Hi there
I've used OPNS a while back and had 0 issues with it but my layout was quite simple. At that same time I was using Cisco ISR + FTD (NGFW) for my more complicated setup but wanted to move it all over to just OPN.
I won't get to crazy details of my setup but will mention the most basic needs;
I have 5 usable static ips, each static wan ip has its own network. I.E. 207.108.x177 is 192.168.1.0, 207.108.x 178 is 192.160.2.0 and so on. Obviously I need NAT for WAN to LAN (ip) direction for specific ip's and port services etc but also want a NAT for the WAN to NETWORK as a whole.
Just curious if this is possible.
So, I'd need NAT x.x.x.177 is 192.168.1.0 but then NAT x.x.x.177 Port 443 to let's say 192.168.1.443 for NGINX.
Of course this is perfectly possible with OPNsense. Not at all complicated.
Quote...let's say 192.168.1.443 for NGINX
Need to be a forum subscriber on the Vanity+ yearly plan to use vanity IPs in OPNsense I'm afraid.
I do not understand your meaning, vanity IP's? I just mean that if I were to connect to WAN https x.x.x.177 it would forward to LAN 192.168.1.443:443, so essentially I wanna run a https server. This would be part of a pay subscription?
192.168.1.443 is not a valid IP address ...
192.168.1.43:443 I am sorry, yeah I just got giddy with typing you are correct. Also NGINX would be running on a Docker container on that IP.
Quote from: fbeye on November 08, 2024, 05:01:24 PM
I do not understand your meaning, vanity IP's? I just mean that if I were to connect to WAN https x.x.x.177 it would forward to LAN 192.168.1.443:443, so essentially I wanna run a https server. This would be part of a pay subscription?
Oh wow I am an idiot. You were referring to the 192.168.1.
443, which I was mistaken in saying, I am slow today. Alright cool I'll look into getting this all done. Thanks all.
BUMP
I added IP Aliases, also WAN set for PPPoE and grabs default IP/Gateway x.x.x.182;
x.x.x.177
x.x.x.178
x.x.x.179
x.x.x.180
x.x.x.181
x.x.x.182 [Default WAN IP]
NAT One-To-One BiNAT, Each WAN IP translates to it's own LAN Network;
x.x.x.177 NAT 192.168.1.0
x.x.x.178 NAT 192.168.2.0
x.x.x.179 NAT 192.168.3.0
x.x.x.180 NAT 192.168.4.0
x.x.x.181 NAT 192.168.5.0
x.x.x.182 NAT 192.168.6.0
Will Outbound NAT will be negotiated via Hybrid NAT rules/ BiNAT setup?
Is there a way to specify outgoing as a whole, I.E. 'anything' on 192.168.1.0
outbounds x.x.x.177, 192.168.2.0 outbounds x.x.x.178 and so on? I assume I would
need to make those Outbound entries... to email servers and http servers.
I will assume that I give LAN Interface on OPNSense an IP of 172.16.1.1
I create 6 Static Routes to the SG350XG Networks using 172.16.1.2 [SG GE 1/1 Interface IP]
as the Gateway.
This way anything Incoming on a specific WAN IP will be NAT'd to the specific LAN Network
which is forwarded to the SG350XG via the Static Routes for the Networks
192.168.1.0 255.255.255.0 172.16.1.2
192.168.2.0 255.255.255.0 172.16.1.2
And so on.
Do I need to set up a Gateway at all on the OPNSense?
Yeah, that did not work. Like, everything "worked" except Internet access. Only thing I did not ADD were any OUTGOING NAT rules, but I assumed I did not need. Apparently I did. I tried doing auto nat and hybrid.
Through the OPNSense to the SG350XG, I could connect to all LAN devices on each Network, all was fine.. But nothing outgoing.
Sorry to be a repetitive ignoramus, been up for hours just can not figure this out!
Being that I have the 6 STATIC IP's NAT'd to 6 LAN Networks, do I need to create OUTBOUND for each Network to WAN? As I said I tried, and left blank, Hybrid and Automatic.
I have my PPPoE setup and from opnsense can ping 8.8.8.8
I have my LAN on opnsense 172.16.2.1 which connects to SG350XG 172.16.2.2
I have the 6 [usable] WAN IP's set up as aliases
I have 6 BINat One-To-One WAN IP to LAN NETWORK [I.E. x.x.x.177 BINat to 192.168.1.0]
I have ZERO at all OUTBOUND NAT rules [But I would need to create one for the LAN's to know what WAN IP to leave on, yeah?]
I have a GATEWAY [I made it 172.168.2.1, the opnsense LAN IP] so I can make STATIC ROUTES
I made 6 Static Routes, and even tried 192.168.0.0/16 so all LAN Networks can be found on the SG via 172.16.2.2 which raises the question, would the GATEWAY to the / for the SG350XG Networks be the opnsense Interface IP or the SG350XG Interface?
I just can not get Internet access to work.
