Topic: Outbound NAT to Alias of multiple Public IPs [SOLVED] (Read 1535 times)
dpsguard (Jr. Member, Posts: 70, Karma: 2)
Outbound NAT to Alias of multiple Public IPs [SOLVED] « on: August 29, 2023, 05:02:05 am »
Hello All,
I have a simple requirement wherein I want to create a pool of Public IPs from the ISP to be used as a round robin target with the sticky option for NAT translation. I created an alias first by choosing the Hosts option and specifying the range of Public IPs. It accepts it without any error. Then I specify this as the target address under the Outbound NAT rule through the drop down box. And then I apply and even reboot, but NAT does not work. I then edited this NAT alias by deleting the range and adding the IPs one by one in the same alias. Again no joy.
If I choose a Public VIP address (I have an HA pair of two firewalls and hence created a VIP for CARP), then NAT starts working.
I don't have any firewall rule that will block this as it is essentially default allow all rule and NAT comes after ACL / rules.
Thank you in advance for your help.
« Last Edit: August 29, 2023, 06:46:49 am by dpsguard »
dpsguard (Jr. Member, Posts: 70, Karma: 2)
Re: Outbound NAT to Alias of multiple Public IPs « Reply #1 on: August 29, 2023, 05:24:24 am »
Thinking more on this, since it is an active - passive backup, any IP to be used on the WAN side must be on a VIP from an ARP point of view, so that the ISP gateway is not confused.
And then I read this:
https://docs.opnsense.org/manual/how-tos/carp.html#setup-outbound-nat
On this doc, there is a paragraph on Adding multiple CARP IPs.
Does it then make sense for me to create a third VIP (I have one for LAN and one for WAN already), or rather multiple VIPs, and then pick the existing VHID for WAN (which is group 1)? And then still keep the NAT Alias that I had created earlier with the same range as the newly added VIPs on the WAN side?
Thanks
dpsguard (Jr. Member, Posts: 70, Karma: 2)
Re: Outbound NAT to Alias of multiple Public IPs « Reply #2 on: August 29, 2023, 06:00:38 am »
Proxy ARP fixes it on a single box, but I now need to test by adding CARP type VIPs, tied to the same existing WAN VIP number. Will report back tomorrow.
dpsguard (Jr. Member, Posts: 70, Karma: 2)
Re: Outbound NAT to Alias of multiple Public IPs « Reply #3 on: August 29, 2023, 06:40:59 am »
The correct procedure to add the additional IPs that need to be part of the NAT pool for outbound / source NAT is to add an IP alias under the Interfaces / VIP section, one entry at a time, with the VHID the same as the WAN CARP VHID. No password is asked for here, as was the case for the CARP VIP, because these additional IP aliases get attached to the CARP group.
As we add the IP aliases for the NAT pool, we can clone them to quickly change the last digit of the IP and the description. These won't replicate via HA, so they need to be created separately on the peer box as well.
Now create the Alias of all these IPs and then use that as the NAT target. And then it works beautifully. Use round robin sticky as the pool type. And make sure to reboot the two boxes, else everything seems to work, but a bit slow, and I had 50% ping loss going to Google or Quad 1 DNS servers. After the reboot that went away.
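For readers who want to see what the finished setup corresponds to underneath the GUI, here is a hand-written pf.conf fragment. It is an added illustration, not rules generated by OPNsense and not anything posted in this thread. The interface name, the LAN subnet and the 203.0.113.0/24 documentation addresses are assumptions; OPNsense writes its own ruleset from the GUI, so this only shows the pool semantics of the "round robin" pool type with the "sticky" option and why the pool members must also exist as CARP-tracking IP aliases.

```pf
# Added illustration, not OPNsense-generated rules. Interface and addresses are assumed.
wan_if  = "vtnet0"            # assumed WAN interface
lan_net = "192.168.1.0/24"    # assumed LAN subnet whose traffic is translated

# The NAT pool. Each address here must also be configured on the WAN interface
# as an IP alias attached to the WAN CARP VHID (on both HA nodes, since these
# aliases do not sync). Without that, nothing answers the ISP gateway's ARP for
# the address and return traffic never reaches the firewall, which is the
# "NAT does not work" symptom from the first post.
nat_pool = "{ 203.0.113.10, 203.0.113.11, 203.0.113.12 }"

# Outbound (source) NAT: round-robin hands out pool members in turn for each new
# source host; sticky-address pins a source host to the member it received first,
# so a client keeps the same public IP across connections, matching the
# continuous-ping observation in this thread.
nat on $wan_if inet from $lan_net to any -> $nat_pool round-robin sticky-address
```

The `round-robin` and `sticky-address` keywords are standard pf pool options; `round-robin` needs more than one pool address, and `sticky-address` only makes sense with a `round-robin` or `random` pool. When verifying a setup like this, check that each pool address is present on the WAN interface on both nodes and that the CARP master answers ARP for all of them before looking at the NAT rule itself.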
dpsguard (Jr. Member, Posts: 70, Karma: 2)
Re: Outbound NAT to Alias of multiple Public IPs « Reply #4 on: August 29, 2023, 06:45:51 am »
Finally I started a continuous ping from a test client on the LAN and then did a reboot of the primary firewall, and I just saw one ping drop, and the external IP on the client remained the same from the NAT pool. Then I did a reboot of the second firewall, traffic went back to the primary, and I saw the same result.