OPNsense Forum
Archive => 17.1 Legacy Series => Topic started by: TommyJay on June 29, 2017, 04:32:08 pm
-
Hello all,
I'm trying to get the following situation set up, but can't seem to get it working.
I have one OPNsense VM running, using a static WAN IP x.x.x.80/26, which is the default gateway for the LAN segment. No problem so far.
Now, I'm trying to get the following working, but I can't figure out how to do it.
I have several WAN IP addresses available, x.x.x.76/26-x.x.x.80/26. What I want is to assign an additional WAN IP to the WAN interface and have a LAN client use this IP as both an incoming and outgoing IP address.
Incoming isn't a problem, using a virtual IP for the WAN interface, but outgoing uses the default gateway (x.x.x.80).
Can someone tell me if what I'm trying to achieve is possible and if so, how?
-
Yes, you need a 1:1 NAT for this. It guarantees that the traffic is symmetrical. Firewall -> NAT -> One-to-One
Bart...
-
bartjsmit is right!
In addition, and as another approach, especially for your possible future needs when you will have to assign a range of public IPs to several machines, set an interface (opt1) to be treated as a perimeter one, meaning you will disable NAT entirely for that interface. But you have to have a route in place between you and your ISP for that range: your ISP must route any request to any of your public IPs to your WAN IP.
It depends on what your needs are...
Good luck!
-
Hey guys, it's been a while since I made this post, but I want to let you know that I managed to get it working with 1:1 NAT and virtual IPs for the WAN port.
Thanks for the help!
-
Great! Glad you did it and it works. :)
-
I managed as well, but only 1 internal address to 1 external virtual IP.
When I try to NAT the LAN subnet to the external IP, the thing crashes.
Is it possible to use the virtual external IP as the outgoing IP for the whole LAN subnet?
Update:
Found the solution! Forget 1:1 NAT!
Use NAT - Outbound with
Interface: WAN interface
Source: LAN IP/subnet
NAT address: virtual external IP
That's it!
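
The difference between the two approaches discussed in this thread, as an added example that is not part of the original posts and is not OPNsense code: a simplified Python model of 1:1 NAT (one host tied to one external address, reachable in both directions) next to outbound NAT (a whole subnet sharing one external address through per-flow port state). The addresses 192.168.1.0/24 and 203.0.113.76 are constructed placeholders, and the sequential port allocation is an assumption made for readability.

```python
import ipaddress

class OneToOneNat:
    """1:1 NAT: exactly one internal host is tied to one external address."""
    def __init__(self, internal, external):
        self.internal, self.external = internal, external

    def outbound(self, src, sport):
        # Only the mapped host matches; its source port is preserved.
        # Other hosts fall through to whatever other NAT rules exist.
        return (self.external, sport) if src == self.internal else (src, sport)

    def inbound(self, dst, dport):
        # Stateless reverse mapping: new inbound connections to the
        # external address reach the internal host (subject to filter rules).
        return (self.internal, dport) if dst == self.external else (dst, dport)

class OutboundNat:
    """Outbound (source) NAT: a whole subnet shares one external address."""
    def __init__(self, source_net, nat_address, first_port=1024):
        self.net = ipaddress.ip_network(source_net)
        self.nat_address = nat_address
        self.next_port = first_port
        self.states = {}  # external port -> (internal ip, internal port)

    def outbound(self, src, sport):
        if ipaddress.ip_address(src) not in self.net:
            return (src, sport)
        for port, flow in self.states.items():
            if flow == (src, sport):      # existing flow keeps its mapping
                return (self.nat_address, port)
        port, self.next_port = self.next_port, self.next_port + 1
        self.states[port] = (src, sport)  # new flow gets its own port
        return (self.nat_address, port)

    def inbound(self, dst, dport):
        # Only replies to flows that created state can be mapped back;
        # unsolicited traffic to the shared address returns None (no match).
        if dst != self.nat_address:
            return (dst, dport)
        return self.states.get(dport)

if __name__ == "__main__":
    one = OneToOneNat("192.168.1.10", "203.0.113.76")
    many = OutboundNat("192.168.1.0/24", "203.0.113.76")
    print(one.outbound("192.168.1.10", 40000), one.outbound("192.168.1.11", 40000))
    print(many.outbound("192.168.1.10", 40000), many.outbound("192.168.1.11", 40000))
    print(many.inbound("203.0.113.76", 1025), many.inbound("203.0.113.76", 443))
```

In this model the outbound rule exposes no internal host to unsolicited inbound connections, whereas the 1:1 mapping forwards anything sent to the external address, so the firewall rules on the WAN side are what limit exposure of that host.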
-
Exactly!
I read your initial reply in my email, without the update, and I came here to tell you the solution. Glad you found it quickly!
Keep up the good work!