Forwarding external IPs to machines in DMZ

Started by Joolz, August 28, 2019, 03:30:57 PM

Hi All,

I'm migrating from a Linux based UTM to Opnsense and have the following setup:

LAN - 172.20.0.0
DMZ - 172.21.0.0
WAN 33.31.153.xxx

Our ISP has provided us with a block of 14 external IP addresses for webservers, running 81.145.xxx.1 to 81.145.xxx.15 .

On our existing Linux UTM, all that was required to open the machines in the DMZ to the outside world was forwarding the port required as an incoming port forwarding rule, with the external IP named as the source, and the DMZ IP named as destination.  I tried replicating this on Opnsense but it didn't seem to work.

The existing UTM has been in place for a considerable length of time and there are all kinds of rules pushing ports all over the place so for instance, ports 22, 80 and 3389 on a single external IP may be resolving to 3 different machines in the DMZ which I believe excludes using 1:1 NAT.

What would be the easiest way to replicate settings from the Linux box, if indeed that is possible?  Should I rejig the rules and go 1:1, or can I use IP aliases or normal port forwarding?

I'd be very grateful if anyone could point me in the right direction.

Thanks,

Joolz

Hi,
I think the easiest (direct) way to do this is to assign the IPs (in your case 81.145.xxx.xxx): one to the DMZ interface and the rest, as required, to the (web)servers.
This way OPNsense can route the requests to the servers, if your firewall rules allow it.
This would not require any NAT or port forwarding.

oipnsenuser

Define the IP addresses as virtual IPs.
Go to Firewall -> Virtual IPs.
One for every IP.
Then use port forward.
Firewall -> NAT -> Port Forward.
Define rules.
Interface WAN, source any, destination your IP from ISP, forward to IP of DMZ (device) and the ports.
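The following is an added example, not code from this thread or from OPNsense, that works through the Virtual IP plus port-forward approach above against the original poster's concern that one external IP serving several DMZ hosts rules out 1:1 NAT. It takes a constructed list of legacy forwards, decides per external address whether 1:1 NAT would do or per-port forwards are needed, lists the Virtual IPs that must exist first, and flags any forward whose target is not in the DMZ. The 81.145.0.x addresses, the /16 DMZ mask and the `wan` interface name are placeholders for the thread's redacted values; the rendered rule strings use pf rdr syntax as a readable approximation of what each port-forward entry does, not OPNsense's exact generated output.

```python
"""Plan a migration of legacy UTM port forwards to OPNsense Virtual IPs + Port Forward rules."""
import ipaddress
from collections import defaultdict

# Constructed sample rules: (external IP, proto, external port, DMZ host, DMZ port).
# 81.145.0.x stands in for the thread's 81.145.xxx.x block (placeholder, not real addresses).
LEGACY_RULES = [
    ("81.145.0.1", "tcp", 22,   "172.21.0.10", 22),    # three ports on one external IP ...
    ("81.145.0.1", "tcp", 80,   "172.21.0.11", 80),    # ... landing on three different DMZ hosts
    ("81.145.0.1", "tcp", 3389, "172.21.0.12", 3389),
    ("81.145.0.2", "tcp", 80,   "172.21.0.20", 80),    # one external IP, one host, same ports
    ("81.145.0.2", "tcp", 443,  "172.21.0.20", 443),
]

# Thread says "DMZ - 172.21.0.0"; the /16 prefix length is an assumption.
DMZ_NET = ipaddress.ip_network("172.21.0.0/16")


def pf_rdr(ext_ip, proto, ext_port, dmz_ip, dmz_port, wan_if="wan"):
    """Render one forward in pf rdr syntax (interface name 'wan' is a placeholder)."""
    return (f"rdr on {wan_if} proto {proto} from any to {ext_ip} port {ext_port} "
            f"-> {dmz_ip} port {dmz_port}")


def plan_migration(rules):
    """Per external IP: '1:1' if every port goes unchanged to a single DMZ host, else 'portforward'.

    1:1 NAT binds one external address to exactly one internal host for all ports, so an
    external IP whose ports fan out to several hosts (or are remapped) needs a Virtual IP
    plus one Firewall: NAT: Port Forward rule per port instead.
    """
    by_ext = defaultdict(list)
    for ext_ip, proto, ext_port, dmz_ip, dmz_port in rules:
        by_ext[ext_ip].append((proto, ext_port, dmz_ip, dmz_port))
    plan = {}
    for ext_ip, entries in by_ext.items():
        targets = {e[2] for e in entries}
        same_port = all(e[1] == e[3] for e in entries)
        if len(targets) == 1 and same_port:
            plan[ext_ip] = {"mode": "1:1", "dmz_ip": targets.pop(), "forwards": []}
        else:
            plan[ext_ip] = {"mode": "portforward", "dmz_ip": None,
                            "forwards": [pf_rdr(ext_ip, *e) for e in entries]}
    return plan


def virtual_ips_needed(rules):
    """Every external address a forward references must first exist under Firewall: Virtual IPs."""
    return sorted({r[0] for r in rules})


def outside_dmz(rules, dmz_net=DMZ_NET):
    """Forwards pointing at a host outside the DMZ: a stale or mistyped rule worth fixing before migrating."""
    return [r for r in rules if ipaddress.ip_address(r[3]) not in dmz_net]
```

Running `plan_migration(LEGACY_RULES)` reports 81.145.0.1 as needing three port-forward rules while 81.145.0.2 could be a 1:1 mapping; you can still choose plain port forwards for both, which is what the last reply recommends.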