OPNsense Forum

Archive => 15.7 Legacy Series => Topic started by: s.Oliver on July 27, 2015, 06:06:43 pm

Title: [SOLVED] Binding an internal machines traffic to a specific external IP
Post by: s.Oliver on July 27, 2015, 06:06:43 pm
Hello everybody!

My name is Oliver and I'm new here and new to the OPNsense platform.

I used a lot of different routers over the years, but had settled on one of the bigger players. They use all closed software on their hardware platform, but I have to admit these were extremely optimized/responsive.

I want to change! And maybe you could help.

My setup uses the latest updates (15.7.4) on APU1D4 board (AMD, 64 bit).
All basic stuff does work so far. Establishing an internet connection, using NAT rules, etc. But I've encountered one problem with my Multi-WAN setup. This is my setup right now:
LAN (re0): 192.168.0.x (IP v4, DHCP is provided by Server)
WAN1 (re1): ADSL / PPPoE (IP v4, DHCP from Provider) = default gateway
WAN2 (re2): SDSL / Static (IP v4, 8 addresses IP block)

Several different machines on the LAN all use the WAN1 (default) interface for internet connection. One machine is a server for a very small hosting environment. This server should use the WAN2 interface for its traffic.

Traffic originating from the Internet and targeting the server (via one dedicated IP out of the pool) works fine via NAT rule:
Internet -> SDSL/IP -> OPNsense (via WAN2) -> NAT -> Server (LAN) = OK

But vice versa doesn't work and looks right now like this:
Server (LAN) -> NAT -> OPNsense (via WAN1) -> Internet = WRONG

I tried a lot of possible configurations, but couldn't get it to work properly. I found several how-tos with hints like using a Virtual IP and also setting up outbound NAT rule generation in specific ways, but it didn't work out. I'm sure OPNsense can do that; maybe someone can point me in the right direction.


Anybody did a setup like this? And likes to share how it needs to be set up?

Thanks a lot.
Title: Re: Binding an internal machines traffic to a specific external IP
Post by: chrisch1974 on July 28, 2015, 09:33:41 am
I have done a similar setup which should work in your case too.

You need to add a LAN firewall rule where you specify the gateway (in your case the one of OPT1).

Interface: LAN
Source: IP of Server (LAN)
Destination: Any
Gateway: GW of OPT1

That should do the trick. Attached a screenshot to make it clearer. Hope this helps you.
Title: Re: Binding an internal machines traffic to a specific external IP
Post by: s.Oliver on July 28, 2015, 10:06:34 am
One question: did you have to set up a virtual IP (for the one IP used by the server facing the internet) for it to work?

Thanks a lot, chrisch1974.

PS: sorry for having changed the wording of my initial post. I thought it might get clearer.
Title: Re: Binding an internal machines traffic to a specific external IP
Post by: chrisch1974 on July 28, 2015, 10:23:44 am
No. In my case no virtual IP was necessary. I've seen that WAN2 has 8 IP addresses. So the reported outgoing IP should be the one assigned to the network interface on WAN2.

My setup has a different need. I made it to differentiate traffic over 2 internet connections (like http traffic going over a "cheap" line). The only disadvantage I realized and couldn't solve until now is that this happens before routing. But that shouldn't be an issue in your setup.
Title: Re: Binding an internal machines traffic to a specific external IP
Post by: s.Oliver on July 28, 2015, 11:38:11 am
OK, I'll check it out tonight. But probably I need the virtual IP then, to be able to bind the server traffic to that exact IP.
On the other hand, OPNsense knows all about these 8 IPs anyway, because of the subnet mask. Well, we'll see; I'll try first without, then with virtual IP.
Title: Re: Binding an internal machines traffic to a specific external IP
Post by: s.Oliver on July 29, 2015, 01:03:40 pm
Alright, I could get it working :D

In my scenario I needed a virtual IP, else the first usable IP of the 8 address block would have been used. Still not sure if I've optimized it to the best values, cause it needed several tries and then suddenly it worked.

Thx for the tip.
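For reference, here is the pf-level equivalent of the setup the thread arrives at (chrisch1974's LAN rule with the WAN2 gateway, plus the static outbound NAT to a Virtual IP that s.Oliver needed so the first usable address of the block is not used). This is an added example, not something OPNsense generated or either author posted; the interface names re0/re2 come from the first post, while the server address, WAN2 gateway and dedicated IP are placeholders (documentation ranges), and the local-network exception rule is an assumption about what a complete ruleset needs.

```pf
# Constructed example. Interfaces re0 (LAN) and re2 (WAN2) are from the thread;
# every address below is a placeholder, not a value from the thread.
lan_if  = "re0"
wan2_if = "re2"
server  = "192.168.0.10"   # placeholder: LAN address of the hosting server
wan2_gw = "203.0.113.1"    # placeholder: gateway on WAN2
srv_vip = "203.0.113.12"   # placeholder: the dedicated IP (Virtual IP) out of the WAN2 block

# Translation rules precede filter rules in pf.conf.
# Inbound path (already working in the thread): forward the dedicated IP to the server.
rdr on $wan2_if inet proto tcp from any to $srv_vip port 80 -> $server

# Outbound path: source-NAT the server to its dedicated IP. Without this rule the
# automatic outbound NAT would use the interface address of WAN2 instead.
nat on $wan2_if inet from $server to any -> $srv_vip

# Replies to inbound connections must leave via WAN2, not via the WAN1 default route.
pass in quick on $wan2_if reply-to ($wan2_if $wan2_gw) inet proto tcp from any to $server port 80 keep state

# Local destinations must not be policy-routed: this rule has no route-to and matches first.
pass in quick on $lan_if inet from $server to $lan_if:network keep state

# The LAN rule from the thread: force the server's remaining traffic out via the WAN2 gateway.
pass in quick on $lan_if route-to ($wan2_if $wan2_gw) inet from $server to any keep state
```

The exception rule for `$lan_if:network` matters in the GUI as well: a gateway rule with destination "any" and nothing above it would also push the server's traffic to the firewall itself or to other local networks out through WAN2.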