OpnSense : 23.7.1_3-amd64
Hello
We are migrating our Router/Firewall infrastructure from Sophos UTM 9.7 to OPNsense, and I apologize for addressing the 1:1 NAT topic again although it is a topic with many entries in the forum. Unfortunately I'm stuck in the OPNsense configuration and was not able to get the 1:1 NAT running after hours of configuration attempts and consulting forum entries :-[.
Thus I would be very grateful for any concise advice (step by step) on how a 1:1 NAT configuration with single IPs should be done.
Our network "layout" is the following:
WAN | xxx.yyy.zzz.240/29 public subnet, xxx.yyy.zzz.241 router, xxx.yyy.zzz.242 OPNsense WAN
DMZ | 192.168.5.0/24
LAN | 192.168.1.0/24
On the DMZ subnet we had (on Sophos UTM 9.7), and now want on OPNsense, 1:1 NAT for the following IPs:
WAN | xxx.yyy.zzz.244 -> DMZ | 192.168.5.10/24
WAN | xxx.yyy.zzz.245 -> DMZ | 192.168.5.11/24
Therefore we have on OPNsense the following initial configuration:
interface WAN | IP xxx.yyy.zzz.242/29, gateway autodetect
interface DMZ | IP 192.168.5.1/24, gateway autodetect
interface LAN | 192.168.1.1/24, gateway autodetect
virtual IP | xxx.yyy.zzz.244/32, type alias
virtual IP | xxx.yyy.zzz.245/32, type alias
firewall one-to-one | if WAN, ex IP xxx.yyy.zzz.244/32, in IP 192.168.5.10, dest any, type nat, nat reflection enable
firewall one-to-one | if WAN, ex IP xxx.yyy.zzz.245/32, in IP 192.168.5.11, dest any, type nat, nat reflection enable
firewall outbound | manual rules
firewall outbound | IP4, any, any, LAN address (in order that LAN has Internet access)
firewall advanced settings | NAT 1:1 reflection enabled
We tried different manual firewall rules to enable/allow traffic to/from the 1:1 NATed public addresses (xxx.yyy.zzz.244/32 and xxx.yyy.zzz.245/32) but were not able to access the servers behind those 1:1 NATed addresses (neither from the public nor from the LAN side). Instead we are able to access their DMZ addresses 192.168.5.10 and 192.168.5.11 from LAN.
So it seems that we are missing an important part in the configuration that makes 1:1 NAT work for us. Therefore we would be very grateful for any hint or example configuration on how to make 1:1 NAT with single IPs on a public subnet and DMZ work.
Many thanks and best regards,
André
You have to create Proxy ARP entries for the additional external IP addresses your firewall should respond on.
https://docs.opnsense.org/manual/firewall_vip.html
Edit:
What's also important is that NAT rules match before firewall rules, so the firewall rules have to allow the internal IP addresses on the WAN interface.
Hello
Many thanks for your prompt response and hints. I am sorry to reply only today.
Now our 1:1 NAT configuration on multiple single public IPs is working, in a basic configuration (without special, service-specific, blocking/allowing firewall rules).
I will post our configuration (anonymised) here in the next days in case somebody else needs a step-by-step guide.
best regards
Hello
Here is my configuration, which may help others to set up 1:1 / One-to-One NAT with single IPs for multiple public single IPs.
Here is the basic network layout as mentioned above:
Network-Layout
WAN | xxx.yyy.zzz.240/29 public subnet, xxx.yyy.zzz.241 router, xxx.yyy.zzz.242 OPNsense WAN
DMZ | 192.168.5.0/24
LAN | 192.168.1.0/24
1:1 IP mapping
WAN | xxx.yyy.zzz.244 -> DMZ | 192.168.5.10/24
WAN | xxx.yyy.zzz.245 -> DMZ | 192.168.5.11/24
OPNsense Configuration | Interfaces:
interface WAN | IP xxx.yyy.zzz.242/29, gateway autodetect
interface DMZ | IP 192.168.5.1/24, gateway autodetect
interface LAN | 192.168.1.1/24, gateway autodetect
OPNsense Configuration | Interfaces | Virtual IPs:
interfaces virtual IP | xxx.yyy.zzz.244/32, if: WAN, type: Proxy ARP
interfaces virtual IP | xxx.yyy.zzz.245/32, if: WAN, type: Proxy ARP
OPNsense Configuration | Firewall | One-to-One: (I found that aliases do not work)
firewall one-to-one | if: WAN, ex IP: xxx.yyy.zzz.244/32, in IP - single Host/Network: 192.168.5.10/32, dest: any, type: binat, nat reflection: enable
firewall one-to-one | if: WAN, ex IP: xxx.yyy.zzz.245/32, in IP - single Host/Network: 192.168.5.11/32, dest: any, type: binat, nat reflection: enable
OPNsense Configuration | Firewall | Rules | WAN (Interface):
firewall rules wan | action: Pass, quick: enabled, if: WAN, direction: in, protocol: any, source: any, destination: any, gateway: default
Or if only some specific port ranges should be 1:1 forwarded (again, aliases for the DMZ IP address seem not to work):
firewall rules WAN | action: Pass, quick: enabled, if: WAN, direction: in, protocol: TCP/UDP, source: any, destination - single host network: 192.168.5.10/32, destination port range: 443 (for https), gateway: default
firewall rules WAN | action: Pass, quick: enabled, if: WAN, direction: in, protocol: TCP/UDP, source: any, destination - single host network: 192.168.5.11/32, destination port range: 80 (for http or Alias with multiple ports), gateway: default
For any other protocol types together with a TCP/UDP port range, additional rules have to be added:
firewall rules WAN | action: Pass, quick: enabled, if: WAN, direction: in, protocol: ICMP, source: any, destination - single host network: 192.168.5.10/32, gateway: default
best regards
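The key point of the thread (the reply's "NAT rules match before firewall rules" and the WAN rules above that name the DMZ hosts instead of the public IPs) can be checked with a small model of that order. This is an added example, not from the forum post or from OPNsense itself: it applies the binat translation first, then evaluates quick WAN pass rules, using 203.0.113.0/24 (TEST-NET-3) as a placeholder for the anonymised xxx.yyy.zzz public subnet.

```python
# Added example: models pf's inbound order on OPNsense for 1:1 (binat) NAT.
# Translation happens before filtering, so a WAN pass rule must match the
# internal DMZ address. 203.0.113.244/.245 are placeholders for
# xxx.yyy.zzz.244/.245 from the post (constructed sample values).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "icmp"
    dport: Optional[int] = None

# One-to-One (binat) mappings as in the post: public /32 -> DMZ host
BINAT = {"203.0.113.244": "192.168.5.10", "203.0.113.245": "192.168.5.11"}

# WAN pass rules with "quick": (protocol or "any", destination, port or None)
WAN_RULES = [
    ("tcp", "192.168.5.10/32", 443),   # https to the first DMZ host
    ("tcp", "192.168.5.11/32", 80),    # http to the second DMZ host
    ("icmp", "192.168.5.10/32", None), # ping to the first DMZ host
]


def translate_inbound(pkt: Packet) -> Packet:
    """binat on WAN: rewrite a mapped public destination to its DMZ host."""
    internal = BINAT.get(pkt.dst)
    if internal is None:
        return pkt
    return Packet(pkt.src, internal, pkt.proto, pkt.dport)


def filter_wan(pkt: Packet, rules=WAN_RULES) -> str:
    """First matching quick pass rule wins; OPNsense blocks by default."""
    for proto, net, port in rules:
        if proto != "any" and proto != pkt.proto:
            continue
        if ip_address(pkt.dst) not in ip_network(net):
            continue
        if port is not None and port != pkt.dport:
            continue
        return "pass"
    return "block"


def process_inbound(pkt: Packet, rules=WAN_RULES):
    """WAN inbound path: translate first, filter second."""
    translated = translate_inbound(pkt)
    return translated.dst, filter_wan(translated, rules)
```

Running `process_inbound` with a rule written against the public IP (e.g. `("tcp", "203.0.113.244/32", 443)`) returns "block", which reproduces the symptom from the first post.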