OPNsense Forum

Archive => 17.1 Legacy Series => Topic started by: mitchinseattle on March 20, 2017, 07:14:51 am

Title: one-to-one nat
Post by: mitchinseattle on March 20, 2017, 07:14:51 am

Firstly, I would like to extend a huge thanks to the developers of OPNsense. It is an awesome product, and even though I've only been using it for a few days, it has already simplified so many admin tasks for us.

I am trying to understand how to correctly configure one-to-one NAT. I have looked on the wiki, but unfortunately there seems to be very little documentation on this topic.

Our OPNsense server has two NICs, one connected to the WAN with the primary IP and a few virtual IPs configured using IP alias, and a second NIC connected to a private LAN using for example.

So on the WAN interface, say I have configured a virtual IP of and under one-to-one NAT I have added a new rule with as the external IP, for internal I select LAN address, and destination is set to "any", I don't see anywhere where I can specify that I want all traffic forwarded to for example, where do I configure the destination IP for this rule?

My apologies if this seems like an obvious question, I just haven't worked out the correct procedure yet.

Also, I noticed on the OPNsense homepage it mentions "► Full Mesh VPN routing using Tinc", which is great, as we use Tinc in switch mode for joining network segments. However, under VPN in the UI I only see IPsec and OpenVPN. Where might I go to configure Tinc, or is there some documentation on this I can go through?

Thanks for your time and any suggestions you can provide.

Title: Re: one-to-one nat
Post by: djGrrr on March 20, 2017, 02:12:37 pm
"LAN address" is the IP address on your LAN interface; this is not what you want. You need to scroll right to the top and select "single host or network", then input the IP you want it to be forwarded to.

Tinc is a plugin that must be installed under System > Firmware > Plugins.

Title: Re: one-to-one nat
Post by: mitchinseattle on March 20, 2017, 05:44:36 pm

Thanks for your reply, so do I change Source or Destination to single host or IP, or both?

When I change Source to Single host or IP it populates the address field with "LAN" and a netmask of 32.

Destination is currently set to "Any" and if I click on the little Help link it says that's probably what it should be set to.

I'm sure this is probably a very simple thing to set up, but the labels and help text on this page could really use some tweaking to point the user in the right direction, maybe I'll submit a git pull request with some updates once I've got it figured out.

Thanks also for the hint about Tinc, I'll go and install that plug-in now.

Title: Re: one-to-one nat
Post by: djGrrr on March 21, 2017, 03:25:14 pm
I'm not sure what you are referring to; there is no "source" for one-to-one NAT. If you mean internal IP, I would think that is self-explanatory: you put the IP of the internal IP you want the traffic forwarded to after selecting "single host or network".