One-to-one NAT maps *ONE* external IP address to *ONE* internal IP address. 192.168.1.0 is one IP address, not a subnet. It happens to be a network address, not a host, so one-to-one NAT for it will not do anything useful.
If you need need an entire internal subnet to share one external IP address, use outbound NAT.
If you need to expose internal hosts to the internet, you could either use port-forwarding, or use some of your public IP addresses for 1:1 NAT, but you can't use a given public IP address for both outbound NAT and one-to-one NAT at the same time.
Good Morning
I will not lie, this confuses me a little bit. I had assumed I could do One-to-One NAT because I want whole subnets to be associated with specific WAN, I.E I want everything 192.168.1.0 to associate with x.x.x.177, everything 192168.2.0 to associate with x.x.x.178 and so on. I thought that that was the correct way...
So, 1-to-1 is literally host specific WAN to LAN, not WAN to LAN [Subnet]?
Alright, so for simple internet "Internet' use, I make OUTBOUND NAT's associating LAN Networks to out on their specific WAN.
And then in terms of incoming for email/web servers I would then use Port Forwarding but "If you need to expose internal hosts to the internet, you could either use port-forwarding, or use some of your public IP addresses for 1:1 NAT, but you can't use a given public IP address for both outbound NAT and one-to-one NAT at the same time." confuses me too... So I can not have OUTBOUND NAT associating specific LAN [Network] to WAN and then also for incoming a specific NAT 1-to-1?
After reading https://docs.opnsense.org/manual/nat.html it does make more sense, I will give you that.
Anything incoming WAN to LAN would need Port Forwarding to know where the packet needs to go but I also need OUTGOING NAT for the LAN Networks to know which WAN IP to use.. Probably most instances not relevant but with multiple lan networks seems to be the correct course.
For that you place outbound NAT rules on WAN. Assigning individual addresses to source networks as you see fit.
1:1 really means one external address for each internal address. To NAT a network or a range of addresses to a single public one you need outbound.
Hello. It appears that 1:1 works best for one LAN Network..I am sure it is more complex but for me seems not what I need as you say.
I understand what you say for Outbound NAT... I will create OB NAT assigning LAN Networks to their respective WAN IP's. Would there be a preference to use BINAT on that?
I will go home and attempt all this and I am sure I will have better success, I am betting me making 1:1 really messed it up for me.
One more question [for now];
Being these 6 Networks reside/are hosted on the SG350XG via GE 1/1 172.16.2.2 and is connected to OPNSense LAN Interface 192.168.2.1, I need to create static routes on OPNSense to tell it where to find these Networks but I see that to create a static route I need a Gateway aside from "null".
Would this Gateway be the IP of the OPNsense LAN Interface IP 172.16.2.1 or the SG350XG IP 172.16.2.2...I am thinking in terms of usually I just create the "next hop" where to find the Networks and never really dealt with having to create a Gateway for the routes..
Quote from: fbeye on November 23, 2024, 09:08:22 PM
Hello. It appears that 1:1 works best for one LAN Network
No! Unless you have a public network of exactly the same size, 1:1 does not work.
Internal: network, probably /24, possibly /16
External: single IP address
That's outbound. Always. No binat, no 1:1.
Networking fundamentals, not in any way OPNsense specific.
Ahhh alright, I got ya. Thank you.
Quote from: fbeye on November 23, 2024, 09:08:22 PM
Being these 6 Networks reside/are hosted on the SG350XG via GE 1/1 172.16.2.2 and is connected to OPNSense LAN Interface 192.168.2.1, I need to create static routes on OPNSense to tell it where to find these Networks but I see that to create a static route I need a Gateway aside from "null".
Would this Gateway be the IP of the OPNsense LAN Interface IP 172.16.2.1 or the SG350XG IP 172.16.2.2...I am thinking in terms of usually I just create the "next hop" where to find the Networks and never really dealt with having to create a Gateway for the routes..
The gateway is the next hop. OPNsense already knows what its own IP address is - it's the next hop that it needs to know the address of.
Cool thank you.
I will let ya all know of my success or other questions, thanks.
Well I clearly done something wrong or missed something.. Currently, OPNSense itself can ping internet and even get updates, but my LAN can do nothing.
Also
Last 1
Do you have an "allow" rule on your LAN interface to cover this source subnet?
Other than what was already put in by default I never did any rules on LAN. Was not aware I needed one outbound
Alright that seems to have worked, for the 1 Network.
Now, all 6 Networks all reside through the same location as the [working] 192.168.5.0] but the other 5 Networks timeout, no internet connection. All Outbound NAT and LAN Access rules are copied from the working 192.168.5.0 [obviously changing the important stuff] but they do not connect.
Also, my wifi light keeps going red,but keeps internet.
Also, 2 new photos for comment above.
GOT IT!
On Interfaces:LAN: Gateway Rules: I had to select the Gateway to the SG350XG, now everything works and I verified each Network is using it's dedicated WAN so, AWESOME..
Thank you all posters for helping and being patient, believe me it inspired me to continue.