Messages - thisisjjd

#1
I'm trying to switch to Opnsense and having a hard time getting it working. (I posted something similar a couple weeks ago, but I don't think I described it properly.)

Goal: I have two static IP addresses from my provider, 123.2.3.50 and 123.2.3.53. I want to use NAT port forwarding to forward ssh to the router WAN address (123.2.3.50) to go to local address 192.168.1.2.

I also want to use one-to-one NAT to forward ssh traffic addressed to 123.2.3.53 to go to 192.168.1.7.

I'm using One-to-one NAT with Virtual IP address to configure the second external static address.

Problem: When configured as described below, all ssh traffic for both 123.2.3.50 and 100.0.56.53 goes to 192.168.1.2 and none goes to 192.168.1.7.

Config:
WAN Interface: IPv4 address: 123.2.3.50/24
LAN Interface: 192.168.1.1/24

Virtual IP: IP Alias, WAN
Network / Address: 123.2.3.53/32

Firewall -> NAT -> One-to-One: WAN, BINAT
External Network: 123.2.3.53/32
Source: Single Host or Network: 192.168.1.7/32

Firewall -> NAT -> Port Forward:
TCP SSH from WAN address forward to 192.168.1.2/32

Firewall -> Rules -> WAN:
TCP SSH pass to 192.168.1.7/32
(automatic rule) TCP SSH pass to 192.168.1.2

Results:
When the virtual IP was set to /24:

  • ssh from *internal* hosts on the *LAN* to external 123.2.3.53 would work correctly to 192.168.1.7
  • ssh from external internet hosts to 123.2.3.53 would hang

When the virtual IP was set to /32:

  • ssh from *internal* hosts on the *LAN* to external 123.2.3.53 would work correctly to 192.168.1.7
  • ssh from external internet hosts to 123.2.3.53 would incorrectly forward to 192.168.1.2

What am I missing?  I'm concerned I got some of the netmask specifications incorrect.  (The ISP instructed to use /24 for the WAN address.)

Thank you.
#2
Hi Opnsense community.  I'm new to Opnsense, but not new to IP networking.

I'm trying to replace an existing router with Opnsense.  My configuration is that I have four public static IP addresses from my ISP.  I'm trying to use (let's say) one of those to access a particular host on the LAN.

I have searched the forum and read many posts about this, but somehow I'm not succeeding.

Before using this in the real world, I'm trying to get my configuration working in a test environment to make sure I understand how to set it up.  To that end, I currently have my opnsense WAN port connected to my existing LAN.  I have a new opnsense LAN network where I'm trying to connect via a "WAN" address.

My router is OPNsense 23.7.12-amd64.
My Opnsense WAN IP is 10.9.8.54 (I have "block private networks" disabled on the WAN since WAN address is private)
My Opnsense LAN IP is 10.0.10.1
The netmask is /24 on both sides.

A host on the Opnsense LAN is 10.0.10.12 and I'm trying to connect to it from the WAN side using "public" static IP 10.9.8.75.

I have created a Virtual IP for 10.9.8.75:


Then I configured One-to-one NAT on the WAN to configure 10.9.8.75 to 10.0.10.12 on the LAN:


Then I configured a WAN firewall rule to allow SSH to the LAN host:  (later, I also tried/added http/https)


Then I tried connecting via ssh from "WAN" host 10.9.8.2 to "WAN" IP 10.9.8.75, but it was blocked by "Default Deny / state violation rule".  (You can see that the 1:1 NAT is working in the sense that it shows that the incoming connection to the "WAN" address was forwarded to the LAN host, but then presumably blocked.)

As I said I tried this with ssh (22) as well as with http/https with the same result.  I must be forgetting something.  Can you help?

Thank you.
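Both posts above turn on the same two pf behaviours, so here is one added example covering them; it is not code from either post or from OPNsense. For an inbound packet pf looks for a translation in this order: every rdr rule (port forward) in listing order, then every binat rule (1:1 NAT) in listing order, and the first match wins, which is why a port forward that also matches the virtual IP captures traffic a 1:1 mapping was meant to get (post #1). Filter rules run after translation and therefore must match the translated, LAN-side destination, not the WAN address (post #2). The rulesets below are constructed in the style of `pfctl -sn` and `pfctl -sr` output; the interface name em0, the exact field order and the port notation are assumptions, so feed your own `pfctl` listing through `parse_rules()` rather than trusting the samples.

```python
"""Model pf's inbound translation lookup and post-translation filtering.

Added example, not from the original posts. Assumptions: interface em0,
rule text in the shape pfctl prints it, OPNsense-style `quick` filter rules.
"""
import ipaddress
import re

# --- Constructed sample, post #1: two public addresses, rdr + binat -------
# Port forward whose destination is the WAN interface address only.
NAT_WAN_ADDRESS = """\
rdr on em0 inet proto tcp from any to 123.2.3.50 port = 22 -> 192.168.1.2 port 22
binat on em0 inet from 192.168.1.7 to any -> 123.2.3.53
"""
# Same mapping, but the port forward matches *any* destination address.
NAT_ANY_DST = """\
rdr on em0 inet proto tcp from any to any port = 22 -> 192.168.1.2 port 22
binat on em0 inet from 192.168.1.7 to any -> 123.2.3.53
"""
FILTER_PROD = """\
pass in quick on em0 inet proto tcp from any to 192.168.1.7 port = 22
pass in quick on em0 inet proto tcp from any to 192.168.1.2 port = 22
block drop in quick on em0 all
"""

# --- Constructed sample, post #2: lab 1:1 NAT, two candidate WAN rules ----
NAT_LAB = "binat on em0 inet from 10.0.10.12 to any -> 10.9.8.75\n"
FILTER_LAB_OK = """\
pass in quick on em0 inet proto tcp from any to 10.0.10.12 port = 22
block drop in quick on em0 all
"""
# Written against the WAN-side address: never matches after translation.
FILTER_LAB_WRONG = """\
pass in quick on em0 inet proto tcp from any to 10.9.8.75 port = 22
block drop in quick on em0 all
"""

RDR_RE = re.compile(
    r"^rdr(?: pass)? on (\S+)(?: inet6?)?(?: proto (\S+))? from (\S+) to (\S+)"
    r"(?: port = (\d+))? -> (\S+)(?: port (\d+))?$")
BINAT_RE = re.compile(
    r"^binat(?: pass)? on (\S+)(?: inet6?)?(?: proto (\S+))? from (\S+) to (\S+) -> (\S+)$")
FILTER_RE = re.compile(
    r"^(pass|block)(?: drop| return)? in quick on (\S+)(?: inet6?)?(?: proto (\S+))? "
    r"(?:all|from (\S+) to (\S+)(?: port = (\d+))?)")


def _matches(spec, ip):
    """True if a rule address spec ('any', host or CIDR) covers ip."""
    if spec in (None, "any"):
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def parse_rules(text):
    """Parse rdr, binat and quick filter lines into dicts keyed by 'kind'."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if (m := RDR_RE.match(line)):
            ifn, proto, src, dst, dport, target, tport = m.groups()
            rules.append({"kind": "rdr", "if": ifn, "proto": proto, "dst": dst,
                          "dport": int(dport) if dport else None,
                          "target": target, "tport": int(tport) if tport else None})
        elif (m := BINAT_RE.match(line)):
            ifn, proto, internal, _dst, external = m.groups()
            rules.append({"kind": "binat", "if": ifn, "proto": proto,
                          "internal": internal.split("/")[0], "external": external})
        elif (m := FILTER_RE.match(line)):
            action, ifn, proto, _src, dst, dport = m.groups()
            rules.append({"kind": "filter", "action": action, "if": ifn, "proto": proto,
                          "dst": dst, "dport": int(dport) if dport else None})
        else:
            raise ValueError("unparsed rule: " + line)
    return rules


def inbound_translation(rules, dst_ip, dport, proto="tcp"):
    """rdr rules first, then binat, first match wins; None if untranslated."""
    for r in (x for x in rules if x["kind"] == "rdr"):
        if r["proto"] in (None, proto) and _matches(r["dst"], dst_ip) \
                and r["dport"] in (None, dport):
            return ("rdr", r["target"], r["tport"] or dport)
    for r in (x for x in rules if x["kind"] == "binat"):
        # Inbound side of a binat: external address -> internal host, every port.
        if r["proto"] in (None, proto) and _matches(r["external"], dst_ip):
            return ("binat", r["internal"], dport)
    return None


def inbound_allowed(rules, dst_ip, dport, proto="tcp"):
    """Quick rules: first match decides; no match falls through to deny."""
    for r in (x for x in rules if x["kind"] == "filter"):
        if r["proto"] in (None, proto) and _matches(r["dst"], dst_ip) \
                and r["dport"] in (None, dport):
            return r["action"] == "pass"
    return False


def trace(rule_text, dst_ip, dport):
    """Translate, then filter the translated packet, as pf does inbound."""
    rules = parse_rules(rule_text)
    hit = inbound_translation(rules, dst_ip, dport)
    kind, new_ip, new_port = hit if hit else (None, dst_ip, dport)
    return {"translation": kind, "dst": new_ip, "port": new_port,
            "allowed": inbound_allowed(rules, new_ip, new_port)}


if __name__ == "__main__":
    for label, text, ip in (("wan-address rdr", NAT_WAN_ADDRESS + FILTER_PROD, "123.2.3.53"),
                            ("any-dst rdr", NAT_ANY_DST + FILTER_PROD, "123.2.3.53"),
                            ("lab, LAN-side rule", NAT_LAB + FILTER_LAB_OK, "10.9.8.75"),
                            ("lab, WAN-side rule", NAT_LAB + FILTER_LAB_WRONG, "10.9.8.75")):
        print(label, trace(text, ip, 22))
```

On a real box, `pfctl -sn` shows the translation rules in the order pf will try them and `pfctl -sr` the filter rules; if the rdr line for the port forward has a destination that also covers the virtual IP, the binat for that IP is never reached, and if the WAN pass rule names the external address instead of the LAN host, nothing passes after translation.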