public subnet behind opnsense / ip source header of opnsense not server

Started by chrismaster, September 24, 2024, 06:15:43 PM

I have opnsense with
WAN with public /32 and DMZ interface with public /29 and a dhcp server
When I add a server to the /29 network, I have the problem that e.g. curl -4 icanhazip.com returns the public /32 IP. There is no problem to ssh from the Internet to a server in the /29.

my network looks like this

Fiber
  |
WAN IF @ OpnSense (block private networks)
(aaa.aaa.aaa.aaa)/32 public IP via DHCP
  +
DMZ IF @ OpnSense (no dynamic gateway policy, ipv4 gateway rules disabled)
(aaa.aaa.bbb.bb1)/29 public IP static IP
  |
ServerA
(aaa.aaa.bbb.bb2)/29 public IP with DHCP from Opnsense



From Server A:
curl -4 icanhazip.com
gives the IP of WAN IF

curl -6 icanhazip.com
gives the ServerA ip

I also need the Server A ip with ipv4 curl -4

Where should I start to look?
Thx
Chris
ps: Beside this, everything works fine


You have to make sure the Firewall rule that allows Internet from the DMZ has the Gateway of the /29 net selected.
Hardware:
DEC740

Firewall -> NAT -> Outbound

You'll probably have to turn off automatic rule generation, and setup your own rules as needed (or not)....

There are only public IPs there is no NAT. I almost wrote the same and checked twice.  ;D
Hardware:
DEC740

Eh? Sounds like the /29 is routed to the /32 "WAN" IP address. NAT would be on by default - needs to be turned off ... no?

Oh yeah, you are right. It's probably also a NAT thing.
Hardware:
DEC740

Thx, outbound NAT was the problem.
But only for ipv4, ipv6 worked before.
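As an added illustration (not code from the thread or from OPNsense itself), here is a small Python model of pf-style first-match outbound NAT. It shows why ServerA's IPv4 traffic showed up as the WAN /32 address under automatic outbound NAT and as its own address once a "Do not NAT" rule for the public /29 is matched first; all addresses are constructed from RFC 5737 documentation ranges.

```python
# Added example (not from the thread): a first-match outbound-NAT evaluator in
# the spirit of OPNsense's pf rules, showing why ServerA's IPv4 traffic left
# with the WAN /32 address until automatic outbound NAT was turned off.
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addresses (RFC 5737 documentation ranges) standing in for the
# thread's aaa.aaa.aaa.aaa/32 WAN IP and aaa.aaa.bbb.bb0/29 DMZ network.
WAN_IP = ipaddress.ip_address("203.0.113.10")
DMZ_NET = ipaddress.ip_network("198.51.100.8/29")
SERVER_A = ipaddress.ip_address("198.51.100.10")

@dataclass
class OutboundNatRule:
    interface: str                                 # egress interface
    source: ipaddress.IPv4Network                  # source network to match
    translate_to: Optional[ipaddress.IPv4Address]  # None means "Do not NAT"

def automatic_rules():
    """Mimic automatic outbound NAT: every local network leaving via WAN is
    masqueraded behind the WAN address, public or not."""
    return [OutboundNatRule("WAN", DMZ_NET, WAN_IP)]

def hybrid_rules():
    """Hybrid mode: a manual 'Do not NAT' rule for the routed public /29 is
    evaluated before the automatic rules, so first match leaves the source alone."""
    return [OutboundNatRule("WAN", DMZ_NET, None)] + automatic_rules()

def apparent_source(rules, egress_if, src):
    """Return the source address a remote host (e.g. icanhazip.com) would see
    for a packet from `src` leaving via `egress_if`, using pf-style first match."""
    for rule in rules:
        if rule.interface == egress_if and src in rule.source:
            return src if rule.translate_to is None else rule.translate_to
    return src  # no matching NAT rule: packet is routed with its own address

if __name__ == "__main__":
    print("automatic outbound NAT:", apparent_source(automatic_rules(), "WAN", SERVER_A))
    print("hybrid with Do-not-NAT:", apparent_source(hybrid_rules(), "WAN", SERVER_A))
```

Automatic outbound NAT rules in OPNsense cover IPv4 only, which matches the observation in the thread that curl -6 already returned ServerA's own address.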