Hello all,
First of all ... I am new to OPNsense ... I have experience with Fortigates, but decided to switch to OPNsense.
I have some things set up (3 networks, routing between them, internet from inside).
My system info:
OPNsense 25.4.1-amd64
FreeBSD 14.2-RELEASE-p3
OpenSSL 3.0.16
Licensed until 2026-02-03
What I need to do, and is making me crazy, is virtual IPs.
In the Fortigate world you can do them in 2 ways: with port forwarding, or by mapping all ports 1-1 from a public IP to an internal IP. In a 1-1 scenario the allowed ports are set with rules.
The 1-1 scenario is the one I prefer, but I could also resort to port forwarding.
I have set up the virtual IP in Interfaces -> Virtual IPs -> Settings: I chose the WAN interface and entered my public IP address in the network / address field.
Then I went to set up a NAT One-to-One rule; here I have some doubts. On this form I set the following fields:
interface -> WAN
Type -> BINAT
External network / Target: my public IP address (a single one)
Source / Internal: my private address (the internal address the public ip will map to).
Destination -> any (I do not understand this field ... this likely means I am missing something)
Save then Apply
Then I create a rule on Firewall -> rules -> WAN:
Interface -> WAN
Direction -> in
TCP/IP version : IPv4
Protocol -> TCP
Source -> any
Destination -> Single host and my public IP address
Destination port range -> From https to https
Gateway -> WAN GW
Save and Apply
It is not working :-(
I appreciate help :-)
The destination in the firewall rule has to be the internal IP (the real redirect target).
Here you go
https://docs.opnsense.org/manual/nat.html#one-to-one
External network - the IP that should be NATed
Source - the IP to which it should be NATed
Destination - The destination network packets should match; when used to map external networks, this is usually any
rule on Firewall -> rules -> WAN:
Interface -> WAN
Direction -> in
TCP/IP version : IPv4
Protocol -> TCP
Source -> any
Destination -> Source from 1-to-1 NAT rule
Destination port range -> From https to https
Gateway -> WAN GW
Here is a diagram of the packet flow. NAT is always in the chain before rule matching, so you always need to consider that rules are evaluated after NAT rules are applied.
https://forum.opnsense.org/index.php?topic=36326.msg210877#msg210877
Regards,
S.
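For reference, here is what the GUI settings from both replies look like as pf rules on the FreeBSD side; this is an added example, not code from the thread or the OPNsense docs, and the interface name em0 and all addresses are assumed:

```pf
# Added example (not from the thread). Assumed values: WAN interface em0,
# public VIP 203.0.113.10, internal host 192.168.10.20.
# Compare with what the box actually generated:
#   pfctl -sn   # NAT/binat rules
#   pfctl -sr   # filter rules

# The public address must exist on the WAN interface (Interfaces -> Virtual IPs):
#   ifconfig em0 alias 203.0.113.10 netmask 255.255.255.255

# 1:1 NAT (Type BINAT): bidirectional translation between public and internal IP.
# External network / Target = 203.0.113.10, Source / Internal = 192.168.10.20,
# Destination = any (which packets the mapping applies to, normally everything).
binat on em0 from 192.168.10.20 to any -> 203.0.113.10

# WRONG (the original post's rule): translation runs before filtering, so by the
# time this rule is evaluated the destination is already 192.168.10.20 and the
# rule never matches; the packet hits the default block.
# pass in quick on em0 inet proto tcp from any to 203.0.113.10 port 443 \
#     flags S/SA keep state

# RIGHT: match the post-NAT (internal) destination, as both replies say.
# Leave the rule's Gateway field at default; a gateway on a rule means policy
# routing (route-to), which is not wanted for traffic entering from the WAN.
pass in quick on em0 inet proto tcp from any to 192.168.10.20 port 443 \
    flags S/SA keep state
```

After applying, `pfctl -ss | grep 192.168.10.20` should show state entries for inbound port 443 connections once a client connects to the public address.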