Need Help with NAT Configuration on Multiple WAN IPs

Started by Cipher, November 30, 2023, 11:18:19 PM

Hi everyone,

I hope you're doing well. I'm currently working on a networking project and could use some advice. Here's a brief overview of my setup:

I'm using two subnets on the WAN, each with a /29 configuration, providing me with a total of 8 IP addresses. These IPs are utilized as virtual IPs on the WAN side. My primary concern arises when configuring NAT for these IPs.

I've successfully configured NAT for one IP on port 443, directing traffic to the internal domain. However, I'm facing an issue with the remaining IPs. Even though I haven't set up NAT for these IPs, they seem to be accessible.

Any insights into why this might be happening and how I can ensure that only the intended IP with NAT is reachable? Your expertise would be greatly appreciated.

Thank you!
Happy Owner DEC3862
A network is only as strong as its weakest link—build wisely, secure thoroughly, and optimize endlessly.

Unless you show us the details of your NAT rules, there really is no way to tell.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

November 30, 2023, 11:42:57 PM #2 Last Edit: December 01, 2023, 12:02:22 AM by Cipher
Hello,

Thank you for your response. I appreciate your request for more details. In my current configuration, I have a single NAT rule set up to direct external traffic to the internal server on port 443, specifically for the IP 1.2.3.4.

Just to clarify, my WAN address is 1.2.3.3. If you need more specific information or have additional questions about the NAT rules, feel free to ask.

I cannot make a screenshot right now, that's why.
Happy Owner DEC3862
A network is only as strong as its weakest link—build wisely, secure thoroughly, and optimize endlessly.

December 01, 2023, 11:24:17 AM #3 Last Edit: December 01, 2023, 11:42:02 AM by Vilhonator
If I'm not mistaken, you need to apply filtering rules and NAT on the WAN port that is directly connected to the internet.

Kinda similar to transparent filtering bridge mode (https://www.zenarmor.com/docs/network-security-tutorials/how-to-configure-transparent-filtering-bridge-on-opnsense). Only the port that is directly connected to the internet can filter traffic coming from the internet.

Not sure though (just spitballing here), but when you think of it, the reason why the second WAN port is completely open might be that traffic doesn't come from a specific external port or IP; it comes from the WAN that is connected to the internet.

The only methods I have used to use more than one public IP are connecting a switch directly to the internet and the firewalls to the switch, and transparent filtering bridges. Honestly, both of those are much simpler (though not ideal) than playing around with dual WAN configurations.

Also, you could check the routes as well and make sure that traffic for each IP is routed as it should be. But if the internet works on both ports as it should and the only issue is that one is completely open, then it's definitely something related to NAT and firewall rules.

December 01, 2023, 02:59:39 PM #4 Last Edit: December 01, 2023, 10:06:31 PM by Cipher
This is the only NAT rule I have configured.
The same rule is created automatically on the WAN side.

So, I've got this setup with a single physical WAN cable. Our primary WAN IP is 1.2.3.1, and we're using 1.2.3.2 for an RDS gateway. I've set up a NAT rule to allow 443 to the gateway server, all good so far.

Now, here's the thing. IPs from 1.2.3.3 to 1.2.3.9 don't have specific NAT rules, but they are somehow accessible to the gateway. When I go to, say, https://1.2.3.3, it takes me to the Windows IIS on the gateway.

I've double-checked, and there's no explicit rule for these IPs. Any ideas on why this might be happening? I want them isolated unless I set up something specific for them.

Appreciate the help!
Happy Owner DEC3862
A network is only as strong as its weakest link—build wisely, secure thoroughly, and optimize endlessly.

I got this sorted out, we had a duplication in the rules.

Thank you everyone.
Happy Owner DEC3862
A network is only as strong as its weakest link—build wisely, secure thoroughly, and optimize endlessly.
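An added rule-audit sketch, not code from this thread or from OPNsense: it models a port-forward table as (destination, port, target) entries and reports which WAN virtual IPs a given port reaches and which VIPs are matched by more than one rule, the kind of duplication the thread ended on. The rule table, the 10.0.0.10 target and the "any" destination on the duplicate rule are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class PortForward:
    """One port-forward (DNAT) entry: destination may be a single VIP, a CIDR, or 'any'."""
    name: str
    dest: str
    port: int
    target: str


def rule_matches(rule: PortForward, vip: str, port: int) -> bool:
    """True if this rule would catch traffic to vip:port on the WAN."""
    if rule.port != port:
        return False
    if rule.dest == "any":
        return True
    return ipaddress.ip_address(vip) in ipaddress.ip_network(rule.dest, strict=False)


def audit(vips, rules, intended, port=443):
    """Return (reachable, duplicates, unexpected).

    reachable:  VIP -> names of rules forwarding vip:port
    duplicates: VIPs hit by more than one rule (ambiguous / redundant entries)
    unexpected: reachable VIPs that are not in the intended set
    """
    reachable = {}
    for vip in vips:
        hits = [r.name for r in rules if rule_matches(r, vip, port)]
        if hits:
            reachable[vip] = hits
    duplicates = {vip: hits for vip, hits in reachable.items() if len(hits) > 1}
    unexpected = sorted(vip for vip in reachable if vip not in intended)
    return reachable, duplicates, unexpected


# Constructed sample mirroring the thread: VIPs 1.2.3.2-1.2.3.9, only 1.2.3.2:443 intended.
VIPS = [f"1.2.3.{i}" for i in range(2, 10)]
RULES = [
    PortForward("rds-gw-443", "1.2.3.2", 443, "10.0.0.10"),        # intended rule
    PortForward("rds-gw-443 (dup)", "any", 443, "10.0.0.10"),      # constructed duplicate
]

if __name__ == "__main__":
    reachable, duplicates, unexpected = audit(VIPS, RULES, {"1.2.3.2"})
    print("duplicates:", duplicates)
    print("unexpected VIPs reaching the gateway:", unexpected)
```

Dropping the duplicate entry (`RULES[:1]`) leaves only 1.2.3.2 reachable and no duplicates.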