OPNsense Forum

Archive => 18.1 Legacy Series => Topic started by: miclan on February 21, 2018, 03:20:55 pm

Title: NAT with multiple public ip
Post by: miclan on February 21, 2018, 03:20:55 pm
I upgraded from 17.x to 18.1.2 and everything is OK except one thing: now all LAN computers use different public IPs (I have 8 public IPs).
With 17.x, all LAN computers used as their public IP (checked with http://www.whatsmyip.org/) the one I gave to the WAN interface. After the upgrade, they started randomly using all 8 IPs.
What's changed?
How can I obtain the same behavior as before?
Title: Re: NAT with multiple public ip
Post by: Dominian on February 21, 2018, 03:27:13 pm
You should be able to adjust your outbound NAT rule to tie to the specific IP/Alias in question that you want them to come from.
Title: Re: NAT with multiple public ip
Post by: marjohn56 on February 21, 2018, 03:30:00 pm
How are you defining your WAN IPs? I have 8 public IPs too; some are 1:1 natted to internal servers, some are not used, but the ones that are natted use the correct WAN IP for outgoing and the rest of the LAN devices use the primary gateway WAN.

Are you manually using ifconfig to add the WAN addresses?
Title: Re: NAT with multiple public ip
Post by: miclan on February 21, 2018, 04:31:53 pm
Thanks Dominian, now (as before with 17.x) on outbound NAT I have "Automatic outbound NAT rule generation (no manual rules can be used)".

@marjohn56 It's exactly my situation; the only difference is that since I upgraded to 18.1.2 my LAN devices don't use the primary gateway WAN IP address for outgoing, but continually change IP, chosen from the 8 public IPs the service provider gave me.

What's the solution to have LAN devices using the same IP for outgoing?

Title: Re: NAT with multiple public ip
Post by: marjohn56 on February 21, 2018, 04:45:52 pm
Can you do an ifconfig and post the results? Mask or change any public IPs before you post them. :)
Title: Re: NAT with multiple public ip
Post by: miclan on February 21, 2018, 05:02:03 pm
em0: flags=8c02<BROADCAST,OACTIVE,SIMPLEX,MULTICAST> metric 0 mtu 1500
   ether 00:18:71:ea:64:44
   hwaddr 00:18:71:ea:64:44
   media: Ethernet autoselect
   status: no carrier
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
   ether 00:23:7d:fc:7d:e6
   hwaddr 00:23:7d:fc:7d:e6
   inet netmask 0xffffff00 broadcast
   inet6 fe80::223:7dff:fefc:7de6%em1 prefixlen 64 scopeid 0x2
   media: Ethernet autoselect (1000baseT <full-duplex>)
   status: active
em2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
   ether 00:23:7d:fc:7d:e7
   hwaddr 00:23:7d:fc:7d:e7
   inet netmask 0xffffff00 broadcast
   inet6 fe80::223:7dff:fefc:7de7%em2 prefixlen 64 scopeid 0x3
   media: Ethernet autoselect (1000baseT <full-duplex>)
   status: active
bce0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
   ether 00:1c:c4:42:04:e2
   hwaddr 00:1c:c4:42:04:e2
   inet netmask 0xffffff00 broadcast
   inet6 fe80::21c:c4ff:fe42:4e2%bce0 prefixlen 64 scopeid 0x4
   media: Ethernet autoselect (1000baseT <full-duplex>)
   status: active
bce1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
   ether 00:1c:c4:42:14:d4
   hwaddr 00:1c:c4:42:14:d4
   inet xx.xx.xx.8 netmask 0xfffffff8 broadcast xx.xx.xx.9
   inet xx.xx.xx.5 netmask 0xfffffff8 broadcast xx.xx.xx.9
   inet xx.xx.xx.6 netmask 0xfffffff8 broadcast xx.xx.xx.9
   inet xx.xx.xx.7 netmask 0xfffffff8 broadcast xx.xx.xx.9
   inet6 fe80::21c:c4ff:fe42:14d4%bce1 prefixlen 64 scopeid 0x5
   media: Ethernet autoselect (1000baseT <full-duplex>)
   status: active
enc0: flags=41<UP,RUNNING> metric 0 mtu 1536
   groups: enc
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
   inet6 ::1 prefixlen 128
   inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
   inet netmask 0xff000000
   groups: lo
pflog0: flags=100<PROMISC> metric 0 mtu 33160
   groups: pflog
pfsync0: flags=0<> metric 0 mtu 1500
   groups: pfsync
   syncpeer: maxupd: 128 defer: off
ovpns1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
   inet6 fe80::218:71ff:feea:6444%ovpns1 prefixlen 64 scopeid 0xa
   inet -->  netmask 0xffffffff
   groups: tun openvpn
   Opened by PID 46635
Title: Re: NAT with multiple public ip
Post by: marjohn56 on February 21, 2018, 05:44:59 pm
Multiple IPs showing on the WAN.... I saw a similar thing happen with mine whilst I was messing around adding the extra WAN IPs to my system using ifconfig alias blah blah; this was whilst looking at an issue raised long ago. Franco has done some work on this, and there is no need to do what I was attempting to do.

Back to your system: try doing it the way I do it. For example, two of my external IPs are used for my mail server and a web server. For these I use 1:1 NAT, no port forwards, as the 1:1 is already doing that, and I just set up firewall rules to only allow the ports through to those addresses that I want; so for example for my web server, it's just 80 and 443.

So remember I have a 1:1 NAT for that Web server and the mail server.

External IP *.*.*.181, Internal IP, Destination any

I have a WAN rule for it; this is to allow only the ports through I want, and to stop 'plonkers' from trying to hack it, I use Geo blocking and a 'plonkers' alias list to stop unwanted attention. This is my rule for the web server:


Source Any, Port Any, Protocol TCP, Destination, Dest Port Range from 'web_server_ports' to 'web_server_ports'. I use an Alias 'web_server_ports' here to specify the two ports 80 and 443.

Now my mail server is very similar in setup, more ports but that is really the only difference. I have separate rules for V6, for the simple reason it's easier for me to see it quickly.

Now the Virtual IPs...

In Virtual IPs, I have an IP Alias for three of my eight external IPs. The primary IP *.*.*.182 is not there, as that is the WAN static IP. So in Virtual IPs: Settings, for the three entries:
Type IP Alias
Interface WAN
Address *.*.*.181 /32
Address *.*.*.180 /32
Address *.*.*.178 /32

Now, try setting it up like that, using 1:1 NAT, back up your config first so you can revert to it if you need to.

Note, my ifconfig does NOT show any of my aliases, but they all work.
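
A quick way to check for the condition discussed in this thread, several IPv4 addresses bound directly to one interface in ifconfig output. This is an added example, not part of any forum post; the function names are hypothetical and the sample input is constructed with documentation addresses.

```shell
#!/bin/sh
# Added example: report interfaces that carry more than one IPv4 address
# in FreeBSD-style ifconfig output. Function names are hypothetical.

# Reads ifconfig output on stdin; prints "iface count addr,addr,..." for
# each interface with more than one "inet" line, in input order.
multi_inet() {
    awk '
    # Interface header starts in column 0, e.g. "bce1: flags=8843<...>"
    /^[A-Za-z0-9_.]+: flags=/ { iface = $1; sub(/:$/, "", iface); next }
    # IPv4 lines are indented and begin with the word "inet" (not inet6)
    $1 == "inet" && iface != "" {
        # Posted output often has the address stripped: "inet netmask ..."
        addr = ($2 == "netmask" || $2 == "-->") ? "(redacted)" : $2
        if (!(iface in n)) order[++k] = iface
        n[iface]++
        list[iface] = (list[iface] == "" ? addr : list[iface] "," addr)
    }
    END {
        for (i = 1; i <= k; i++)
            if (n[order[i]] > 1)
                print order[i], n[order[i]], list[order[i]]
    }'
}

# Constructed sample (documentation addresses), shaped like the posted output.
sample_ifconfig() {
    cat <<'EOF'
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
   ether 00:00:5e:00:53:01
   inet netmask 0xffffff00 broadcast
   inet6 fe80::200:5eff:fe00:5301%em1 prefixlen 64 scopeid 0x2
   status: active
bce1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
   ether 00:00:5e:00:53:02
   inet 203.0.113.2 netmask 0xfffffff8 broadcast 203.0.113.7
   inet 203.0.113.3 netmask 0xfffffff8 broadcast 203.0.113.7
   inet 203.0.113.4 netmask 0xfffffff8 broadcast 203.0.113.7
   inet 203.0.113.5 netmask 0xfffffff8 broadcast 203.0.113.7
   status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
   inet6 ::1 prefixlen 128
   inet 127.0.0.1 netmask 0xff000000
EOF
}

# On the firewall itself, use:  ifconfig | multi_inet
sample_ifconfig | multi_inet
```

An interface listed here has its extra addresses bound at the OS level; per the note above, addresses configured only as Virtual IP aliases did not show up in marjohn56's ifconfig output.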