Additional IP addresses WAN interface

[jochen35]

Hello,
We have the OPNSense behind a router of the ISP with a 28er public network. How can you set up additional IP addresses of the same subnet for NAT on different LAN servers on the WAN interface?

greeting
Jochen

[bartjsmit]

Hi Jochen,

I set up a one-to-one NAT with the external IP chosen from the ISP range and the internal IP set to a server on the LAN. Firewall -> NAT -> One-to-one.

This has the advantage that the source IP for the return traffic is consistent, i.e. it does not use the OPNsense WAN IP.

Bart...

[kyferez]

Don't mean to hijack, but this is closely related: Is there any way to specify that certain traffic goes out certain WAN IPs?

For example, I often want to use a 2nd Public IP specifically for mail. How would I set it up so all outbound mail from my mail server IP is routed out the 2nd Public IP, but only mail? Note I would want all other traffic from the mail server to use the primary WAN IP.

In Sophos UTM this is easy - it's called Masquerading and Multipath. See screenshot. You can select a source Host or network or destination IP, network or Domain and select a Port or Port Group and direct the matching traffic outbound via a specific Public IP. It's Very flexible. I'd like to see similar in OPNsense

[franco]

Take a look at: https://docs.opnsense.org/manual/how-tos/multiwan.html?highlight=multi%20wan#step-4-policy-based-routing

What you want is to write fine-grained policy routing rules... The example here only talks about a "catch all rule" but you can select the appropriate gateway and filter based on a lot of properties. I think it's all there.

[kyferez]

Franco, thanks again!

To make sure I am doing this right: I create the additional WAN IPs as Gateways? Then I use a firewall rule to route the traffic out that new gateway, correct?