I tried to configure a virtual IP /29 on OPNsense 2.7,
but only the WAN IP seems to work; all the other IPs are not functioning.
I want to assign one IP to a webserver with a port forward to a LAN IP, ports 80/443, but was not successful.
Can anybody lead me towards the right steps?
Thx
How did you detect this? On inbound or outbound?
If you cannot reach your webserver from outside, sniff the traffic on WAN to check whether the packets even arrive.
Thx for the reply,
I parked the /29 IPs in Virtual IPs and tried to port forward ports 80/443 to an internal server, but when checking the ports, they are still closed.
It would help if you showed your virtual IP configuration and your port forwarding rules ;)
As mentioned, sniff the traffic on WAN while you try to access the IP, and you will instantly know whether it even works on the outside and can go further.
Hi Patrick, thx for the reply. But I don't know how to show the virtual IP configuration and port forwarding rules. I can take snaps but can't find another way to get them. The rules were auto-generated by NAT.
Quote from: viragomann on September 27, 2024, 10:50:24 AM
As mentioned, sniff the traffic on WAN while you try to access the IP, and you will instantly know whether it even works on the outside and can go further.
Thx a lot, but how do I sniff the WAN traffic?
Quote from: unicomaz on September 28, 2024, 02:23:22 AM
Thx a lot, but how do I sniff the WAN traffic?
Interfaces > Diagnostics > Packet Capture
Select the WAN, state the source IP if you know it and the destination port, start the capture and try to access from outside. Then display the result.
Quote from: unicomaz on September 28, 2024, 02:22:03 AM
Hi Patrick, thx for the reply. But I don't know how to show the virtual IP configuration and port forwarding rules. I can take snaps but can't find another way to get them. The rules were auto-generated by NAT.
You created the individual addresses of your /29 on WAN as virtual IPs, didn't you? Well, if you did not, that explains why it's not working ;) Look into Interfaces > Virtual IPs.
If you did, there might be something wrong with it, so just post a screenshot, please.
The NAT rules are supposed to go in Firewall > NAT > Port Forward. Again, these are of course necessary, so you did create them, right? Same as with the virtual IPs: something's wrong, so screenshots, please.
How are we supposed to tell what's wrong with your setup if you don't show us the actual setup?
I did enter each IP address in Virtual IPs:

Address         Interface  Type      Description
xx.xx.xx.65/29  WAN        IP Alias  Firewall
xx.xx.xx.66/29  WAN        IP Alias  Webserver
xx.xx.xx.67/29  WAN        IP Alias  Spare
xx.xx.xx.68/29  WAN        IP Alias  Spare 2
xx.xx.xx.69/29  WAN        IP Alias  Spare 3

Here are the screenshots.
Your NAT rules only show forwarding for the WAN address.
Note that "WAN address" is strictly the interface IP, nothing else.
If you want to forward traffic destined to any of the VIPs, you have to set the VIP as the destination in the rule.
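Two of the checks suggested in this thread, capturing on WAN to see whether the packets arrive at all and confirming that the port forward targets the VIP rather than the WAN interface address, can be done from the OPNsense shell with pfctl and tcpdump. The helpers below are an added example written for this thread, not code from the posters or from the OPNsense project. The interface name vtnet0, the VIP 203.0.113.66, the client 198.51.100.7 and the internal server 192.168.1.10 are assumed placeholders, and the pfctl/tcpdump output embedded in the script is constructed so it runs offline; on a real box you would feed it live output as shown in the comments.

```shell
#!/bin/sh
# Added diagnostic helpers (not from the thread). Hypothetical values:
# WAN interface vtnet0, VIP 203.0.113.66, internal web server 192.168.1.10.
# On a real OPNsense box feed them live output, e.g.:
#   rdr_hits "$(pfctl -sn)" 203.0.113.66 '443|https'
#   wan_verdict "$(tcpdump -nr /tmp/wan.pcap)" 203.0.113.66 443
WAN_IF="${WAN_IF:-vtnet0}"

# Constructed sample of `pfctl -sn`. The first rule is the mistake from the
# thread: destination "(vtnet0)" means the WAN interface address only.
# The second rule targets the VIP explicitly, which is what is needed.
SAMPLE_NAT='rdr on vtnet0 inet proto tcp from any to (vtnet0) port = http -> 192.168.1.10 port 80
rdr on vtnet0 inet proto tcp from any to 203.0.113.66 port = https -> 192.168.1.10 port 443'

# Constructed samples of `tcpdump -ni vtnet0 host 203.0.113.66 and port 443`
CAP_EMPTY=''
CAP_SYN_ONLY='12:00:01.000000 IP 198.51.100.7.51514 > 203.0.113.66.443: Flags [S], seq 1, win 64240, length 0
12:00:02.000000 IP 198.51.100.7.51514 > 203.0.113.66.443: Flags [S], seq 1, win 64240, length 0'
CAP_OK='12:00:01.000000 IP 198.51.100.7.51514 > 203.0.113.66.443: Flags [S], seq 1, win 64240, length 0
12:00:01.000100 IP 203.0.113.66.443 > 198.51.100.7.51514: Flags [S.], seq 2, ack 2, win 65535, length 0'

# Escape the dots so an IP address can be used inside a regex.
re_ip() { printf '%s' "$1" | sed 's/\./\\./g'; }

# rdr_hits NAT_OUTPUT VIP PORT_RE
# Prints how many rdr rules on WAN have exactly VIP as destination for PORT_RE.
# pf prints service names from /etc/services when it knows one, so pass
# '443|https' rather than just the number. A forward created against
# "WAN address" is listed as "to (vtnet0)" and is therefore not counted.
rdr_hits() {
  printf '%s\n' "$1" | grep -Ec "^rdr on $WAN_IF .* to $(re_ip "$2") port = ($3) " || true
}

# wan_verdict CAPTURE VIP PORT
# Classifies a WAN capture for VIP:PORT:
#   no-arrival        nothing reached WAN: look upstream (routing of the /29, DNS, client)
#   arrives-no-reply  SYNs hit WAN but no SYN-ACK left: NAT rule, filter rule or the server
#   ok                the handshake was answered through the firewall
wan_verdict() {
  vip=$(re_ip "$2")
  syn=$(printf '%s\n' "$1" | grep -Ec " > $vip\.$3: Flags \[S\]," || true)
  synack=$(printf '%s\n' "$1" | grep -Ec "IP $vip\.$3 > .*: Flags \[S\.\]," || true)
  if [ "$syn" -eq 0 ]; then
    echo no-arrival
  elif [ "$synack" -eq 0 ]; then
    echo arrives-no-reply
  else
    echo ok
  fi
}
```

With the sample data, port 443 has one rule bound to the VIP while port 80 has none (its rule only matches the interface address), and the SYN-only capture yields "arrives-no-reply", which is the symptom the thread describes: packets reach WAN, but no NAT or filter rule passes them on.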
It's working now. My mistake: I forgot the associated filter rule.
Create an alias for each single IP and use that alias as the destination address in the inbound NAT port forward rule.
See next post instead.
If you have added each IP as virtual, as you wrote above, you should find them in the destination drop-down in a port forwarding rule.
Quote from: viragomann on October 02, 2024, 07:06:59 PM
If you have added each IP as virtual, as you wrote above, you should find them in the destination drop-down in a port forwarding rule.
I wasn't sure. If that is indeed the case I do not understand the OP's problem ;) Thanks for the update.
Yes, I do find them, but port 443 remains closed.
Then please just show one of the NAT Port Forward rules. All of it.
My mistake: I did select to apply the associated rule while saving the NAT port forward.
Thanks, all of you, for your time.
Quote from: unicomaz on October 03, 2024, 11:09:16 PM
My mistake: I did select to apply the associated rule while saving the NAT port forward.
Thanks, all of you, for your time.
Yeah, "pass" is the appropriate setting for most cases. I have still not encountered a use case where you would want a separate firewall rule. You can specify source and destination in great detail in the NAT rule alright.