0
    16:06:23.654548 00:26:88:cd:e3:93 > 00:0c:29:b9:ca:5d, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 111, id 27874, offset 0, flags [DF], proto TCP (6), length 52)
        xx.xx.xx.xx.17358 > yy.yy.yy.yy.85: Flags [S], cksum 0x2c93 (correct), seq 3896803109, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    16:06:23.654786 00:0c:29:b9:ca:5d > 00:26:88:cd:e3:93, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 63, id 17662, offset 0, flags [DF], proto TCP (6), length 40)
        yy.yy.yy.yy.85 > xx.xx.xx.xx.17358: Flags [R.], cksum 0x6843 (correct), seq 0, ack 3896803110, win 0, length 0
    Thanks

    Raghul


  • LAYER 8 Global Moderator

    It's a bit unclear what is what there, since you're blocking out the RFC1918 address and the full address?

    But it looks like the dest is sending back RST!!!

    Here

        xx.xx.xx.xx.41189 > yy.yy.yy.yy.85: Flags [S]
        yy.yy.yy.yy.85 > xx.xx.xx.xx.41189: Flags [R.]
    

    SYN sent, and RST sent back - in layman's terms = F off ;)



  • @systemadmin said in Not able Access OPT1 through NAT:

    OPT1 (192.168.55.26) has a DHCP IP, which it gets from another Sonicwall firewall.
    We want to give NAT access to the machine that has an IP from the Sonicwall firewall.

    That reads like the devices on the OPT1 network are using the Sonicwall as their default gateway. So you will get an asymmetric routing issue unless you configure the devices to use pfSense, do NAT on outbound packets on OPT1, or route the traffic meant for those devices over the Sonicwall.

    @systemadmin said in Not able Access OPT1 through NAT:

    Please find the packet capture for the NAT rule that is not working:

    Can't find any IP address in the capture, so it says nothing about NAT.
    🙄
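The triage the two replies above do by eye (pair each SYN with the reply on the same 4-tuple, note that an RST with ack = SYN seq + 1 is a deliberate refusal, and read the reply TTL as a hint about how many routers sit between the capture point and whatever answered) can be scripted. The code below is an added example, not something from the thread; it parses the two-line `tcpdump -e -vv` layout shown in the capture, and the sample lines are constructed with RFC 5737 documentation addresses rather than the poster's hosts.

```python
import re

# Constructed sample in the same two-line tcpdump -e -vv layout as the thread's
# capture; 198.51.100.x / 203.0.113.x are documentation ranges, not real hosts.
SAMPLE = """\
16:06:19.831390 00:26:88:cd:e3:93 > 00:0c:29:b9:ca:5d, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 111, id 27853, offset 0, flags [DF], proto TCP (6), length 52)
    198.51.100.7.37803 > 203.0.113.9.85: Flags [S], cksum 0x2cfa (correct), seq 2611248001, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
16:06:19.831654 00:0c:29:b9:ca:5d > 00:26:88:cd:e3:93, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 63, id 17105, offset 0, flags [DF], proto TCP (6), length 40)
    203.0.113.9.85 > 198.51.100.7.37803: Flags [R.], cksum 0x68aa (correct), seq 0, ack 2611248002, win 0, length 0
16:06:20.099150 00:26:88:cd:e3:93 > 00:0c:29:b9:ca:5d, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 112, id 27855, offset 0, flags [DF], proto TCP (6), length 52)
    198.51.100.7.52829 > 203.0.113.9.85: Flags [S], cksum 0xf30a (correct), seq 4063437871, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
16:06:20.099379 00:0c:29:b9:ca:5d > 00:26:88:cd:e3:93, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 63, id 17155, offset 0, flags [DF], proto TCP (6), length 52)
    203.0.113.9.85 > 198.51.100.7.52829: Flags [S.], cksum 0x2ebb (correct), seq 90210, ack 4063437872, win 65535, options [mss 1460,nop,wscale 7,sackOK,eol], length 0
16:06:21.340703 00:26:88:cd:e3:93 > 00:0c:29:b9:ca:5d, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 111, id 27862, offset 0, flags [DF], proto TCP (6), length 52)
    198.51.100.7.10938 > 203.0.113.9.85: Flags [S], cksum 0x95eb (correct), seq 2611248001, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
"""

# Line 1 of each packet carries the IP header (we only need the TTL);
# line 2 carries addresses, ports, TCP flags, seq and (optionally) ack.
HDR = re.compile(r"^\d\d:\d\d:\d\d\.\d+ .*?\bttl (\d+)\b")
TCP = re.compile(r"^\s+(\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\].*?\bseq (\d+)(?:, ack (\d+))?")

def classify_handshakes(dump):
    """Pair every bare SYN with the first reply on its 4-tuple and label it."""
    attempts = {}          # (client, cport, server, sport) -> result dict
    ttl = None
    for line in dump.splitlines():
        h = HDR.match(line)
        if h:
            ttl = int(h.group(1))   # remember TTL for the TCP line that follows
            continue
        m = TCP.match(line)
        if not m:
            continue
        src, sport, dst, dport, flags, seq, ack = m.groups()
        if flags == "S":           # bare SYN: a new connection attempt
            attempts[(src, int(sport), dst, int(dport))] = {
                "syn_seq": int(seq), "verdict": "no-reply", "reply_ttl": None, "ack_ok": None}
            continue
        a = attempts.get((dst, int(dport), src, int(sport)))   # reverse direction
        if a is None or a["verdict"] != "no-reply":
            continue
        a["reply_ttl"] = ttl       # e.g. 63 = a 64-TTL host one router hop away (heuristic)
        a["ack_ok"] = ack is not None and int(ack) == a["syn_seq"] + 1  # answers *this* SYN
        if "R" in flags:
            a["verdict"] = "refused"   # RST: closed port, or a device in the path resetting
        elif "S" in flags and "." in flags:
            a["verdict"] = "open"      # SYN-ACK: the handshake is proceeding
    return attempts
```

A "refused" verdict with `ack_ok` true means something that saw the SYN actively answered it, which is a different problem from a "no-reply" attempt where the NAT or the return route is dropping packets.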

