Topic: Problem with 1:1 NAT (Read 1876 times)
dd2594opn
Newbie
Posts: 13
Karma: 1
Problem with 1:1 NAT
« on: December 31, 2022, 08:08:18 pm »
Hello - I am having trouble setting up 1:1 NAT for my /29 public subnet.
I have an x.x.x.8/29 subnet - the ISP gateway is x.x.x.9 -- my opnsense router is at x.x.x.10 and basic networking/access for all my internal subnets is functioning.
I have added a Virtual IP entry for each of my remaining /29 IPs:
Mode: IP Alias
Interface: WAN
Address: x.x.x.11/29 (also x.x.x.12/29, x.x.x.13/29, x.x.x.14/29)
The interface appears to have taken ownership of the Virtual IPs as expected, as pings to x.x.x.<10,11,12,13,14> all respond from an external machine.
Each of the Virtual IPs has a 1:1 NAT entry:
Interface: WAN
Type: BINAT
External Network: x.x.x.11 (or 12, 13, 14)
Source: Single Host or Network x.x.x.211/32 (or 212, 213, 214 as appropriate)
NAT Reflection: Enabled
Firewall Rules on the WAN interface:
Pass rule -- In, IPv4, TCP, Source: any, Destination: x.x.x.211 Ports: <alias for 80, 443>
--- so now the issue:
Internally the web server responds as expected. But when I attempt to access it from an external machine using, say, https://x.x.x.11 or the registered DNS name, the response is: 404 Site x.x.x.11 is not served on this interface
What is it I am missing?
Vilhonator
Full Member
Posts: 245
Karma: 13
Re: Problem with 1:1 NAT
« Reply #1 on: January 01, 2023, 12:56:44 pm »
Check your firewall, NAT rules and all settings in firewall ---> Settings ---> Advanced, especially Dual - WAN.
By default OPNsense will block all incoming connections from external sources unless you create a rule which tells it to allow connections. For firewalls with 2 WAN ports (especially if they aren't both directly connected to the internet on different network blocks), you have to make sure all traffic goes in and out from one WAN port and the "other" WAN's internet traffic gets routed to it internally.
I have never tried 1:1 NAT so I don't really know how it is done, but if you are using multiple public IPs, then the issue is in either firewall rules, firewall settings or routes.
Though if the internet works as it should on all networks, then being externally blocked from your firewall isn't an issue really; you just have to use a VPN.
dd2594opn
Newbie
Posts: 13
Karma: 1
Re: Problem with 1:1 NAT
« Reply #2 on: January 02, 2023, 04:08:39 pm »
So specifically what should I be looking at in the Firewall -- Settings -- Advanced ... I assume the Dual-WAN you refer to is Multi-WAN. In the physical sense there is not a Multi-WAN involved. Literally this is a single NIC for the WAN with multiple IPs (using Virtual IPs) mapped to it.
So what settings would be in question here? I find no reference to them in the documentation. I know it has to be a block that OPNsense has, but which one and where? I have configured what the documentation has and everything works except when on a machine truly external to my network.
I can get to the web server on the x.x.x.11 virtual IP from the internal network and when connected by VPN - so there is a block somewhere in the OPNsense rules/settings. But the documentation doesn't make clear which one. I know the base system will work as I converted a working pfSense (same basic system under the hood) to OPNsense and this problem began occurring.
Vilhonator
Full Member
Posts: 245
Karma: 13
Re: Problem with 1:1 NAT
« Reply #3 on: January 02, 2023, 06:17:53 pm »
Yes, multi-WAN.
I don't know exactly which options to check (again, I never used 1:1 NAT), and it doesn't matter if you have 2 or 1 physical WAN port: if you have designated 2 interfaces to have a public IP and assigned a virtual IP to one that has no physical connection to the internet, then it is multi-WAN (to my understanding).
You have to make sure that if traffic for both interfaces goes through 1 interface which is connected to the internet, the port in question is able to route traffic belonging to the other port to its virtual IP and doesn't conflict with its own IP (if both public IPs belong to the same CIDR, the automatic route won't work since it is the same for both, so a Virtual IP is needed to separate the 2). This is how I understand it.
If you are just trying to connect a router with its own firewall and NAT etc. to your firewall, you need to adjust OPNsense's firewall outbound rules, which is also something I don't know much about.
The way I would "fix" the issue is to take an unmanaged switch, connect that directly to the internet, connect all the ports on OPNsense which need public IPs to it, and assign them as gateways for each LAN I create respectively. Not sure if it would work, but that's one way I think you can put 2 public IPs on a single device.
I would ask assistance from the ISP on how to set things up; they might be able to help you faster.
https://docs.netgate.com/pfsense/en/latest/nat/1-1.html
Here is some advice on 1:1 NAT; you can also do some research, but all I know for sure is that it is a matter of settings and/or routing to get things done.
dd2594opn
Newbie
Posts: 13
Karma: 1
Re: Problem with 1:1 NAT
« Reply #4 on: January 03, 2023, 12:10:04 am »
Thanks - I have checked all of those and yes, I used the pfSense document before -- since this exact setup works just perfectly under pfSense.
Guess OPNsense can't handle the simple Virtual IPs being on the WAN interface (hence no routing needed for this setup -- all of the static public IPs are on the same interface, there is no interface needing routing).
Do I know this to be an OPNsense issue -- yes. No need to contact the ISP since I could put pfSense back in place and the exact same setup would begin functioning again.
So the question -- what is different about OPNsense trying to handle Virtual IPs for a multiple public static IP situation -- not a Multi-WAN -- single WAN with multiple static IPs ... what should be (and is under OPNsense's parent, pfSense) simple seems to not be so.
dd2594opn
Newbie
Posts: 13
Karma: 1
Re: Problem with 1:1 NAT
« Reply #5 on: January 03, 2023, 05:46:03 am »
So I played and played and played -- basically I rebuilt my entire firewall in test ... and I can make the setup work, that is until I do a specific port forward ...
What is the order of execution for the NAT 1:1 and Port Forward rules?
I have the following working -- a /29 public IP subnet ... so:
gateway: x.x.x.9
opnsense: x.x.x.10
static IPs: x.x.x.11-x.x.x.14
I then have virtual IPs mapped onto the WAN interface (which is a static IP of x.x.x.10) and 1:1 NAT to internal addresses:
x.x.x.11 --> y.y.y.211
x.x.x.12 --> y.y.y.212
x.x.x.13 --> y.y.y.213
x.x.x.14 --> y.y.y.214
Added WAN firewall rules to allow specific ports for the 1:1 NATs (y.y.y.211-214)
To this point everything works as expected. I then add a port forward for x.x.x.10 (OPNsense) port WebPorts to y.y.y.55 port WebPorts (80, 443).
Once that port forward is added, everything that was 1:1 NAT stops working. This leads me to believe that OPNsense applies the rules in a different order than pfSense. From what I can see in the logs it appears that the port forward gets applied first -- then the 1:1 NATs ... which seems somewhat counter to the purpose of 1:1 NAT.
Am I seeing this correctly?
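To make the order-of-evaluation question above concrete, here is a small added model (not OPNsense or pf code) of how pf chooses translation rules: the first matching nat/rdr/binat rule wins, so whether a port forward can capture traffic aimed at a virtual IP depends on the forward's destination as much as on its position in the list. Addresses are constructed (203.0.113.8/29 stands in for the thread's x.x.x, 10.0.0.0/24 for y.y.y), and the "(wan)" rule is a hypothetical forward whose destination expands to every WAN address, included only to show the first-match effect, not a claim about what OPNsense generates.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed addresses standing in for the thread's placeholders:
# 203.0.113.10 is the firewall's WAN address, .11-.14 are the IP-alias virtual IPs.
WAN_ADDRS = {ip_address(f"203.0.113.{n}") for n in range(10, 15)}


@dataclass
class XlateRule:
    kind: str             # "binat" (1:1 NAT) or "rdr" (port forward)
    dst: str              # destination network, or "(wan)" = every address on the WAN interface
    dport: Optional[int]  # None = any destination port
    target: str           # inside address the destination is rewritten to

    def matches(self, dst_ip: str, dport: int) -> bool:
        if self.dport is not None and dport != self.dport:
            return False
        if self.dst == "(wan)":  # hypothetical "all WAN addresses" destination
            return ip_address(dst_ip) in WAN_ADDRS
        return ip_address(dst_ip) in ip_network(self.dst, strict=False)


def translate(rules: List[XlateRule], dst_ip: str, dport: int) -> str:
    """pf semantics for translation rules: the FIRST matching rule is applied
    (unlike filter rules, where the last match wins unless 'quick' is set).
    Returns the inside address the packet goes to, or the untouched destination."""
    for rule in rules:
        if rule.matches(dst_ip, dport):
            return rule.target
    return dst_ip


# The thread's four 1:1 mappings: x.x.x.11-14 -> y.y.y.211-214.
BINAT = [XlateRule("binat", f"203.0.113.{11 + i}/32", None, f"10.0.0.{211 + i}") for i in range(4)]
# A port forward written against the firewall's own WAN address only ...
FWD_SPECIFIC = XlateRule("rdr", "203.0.113.10/32", 443, "10.0.0.55")
# ... versus a hypothetical one whose destination covers every WAN address.
FWD_ALL_WAN = XlateRule("rdr", "(wan)", 443, "10.0.0.55")

if __name__ == "__main__":
    for label, rules in [("specific dst, forward first", [FWD_SPECIFIC] + BINAT),
                         ("all-WAN dst, forward first", [FWD_ALL_WAN] + BINAT),
                         ("all-WAN dst, 1:1 first", BINAT + [FWD_ALL_WAN])]:
        print(f"{label}: 203.0.113.11:443 -> {translate(rules, '203.0.113.11', 443)}")
```

On the firewall itself, `pfctl -sn` prints the loaded translation rules in the order pf evaluates them, which is the authoritative check for this question.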
Patrick M. Hausen
Hero Member
Posts: 6807
Karma: 572
Re: Problem with 1:1 NAT
« Reply #6 on: January 03, 2023, 07:14:46 am »
Move the UI to different ports than 80/443.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do.
(Isaac Asimov)
dd2594opn
Newbie
Posts: 13
Karma: 1
Re: Problem with 1:1 NAT
« Reply #7 on: January 03, 2023, 01:22:44 pm »
Workarounds are great - I figured those out - the real question: am I seeing the real issue correctly? And what should the actual way the software operates be?
Patrick M. Hausen
Hero Member
Posts: 6807
Karma: 572
Re: Problem with 1:1 NAT
« Reply #8 on: January 03, 2023, 02:09:36 pm »
It's probably the automatic anti-lockout NAT rule that messes with any port forwarding on the same ports the UI uses. You can either move the UI to different ports or disable the anti-lockout feature.
Firewall > Settings > Advanced > Disable anti-lockout
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do.
(Isaac Asimov)
dd2594opn
Newbie
Posts: 13
Karma: 1
Re: Problem with 1:1 NAT
« Reply #9 on: January 03, 2023, 03:05:18 pm »
Ok - I will look at the anti-lockout rules ... but this is not the interface the UI uses. The UI uses the LAN interface, this is the WAN interface.
And even if it were, the Virtual IPs and their 1:1 NATs should not be affected. This is the real crux here. The 1:1 NATs should be accomplished before the port forwards on the WAN IP -- when implemented in the proper order there is no issue with the rules.
And again for the anti-lockout rules -- those should be on the LAN interface not the WAN interface.