Topic: [Solved] 3 public IPs, 1 WebServer and a DMZ (Read 10721 times)
dhofer76
Newbie
Posts: 9
Karma: 0
[Solved] 3 public IPs, 1 WebServer and a DMZ
«
on:
June 03, 2016, 03:08:40 pm »
Hi Guys
I posted this also in the German forum.
I'm running a virtualisation on a root server and use the following setup:
WAN_IP_1 => IP Address OPNSense Wall (public IP Address 1)
WAN_IP_2 => IP Address WebServer 1 (public IP Address 2)
WAN_IP_3 => IP Address WebServer 2 (public IP Address 3)
LAN_IP => LAN Network (172.16.1.x)
DMZ_IP => DMZ Network (172.16.2.x)
In my DMZ network I installed 2 servers with private IP addresses and with NAT/Port Forward all required ports are routed to the server (e.g. SSH port from WAN_IP_3 to SSH on WebServer2). Everything is working fine and the server has connectivity to the internet and is reachable also from outside.
The only thing now is that my WebServer2 uses the wrong public IP address - WAN_IP_1 instead of WAN_IP_3 for outside communication. Now when I do a check in VirtualMin I receive the following error:
External IP address for DNS records is set to WAN_IP_1, but the detected external address is actually WAN_IP_3 This may cause DNS records for Virtualmin domains to point to the wrong system.
As this server is also a mail server I have problems now to send emails to some mail providers (SPAM CHECKS). Now I need to configure my OPNSense Firewall so that WebServer2 uses WAN_IP_3 as public IP for every outside communication.
Does anyone have an idea how to configure this?
Best regards,
DHofer76
«
Last Edit: June 07, 2016, 02:30:53 pm by AdSchellevis
»
Logged
AdSchellevis
Administrator
Hero Member
Posts: 907
Karma: 184
Re: 3 public IPs, 1 WebServer and a DMZ
«
Reply #1 on:
June 04, 2016, 09:10:51 am »
Hi DHofer76,
You need to set up outbound NAT rules (firewall_nat_out.php) for this to work properly.
Switch to "Hybrid outbound NAT rule generation" and add rules for your machines or networks (set "Translation / target" for the address to use).
Best regards,
Ad
Logged
dhofer76
Newbie
Posts: 9
Karma: 0
Re: 3 public IPs, 1 WebServer and a DMZ
«
Reply #2 on:
June 06, 2016, 10:07:14 am »
Hi Ad
Thanks for your answer - but everything I tried did not work. For your and my understanding:
I switched to Hybrid and set the following rule:
Interface: DMZ
Protocol: TCP/UDP
Source: Single host (172.16.2.122/32)
Destination: Any
Translation/target: WAN_IP_3()
Same error ... After that I tried the following:
Interface: IP_WAN_WEB
Protocol: TCP/UDP
Source: any
Destination: Single Host (172.16.1.122/32)
Translation/target: WAN_IP_3
After that I tried to change in translation/target to interface address - same error.
Any tips?
Thanks
DHofer76
Logged
AdSchellevis
Administrator
Hero Member
Posts: 907
Karma: 184
Re: 3 public IPs, 1 WebServer and a DMZ
«
Reply #3 on:
June 06, 2016, 10:10:21 am »
Hi DHofer76,
Can you post a screenshot of your outbound nat config? (containing both manual and automatic rules)
Regards,
Ad
Logged
dhofer76
Newbie
Posts: 9
Karma: 0
Re: 3 public IPs, 1 WebServer and a DMZ
«
Reply #4 on:
June 06, 2016, 11:00:51 am »
Hi Ad
Thanks for your quick reply. I created a link to my owncloud with the screenshots (128kb file upload is not very much):
https://mydrive.dhofer.net/s/qqgLd6sVeasKSzG
Password: Screen
Thanks!
DHofer76
Logged
AdSchellevis
Administrator
Hero Member
Posts: 907
Karma: 184
Re: 3 public IPs, 1 WebServer and a DMZ
«
Reply #5 on:
June 06, 2016, 11:07:19 am »
Hi DHofer76,
I'm missing the settings of your new rules in there, but did you select IP_WAN_GK as interface for your outgoing traffic? (I guess your other virtual ips use the same interface)
Regards,
Ad
Logged
dhofer76
Newbie
Posts: 9
Karma: 0
Re: 3 public IPs, 1 WebServer and a DMZ
«
Reply #6 on:
June 06, 2016, 11:17:50 am »
Hi Ad
I'm sorry - I deleted the rule and set it up new ... here is an actual screenshot
Best Regards
DHofer76
Logged
dhofer76
Newbie
Posts: 9
Karma: 0
Re: 3 public IPs, 1 WebServer and a DMZ
«
Reply #7 on:
June 06, 2016, 11:20:19 am »
... I copied also a screen from my new rule to the owncloud ...
BR
DHofer76
Logged
AdSchellevis
Administrator
Hero Member
Posts: 907
Karma: 184
Re: 3 public IPs, 1 WebServer and a DMZ
«
Reply #8 on:
June 06, 2016, 11:29:12 am »
It looks like you switched source and destination; you want to NAT traffic coming from IP 172.16.x.x to any destination.
Logged
dhofer76
Newbie
Posts: 9
Karma: 0
Re: 3 public IPs, 1 WebServer and a DMZ
«
Reply #9 on:
June 06, 2016, 12:34:15 pm »
Hi Ad
Nope - this doesn't work. I tried now also to configure a virtual IP and configured it like the screenshot I uploaded to the owncloud.
Best Regards
DHofer76
Logged
AdSchellevis
Administrator
Hero Member
Posts: 907
Karma: 184
Re: 3 public IPs, 1 WebServer and a DMZ
«
Reply #10 on:
June 06, 2016, 06:02:26 pm »
Hi DHofer76,
If I interpret your config right, then you have the wrong interface selected in your last attempt... choose "IP_WAN_GK" and keep the source to that 172.x.x.x address you have now.
Regards,
Ad
Logged
dhofer76
Newbie
Posts: 9
Karma: 0
Re: 3 public IPs, 1 WebServer and a DMZ
«
Reply #11 on:
June 07, 2016, 02:25:08 pm »
Hi Ad
Thanks for your help - I got it. First of all I set the whole configuration to Default and configured it new.
- First I set up all NAT inbound rules
- After that I created a Virtual IP for my WebServer
- Then I created an outbound rule with:
Interface: WAN
Protocol: any
Source: 172.16.2.122/32 (IP address of my internal web server)
Destination: any
Translation / target: <Virtual IP WebServer e.g. 8.7.6.5>
After this my WebServer recognized my external IP address as 8.7.6.5.
Best Regards and many many thanks for your help!
DHofer76
Logged
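An added example, not part of any post in this thread and not OPNsense code: a small Python model of first-match outbound NAT in hybrid mode, showing why the two rules tried in Reply #2 leave WebServer2 on WAN_IP_1 while the rule from Reply #11 translates it to the virtual IP. The /24 masks, 192.0.2.1 standing in for WAN_IP_1, the destination 198.51.100.25 and the egress interface name WAN are assumptions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class NatRule:
    interface: str    # interface the packet LEAVES on, not the one it arrived on
    source: str       # CIDR or "any"
    destination: str  # CIDR or "any"
    target: str       # address the source is rewritten to

def _matches(addr, net):
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)

def translate(rules, out_iface, src, dst):
    """Return the source address seen outside; the first matching rule wins."""
    for r in rules:
        if (r.interface == out_iface and _matches(src, r.source)
                and _matches(dst, r.destination)):
            return r.target
    return src  # nothing matched: the packet leaves untranslated

# Constructed values (assumptions, see lead-in)
WAN_IP_1 = "192.0.2.1"   # stand-in for the firewall's own public address
WAN_IP_3 = "8.7.6.5"     # example virtual IP used in Reply #11
WEB2 = "172.16.2.122"    # WebServer2 in the DMZ
REMOTE = "198.51.100.25" # some host on the Internet

# Automatic rules: every internal network leaves via WAN as WAN_IP_1
AUTOMATIC = [NatRule("WAN", "172.16.1.0/24", "any", WAN_IP_1),
             NatRule("WAN", "172.16.2.0/24", "any", WAN_IP_1)]

def hybrid(manual):
    # Hybrid mode: manual rules are evaluated before the automatic ones
    return manual + AUTOMATIC

def egress_address(manual, src=WEB2):
    """Public address a host gets when it opens a connection to REMOTE."""
    return translate(hybrid(manual), "WAN", src, REMOTE)

# Reply #2, first try: rule bound to DMZ, but the packet leaves on WAN
ATTEMPT_DMZ_IFACE = [NatRule("DMZ", "172.16.2.122/32", "any", WAN_IP_3)]
# Reply #2, second try: source and destination swapped
ATTEMPT_SWAPPED = [NatRule("IP_WAN_WEB", "any", "172.16.1.122/32", WAN_IP_3)]
# Reply #11: egress interface, internal host as source, any destination
WORKING = [NatRule("WAN", "172.16.2.122/32", "any", WAN_IP_3)]

if __name__ == "__main__":
    for name, rules in [("DMZ interface", ATTEMPT_DMZ_IFACE),
                        ("swapped src/dst", ATTEMPT_SWAPPED),
                        ("working rule", WORKING)]:
        print(f"{name:16} -> {egress_address(rules)}")
```

Because the working rule is a /32, other DMZ hosts still fall through to the automatic rule and keep leaving as WAN_IP_1.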
AdSchellevis
Administrator
Hero Member
Posts: 907
Karma: 184
Re: 3 public IPs, 1 WebServer and a DMZ
«
Reply #12 on:
June 07, 2016, 02:30:29 pm »
You're welcome, thanks for reporting back!
Logged