OPNsense Forum

Archive => 18.1 Legacy Series => Topic started by: kkoh on June 18, 2018, 04:52:52 pm

Title: RFH: Proper way to route traffic from WAN to LAN
Post by: kkoh on June 18, 2018, 04:52:52 pm
I've been on pfsense for years now. We have what I think is a relatively simple setup... two WANs each with full class Cs and a single LAN that houses users and a few services, some of which need to be accessed from the WAN side.
For our purposes we often have a virtual IP on each of our ISP class Cs lead to a single service within our LAN and simply give them different DNS names so that in the case of an outage of one of our ISPs we have a backup ingress point.
In the past (pfsense) I'd use VirtIPs and 1:1 NAT along with a firewall rule. I intend to start testing opnsense now that I've got it running on my NETGATE hardware. I'm at the stage where I'd like to test the above mentioned techniques, but I'm at a loss in understanding the One-to-One interface as my only prior experience was the pfsense version. Also, I'm willing to accept that perhaps we weren't doing it right back then, as we hired a third party to get us up and running and he seemed to be figuring it out as he went.
So, if my goal is to give access to a handful of internal LAN services via dual ISP virtual IPs... and usually only from a specific host or subnet and to a specific port, which method is the correct way?

If it still is VirtIP - 1:1 - FW Rules, then can somebody point me to the correct doc because I can't find it on the doc pages, and the threads that turn up here are all over the place as to intent and none that I've found explain it clearly.
Thanks for any pointers.
Title: Re: RFH: Proper way to route traffic from WAN to LAN
Post by: kkoh on June 18, 2018, 04:54:25 pm
Also... NAT / BINAT  -- I'm talking single hosts... not an entire subnet nor full access to entire machines.
Title: Re: RFH: Proper way to route traffic from WAN to LAN
Post by: kkoh on June 18, 2018, 05:27:21 pm
Okay... this answer: https://forum.opnsense.org/index.php?topic=5541.msg22639#msg22639
to another question has gotten me to the point where I am successfully attaching to an internal service via a BINAT 1:1 rule and the firewall source-specific lock down.

So remaining questions:
1. Are the virtual IPs necessary to have the box respond to these other IPs?
2. Given what I'm trying to do, is this the best way to accomplish it?
Thanks!
Title: Re: RFH: Proper way to route traffic from WAN to LAN
Post by: pongafence on June 19, 2018, 12:02:57 pm
I guess it really depends on how you want to manage it.

I use Virtual IP's and use specific Source and Destination NAT's to achieve the 1:1 NAT without publishing all services.
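The reply above describes the two ways of exposing one internal host on a per-ISP virtual IP. The following pf.conf fragment is an added example written for this thread, not configuration from any poster or from OPNsense itself; it uses the FreeBSD pf dialect that OPNsense generates from its GUI (visible in /tmp/rules.debug on the box). Interface names, the documentation-range addresses, the gateway aliases and the service port are all assumptions chosen for illustration.

```pf
# Added example (not from the thread). Interface names, addresses and
# gateways below are assumed; substitute your own.
ext_if1 = "igb0"            # WAN 1 (ISP A)
ext_if2 = "igb1"            # WAN 2 (ISP B)
int_if  = "igb2"            # LAN
gw_a    = "198.51.100.1"    # ISP A gateway (assumed)
gw_b    = "203.0.113.1"     # ISP B gateway (assumed)
vip_a   = "198.51.100.10"   # Virtual IP on ISP A's /24 (Interfaces > Virtual IPs)
vip_b   = "203.0.113.10"    # Virtual IP on ISP B's /24
srv     = "192.168.1.50"    # internal host running the service
partner = "192.0.2.25"      # the only source allowed to reach it
svc_port = "443"

# Option A: 1:1 NAT (binat). This maps EVERY port in both directions;
# nothing but the pass rules further down keeps the rest of $srv unpublished.
# binat on $ext_if1 inet from $srv to any -> $vip_a

# Option B (the approach in the reply above): a port-specific destination NAT
# (OPNsense "Port Forward") plus a matching source NAT (OPNsense "Outbound NAT")
# so that traffic originating from $srv leaves with the same VIP.
# Translation rules must precede filter rules in FreeBSD pf.
rdr on $ext_if1 inet proto tcp from $partner to $vip_a port $svc_port -> $srv port $svc_port
rdr on $ext_if2 inet proto tcp from $partner to $vip_b port $svc_port -> $srv port $svc_port
nat on $ext_if1 inet from $srv to any -> $vip_a
nat on $ext_if2 inet from $srv to any -> $vip_b

# Filter rules. rdr rewrites the destination before filtering, so the pass
# rule must name the internal address; this is the real source lock-down.
# reply-to sends the answer back out the ISP the request arrived on instead
# of the default route (OPNsense adds this to WAN rules unless disabled).
block in log on { $ext_if1, $ext_if2 }
pass in quick on $ext_if1 reply-to ($ext_if1 $gw_a) inet proto tcp \
    from $partner to $srv port $svc_port flags S/SA keep state
pass in quick on $ext_if2 reply-to ($ext_if2 $gw_b) inet proto tcp \
    from $partner to $srv port $svc_port flags S/SA keep state
```

The virtual IPs are what make the box answer ARP for $vip_a and $vip_b at all; the rdr/nat pair decides which ports are translated, and the pass rules decide who may reach them. After applying the GUI equivalents you can confirm the loaded translation and filter rules with `pfctl -sn` and `pfctl -sr` from the shell, and test from the allowed and from a disallowed source host to make sure the block rule is the one that fires for the latter.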
Title: Re: RFH: Proper way to route traffic from WAN to LAN
Post by: kkoh on June 19, 2018, 01:36:46 pm
> I guess it really depends on how you want to manage it.
>
> I use Virtual IP's and use specific Source and Destination NAT's to achieve the 1:1 NAT without publishing all services.
That's exactly how I've done it in the past so I'm content to move forward that way... just making sure there's not some other/better way to do it.