Outbound NAT rules (Hybrid setup) question [SOLVED]

[Callahan]

Hi,

I have a working OPNSense setup, 3 VPNs, and a DMZ hanging off the only LAN interface. Everything works but I'm confused how the DMZ hosts are getting out to the Internet and it's bothering me.

• I have a single WAN connection, 3 VPNs, one to my Azure infrastructure, one to another site for backup and one that routes specific hosts over IPVanish (hence the need for Hybrid setup of Outbound NAT rules).
  
• One DMZ hung off the LAN interface.
  
• I have a selection of Outbound NAT rules to allow VPNs to function as well as the Outbound NAT for my LAN subnet (192.168.10.0/24). My DMZ sits on the subnet 192.168.20.0/24.
  

Hosts on the LAN and the DMZ can access the Internet (which was my intention), but I have no Outbound NAT rule for the 192.168.20.0/24 subnet. Obviously the traffic is leaving on the only WAN interface available but for other corp FWs I've used up to now, you would have to define your subnet in the Outbound NAT rules. If I defined 192.168.0.0/16, I could understand why it worked but as I've defined a smaller, non overlapping subnet, I'm confused as to how DMZ traffic gets out.

Anyone care to point out what I'm missing? 

[Maurice]

You have only one LAN interface, but a LAN subnet and a DMZ subnet? Does that mean two subnets on one interface (using virtual IPs)? Or another router connected to the LAN?

(In hybrid mode, outbound NAT rules are auto-generated for all locally attached subnets.)

Cheers

Maurice

[Callahan]

Hi Maurice,

Thanks for you reply. You're correct. I meant to mark this post as "solved" when I realised my mistake some days ago.