how to subnet prefix /29 - 8 ipv4 addresses with opnsense

[RamSense]

I have a ISP PPPOE connection with the option of getting, instead of 1 ipv4 address, a subnet prefix /29 with 8 ipv4 addresses.

I have ISP -> Opnsense -> LAN - Wifi Access Point -> NAS (mail and webserver)

With this subnet prefix /29 how to e.g. set xxx.10 to the opnsense box, xxx.11 to the nas? etc
I found some info talking about a virtual IP, but I think that is than assigned to a different nuc/lan per ip, instead of multiple ipv4 to 1 LAN(?)
How to arrange that with devices connected on 1 LAN?

Who has done this and can show the how to config this? Thanks in advance!

[bartjsmit]

I get a /29 from my ISP and I just add 1:1 NAT entries for internal boxes to use WAN IP's in my range.

Remember that OPNsense works outwards - you set the source internal and the BINAT target as public.

Firewall: NAT: One-to-One
Interface WAN
Type BINAT
External network wan.ip.from.range
Source Single host or Network
internal.ip.for.host/32
Destination any

[bartjsmit]

Also, /29 has six usable IP's not eight - you lose one to the subnet address and one to broadcast 

[RamSense]

Thanks Bartjsmit!
Never used NAT: One-to-One before. And that sounds easier than expected :-) thanks a lot!
And with 6 ip's to use I think i have more than enough (for now at least)

[lilsense]

.

[RamSense]

@lilsense:  ?

And with this 1:1 NAT, is it exposing all ports? or can you limit the ports exposed? Don't know how it works yet.
I have my webserver behind opnsense-nginx, but the emailserver with port forward direct, so i am trying to imagine how this 1:1 NAT is going to work with that...

[bartjsmit]

Each 1:1 can have its own firewall rules - in fact there are no automatic inbound rules for them, so you are limited to egress only until you add some inbound rules.

Add the inbound allowed ports to your WAN firewall rules with the internal hosts as destination.

Bart...

[RamSense]

Ah, that's good.
But as an example when I have a firewall-rules-wan (or an NAT: Port Forward)
interface: wan
source: any
destination: single host or network / internal.ip.host/32
destinaiton port range: SMTP

will the SMTP port be accessible with the IPaddress of WAN/opnsense and with the NAT 1:1: ip4.public.address?
Or can it be limited to only the NAT 1:1 ?

[bartjsmit]

The idea behind 1:1 NAT is that the TCP connections make sense for the client. If they open a conversation to 1:1 address A and get a reply back on the generic WAN address, there is a disconnect. It may not even get through their firewall, since there is no entry in the state table for the return traffic.

Try for yourself - set up your MTA with 1:1 and an allow rule for inbound SMTP then check with Steve Gibson's ShielsUP! https://www.grc.com/x/ne.dll?bh0bkyd2 to confirm that no TCP 25 is open on your general WAN

Then confirm that the 1:1 NAT works by entering the public IP into the MX toolbox https://mxtoolbox.com/diagnostic.aspx

Bart...

[RamSense]

I have set the 1:1 NAT today and the mailserver was right away accessible at the new public ipv4, thanks!
But the mailserver is also accessible when using the WAN-ip of the router/opnsense (https://mxtoolbox.com/diagnostic.aspx)
 Is this normal behavior or should i change something in the firewal-nat-port forward - rule ?

answ(?): I think i found it (can you confirm? :-) ) : My firewall - port forward - rule was: destination"wan address", i changed that (for the mail server port rules) to "single host or network" and "public ipv4 for mailserver"

and question 2: can you confirm that this can also be arranged with ipv6? Like adding a virtual ipv6 to opnsense, and adding this to the port forward rule instead of wan address? pointing to the ipv6 of the nas?

I have to change my firewall rules with thisfirewall and wan address to specific addresses :-)

[bartjsmit]

answ(?): I think i found it (can you confirm? :-) ) : My firewall - port forward - rule was: destination"wan address", i changed that (for the mail server port rules) to "single host or network" and "public ipv4 for mailserver"

You need to target the 1:1 public IP in the NAT rule. Your mail server won't care - it will send all traffic to the LAN IP of OPNsense.

and question 2: can you confirm that this can also be arranged with ipv6? Like adding a virtual ipv6 to opnsense, and adding this to the port forward rule instead of wan address? pointing to the ipv6 of the nas?

