Difference Between Virtual IP and 1:1 NAT and Best Practices
Topic: Difference Between Virtual IP and 1:1 NAT and Best Practices (Read 941 times)
theprez1980 (Newbie, Posts: 20, Karma: 0)
Difference Between Virtual IP and 1:1 NAT and Best Practices
« on: June 15, 2024, 09:17:27 pm »
Hey All -
I'm trying to understand the differences and practices between 1:1 NAT and a Virtual IP. I was allocated a /29 (5 usable) and, if I got this right, it seems Virtual IP traffic can cause problems where inbound traffic comes in on one of the public IPs but is returned via the gateway IP, which can cause other applications to block it since they're expecting traffic back from the same IP they contacted but instead the response came from the WAN IP of OPNsense. Did I get that right? I guess 1:1 BI NAT basically has traffic coming in on one of these IPs and leaving out the same IP?
If I use 1:1 NAT, do I plug one of the /29 public IP addresses into the machine and use the ISP-provided gateway, or am I still using private IPs and mapping them somehow?
Any screenshots would be great - I plan to use my 5 IPs for a VPN Server, Mail Server and Web Server.
Thanks
« Last Edit: June 15, 2024, 09:19:03 pm by theprez1980 »
FLguy (Newbie, Posts: 35, Karma: 1)
Re: Difference Between Virtual IP and 1:1 NAT and Best Practices
« Reply #1 on: June 16, 2024, 07:00:23 am »
Hello Prez,
1:1 NAT and virtual IP are not distinct entities, but rather, they work in tandem. To utilize a 1:1 NAT (or any NAT type) for an IP address not assigned to the WAN interface, it's crucial to use virtual IPs for all those addresses.
E.g.
192.168.0.0/29
Say your ISP gateway is 192.168.0.1
Your WAN address is 192.168.0.2
Then you will need to create Virtual IPs for 192.168.0.3, 192.168.0.4, and so on to .6
Once you have those Virtual IPs configured, you can create 1:1 NATs, port forwarding NATs, etc. This is because of a concept called Proxy ARP, which is why virtual IPs exist.
Thanks,
Nick
theprez1980 (Newbie, Posts: 20, Karma: 0)
Re: Difference Between Virtual IP and 1:1 NAT and Best Practices
« Reply #2 on: June 17, 2024, 03:35:55 am »
Thanks Nick -
That helps me understand the concept of Virtual IPs, but I am still struggling with the difference between 1:1 NAT and just regular Virtual IPs with port forwarding.
One issue I seem to be running into with Virtual IPs is the following:
I have a /29 public IPv4 block - and they are configured as virtual IPs under Interfaces -> Virtual IPs -> Settings.
Under NAT -> Port Forward I have rules set up to route services from the public IPs to their corresponding private IPs in the 10.0.0.0/24 block.
Entries such as SSH/22UDP and Web TCP/80 work as expected. However, there seems to be an issue with OpenVPN server on SSH/1194 on one of these virtually mapped IPs.
I can connect to this OpenVPN server fine using the public virtual IP that's mapped to a private 10.0.0.104 IP; I can ping other connected clients just fine also and they can ping me. I can also ping the 10.0.0.254 address, which is the OpenVPN server LAN IP. All that works as expected.
What's broken:
Pinging to other devices on the 10.0.0.X subnet doesn't work. I have the OpenVPN server set to forward and masquerade and this configuration worked fine on UniFi. Upon closer inspection, it appears my ping requests are getting received by the WAN IP address and of course blocked by the WAN filter.
Why would responses going back come from the WAN IP of OPNsense and not the same virtual IP? Is this by design? How would I resolve a situation such as this?
Thanks
FLguy (Newbie, Posts: 35, Karma: 1)
Re: Difference Between Virtual IP and 1:1 NAT and Best Practices
« Reply #3 on: June 17, 2024, 07:04:42 am »
Sorry, man, your issue is a bit unclear to me. At any rate, I would suggest using 1:1 BINAT for your OpenVPN server. This will make the NAT bidirectional. Port forwarding translations aren't bidirectional by nature, as traffic only flows in one direction (from source to destination or from Client to Server). This means the server will never "initiate" traffic over the port forward nat. If you want Server to client traffic to use the VIP, use 1:1 BINAT.
The part I don't understand for you is the OpenVPN server behind the firewall. You say it's working, and you can ping some hosts, but then you say you can't ping other hosts. Either your masquerading isn't configured correctly, or something else is happening. Your "client VPN" traffic should exit the OpenVPN server towards the LAN hosts and return traffic to the OpenVPN server when the LAN replies. From there, it should be tunneled back to your VPN client (or site2site), and the OPNsense firewall should never see this traffic (LAN replies) as it should be tunneled.
You know opnsense can be the OpenVPN server for the network, right?
Another possible issue is outbound NAT (aka PAT). For IPSec VPNs, PATs have to be considered. It's really not the case for OpenVPN deployments, but honestly, having used OpenVPN for years.
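To make the direction asymmetry in Reply #3 concrete (and the VIP layout from Reply #1), here is an added toy model of the two translation types; it is my own illustration, not OPNsense or pf code. It uses the constructed addresses from Reply #1 and the OpenVPN host 10.0.0.104 from Reply #2; the VIP 192.168.0.4 for that host, the remote peer 203.0.113.9, and UDP/1194 for OpenVPN are assumptions.

```python
from dataclasses import dataclass, replace

WAN_IP = "192.168.0.2"      # firewall's own WAN address (Reply #1)
LAN_PREFIX = "10.0.0."      # crude membership test for the 10.0.0.0/24 LAN


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class WanNat:
    # Port forward: (VIP, proto, port) -> private host. Inbound-only, like pf "rdr".
    port_forwards: dict
    # 1:1 BINAT: private host -> VIP, applied in both directions.
    binat: dict

    def inbound(self, pkt: Packet) -> Packet:
        """WAN -> LAN for a connection a remote client initiates."""
        for priv, vip in self.binat.items():
            if pkt.dst == vip:          # any proto/port: the VIP *is* the host
                return replace(pkt, dst=priv)
        target = self.port_forwards.get((pkt.dst, pkt.proto, pkt.dport))
        if target:
            return replace(pkt, dst=target)
        return pkt                      # lands on the firewall; WAN rules decide

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> WAN for a connection the LAN host itself initiates.
        A port forward creates no state for this, so default outbound NAT
        masquerades it behind WAN_IP; a BINAT entry keeps the host's VIP."""
        if pkt.src in self.binat:
            return replace(pkt, src=self.binat[pkt.src])
        if pkt.src.startswith(LAN_PREFIX):
            return replace(pkt, src=WAN_IP)
        return pkt


# Constructed configs for the OpenVPN host 10.0.0.104 behind assumed VIP 192.168.0.4.
FORWARD_ONLY = WanNat(port_forwards={("192.168.0.4", "udp", 1194): "10.0.0.104"}, binat={})
WITH_BINAT = WanNat(port_forwards={}, binat={"10.0.0.104": "192.168.0.4"})


def server_initiated_source(cfg: WanNat) -> str:
    """Source address a remote peer sees when 10.0.0.104 opens a connection out."""
    return cfg.outbound(Packet("10.0.0.104", "203.0.113.9", "udp", 1194)).src


if __name__ == "__main__":
    print("port-forward only:", server_initiated_source(FORWARD_ONLY))  # the WAN IP
    print("1:1 BINAT        :", server_initiated_source(WITH_BINAT))    # the VIP
```

With the port forward alone, anything the server itself starts leaves as 192.168.0.2; with BINAT it leaves as the VIP, and inbound packets to the VIP reach the host on every port, not only the forwarded one.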
theprez1980 (Newbie, Posts: 20, Karma: 0)
Re: Difference Between Virtual IP and 1:1 NAT and Best Practices
« Reply #4 on: June 17, 2024, 11:52:40 am »
No worries, I don't think I explained it very well lol.
For the 1:1 BINAT setup, a few questions please:
I have a /29 public IP range and my LAN network is currently configured as a /24, so offhand I don't think I can use BINAT with that particular LAN network, right, since the subnets have to be the same size based on what I read elsewhere on the forums?
It looks like I'll have to create another LAN network, say 192.168.50/29. If I do that, do I have to burn a /29 IP for the LAN gateway in that subnet? I'm assuming I have to create a gateway in that IP space, but perhaps not? When I set up a local machine in that new subnet, I'll pick an IP in the 192.168.50.X range, but what gateway do I give it?
Thanks
« Last Edit: June 17, 2024, 01:06:33 pm by theprez1980 »