OPNsense Forum

Archive => 21.1 Legacy Series => Topic started by: sgbran on April 13, 2021, 02:32:01 PM

Title: Initial setup / multiple dedicated IPs
Post by: sgbran on April 13, 2021, 02:32:01 PM
Good morning, I'm hoping someone can tell me the best way to do what I'm doing. Most of my work with OPNsense so far has been experimental; I'm trying to learn how to do all of the things. I have a full rack in a datacenter with a 10g copper drop. I have the 10g drop coming into my OPNsense machine and then my Cisco switch is connected on another interface. I have a /28 of allocated IPv4 space. Is it possible for me to have a machine connected to the switch utilize one of the dedicated internet facing IPs? I may have a misunderstanding of how 1:1 NAT works, but I am currently under the assumption I have to assign a local IP on a machine like 192.xxx and then a virtual IP on the OPNsense machine. I want the individual utilizing this machine to be able to have the dedicated IP information in their /etc/network/interfaces file and not have a "LAN" IP there. Please advise if you would be so kind, thanks!

If having a switch in front of OPNsense with the drop, and them plugged into that switch is the only way, then I understand, but I wanted the option of filtering the traffic for things like country blocks etc...
Title: Re: Initial setup / multiple dedicated IPs
Post by: marjohn56 on April 13, 2021, 02:55:30 PM
Yes, add the WAN IP as a virtual IP and then add a 1:1 NAT to the internal machine, that's how my mail gateway and web servers work. Don't forget to add the rules!
Title: Re: Initial setup / multiple dedicated IPs
Post by: sgbran on April 13, 2021, 03:34:11 PM
So you're saying with the 1:1 NAT, I should be able to set the static interface IP on the machine itself as the dedicated internet facing IP, and not have to use a 192.xxx type IP?  I had read I may need another interface dedicated to that /28 to handle that traffic.  If so, can that be virtual or does that have to be a third physical interface?  If it can be virtual, do VLANs need to be involved?
Title: Re: Initial setup / multiple dedicated IPs
Post by: marjohn56 on April 13, 2021, 04:48:48 PM
No, it's NAT "To" the internal machine. i.e. server resides at 10.4.12.30


Like this:
(https://i.ibb.co/bzxhvvC/nat.png)


You need to add the virtual IP of the WAN address you want natted.


(https://i.ibb.co/zHcxPKC/Virtual-IP.png)
Ignore the gateway and virtual IP password, that's my browser doing odd things and pasting them in!
Title: Re: Initial setup / multiple dedicated IPs
Post by: sgbran on April 13, 2021, 04:57:30 PM
Yeah but that's assigning a private IP to the host machine.  I want the host machine to use the public IP locally.  It's for game servers, so it's important it knows that it's a public machine and not a private one.  But I'd like to be able to filter the traffic too in the firewall.
Title: Re: Initial setup / multiple dedicated IPs
Post by: marjohn56 on April 13, 2021, 04:59:57 PM
Well you might be able to, but I can't help you with that. The normal way is to NAT.
Title: Re: Initial setup / multiple dedicated IPs
Post by: sgbran on April 13, 2021, 05:09:26 PM
I have it functioning with a transparent bridge presently, but it complicates things to say the least.
Title: Re: Initial setup / multiple dedicated IPs
Post by: Maurice on April 13, 2021, 06:38:14 PM
This can be done without NAT and without having to fall back on a transparent filtering bridge, but the exact configuration depends on the configuration of the upstream router. Do you have a dedicated WAN address which the /28 is routed to? Or does the upstream router expect the /28 to be on-link? And is the upstream router's IP address within the /28?

Cheers

Maurice