Don't use NAT for IPv6. Give your mail server a static IPv6 and allow traffic to it. That will obviously only work if you have a fixed IPv6 delegation.

Bart...

[RamSense]

    answ(?): I think i found it (can you confirm? :-) ) : My firewall - port forward - rule was: destination"wan address", i changed that (for the mail server port rules) to "single host or network" and "public ipv4 for mailserver"

You need to target the 1:1 public IP in the NAT rule. Your mail server won't care - it will send all traffic to the LAN IP of OPNsense.

I think that is what I meant or I do not understand what you mean in regards to the port forward. I have the 1:1 public ip in the NAT rule.
And in addition to this, the
Firewall: NAT: Port Forward rule for port 25:

interface: wan
destination: public ip from range ( changed this from wan address to public ip from range)
destination port range: SMTP (25)
Redirect target IP: internal IPv4 of nas mailserver
Redirect target port: SMTP

Without that rule, the port 25 is not working (tested at https://mxtoolbox.com/diagnostic.aspx)
But with this old rule with destination " wan address" and tested at https://mxtoolbox.com/diagnostic.aspx the port 25 is open for the 1:1 NAT rule (what I want) but also with the public ip of my ISP / opnsense-router, hence i was experimenting with the port forward rule.

So hopefully we ment the same(?)

-------------

Don't use NAT for IPv6. Give your mail server a static IPv6 and allow traffic to it. That will obviously only work if you have a fixed IPv6 delegation.

The static ipv6 is working, but what I'm trying to achieve is that with another IPv6-ip (added to the virtual IP's in opnsense) and a Firewall: NAT: Port Forward rule for port 25 to this virtual ipv6 ip, instead of the static ipv6, for the mailserver port 25 be reachable and adding a reverse dns / ptr record to that ipv6. Or is there another way to do this, or why not to do it?

[bartjsmit]

I think that is what I meant or I do not understand what you mean in regards to the port forward. I have the 1:1 public ip in the NAT rule.
And in addition to this, the
Firewall: NAT: Port Forward rule for port 25:

interface: wan
destination: public ip from range ( changed this from wan address to public ip from range)
destination port range: SMTP (25)
Redirect target IP: internal IPv4 of nas mailserver
Redirect target port: SMTP

You have two NAT rules and the general one wins. Remove the SMTP port forward rule and add:

Firewall: Rules: WAN, + and change:
Protocol: TCP
Destination: Single host or Network, SMTP.host.internal.ip /32
Destination port range:  SMTP to SMTP
Description: Inbound email traffic
Click Save and Apply and test again

or why not to do it?

IPv6 was specifically designed to expand the small address range of IPv4 which was kept going with NAT that:

- Reduced the number of necessary public addresses
- Made it impossible for attackers to scout out internal hosts

This made NAT popular in spite of its basic flaw that it breaks IP connections and needs a lot of work on the NAT routers to fix that.

Before NAT, every computer with internet access had a public IPv4 address. Seems scary now

Even a modest IPv6 delegation from your ISP gives billions upon billions of IP addresses. More than enough to go back to every device having a publicly routable IP address. Private IPv6 ranges are used for networks that don't need, or can't have internet access, never for NAT. An adversary will need multiple times the half-life of a proton (the particle, not the car) to find your unpublished hosts if you give them random IP's with SLAAC.

TL:DR don't use IPv6 NAT, like DHCP6 it is an edge case

Bart...

[RamSense]

Firewall: Rules: WAN, + and change:

thanks! Now I understand it. If you know it looks so simple afterwards :-)

It works like a charm. thanks a lot!

Thanks for the learning curve and info about subnet / ipv6

[bartjsmit]

Super! As an aside, take a look at EFA to help ward off the email nasties coming down your shiny new SMTP pipe: https://efa-project.org/