virtual ip

Started by mgambacorta, July 29, 2025, 08:06:31 PM

Hello all,

First of all ... I am new to OPNsense ... I have experience with Fortigates, but decided to switch to OPNsense.

I have some things setup (3 networks, routing between, internet from inside).

My system info:
OPNsense 25.4.1-amd64
FreeBSD 14.2-RELEASE-p3
OpenSSL 3.0.16
Licensed until 2026-02-03

What I need to do, and what is making me crazy, is virtual IPs.

In the Fortigate world you can do them in 2 ways: with port forwarding or by mapping all ports 1-1 from a public IP to an internal IP. In a 1-1 scenario the allowed ports are set with rules.

The 1-1 scenario is the one I prefer, but I could also resort to port forwarding.

I have set up the virtual IP in Interfaces -> Virtual IPs -> Settings: I chose the WAN interface, and entered my public IP address in the network / address field.

Then I went to set a NAT One-to-One: here there are some doubts. On this form I set the following fields:
interface -> WAN
Type -> BINAT
External network / Target: my public ip address (a single one)
Source / Internal: my private address (the internal address the public ip will map to).
Destination -> any (I do not understand this field ... this likely means I am missing something)

Save then Apply

Then I create a rule on Firewall -> rules -> WAN:
Interface -> WAN
Direction -> in
TCP/IP version : IPv4
Protocol -> TCP
Source -> any
Destination -> Single host and my public IP address
Destination port range -> From https to https
Gateway -> WAN GW

Save and Apply

It is not working :-(

I appreciate help :-)

The destination in the firewall rule has to be the internal IP (the real redirect target).

July 31, 2025, 10:47:45 AM #2 Last Edit: July 31, 2025, 10:51:23 AM by Seimus
Here you go

https://docs.opnsense.org/manual/nat.html#one-to-one

External network - the IP that should be NATed
Source - the IP to which it should be NATed
Destination - The destination network packets should match; when used to map external networks, this is usually any

rule on Firewall -> rules -> WAN:
Interface -> WAN
Direction -> in
TCP/IP version : IPv4
Protocol -> TCP
Source -> any
Destination -> Source from 1-to-1 NAT rule
Destination port range -> From https to https
Gateway -> WAN GW

Here is a diagram of packet flow. NAT is always in the chain before rule matching, so you always need to consider creating rules for the state after NAT rules are applied.

https://forum.opnsense.org/index.php?topic=36326.msg210877#msg210877

Regards,
S.
Networking is love. You may hate it, but in the end, you always come back to it.

OPNSense HW
APU2D2 - deceased
N5105 - i226-V | Patriot 2x8G 3200 DDR4 | L 790 512G - VM HA(SOON)
N100   - i226-V | Crucial 16G  4800 DDR5 | S 980 500G - PROD
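To make the ordering Seimus describes concrete, here is a small Python model added as an illustration (not code from either poster or from OPNsense itself): inbound 1:1 NAT rewrites the destination first, and only then do the WAN filter rules see the packet, so a rule whose destination is the public IP never matches. The addresses are constructed documentation-range placeholders.

```python
import ipaddress
from dataclasses import dataclass, replace

# Constructed sample addresses from documentation ranges (placeholders, not the
# poster's real addresses): the public IP configured as a WAN virtual IP and the
# internal host it maps to through the 1:1 (BINAT) entry.
PUBLIC_IP = "203.0.113.10"
INTERNAL_IP = "192.168.10.20"

@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: int

def binat_inbound(pkt: Packet, external: str, internal: str) -> Packet:
    """Step 1: inbound 1:1 NAT on WAN. A packet addressed to the external
    (public) address is rewritten so its destination is the internal host."""
    if pkt.dst == ipaddress.ip_address(external):
        return replace(pkt, dst=ipaddress.ip_address(internal))
    return pkt

def filter_inbound(pkt: Packet, rules) -> bool:
    """Step 2: WAN filter rules. They are evaluated against the packet as it
    looks AFTER translation, so the rule destination must be the internal IP.
    Anything no rule passes is dropped (default deny)."""
    return any(
        proto == pkt.proto and ipaddress.ip_address(dst) == pkt.dst and dport == pkt.dport
        for proto, dst, dport in rules
    )

def inbound_allowed(src: str, dst: str, proto: str, dport: int, rules) -> bool:
    """Run one WAN-bound packet through NAT, then filtering.
    rules is a list of (proto, destination_ip, destination_port) tuples."""
    pkt = Packet(ipaddress.ip_address(src), ipaddress.ip_address(dst), proto, dport)
    return filter_inbound(binat_inbound(pkt, PUBLIC_IP, INTERNAL_IP), rules)

if __name__ == "__main__":
    client = "198.51.100.7"  # constructed remote client address
    # The rule from the question (destination = public IP): never matches -> blocked
    print(inbound_allowed(client, PUBLIC_IP, "tcp", 443, [("tcp", PUBLIC_IP, 443)]))
    # The rule from the replies (destination = internal IP): HTTPS passes
    print(inbound_allowed(client, PUBLIC_IP, "tcp", 443, [("tcp", INTERNAL_IP, 443)]))
    # Ports the rule does not list stay blocked even though BINAT maps all ports
    print(inbound_allowed(client, PUBLIC_IP, "tcp", 22, [("tcp", INTERNAL_IP, 443)]))
```

The last case is the point of the 1-1 approach the original poster prefers: the BINAT entry maps every port, and the WAN rules alone decide which of them are reachable.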