Author Topic: wan ip is isp private address(not static), how to configure 1:1 (Read 1702 times)

fwar34 · « **on:** July 19, 2023, 09:26:20 am »

Hi, My wan ip is isp private address, it's not static, e.g 10.52.105.13. I want to configure 1:1 use this ip to a internal ip(a dmz host 192.168.100.251), in pfsense i can choose 'WAN address' in drop down list in external ip, but in opnsense 1:1 external ip not have this item in drop down list, so i choose signal host and input '10.52.105.13', but when opnsense reboot or reconnect to internet the WAN ip address have changed, so must set new WAN ip address in 1:1 again, but this is stupid. Can anyone tell me how to configure 1:1 in this situation? Excuse me poor english, thanks.

bartjsmit · « **Reply #1 on:** July 19, 2023, 09:39:35 am »

Why do you need 1:1 NAT? Its purpose is to separate traffic from your default WAN IP and you can't do that in your situation, since you only have one (inseparable) public IP.

You sound like you have CGNAT and you're better off with something like cloudflared to direct traffic to your DMZ host.

Bart...

fwar34 · « **Reply #2 on:** July 19, 2023, 09:53:44 am »

thanks for your reply, I want to fully expose my dmz host to internet, so i configure 1:1 nat on WAN ip address, and add firewall rules to translate wan ip address to dmz host. Because my wan ip address is dynamic and is isp private address, in pfsense i can choose 'WAN address' in 1:1, but opnsense don't have this item, i must input wan address manual.

fwar34 · « **Reply #3 on:** July 19, 2023, 09:59:46 am »

This is pfsense 1:1 doc, "1:1 NAT on the WAN IP, aka “DMZ” on Linksys"

https://docs.netgate.com/pfsense/en/latest/nat/1-1.html?highlight=one%20one#nat-on-the-wan-ip-aka-dmz-on-linksys

bartjsmit · « **Reply #4 on:** July 19, 2023, 02:13:54 pm »

Which ports/protocols is the DMZ host listening on?

netstat -tulpen is a good way of finding out

CJ · « **Reply #5 on:** July 19, 2023, 03:30:49 pm »

Quote from: fwar34 on July 19, 2023, 09:53:44 am

thanks for your reply, I want to fully expose my dmz host to internet, so i configure 1:1 nat on WAN ip address, and add firewall rules to translate wan ip address to dmz host. Because my wan ip address is dynamic and is isp private address, in pfsense i can choose 'WAN address' in 1:1, but opnsense don't have this item, i must input wan address manual.

Why are you wanting to expose your entire DMZ host? What does that accomplish that individual port forwarding doesn't?

Exposing an entire host massively increases the surface area attackers have to use against you. There's almost never a good reason to do so.

fwar34 · « **Reply #6 on:** July 20, 2023, 04:06:51 am »

I depoly a blockchain machine in dmz host, but my wan ip address is isp private, upup plugin can't use in private ip, so i want to expose whole dmz host

CJ · « **Reply #7 on:** July 21, 2023, 02:53:20 pm »

What is a blockchain machine? Are you mining, or something else?

If you're already behind CGNAT, what are you expecting to happen by creating this DMZ host? It still won't be internet accessible.

Author Topic: wan ip is isp private address(not static), how to configure 1:1 (Read 1702 times)

fwar34

wan ip is isp private address(not static), how to configure 1:1

bartjsmit

Re: wan ip is isp private address(not static), how to configure 1:1

fwar34

Re: wan ip is isp private address(not static), how to configure 1:1

fwar34

Re: wan ip is isp private address(not static), how to configure 1:1

bartjsmit

Re: wan ip is isp private address(not static), how to configure 1:1

CJ

Re: wan ip is isp private address(not static), how to configure 1:1

fwar34

Re: wan ip is isp private address(not static), how to configure 1:1

CJ

Re: wan ip is isp private address(not static), how to configure 1:1