Static WAN IP to LAN IP using one-to-one NAT: Doing something wrong

Started by thisisjjd, January 19, 2024, 12:00:27 AM

Hi OPNsense community.  I'm new to OPNsense, but not new to IP networking.

I'm trying to replace an existing router with OPNsense.  My configuration is that I have four public static IP addresses from my ISP.  I'm trying to use (let's say) one of those to access a particular host on the LAN.

I have searched the forum and read many posts about this, but somehow I'm not succeeding.

Before using this in the real world, I'm trying to get my configuration working in a test environment to make sure I understand how to set it up.  To that end, I currently have my OPNsense WAN port connected to my existing LAN.  I have a new OPNsense LAN network where I'm trying to connect via a "WAN" address.

My router is OPNsense 23.7.12-amd64.
My OPNsense WAN IP is 10.9.8.54 (I have "block private networks" disabled on the WAN since the WAN address is private).
My OPNsense LAN IP is 10.0.10.1.
The netmask is /24 on both sides.

A host on the OPNsense LAN is 10.0.10.12, and I'm trying to connect to it from the WAN side using "public" static IP 10.9.8.75.

I have created a Virtual IP for 10.9.8.75:


Then I configured One-to-one NAT on the WAN to map 10.9.8.75 to 10.0.10.12 on the LAN:


Then I configured a WAN firewall rule to allow SSH to the LAN host:  (later, I also tried/added http/https)


Then I tried connecting via ssh from "WAN" host 10.9.8.2 to "WAN" IP 10.9.8.75, but it was blocked by "Default Deny / state violation rule".  (You can see that the 1:1 NAT is working in the sense that the log shows the incoming connection to the "WAN" address being forwarded to the LAN host, but then presumably blocked.)
As I said, I tried this with ssh (22) as well as with http/https, with the same result.  I must be forgetting something.  Can you help?

Thank you.
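The check a practitioner would run next on a setup like the one described above is to capture on both OPNsense interfaces while the test connection is attempted and see at which hop the TCP handshake stops. On FreeBSD, tcpdump on the inbound interface sees packets before pf translates them and on the outbound interface after, so the WAN capture shows the client talking to the virtual IP while the LAN capture shows the same SYN addressed to the internal host. The script below is an added example, not code from the forum post or from OPNsense: it parses tcpdump -n output and reports where the connection dies. Interface names (vtnet0/vtnet1), the captured lines and the function names are constructed for the example; the addresses follow the post (client 10.9.8.2, virtual IP 10.9.8.75, internal host 10.0.10.12, port 22).

```python
"""Locate where a 1:1 NAT test connection stops, from two tcpdump captures.

Added example (not from the forum post). Assumed captures, taken on OPNsense
while the client tries to connect (interface names are assumptions):

    tcpdump -ni vtnet0 'host 10.9.8.75 or host 10.0.10.12'   # WAN side
    tcpdump -ni vtnet1 'host 10.0.10.12'                      # LAN side
"""
import re

# tcpdump -n line shape, e.g.
# 12:00:01.000001 IP 10.9.8.2.51234 > 10.9.8.75.22: Flags [S], seq 1, win 64240, length 0
TCPDUMP_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)


def parse_tcpdump(lines):
    """Return (src, sport, dst, dport, flags) for each TCP line; other lines are skipped."""
    pkts = []
    for line in lines:
        m = TCPDUMP_RE.match(line.strip())
        if m:
            pkts.append((m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"]))
    return pkts


def _seen(pkts, src, dst, flags, sport=None, dport=None):
    """True if a packet src->dst with exactly these tcpdump flags was captured."""
    for s, sp, d, dp, f in pkts:
        if s == src and d == dst and f == flags \
                and (sport is None or sp == sport) and (dport is None or dp == dport):
            return True
    return False


def diagnose(wan_lines, lan_lines, client, vip, internal, port):
    """Classify the failure by the last handshake packet that was observed."""
    wan = parse_tcpdump(wan_lines)
    lan = parse_tcpdump(lan_lines)
    if not _seen(wan, client, vip, "S", dport=port):
        # The client's SYN never reached the WAN interface: ARP/route on the WAN segment.
        return "no-syn-on-wan"
    if not _seen(lan, client, internal, "S", dport=port):
        # SYN arrived for the VIP but never left towards the host: the 1:1 mapping
        # or the WAN pass rule. pf translates before it filters, so the WAN rule's
        # destination must be the internal address, not the VIP.
        return "dropped-inbound"
    if not _seen(lan, internal, client, "S.", sport=port):
        # Host saw the SYN but its SYN-ACK did not come back through OPNsense:
        # host firewall, or the host's default gateway is not the OPNsense LAN IP.
        return "no-reply-from-host"
    if not _seen(wan, vip, client, "S.", sport=port):
        # Reply reached OPNsense but did not leave the WAN as the VIP (reverse translation).
        return "reply-not-translated"
    return "ok"


# Constructed sample captures (not real data). First scenario: the SYN is
# forwarded to the host, but the host never answers through OPNsense.
WAN_CAPTURE_NO_REPLY = [
    "tcpdump: verbose output suppressed, use -v[v]... for full protocol decode",
    "12:00:01.000001 IP 10.9.8.2.51234 > 10.9.8.75.22: Flags [S], seq 1, win 64240, length 0",
    "12:00:02.000001 IP 10.9.8.2.51234 > 10.9.8.75.22: Flags [S], seq 1, win 64240, length 0",
]
LAN_CAPTURE_NO_REPLY = [
    "12:00:01.000100 IP 10.9.8.2.51234 > 10.0.10.12.22: Flags [S], seq 1, win 64240, length 0",
    "12:00:02.000100 IP 10.9.8.2.51234 > 10.0.10.12.22: Flags [S], seq 1, win 64240, length 0",
]

# Second scenario: the full handshake is visible on both sides.
WAN_CAPTURE_OK = WAN_CAPTURE_NO_REPLY[:2] + [
    "12:00:01.000300 IP 10.9.8.75.22 > 10.9.8.2.51234: Flags [S.], seq 9, ack 2, win 65160, length 0",
    "12:00:01.000400 IP 10.9.8.2.51234 > 10.9.8.75.22: Flags [.], ack 10, win 502, length 0",
]
LAN_CAPTURE_OK = LAN_CAPTURE_NO_REPLY[:1] + [
    "12:00:01.000200 IP 10.0.10.12.22 > 10.9.8.2.51234: Flags [S.], seq 9, ack 2, win 65160, length 0",
    "12:00:01.000500 IP 10.9.8.2.51234 > 10.0.10.12.22: Flags [.], ack 10, win 502, length 0",
]

if __name__ == "__main__":
    args = ("10.9.8.2", "10.9.8.75", "10.0.10.12", 22)
    print("scenario 1:", diagnose(WAN_CAPTURE_NO_REPLY, LAN_CAPTURE_NO_REPLY, *args))
    print("scenario 2:", diagnose(WAN_CAPTURE_OK, LAN_CAPTURE_OK, *args))
```

Run the two tcpdump commands in separate sessions, reproduce the ssh attempt, and feed the saved output to diagnose(). A "dropped-inbound" result points at the WAN rule or the mapping; "no-reply-from-host" points at the LAN host's gateway or its own firewall, which matches the "state violation" symptom because pf then sees later packets of a connection for which it never completed a state.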