Home
Help
Search
Login
Register
OPNsense Forum
»
Archive
»
17.7 Legacy Series
»
NAT Outbound Issue
« previous
next »
Print
Pages: [
1
]
Author
Topic: NAT Outbound Issue (Read 4652 times)
jwtoler
Newbie
Posts: 3
Karma: 0
NAT Outbound Issue
«
on:
September 27, 2017, 09:32:14 pm »
I have 5 public static IPs assigned to me from my ISP. The modem they provide requires each ip to have a unique MAC address - so I created the appropriate Virtual IPs using CARP. My end goal is to have it set up the way it was when I was running pfSense (I wanted to switch and give this a go). With pfSense, I had my LAN (10.0.1.0/24) which had 3 web servers running in the LAN NET. All 3 servers need to have ports 80/443 open so I assigned the CARP IPs to just one ip address/server in the LAN NET and everything was working; after applying to appropriate rules, etc. So I was trying to replicate my set up w/ OPNsense and below is a run down of what I have going on currently:
Server #1 would have a public ip of X.X.X.21 (CARP) and a private ip of 10.0.1.5
Server #2 would have a public ip of X.X.X.22 (CARP) and a private ip of 10.0.1.6
Server #3 would have a public ip of X.X.X.23 (CARP) and a private ip of 10.0.1.7
Everything else on the LAN would have a public ip of X.X.X.20 and a private ip range of 10.0.1.50-10.0.100
With OPNsense... when I try to go create the Firewall:NAT:Outbound rule to allow the servers to work correctly, I am unable to set the source as a single host. I enter 10.0.1.5/24 and when I hit save it ends up changing the source to be 10.0.1.0/24, which of course makes my whole LAN have the same public ip X.X.X.21 instead of the server having X.X.X.21 and everything else having X.X.X.20.
«
Last Edit: September 27, 2017, 09:48:02 pm by jwtoler
»
Logged
franco
Administrator
Hero Member
Posts: 17669
Karma: 1612
Re: NAT Outbound Issue - potential bug
«
Reply #1 on:
September 27, 2017, 09:38:16 pm »
10.0.1.5/32 does not work?
Cheers,
Franco
Logged
jwtoler
Newbie
Posts: 3
Karma: 0
Re: NAT Outbound Issue - potential bug
«
Reply #2 on:
September 27, 2017, 09:42:36 pm »
Quote from: franco on September 27, 2017, 09:38:16 pm
10.0.1.5/32 does not work?
Cheers,
Franco
and this is where I feel stupid... yes it caused it to stay the way it should be. The whole subnet thing still confused me a little can you maybe explain why /32 works?
The public ips have a /29 subnet and so do the virtual ips... the lan has /24.... why does /32 work with the outbound rules?
Logged
franco
Administrator
Hero Member
Posts: 17669
Karma: 1612
Re: NAT Outbound Issue
«
Reply #3 on:
September 28, 2017, 03:31:03 pm »
You can NAT whole networks so when you type /24 it selects that whole network, regardless of your IP specification. OpenVPN is really more harsh and correct about enforcement, when you type "10.0.0.1/8" it will error and say this doesn't work, because you really meant "10.0.0.0/8" or "10.0.0.1/32", but not both...
/32 means no network -- a full single address (all 32 bits of the address are valid). /29 may also work, but not knowing your network /32 is probably the safest thing to start with.
Cheers,
Franco
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
Archive
»
17.7 Legacy Series
»
NAT Outbound Issue