OPNsense Forum

English Forums => General Discussion => Topic started by: myksto on February 01, 2018, 04:53:07 PM

Title: Multiple public ip addresses on one WAN nic
Post by: myksto on February 01, 2018, 04:53:07 PM
My configuration:
OPNsense on a physical server (Dell PowerEdge) with 3 NICs: LAN, WAN and DMZ.
LAN and DMZ are configured with private networks (eg. 192.168.10.0/24).
My ISP will give me their router and a range of 8 public IPs (network type 255.255.255.248).
The ISP's router will be assigned the first public IP and the OPNsense WAN interface the second one.
My aim is to use the remaining public IPs and to bind them to the WAN interface. I did it in an IPCop installation, and there they're called "Alias IPs".
In OPNsense we have "Virtual IPs" and I wonder whether they can be used to "map" all the public IPs I have to the WAN interface.
I will use them to create rules, make port forwardings, etc., just as if they were different interfaces (NICs).

Is this the right way to configure them? I read several posts talking about using the NAT 1:1 feature when having different public IPs and wanting to bind them to the same interface (WAN), but most of the users were talking about OPNsense built as a virtual machine (with all the implications of that case) whereas mine is a physical server.

Thanks a lot.

Michele.
Title: Re: Multiple public ip addresses on one WAN nic
Post by: bartjsmit on February 01, 2018, 05:08:01 PM
Hi Michele, I've used 1:1 NAT on a physical firewall without any issue.

Bart...
Title: Re: Multiple public ip addresses on one WAN nic
Post by: myksto on February 01, 2018, 07:22:20 PM
Maybe I'm mistaken, but from what I know NAT 1:1 is used when you want to bind one specific public IP to one specific private IP and allow the private IP to be reachable from the internet directly at that specific public IP and NOT at the IP assigned to WAN. Well, if my understanding is correct, I don't want this, or rather I don't need this.

I could do like below but I need your opinion:

Would this procedure work? I mean, why should I use NAT 1:1 and not port forwarding?
Pros and cons?

I'll really appreciate any suggestions and opinions.

Cheers.
Title: Re: Multiple public ip addresses on one WAN nic
Post by: bartjsmit on February 01, 2018, 08:22:35 PM
Hi Michele,

The main benefit of 1:1 NAT is that the addresses match up; any traffic generated from the internal host originates from the public IP assigned to their NAT, instead of the general WAN IP of the firewall.

This helps with asynchronous protocols, like AJAX pages and Outlook Anywhere.

Bart...
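
The following is an added example, not part of the forum thread and not OPNsense code: a small Python model of the address plan from the first post and of the difference between a port forward and 1:1 NAT that the last reply describes. The block 203.0.113.0/29, the hosts 192.168.10.10 and 192.168.10.20, and the `Firewall` class are constructed for illustration.

```python
import ipaddress

# Constructed sample: a documentation range standing in for the ISP's block
# of 8 addresses (netmask 255.255.255.248).
BLOCK = ipaddress.ip_network("203.0.113.0/255.255.255.248")

def address_plan(block):
    """Router gets the first usable address, WAN the second, the rest become Virtual IPs."""
    hosts = list(block.hosts())  # network and broadcast addresses are excluded
    return {"router": hosts[0], "wan": hosts[1], "virtual_ips": hosts[2:]}

class Firewall:
    """Hypothetical model of translation on the WAN interface (translation only, no filter rules)."""

    def __init__(self, wan_ip):
        self.wan_ip = wan_ip
        self.port_forwards = {}  # (public_ip, port) -> (private_ip, port)
        self.one_to_one = {}     # private_ip -> public_ip

    def add_port_forward(self, public_ip, port, private_ip, private_port):
        self.port_forwards[(public_ip, port)] = (private_ip, private_port)

    def add_one_to_one(self, public_ip, private_ip):
        self.one_to_one[private_ip] = public_ip

    def translate_inbound(self, dst_ip, dst_port):
        """Return the internal (ip, port) an inbound packet is rewritten to, or None."""
        if (dst_ip, dst_port) in self.port_forwards:
            return self.port_forwards[(dst_ip, dst_port)]
        for private_ip, public_ip in self.one_to_one.items():
            if public_ip == dst_ip:
                # 1:1 NAT rewrites every port, so the WAN rule set is the
                # only thing deciding which ports are actually reachable.
                return (private_ip, dst_port)
        return None

    def outbound_source(self, private_ip):
        """Public source address the internet sees for traffic from private_ip."""
        return self.one_to_one.get(private_ip, self.wan_ip)

def demo():
    plan = address_plan(BLOCK)
    fw = Firewall(plan["wan"])
    web = ipaddress.ip_address("192.168.10.10")   # constructed host, port forward only
    mail = ipaddress.ip_address("192.168.10.20")  # constructed host, 1:1 NAT
    fw.add_port_forward(plan["virtual_ips"][0], 443, web, 443)
    fw.add_one_to_one(plan["virtual_ips"][1], mail)
    return plan, fw, web, mail
```

In this model the port-forwarded host still leaves through the WAN address, while the 1:1 host leaves through its own public IP, which is the "addresses match up" behaviour from the last reply.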