OPNsense Forum

Archive => 17.7 Legacy Series => Topic started by: thegadget on August 30, 2017, 07:12:14 pm

Title: NAT, Port Forwarding, Firewall Rules, Public IPs
Post by: thegadget on August 30, 2017, 07:12:14 pm
Howdy!  I hate to ask this question, but following what documentation I have found on the web I am unable to get a working port forward.  Here is what I am trying to do:

2 Web servers:
Public IP
x.x.121.10, x.x.121.11
Internal IP
x.x.195.101, x.x.195.103
Ports forwarded
80,443,8443

I have set up the Aliases for all IPs and Ports.  I am having trouble creating the NAT and rule.  So after I create NAT, all traffic is killed on the network.  I looked through the forums, and am unable to find this info in 17.7.  If you have a link or could point me in the right direction, I would appreciate it.  :)
Title: Re: NAT, Port Forwarding, Firewall Rules, Public IPs
Post by: franco on August 30, 2017, 07:20:35 pm
Hi there,

You'll need three separate rules under Firewall: NAT: Port Forward for each individual port.

Unless x.x.121.10, x.x.121.11 are IPs from the WAN, then you must use Firewall: NAT: One to One and forward the whole IP.


Cheers,
Franco
Title: Re: NAT, Port Forwarding, Firewall Rules, Public IPs
Post by: thegadget on August 30, 2017, 07:25:32 pm
Yes, the 121.10 IP addresses are public and on the WAN interface.
Title: Re: NAT, Port Forwarding, Firewall Rules, Public IPs
Post by: thegadget on August 30, 2017, 07:27:20 pm
I only want the three ports forwarded, not all ports if that makes any sense.  Does the one-to-one forward all ports?
Title: Re: NAT, Port Forwarding, Firewall Rules, Public IPs
Post by: Ciprian on August 30, 2017, 07:50:37 pm
Yes, 1 to 1 NAT forwards the whole IP with all its ports: 1 to 1 NAT means 1 (public IP, all ports) to 1 (private IP, all ports, respectively). You can think of it as mirroring/cloning between 2 IPs (one public, one private). :)
Title: Re: NAT, Port Forwarding, Firewall Rules, Public IPs
Post by: ChrisH on August 31, 2017, 10:37:59 am
Quote from franco: "You'll need three separate rules under Firewall: NAT: Port Forward for each individual port."
He could create a port alias with those three ports. Then he needs only two NAT: Port Forward rules, one for each IP. No?
Title: Re: NAT, Port Forwarding, Firewall Rules, Public IPs
Post by: Ciprian on August 31, 2017, 11:28:36 am
Quote from franco: "You'll need three separate rules under Firewall: NAT: Port Forward for each individual port."
Quote from ChrisH: "He could create a port alias with those three ports. Then he needs only two NAT: Port Forward rules, one for each IP. No?"

Yes!

Only I wouldn't go this way, since ports 80 and 443 are standard HTTP/S ports: what if, in the future, he wants to connect to other services/machines on these ports?

So I would use HAProxy to do a reverse proxy for these two servers, with rules conditioned by corresponding URL strings.
Title: Re: NAT, Port Forwarding, Firewall Rules, Public IPs
Post by: thegadget on August 31, 2017, 10:59:32 pm
Thank you guys for all your input.  I got it running like a champ.  :)
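
The two approaches discussed in this thread, sketched as plain FreeBSD pf rules. This is an added example, not posted by anyone in the thread and not the ruleset OPNsense generates from its GUI; the interface name and all addresses are constructed placeholders.

```conf
# Constructed placeholders (assumptions), not values from the thread:
ext_if    = "em0"                 # assumed WAN interface name
web1_pub  = "203.0.113.10"        # stands in for x.x.121.10
web2_pub  = "203.0.113.11"        # stands in for x.x.121.11
web1_int  = "10.0.195.101"        # stands in for x.x.195.101
web2_int  = "10.0.195.103"        # stands in for x.x.195.103
web_ports = "{ 80, 443, 8443 }"   # the port alias suggested in the thread

# --- Option A: port forward, one rule per public IP -------------------
# Only the listed TCP ports are translated; the destination port is kept.
rdr on $ext_if inet proto tcp from any to $web1_pub port $web_ports -> $web1_int
rdr on $ext_if inet proto tcp from any to $web2_pub port $web_ports -> $web2_int

# --- Option B: 1:1 NAT (use instead of Option A, not together) --------
# Translates the whole address, every port and protocol, in both directions.
# binat on $ext_if inet from $web1_int to any -> $web1_pub
# binat on $ext_if inet from $web2_int to any -> $web2_pub

# --- Filter rules (needed with either option) -------------------------
# Translation happens before filtering, so these rules match the
# translated (internal) destination. With Option B this pass rule is
# the only thing limiting exposure to the three web ports.
block in log on $ext_if all
pass in on $ext_if inet proto tcp from any \
    to { $web1_int, $web2_int } port $web_ports flags S/SA keep state
```

On a plain pf host the file can be syntax-checked without loading it using `pfctl -nf <file>`.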