Hello. I created a Virtual IP (WAN) and created 1:1 NAT. And then created WAN rules to connect the server from outside. I can connect the server from outside, but when I check the public IP in the server, it shows the main IP address, not Virtual Wan IP. What am I missing to do? Outbound NAT is automatic. As far as I know if you use 1:1 NAT, you don't need to create Outbound NAT rule again.
There is no need to create a virtual IP for 1:1 NAT. This works for me:
Firewall, NAT, One-to-One.
Set External network to a single public IP from your external range
Set Source to single host or network and enter the internal IP of your server with /32
Give it a meaningful description and save
Leave WAN, BINAT and everything else as default. Your firewall rules won't need to change since they have the internal IP as destination.
Bart...
Hi
@elvinmammadov could you show what Firewall rule you use for the WAN interface?
@bartjsmit I followed a description from the book OPNSense Praktiker by Markus Stubbing. There is an example as described by elvinmammadov with a virtual IP on the WAN interface. The description is similar to the pfsense guide: https://docs.netgate.com/pfsense/en/latest/nat/1-1.html
I followed those steps, and used the /32 suffix, as you described.
When accessing the virtual IP 172.17.1.15:8006 from the host 172.17.1.23 I am getting the following Firewall log entry:
wan Dec 31 12:22:03 172.17.1.23:36562 10.1.1.2:8006 tcp Default deny rule
That is similar to what elvinmammadov describes: the access happens in the name of the host, not the virtual IP.
What I don't understand: Bart said I need no Firewall rule, but the default rule seems to deny the access. On the other hand, my added Firewall rule on the WAN interface for 172.17.1.15 to 10.1.1.2 does not apply. There are only 5 automatic rules on the WAN interface and I am not sure where the default deny rule comes from, as it is not part of the automatic rules there?
Did they change the way 1:1 NAT works in terms of firewall rules?
I am running OPNsense 21.7.7
Thanks for your help.
Regards,
Günter
Hi Günter,
Quote from: dsp4711 on December 31, 2021, 01:04:21 PM
Bart said I need no Firewall rule
Not quite; you don't need to change your firewall rule for 1:1 NAT. You will need a rule to allow the protocol/port that your service listens on, but its destination is the internal IP of the server. I.e. the rule is applied after the NAT.
Simple example:
1:1 NAT on WAN, external IP 123.456.789.101, internal IP 10.0.0.1
firewall rule on WAN, IPv4 TCP, destination 10.0.0.1, port 443, rest *
This will forward https to the internal IP.
Bart...
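As an added illustration (not from the thread and not OPNsense's own code), the Python model below shows the point Bart makes and the log entry Günter posted: a pf-based firewall applies the 1:1 (binat) translation before the filter rules are evaluated, so a WAN rule that names the virtual IP never matches while one naming the internal host does. The addresses, ports and rule names are constructed from the values quoted in the thread.

```python
from dataclasses import dataclass, replace

@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str

# Constructed 1:1 mapping: virtual (external) WAN IP -> internal host.
BINAT = {"172.17.1.15": "10.1.1.2"}

def translate_inbound(pkt: Packet) -> Packet:
    """Rewrite the destination when it matches a 1:1 NAT external address."""
    return replace(pkt, dst=BINAT.get(pkt.dst, pkt.dst))

def translate_outbound(pkt: Packet) -> Packet:
    """Same mapping in reverse: an internal source becomes the virtual IP."""
    reverse = {internal: external for external, internal in BINAT.items()}
    return replace(pkt, src=reverse.get(pkt.src, pkt.src))

def evaluate(rules, pkt: Packet) -> str:
    """First-match evaluation; rules are (proto, dst, dport, description) and
    '*' matches anything. Nothing matching falls through to the default deny."""
    for proto, dst, dport, desc in rules:
        if proto in ("*", pkt.proto) and dst in ("*", pkt.dst) and dport in ("*", pkt.dport):
            return desc
    return "Default deny rule"

def inbound_decision(rules, pkt: Packet):
    """Translate first, then filter: the ruleset only ever sees the translated packet."""
    translated = translate_inbound(pkt)
    return translated.dst, evaluate(rules, translated)

# Constructed packet matching the firewall log line from the thread.
PKT = Packet("172.17.1.23", 36562, "172.17.1.15", 8006, "tcp")
RULE_ON_VIRTUAL_IP = [("tcp", "172.17.1.15", 8006, "pass 8006 to virtual IP")]
RULE_ON_INTERNAL_IP = [("tcp", "10.1.1.2", 8006, "pass 8006 to internal host")]

if __name__ == "__main__":
    for rules in (RULE_ON_VIRTUAL_IP, RULE_ON_INTERNAL_IP):
        dst, verdict = inbound_decision(rules, PKT)
        print(f"wan {PKT.src}:{PKT.sport} {dst}:{PKT.dport} {PKT.proto} {verdict}")
    reply = translate_outbound(Packet("10.1.1.2", 8006, "172.17.1.23", 36562, "tcp"))
    print(f"outbound source after binat: {reply.src}")
```

The first printed line reproduces the "Default deny rule" entry from the log, and the reverse translation shows why a working 1:1 NAT should make the server appear as the virtual IP.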
Hello. Thank you for your replies. Yes, in 1:1 NAT we don't need to open ports in NAT; creating rules on WAN is enough and it is working normally. But my question is: I can connect to the server via its Virtual IP from outside, but when I check the Public IP address inside the server, it shows the main host IP address, not the Virtual public IP address. So I would like to know what I am missing.
Quote from: elvinmammadov on January 03, 2022, 12:42:21 PM
I check the Public IP address inside the server, it shows the main host ip address, not Virtual public ip address.
Which method are you using to check the perceived public IP address? https://ifconfig.co ?
I recommend https://test-ipv6.com - it shows you both IPv4 and IPv6, if active.