Initial setup / multiple dedicated IPs

Started by sgbran, April 13, 2021, 02:32:01 PM

Good morning, I'm hoping someone can tell me the best way to do what I'm doing. Most of my work with opnsense so far has been experimental, I'm trying to learn how to do all of the things. I have a full rack in a datacenter with a 10g copper drop. I have the 10g drop coming into my opnsense machine and then my Cisco switch is connected on another interface. I have a /28 of allocated IPv4 space. Is it possible for me to have a machine connected to the switch utilize one of the dedicated internet facing IPs? I may have a misunderstanding of how 1:1 NAT works, but I am currently under the assumption I have to assign a local IP on a machine like 192.xxx and then a virtual IP on the opnsense machine. I want the individual utilizing this machine to be able to have the dedicated IP information in their /etc/network/interfaces file and not have a "LAN" IP there. Please advise if you would be so kind, thanks!

If having a switch in front of OPNsense with the drop, and them plugged into that switch is the only way, then I understand, but I wanted the option of filtering the traffic for things like country blocks etc...

Yes, add the WAN IP as a virtual IP and then add a 1:1 NAT to the internal machine, that's how my mail gateway and web servers work. Don't forget to add the rules!
OPNsense 25.7a - Qotom Q355G4 - ISP - Squirrel 1Gbps.

Team Rebellion Member

April 13, 2021, 03:34:11 PM #2 Last Edit: April 13, 2021, 04:23:57 PM by sgbran
So you're saying with the 1:1 NAT, I should be able to set the static interface IP on the machine itself as the dedicated internet facing IP, and not have to use a 192.xxx type IP?  I had read I may need another interface dedicated to that /28 to handle that traffic.  If so, can that be virtual or does that have to be a third physical interface?  If it can be virtual, do VLANs need to be involved?

April 13, 2021, 04:48:48 PM #3 Last Edit: April 13, 2021, 04:57:16 PM by marjohn56
No, it's NAT "to" the internal machine, i.e. the server resides at 10.4.12.30

Like this:

You need to add the virtual IP of the WAN address you want NATed.

Ignore the gateway and virtual IP password, that's my browser doing odd things and pasting them in!
OPNsense 25.7a - Qotom Q355G4 - ISP - Squirrel 1Gbps.
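The 1:1 NAT setup described in the replies above (WAN virtual IP, mapping to the internal server at 10.4.12.30, plus the firewall rules marjohn56 reminds us not to forget), modelled as an added example that is not code from the thread or from OPNsense. It assumes pf-style ordering, where translation happens before the WAN rule set is evaluated, so the pass rule must name the internal (post-NAT) address; the public address 198.51.100.20 and client 203.0.113.7 are constructed documentation-range values standing in for the poster's real /28:

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple

# Constructed sample addresses. 10.4.12.30 is the internal server from the
# post; 198.51.100.20 (TEST-NET-2) stands in for one of the poster's public
# /28 addresses that is added as a virtual IP on the WAN interface.
WAN_VIP = IPv4Address("198.51.100.20")
INTERNAL_HOST = IPv4Address("10.4.12.30")


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    dport: int


@dataclass(frozen=True)
class Rule:
    """A pass/block rule on the WAN interface, matched after translation."""
    action: str                  # "pass" or "block"
    dst: IPv4Network             # destination network the rule matches
    dport: Optional[int] = None  # None matches any destination port


class OneToOneNat:
    """Bidirectional (binat-style) 1:1 mapping external <-> internal address."""

    def __init__(self) -> None:
        self.ext_to_int: Dict[IPv4Address, IPv4Address] = {}
        self.int_to_ext: Dict[IPv4Address, IPv4Address] = {}

    def add(self, external: IPv4Address, internal: IPv4Address) -> None:
        self.ext_to_int[external] = internal
        self.int_to_ext[internal] = external

    def inbound(self, pkt: Packet) -> Packet:
        """Packet arriving on WAN: rewrite the destination to the internal host."""
        internal = self.ext_to_int.get(pkt.dst)
        return pkt if internal is None else Packet(pkt.src, internal, pkt.dport)

    def outbound(self, pkt: Packet) -> Packet:
        """Packet leaving via WAN: rewrite the source back to the public address."""
        external = self.int_to_ext.get(pkt.src)
        return pkt if external is None else Packet(external, pkt.dst, pkt.dport)


def evaluate(rules: List[Rule], pkt: Packet) -> bool:
    """First-match evaluation; no match means the implicit default block."""
    for rule in rules:
        if pkt.dst in rule.dst and rule.dport in (None, pkt.dport):
            return rule.action == "pass"
    return False


def deliver_from_wan(nat: OneToOneNat, rules: List[Rule], pkt: Packet) -> Tuple[bool, Packet]:
    """Inbound path: translate first, then the WAN rule set sees the translated packet."""
    translated = nat.inbound(pkt)
    return evaluate(rules, translated), translated


def build_nat() -> OneToOneNat:
    nat = OneToOneNat()
    nat.add(WAN_VIP, INTERNAL_HOST)
    return nat


def run_demo() -> Dict[str, object]:
    """Show the correct rule, the common mistake, and the rewritten reply."""
    nat = build_nat()
    client = IPv4Address("203.0.113.7")  # constructed remote client
    smtp = Packet(client, WAN_VIP, 25)

    # Correct rule: destination is the internal (post-NAT) address.
    ok, translated = deliver_from_wan(nat, [Rule("pass", IPv4Network("10.4.12.30/32"), 25)], smtp)
    # Common mistake: a rule written against the public VIP never matches.
    wrong, _ = deliver_from_wan(nat, [Rule("pass", IPv4Network("198.51.100.20/32"), 25)], smtp)
    # The reply leaves with the public address as source; the client never sees 10.4.12.30.
    reply = nat.outbound(Packet(INTERNAL_HOST, client, 25))

    return {
        "allowed_with_internal_rule": ok,
        "allowed_with_public_rule": wrong,
        "translated_dst": str(translated.dst),
        "reply_src": str(reply.src),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The point for the original question: the host itself only ever carries 10.4.12.30; the public address exists on the firewall as a virtual IP, and the translation is what makes the two appear as one to the outside.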

Yeah but that's assigning a private IP to the host machine.  I want the host machine to use the public IP locally.  It's for game servers, so it's important it knows that it's a public machine and not a private one.  But I'd like to be able to filter the traffic too in the firewall.

Well you might be able to, but I can't help you with that. The normal way is to NAT.
OPNsense 25.7a - Qotom Q355G4 - ISP - Squirrel 1Gbps.

I have it functioning with a transparent bridge presently, but it complicates things to say the least.

This can be done without NAT and without having to fall back on a transparent filtering bridge, but the exact configuration depends on the configuration of the upstream router. Do you have a dedicated WAN address which the /28 is routed to? Or does the upstream router expect the /28 to be on-link? And is the upstream router's IP address within the /28?

Cheers

Maurice
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).
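To make Maurice's three questions concrete, here is an added example (not code from the thread, OPNsense, or Maurice) that takes a /28, the upstream router's address and a candidate dedicated WAN address, and reports whether the block can be routed to an inside interface with public addresses on the hosts and no NAT, or whether the upstream expects it on-link. The "routed" branch reflects general practice for a routed block and is this example's assumption, not a conclusion the thread reached; all addresses are constructed documentation-range values. It also renders the kind of /etc/network/interfaces stanza the original poster wants the host to carry:

```python
from ipaddress import ip_address, ip_network
from typing import Dict


def plan_public_block(block: str, upstream_router: str, wan_address: str) -> Dict[str, object]:
    """Classify the upstream layout and list the addresses left for hosts."""
    net = ip_network(block, strict=True)
    router = ip_address(upstream_router)
    wan = ip_address(wan_address)

    router_in_block = router in net
    wan_in_block = wan in net

    if not router_in_block and not wan_in_block:
        # Assumption: the upstream routes the whole block to the dedicated WAN
        # address, so the block can live on an inside interface with the
        # firewall's own address as gateway: no NAT and no transparent bridge.
        layout = "routed"
        gateway = next(iter(net.hosts()))
        usable = [str(h) for h in net.hosts() if h != gateway]
    else:
        # The upstream expects the block on its own segment (router or WAN
        # address sits inside it); hosts placed behind a routed interface
        # would not be reachable without bridging or ARP proxying.
        layout = "on-link"
        gateway = None
        usable = [str(h) for h in net.hosts() if h not in (router, wan)]

    return {
        "layout": layout,
        "inside_gateway": None if gateway is None else str(gateway),
        "usable_hosts": usable,
        "host_count": len(usable),
        "router_in_block": router_in_block,
    }


def interfaces_stanza(host: str, block: str, gateway: str) -> str:
    """Debian-style static stanza with the public address directly on the host."""
    net = ip_network(block, strict=True)
    if ip_address(host) not in net or ip_address(gateway) not in net:
        raise ValueError("host and gateway must both be inside the block")
    return "\n".join([
        "auto eth0",
        "iface eth0 inet static",
        f"    address {host}/{net.prefixlen}",
        f"    gateway {gateway}",
    ])


if __name__ == "__main__":
    # Constructed: /28 routed to a WAN address on a separate transfer network.
    routed = plan_public_block("203.0.113.16/28", "198.51.100.1", "198.51.100.2")
    print(routed["layout"], routed["inside_gateway"], routed["host_count"])
    print(interfaces_stanza(routed["usable_hosts"][0], "203.0.113.16/28", routed["inside_gateway"]))

    # Constructed: upstream router inside the /28, i.e. the block is on-link.
    onlink = plan_public_block("203.0.113.16/28", "203.0.113.17", "203.0.113.18")
    print(onlink["layout"], onlink["host_count"])
```

In the routed case the firewall rules on the inside interface filter the public addresses directly (country blocks included), which is what the original poster was after; in the on-link case the transparent bridge sgbran already has, or an address-by-address proxy-ARP setup, is what remains without NAT.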