OPNsense Forum

English Forums => General Discussion => Topic started by: vintschi on April 03, 2020, 08:04:51 PM

Title: Can opnsense do "Full cone NAT" ?
Post by: vintschi on April 03, 2020, 08:04:51 PM
Hello OPNsense guys!

I want to switch to OPNsense, so I set up an OPNsense firewall. Looks very promising!
In any case, I test whether OPNsense covers all functions that I want to use.
I couldn't find information in the configuration nor in the documentation about Full cone NAT.

Can OPNsense do Full cone NAT? https://en.wikipedia.org/wiki/Network_address_translation#Methods_of_translation
Title: Re: Can opnsense do "Full cone NAT" ?
Post by: phoenix on April 03, 2020, 08:20:09 PM
Yes, it can, the documentation is always a good place to start: https://docs.opnsense.org/manual/nat.html#one-to-one
Title: Re: Can opnsense do "Full cone NAT" ?
Post by: vintschi on April 03, 2020, 11:23:59 PM
Thanks for your quick reply phoenix. Please do not confuse a Full NAT with a 1:1 NAT. Those are different things.

1:1 NAT (whole networks): Maps IP addresses of a network to another network one-to-one. The rule applies either for the source or for the destination address of the defined IP packets.

Full NAT (source + destination): Maps both the source address and the destination address of defined IP packets to one new source and one new destination address. The source service and the target service can be changed, too.
Title: Re: Can opnsense do "Full cone NAT" ?
Post by: vintschi on April 04, 2020, 12:50:44 AM
Maybe it's easier to understand what I mean if I explain the scenario. Given is the following network.


      WAN / Internet
(Public IPv4 Range routed to this WAN  IP)
            :
            :
            :
      .-----+-----.
      |  Gateway  | 
      '-----+-----'
            |
        WAN |
            |
      .-----+------. DMZ-EXT       
      |            +-------------------------.
      |  OPNsense  | 172.16.2.1/28           | 172.16.2.2
      |            |                 .-------+-------.
      |            |                 | Reverse Proxy |
      |            |                 '-------+-------'
      |            | DMZ-INT                 | 172.16.1.2
      |            +-------------------------'
      |            | 172.16.1.1/28
      |            |
      |            |
      |            |  LAN-SERVERS    .---------------.
      |            +-----------------+ Web Server    | 10.0.4.2
      |            |  10.0.4.1/24    '---------------'
      '-----+------'
            |
        LAN | 10.0.3.1/24
    CLIENTS |
      .-----+------.
      | LAN-Switch |
      '-----+------'
            |
    ...-----+------...


For the routed public IP addresses that point to the reverse proxy, a port forwarding will be configured on OPNsense. The webserver traffic reaches the reverse proxy first. The reverse proxy is configured so that packets addressed to public IPs go only over the DMZ-EXT network to the internet and packets addressed to the CIDR range go only over the DMZ-INT network.

Users need to access Web Servers from public (Internet) and from the internal network LAN Clients. Accessing the webserver directly is not an option. Only public DNS resolvers are used on the users' computers; this means a user located on the LAN Client network needs to have the ability to connect to one of the routed public IP addresses.

To achieve this, a Full NAT is needed. The config on the actual system (Sophos) looks something like this:
All traffic that matches source "LAN client network" with destination "public IP of reverse proxy" needs to change the source to "WAN IP" and needs to change the destination to "DMZ-EXT IP Reverse Proxy".


Is something like this possible to configure in OPNsense?
At least I did not get any configuration to work like this.
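In pf terms (the packet filter OPNsense runs on), the source + destination translation described in this post can be written as one rdr rule and one nat rule. This is an added illustration, not the poster's Sophos config and not a ruleset generated by OPNsense; the interface names, the WAN address and the public address of the reverse proxy are assumptions (RFC 5737 documentation addresses as placeholders), while the 10.0.3.0/24 and 172.16.2.2 values come from the diagram above.

```pf
# Added example (FreeBSD pf syntax), not from the original post.
lan_if    = "igb0"          # assumed: interface facing LAN CLIENTS
dmzext_if = "igb1"          # assumed: interface facing DMZ-EXT
lan_net   = "10.0.3.0/24"   # LAN CLIENTS network, from the diagram
rp_ext    = "172.16.2.2"    # reverse proxy address on DMZ-EXT, from the diagram
wan_ip    = "203.0.113.1"   # placeholder: OPNsense's WAN address
public_rp = "203.0.113.10"  # placeholder: routed public address of the reverse proxy

# Destination rewrite: a LAN client that resolves the public name and connects
# to $public_rp is redirected to the proxy's DMZ-EXT address on the same port.
rdr on $lan_if proto tcp from $lan_net to $public_rp port { 80, 443 } -> $rp_ext

# Source rewrite: when the redirected packet leaves on DMZ-EXT its source becomes
# the WAN address, so the proxy answers towards the firewall (its DMZ-EXT gateway
# 172.16.2.1) instead of trying to reach 10.0.3.0/24 directly.
nat on $dmzext_if proto tcp from $lan_net to $rp_ext port { 80, 443 } -> $wan_ip

# Translation does not imply permission: pf applies rdr before filtering, so the
# pass rule must match the already rewritten destination.
pass in quick on $lan_if proto tcp from $lan_net to $rp_ext port { 80, 443 } keep state
```

The pf state table reverses both translations on the reply path, so the client sees the answer coming from $public_rp and the proxy only ever sees a peer on the WAN address.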