OPNsense Forum

Archive => 17.7 Legacy Series => Topic started by: jwtoler on September 27, 2017, 09:32:14 pm

Title: NAT Outbound Issue
Post by: jwtoler on September 27, 2017, 09:32:14 pm
I have 5 public static IPs assigned to me by my ISP. The modem they provide requires each IP to have a unique MAC address, so I created the appropriate Virtual IPs using CARP. My end goal is to have it set up the way it was when I was running pfSense (I wanted to switch and give this a go). With pfSense, I had my LAN (10.0.1.0/24), which had 3 web servers running in the LAN net. All 3 servers need to have ports 80/443 open, so I assigned the CARP IPs to just one IP address/server in the LAN net and everything was working after applying the appropriate rules, etc. So I was trying to replicate my setup with OPNsense, and below is a rundown of what I have going on currently:

Server #1 would have a public IP of X.X.X.21 (CARP) and a private IP of 10.0.1.5
Server #2 would have a public IP of X.X.X.22 (CARP) and a private IP of 10.0.1.6
Server #3 would have a public IP of X.X.X.23 (CARP) and a private IP of 10.0.1.7
Everything else on the LAN would have a public IP of X.X.X.20 and a private IP range of 10.0.1.50-10.0.1.100

With OPNsense... when I try to create the Firewall:NAT:Outbound rule to allow the servers to work correctly, I am unable to set the source as a single host. I enter 10.0.1.5/24 and when I hit save it ends up changing the source to 10.0.1.0/24, which of course makes my whole LAN have the same public IP X.X.X.21 instead of the server having X.X.X.21 and everything else having X.X.X.20.
Title: Re: NAT Outbound Issue - potential bug
Post by: franco on September 27, 2017, 09:38:16 pm
10.0.1.5/32 does not work?


Cheers,
Franco
Title: Re: NAT Outbound Issue - potential bug
Post by: jwtoler on September 27, 2017, 09:42:36 pm
Quote from: franco on September 27, 2017, 09:38:16 pm
10.0.1.5/32 does not work?

And this is where I feel stupid... yes, it caused it to stay the way it should be. The whole subnet thing still confuses me a little; can you maybe explain why /32 works?

The public IPs have a /29 subnet and so do the virtual IPs... the LAN has /24... why does /32 work with the outbound rules?
Title: Re: NAT Outbound Issue
Post by: franco on September 28, 2017, 03:31:03 pm
You can NAT whole networks, so when you type /24 it selects that whole network, regardless of your IP specification. OpenVPN is really more harsh and correct about enforcement: when you type "10.0.0.1/8" it will error and say this doesn't work, because you really meant "10.0.0.0/8" or "10.0.0.1/32", but not both...

/32 means no network -- a full single address (all 32 bits of the address are valid). /29 may also work, but not knowing your network, /32 is probably the safest thing to start with.


Cheers,
Franco
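The two points in the thread, that a prefix length on a host address selects the whole network (so 10.0.1.5/24 is stored as 10.0.1.0/24) and that an outbound NAT rule whose source is the whole LAN translates every LAN host, can be checked with Python's standard `ipaddress` module. This is an added example and not code from the OPNsense project or from either poster. It assumes 203.0.113.x (RFC 5737 documentation space) in place of the thread's masked X.X.X.20-23, that outbound NAT rules are evaluated top to bottom with the first match winning (as pf nat rules are), and the rule tables below are constructed for illustration:

```python
"""Why 10.0.1.5/24 became 10.0.1.0/24, and why /32 fixes the outbound NAT.

Added example, not from the OPNsense project. 203.0.113.x stands in for the
thread's X.X.X.20-23 (assumption); the rule tables are constructed.
"""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

Rule = Tuple[str, str]  # (source CIDR, address the source is translated to)


def normalize(cidr: str) -> Tuple[str, bool]:
    """Return (network the firewall stores, True if host bits were discarded).

    strict=False mirrors the Outbound NAT form: host bits are silently zeroed,
    so 10.0.1.5/24 is saved as 10.0.1.0/24.
    strict=True mirrors OpenVPN's behaviour described above: "10.0.0.1/8" is
    rejected because the host bits and the mask disagree.
    """
    stored = ip_network(cidr, strict=False)
    try:
        ip_network(cidr, strict=True)
        return str(stored), False
    except ValueError:
        return str(stored), True


def translation_for(src: str, rules: List[Rule]) -> Optional[str]:
    """First matching rule wins (assumed pf nat semantics); None if no rule hits."""
    addr = ip_address(src)
    for source_cidr, nat_addr in rules:
        if addr in ip_network(source_cidr, strict=False):
            return nat_addr
    return None


# What the poster first entered: the /24 on a host address selects the whole LAN,
# so every LAN host leaves with the server's public address.
BROKEN_RULES: List[Rule] = [
    ("10.0.1.5/24", "203.0.113.21"),   # stored as 10.0.1.0/24
    ("10.0.1.0/24", "203.0.113.20"),   # never reached: the rule above matches first
]

# One /32 per server, then the catch-all /24 for everything else on the LAN.
FIXED_RULES: List[Rule] = [
    ("10.0.1.5/32", "203.0.113.21"),
    ("10.0.1.6/32", "203.0.113.22"),
    ("10.0.1.7/32", "203.0.113.23"),
    ("10.0.1.0/24", "203.0.113.20"),
]


def lan_mapping(rules: List[Rule]) -> Dict[str, Optional[str]]:
    """Translation address for the three servers and one ordinary LAN host."""
    hosts = ("10.0.1.5", "10.0.1.6", "10.0.1.7", "10.0.1.60")
    return {h: translation_for(h, rules) for h in hosts}


if __name__ == "__main__":
    for cidr in ("10.0.1.5/24", "10.0.1.5/32", "10.0.1.5/29", "10.0.0.1/8"):
        print(cidr, "->", normalize(cidr))
    print("broken:", lan_mapping(BROKEN_RULES))
    print("fixed: ", lan_mapping(FIXED_RULES))
```

Running it also shows what Franco's "/29 may also work" caveat depends on: 10.0.1.5/29 is stored as 10.0.1.0/29, which covers 10.0.1.0 through 10.0.1.7. That happens to contain all three servers and none of the 10.0.1.50-100 range, so it would not leak the rest of the LAN, but it would send all three servers out with the same public address. Rule order matters as much as the mask: the host-specific /32 rules have to sit above the /24 catch-all, or the catch-all claims the servers first.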