OPNsense
  • OPNsense Forum »
  • Archive »
  • 17.7 Legacy Series »
  • NAT Outbound Issue
Author Topic: NAT Outbound Issue  (Read 3106 times)

jwtoler

NAT Outbound Issue
« on: September 27, 2017, 09:32:14 pm »
I have 5 public static IPs assigned to me from my ISP. The modem they provide requires each IP to have a unique MAC address, so I created the appropriate Virtual IPs using CARP. My end goal is to have it set up the way it was when I was running pfSense (I wanted to switch and give this a go). With pfSense, I had my LAN (10.0.1.0/24) which had 3 web servers running in the LAN NET. All 3 servers need to have ports 80/443 open, so I assigned the CARP IPs to just one IP address/server in the LAN NET and everything was working after applying the appropriate rules, etc. So I was trying to replicate my setup with OPNsense, and below is a rundown of what I have going on currently:

Server #1 would have a public IP of X.X.X.21 (CARP) and a private IP of 10.0.1.5
Server #2 would have a public IP of X.X.X.22 (CARP) and a private IP of 10.0.1.6
Server #3 would have a public IP of X.X.X.23 (CARP) and a private IP of 10.0.1.7
Everything else on the LAN would have a public IP of X.X.X.20 and a private IP range of 10.0.1.50-10.0.100

With OPNsense... when I try to create the Firewall:NAT:Outbound rule to allow the servers to work correctly, I am unable to set the source as a single host. I enter 10.0.1.5/24 and when I hit save it ends up changing the source to 10.0.1.0/24, which of course makes my whole LAN have the same public IP X.X.X.21 instead of the server having X.X.X.21 and everything else having X.X.X.20.
« Last Edit: September 27, 2017, 09:48:02 pm by jwtoler »
franco

Re: NAT Outbound Issue - potential bug
« Reply #1 on: September 27, 2017, 09:38:16 pm »
10.0.1.5/32 does not work?


Cheers,
Franco
jwtoler

Re: NAT Outbound Issue - potential bug
« Reply #2 on: September 27, 2017, 09:42:36 pm »
Quote from: franco on September 27, 2017, 09:38:16 pm
10.0.1.5/32 does not work?


Cheers,
Franco

And this is where I feel stupid... yes, it caused it to stay the way it should be. The whole subnet thing still confuses me a little; can you maybe explain why /32 works?

The public IPs have a /29 subnet and so do the virtual IPs... the LAN has /24.... why does /32 work with the outbound rules?

franco

Re: NAT Outbound Issue
« Reply #3 on: September 28, 2017, 03:31:03 pm »
You can NAT whole networks, so when you type /24 it selects that whole network, regardless of your IP specification. OpenVPN is really more harsh and correct about enforcement: when you type "10.0.0.1/8" it will error and say this doesn't work, because you really meant "10.0.0.0/8" or "10.0.0.1/32", but not both...

/32 means no network -- a full single address (all 32 bits of the address are valid). /29 may also work, but not knowing your network, /32 is probably the safest thing to start with.


Cheers,
Franco
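The behaviour described in this thread (a host address with a /24 mask being widened to the whole network, versus /32 pinning a single host) can be reproduced with Python's `ipaddress` module. The following is an added example, not code from the thread or from OPNsense; the rule table is constructed from the poster's setup, with the documentation range 203.0.113.0/24 standing in for the X.X.X public addresses, and rules are matched first-match top to bottom as outbound NAT rules are.

```python
import ipaddress

# Constructed outbound NAT tables: (source spec as typed in the GUI, translated public address).
# RULES_LOOSE is the mistake from the thread: 10.0.1.5/24 is really the whole LAN.
RULES_LOOSE = [("10.0.1.5/24", "203.0.113.21"), ("10.0.1.0/24", "203.0.113.20")]
# RULES_FIXED uses /32 host rules before the catch-all LAN rule.
RULES_FIXED = [
    ("10.0.1.5/32", "203.0.113.21"),
    ("10.0.1.6/32", "203.0.113.22"),
    ("10.0.1.7/32", "203.0.113.23"),
    ("10.0.1.0/24", "203.0.113.20"),
]


def normalize_source(spec):
    """Return (network, host_bits_set).

    strict=False mirrors the GUI: host bits are dropped and 10.0.1.5/24 becomes 10.0.1.0/24.
    strict=True mirrors the OpenVPN-style check Franco mentions: it refuses the same input.
    """
    widened = ipaddress.ip_network(spec, strict=False)
    try:
        ipaddress.ip_network(spec, strict=True)
        host_bits_set = False
    except ValueError:
        host_bits_set = True
    return widened, host_bits_set


def widened_sources(rules):
    """List the source specs that the GUI would silently widen to their network."""
    return [spec for spec, _ in rules if normalize_source(spec)[1]]


def translated_address(rules, src):
    """Public address a packet from src would leave with, first matching rule wins."""
    addr = ipaddress.ip_address(src)
    for spec, public in rules:
        network, _ = normalize_source(spec)
        if addr in network:
            return public
    return None  # no rule matched: no translation


if __name__ == "__main__":
    print(widened_sources(RULES_LOOSE))               # ['10.0.1.5/24']
    for host in ("10.0.1.5", "10.0.1.6", "10.0.1.60"):
        print(host, translated_address(RULES_LOOSE, host), translated_address(RULES_FIXED, host))
```

Running it shows every LAN host leaving as 203.0.113.21 under the loose table, while the fixed table gives each server its own CARP address and everything else 203.0.113.20.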

OPNsense is an OSS project © Deciso B.V. 2015 - 2023 All rights reserved