1-to-1 NAT confusion OPNSense 21.1.4

Started by nellson, April 05, 2021, 03:46:29 PM

So I am new to OPNSense from a Palo Alto firewall system. My home network has a /29 public block, where I use the first usable as my firewall IP, and all my port forwarding.

But I have some servers that need two 1-to-1 NATs and I am having trouble understanding the docs on how this works.

I made two BINAT rules the way I think they needed to be, <public>.99 <-> <private>.24/32, and when I test my .24 host with a what's-my-IP test, I get my public NAT, but when I try to contact my host via an external DIG (it's a DNS server) I get nothing. My rules allow TCP/UDP 53 & 953 to my two outside IPs.

Do I need to use a Virtual IP construct to get OPNSense to respond to the two outside IPs of my NAT? (This was from a Google search of someone who got a lab to work. Did not make sense.)

UPDATE: OK, so I did see that making a series of virtual IPs for my <public>.96/29 external range is needed for inbound traffic. So I made the remaining 4 free IPs as Virtuals so I will not forget.

Now the NATs work inbound and OUT.

But the rules I built are not what I was expecting. I created a WAN rule to allow the DNS ports to my external IPs and nothing worked. I looked in the live log, and I see DENIES from my source test, but the destination is the <private>.24 IP and not the <public>.99 static IP on the WAN interface? WTH? OK, so I clone my rule and change the destination to the <private>.24 IP, and now DNS is working.

The Port forwarding rules work against the outside IP of the firewall, and I expected it to be that way.

So 1-to-1 NAT happens before the rules are checked? Meh... So far it appears that way.

This is pfSense documentation, but AFAIK since OPNsense is still based on the same guts, the order of operations is the same...

https://docs.netgate.com/pfsense/en/latest/nat/process-order.html
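The behaviour the thread converges on (1:1 NAT translates the packet first, and WAN filter rules are then evaluated against the already-translated private destination, which is why the live log shows denies to <private>.24 rather than <public>.99) can be reproduced with a small model of that processing order. This is an added example, not code from the thread, OPNsense or pf; the addresses are constructed placeholders (203.0.113.96/29 is an RFC 5737 documentation range standing in for the poster's <public> block, 192.168.1.24 for <private>.24, 198.51.100.7 for an external DNS client), and the filter uses first-match semantics as with pf's "quick" flag.

```python
"""Model of pf-style order of operations on WAN: BINAT (1:1 NAT) is applied
before filter rules are evaluated. Added example with placeholder addresses;
not the firewall's own code."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = arriving on WAN, "out" = leaving via WAN
    proto: str       # "tcp" or "udp"
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class FilterRule:
    action: str          # "pass" or "block"
    direction: str
    protos: frozenset
    dst_net: str         # the destination the rule is written against
    dports: frozenset

    def matches(self, pkt: Packet) -> bool:
        return (self.direction == pkt.direction
                and pkt.proto in self.protos
                and ip_address(pkt.dst) in ip_network(self.dst_net)
                and pkt.dport in self.dports)


# 1:1 NAT (BINAT) table: public address <-> private host (placeholders).
BINAT = {"203.0.113.99": "192.168.1.24"}
BINAT_REVERSE = {private: public for public, private in BINAT.items()}


def apply_binat(pkt: Packet) -> Packet:
    """Step 1: translation. Inbound packets get their destination rewritten
    to the private host; outbound packets get their source rewritten to the
    public address. Filtering has not happened yet."""
    if pkt.direction == "in" and pkt.dst in BINAT:
        return replace(pkt, dst=BINAT[pkt.dst])
    if pkt.direction == "out" and pkt.src in BINAT_REVERSE:
        return replace(pkt, src=BINAT_REVERSE[pkt.src])
    return pkt


def process(pkt: Packet, rules: list, default: str = "block"):
    """Step 2: filter the *translated* packet, first matching rule wins.
    Returns (verdict, translated packet) so the caller can see what the
    rules actually saw, which is what the live log reports."""
    translated = apply_binat(pkt)
    for rule in rules:
        if rule.matches(translated):
            return rule.action, translated
    return default, translated


DNS_PORTS = frozenset({53, 953})
TCP_UDP = frozenset({"tcp", "udp"})
INBOUND_DNS = Packet("in", "udp", "198.51.100.7", "203.0.113.99", 53)


def verdict_with_public_dst() -> str:
    """The rule as first written: destination = the public 1:1 address.
    It never matches, because by filter time the destination is private."""
    rules = [FilterRule("pass", "in", TCP_UDP, "203.0.113.99/32", DNS_PORTS)]
    return process(INBOUND_DNS, rules)[0]


def verdict_with_private_dst() -> str:
    """The cloned rule: destination = the private host. This one matches."""
    rules = [FilterRule("pass", "in", TCP_UDP, "192.168.1.24/32", DNS_PORTS)]
    return process(INBOUND_DNS, rules)[0]


def logged_destination() -> str:
    """What a deny line in the live log shows as destination."""
    return process(INBOUND_DNS, [])[1].dst


def outbound_source_seen_by_internet() -> str:
    """The what's-my-IP check from the private host: source is translated
    to the public address on the way out."""
    rules = [FilterRule("pass", "out", TCP_UDP, "0.0.0.0/0", frozenset({443}))]
    _, translated = process(Packet("out", "tcp", "192.168.1.24",
                                   "198.51.100.7", 443), rules)
    return translated.src


if __name__ == "__main__":
    print("rule on public dst:", verdict_with_public_dst())
    print("rule on private dst:", verdict_with_private_dst())
    print("log shows dst:", logged_destination())
    print("outbound src seen:", outbound_source_seen_by_internet())
```

The same ordering is why port forwards and 1:1 mappings both want their WAN pass rules written against the internal address; a rule that only permits traffic to the public address leaves the mapped host unreachable while still appearing correct in the rule list.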