Topic: Configure NAT 1:1 (Read 3334 times)
Dexter_23
Configure NAT 1:1 « on: February 03, 2022, 10:41:38 am »
Hi
I want to configure NAT 1:1. What are the steps to do it?
Thanks
Patrick M. Hausen
Re: Configure NAT 1:1 « Reply #1 on: February 03, 2022, 10:52:08 am »
Log in to the UI, navigate to Firewall > NAT > One-to-One, configure ...
If you have a problem with what exactly to do in that form, we need a lot more detail from you, e.g. a small diagram or a description of your network, IP addresses, desired result, ...
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do.
(Isaac Asimov)
Dexter_23
Re: Configure NAT 1:1 « Reply #2 on: February 03, 2022, 10:57:42 am »
Hi
I have added a virtual IP and then NAT 1:1, but it is not working.
This is the additional IP I bought:
IP: 10.108.100.197
Gateway: 10.108.100.193
Netmask: 255.255.255.192
Broadcast: 10.108.100.255
Separate MAC: 00:50:56:00:1F:97
This is the OPNsense WAN interface:
IP: 10.108.100.200
Gateway: 10.108.100.193
Netmask: 255.255.255.192
Broadcast: 10.108.100.255
Separate MAC: 00:50:56:00:CF:F6
I want to map this IP 10.108.100.197 to this internal IP 172.29.49.40/24.
« Last Edit: February 04, 2022, 08:44:52 am by Dexter_23 »
Patrick M. Hausen
Re: Configure NAT 1:1 « Reply #3 on: February 03, 2022, 11:27:39 am »
As far as I know OPNsense does not support setting a separate MAC address. Your provider needs to route that additional IP address to the same MAC address as the primary one.
Dexter_23
Re: Configure NAT 1:1 « Reply #4 on: February 03, 2022, 11:32:23 am »
OK, so the additional IP I bought needs to have the same MAC address as the OPNsense WAN IP, right?
Patrick M. Hausen
Re: Configure NAT 1:1 « Reply #5 on: February 03, 2022, 11:45:52 am »
Right.
Dexter_23
Re: Configure NAT 1:1 « Reply #6 on: February 03, 2022, 12:58:00 pm »
This is the reply from the cloud provider:
Dear Client,
unfortunately, we are unable to assist you with this task. It is not possible for two IP addresses to have the same virtual MAC address.
Thank you for your patience and understanding!
So how can I fix this problem?
Patrick M. Hausen
Re: Configure NAT 1:1 « Reply #7 on: February 03, 2022, 01:04:27 pm »
Why can't you use the address you already have? I fear you cannot do anything about this. Can't they ROUTE the address to your firewall? Can you get a routed /29 subnet from them, possibly at a higher price?
Dexter_23
Re: Configure NAT 1:1 « Reply #8 on: February 03, 2022, 04:10:18 pm »
Hi, this is my IP configuration:
10.108.100.201: this is for access to the Proxmox server
10.108.100.200: this is the WAN IP address on the OPNsense firewall running in a VM on the Proxmox server
10.108.100.197: this is the virtual IP used for NAT 1:1 for the internal mail server
Patrick M. Hausen
Re: Configure NAT 1:1 « Reply #9 on: February 03, 2022, 04:50:28 pm »
Then use 10.108.100.200 and forward ports 25, 587, 143, 995, etc. ... to the mail server. If your provider insists on a separate MAC address, you cannot use that extra IP.
Alternatively don't run your mailserver "behind" your OPNsense but put it on the external interface with its own public IP and MAC and make sure it's secure by hardening the host.
« Last Edit: February 03, 2022, 05:09:25 pm by pmhausen »
Dexter_23
Re: Configure NAT 1:1 « Reply #10 on: February 03, 2022, 06:03:33 pm »
Hi
When I buy 1 additional IP, my provider by default uses the MAC address of the main IP, but I have an option to request a separate MAC address.
The main IP is: 10.108.100.201
For the WAN interface of the OPNsense firewall I need to request a separate MAC address and put it in the WAN interface configuration, otherwise the OPNsense firewall cannot reach the Internet.
Patrick M. Hausen
Re: Configure NAT 1:1 « Reply #11 on: February 03, 2022, 07:51:10 pm »
Of course you need a separate MAC address for your OPNsense. It's a VM with a completely separate OS and IP stack. It cannot share a MAC address with the Proxmox host.
But don't request one for your 1:1 NAT. Just request one more IP and add that as an alias. It's that simple. You wrote your provider mandates separate MAC addresses for each individual IP ... seemingly they don't. It's still the same OPNsense and the same interface, so same MAC.
When you want to run another VM that is connected to the outside of Proxmox, THAT one will need another MAC address just like your OPNsense. Everything BEHIND your OPNsense doesn't. At least not one from your provider. The mail server VM will have a MAC address on the LAN side of OPNsense within your Proxmox virtual networking, but that's none of your provider's business?
Understood, now?
Dexter_23
Re: Configure NAT 1:1 « Reply #12 on: February 04, 2022, 12:14:59 pm »
Hi
So if I buy a /29 subnet, will that fix my problem?
Patrick M. Hausen
Re: Configure NAT 1:1 « Reply #13 on: February 04, 2022, 12:29:33 pm »
Ah ... now I get it. This is a hosted solution? Hetzner, possibly?
So you rented a server with MAC address X and put Proxmox on it, right? Now when you request additional IP addresses or /29 networks, they will route it to that same MAC address. Of course they do.
And you can request a separate MAC address for that one IP address to run your OPNsense VM, right? Then please why don't you explain all this from the start? You asked "how does 1:1 NAT work?". All of this is not a problem of 1:1 NAT but of IP to MAC address matching in a hosted environment.
If this is indeed Hetzner (I happen to know their infrastructure), you cannot do what you want to achieve. Every additional IP address or /29 will be routed to the MAC address of the rented server's system, i.e. Proxmox.
If you request a new MAC address for that additional IP, it won't go to the OPNsense VM, either. So - I think I wrote this before - two possible solutions:
- Don't put your mail server VM behind the OPNsense firewall. Give it the official external IP address and matching MAC address and you will be able to run it. That means you will have to make sure your mail server is secure without a firewall in front.
- Alternatively don't use 1:1 NAT. Use the same IP address your OPNsense already has (that's cheaper, even!) and use port forwarding for all relevant applications, like SMTP (25, 587), IMAP (143, 995) ... and the like. No extra IP, no extra MAC - mail server behind firewall.
I'd pick the second option.
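One way to check the IP-to-MAC matching that reply #13 identifies as the actual problem (an added example, not part of the thread): the script reads `tcpdump -e -n` output and reports destination IPs whose frames are addressed to a MAC other than the interface meant to own them. The capture lines are constructed; the remote client 203.0.113.5 and the gateway MAC 00:00:5e:00:53:01 are documentation placeholders.

```python
import re
from collections import defaultdict

# Constructed `tcpdump -e -n` lines, as they might look on the hypervisor
# uplink. 10.108.100.x and the 00:50:56 MACs are from the thread; 203.0.113.5
# and 00:00:5e:00:53:01 are placeholders (remote client, provider gateway).
SAMPLE_CAPTURE = """\
10:41:38.000001 00:00:5e:00:53:01 > 00:50:56:00:cf:f6, ethertype IPv4 (0x0800), length 74: 203.0.113.5.40112 > 10.108.100.200.25: Flags [S], seq 1, win 64240, length 0
10:41:38.000204 00:00:5e:00:53:01 > 00:50:56:00:1f:97, ethertype IPv4 (0x0800), length 74: 203.0.113.5.40113 > 10.108.100.197.25: Flags [S], seq 7, win 64240, length 0
10:41:39.000310 00:00:5e:00:53:01 > 00:50:56:00:1f:97, ethertype IPv4 (0x0800), length 74: 203.0.113.5.40113 > 10.108.100.197.25: Flags [S], seq 7, win 64240, length 0
"""

# timestamp, src MAC > dst MAC, ethertype, frame length, src IP.port > dst IP.port
FRAME_RE = re.compile(
    r"^\S+ (?P<src_mac>[0-9a-f:]{17}) > (?P<dst_mac>[0-9a-f:]{17}), "
    r"ethertype IPv4 \(0x0800\), length \d+: "
    r"(?P<src_ip>(?:\d+\.){3}\d+)\.\d+ > (?P<dst_ip>(?:\d+\.){3}\d+)\.\d+:",
    re.IGNORECASE,
)

def dst_macs_by_ip(capture):
    """Map each destination IP to the set of destination MACs seen for it."""
    seen = defaultdict(set)
    for line in capture.splitlines():
        m = FRAME_RE.match(line)
        if m:  # non-IPv4 or unparsable lines are skipped
            seen[m["dst_ip"]].add(m["dst_mac"].lower())
    return dict(seen)

def misdelivered(capture, expected):
    """Return {ip: [macs]} for IPs whose frames go to a MAC other than expected[ip]."""
    result = {}
    for ip, macs in dst_macs_by_ip(capture).items():
        want = expected.get(ip)
        if want is not None and macs != {want.lower()}:
            result[ip] = sorted(macs)
    return result

# Both addresses are meant to terminate on the OPNsense WAN interface.
OPNSENSE_WAN_MAC = "00:50:56:00:CF:F6"
EXPECTED = {"10.108.100.200": OPNSENSE_WAN_MAC, "10.108.100.197": OPNSENSE_WAN_MAC}

if __name__ == "__main__":
    for ip, macs in misdelivered(SAMPLE_CAPTURE, EXPECTED).items():
        print(f"{ip}: frames addressed to {macs}, not {OPNSENSE_WAN_MAC.lower()}")
```

An IP reported here never reaches the firewall's interface, so no 1:1 NAT or virtual IP setting on OPNsense can make it work until the upstream delivers it to the WAN MAC.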
Dexter_23
Re: Configure NAT 1:1 « Reply #14 on: February 04, 2022, 02:03:43 pm »
Yes, I bought a server on Hetzner.
So if I bought a /29 subnet, would the virtual IP problem remain?
Thank you