Can not get on the Internet LAN Side, but OPNSense itself can Ping 8.8.8.8

Started by fbeye, November 08, 2024, 03:59:27 AM

Hi there

I've used OPNS a while back and had 0 issues with it but my layout was quite simple. At that same time I was using Cisco ISR + FTD (NGFW) for my more complicated setup but wanted to move it all over to just OPN.
I won't get into crazy details of my setup but will mention the most basic needs;

I have 5 usable static IPs, each static WAN IP has its own network. I.E. 207.108.x177 is 192.168.1.0, 207.108.x 178 is 192.160.2.0 and so on. Obviously I need NAT for WAN to LAN (IP) direction for specific IPs and port services etc but also want a NAT for the WAN to NETWORK as a whole.
Just curious if this is possible.
So, I'd need NAT x.x.x.177 is 192.168.1.0 but then NAT x.x.x.177 Port 443 to let's say 192.168.1.443 for NGINX.

Of course this is perfectly possible with OPNsense. Not at all complicated.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote: ...let's say 192.168.1.443 for NGINX

Need to be a forum subscriber on the Vanity+ yearly plan to use vanity IPs in OPNsense I'm afraid.

I do not understand your meaning, vanity IPs? I just mean that if I were to connect to WAN https x.x.x.177 it would forward to LAN 192.168.1.443:443, so essentially I wanna run a https server. This would be part of a pay subscription?

192.168.1.443 is not a valid IP address ...

192.168.1.43:443 I am sorry, yeah I just got giddy with typing you are correct. Also NGINX would be running on a Docker container on that IP.

Quote from: fbeye on November 08, 2024, 05:01:24 PM
I do not understand your meaning, vanity IP's? I just mean that if I were to connect to WAN https x.x.x.177 it would forward to LAN 192.168.1.443:443, so essentially I wanna run a https server. This would be part of a pay subscription?
Oh wow I am an idiot. You were referring to the 192.168.1.443, which I was mistaken in saying, I am slow today. Alright cool I'll look into getting this all done. Thanks all.


I added IP Aliases, also WAN set for PPPoE and grabs default IP/Gateway x.x.x.182;

x.x.x.177
x.x.x.178
x.x.x.179
x.x.x.180
x.x.x.181
x.x.x.182 [Default WAN IP]

NAT One-To-One BiNAT, Each WAN IP translates to its own LAN Network;

x.x.x.177 NAT 192.168.1.0
x.x.x.178 NAT 192.168.2.0
x.x.x.179 NAT 192.168.3.0
x.x.x.180 NAT 192.168.4.0
x.x.x.181 NAT 192.168.5.0
x.x.x.182 NAT 192.168.6.0

Will Outbound NAT be negotiated via Hybrid NAT rules/ BiNAT setup?
Is there a way to specify outgoing as a whole, I.E. 'anything' on 192.168.1.0
outbounds x.x.x.177, 192.168.2.0 outbounds x.x.x.178 and so on? I assume I would
need to make those Outbound entries... to email servers and http servers.

I will assume that I give LAN Interface on OPNSense an IP of 172.16.1.1
I create 6 Static Routes to the SG350XG Networks using 172.16.1.2 [SG GE 1/1 Interface IP]
as the Gateway.
This way anything Incoming on a specific WAN IP will be NAT'd to the specific LAN Network
which is forwarded to the SG350XG via the Static Routes for the Networks
   192.168.1.0 255.255.255.0 172.16.1.2
   192.168.2.0 255.255.255.0 172.16.1.2
And so on.

Do I need to set up a Gateway at all on the OPNSense?   

Yeah, that did not work. Like, everything "worked" except Internet access. Only thing I did not ADD were any OUTGOING NAT rules, but I assumed I did not need. Apparently I did. I tried doing auto nat and hybrid.
Through the OPNSense to the SG350XG, I could connect to all LAN devices on each Network, all was fine.. But nothing outgoing.

Sorry to be a repetitive ignoramus, been up for hours just can not figure this out!

Being that I have the 6 STATIC IPs NAT'd to 6 LAN Networks, do I need to create OUTBOUND for each Network to WAN? As I said I tried, and left blank, Hybrid and Automatic.

I have my PPPoE setup and from opnsense can ping 8.8.8.8
I have my LAN on opnsense 172.16.2.1 which connects to SG350XG 172.16.2.2
I have the 6 [usable] WAN IPs set up as aliases
I have 6 BINat One-To-One WAN IP to LAN NETWORK [I.E. x.x.x.177 BINat to 192.168.1.0]
I have ZERO at all OUTBOUND NAT rules [But I would need to create one for the LAN's to know what WAN IP to leave on, yeah?]
I have a GATEWAY [I made it 172.168.2.1, the opnsense LAN IP] so I can make STATIC ROUTES
I made 6 Static Routes, and even tried 192.168.0.0/16 so all LAN Networks can be found on the SG via 172.16.2.2 which raises the question, would the GATEWAY to the / for the SG350XG Networks be the opnsense Interface IP or the SG350XG Interface?

I just can not get Internet access to work.

One-to-one NAT maps *ONE* external IP address to *ONE* internal IP address. 192.168.1.0 is one IP address, not a subnet. It happens to be a network address, not a host, so one-to-one NAT for it will not do anything useful.

If you need an entire internal subnet to share one external IP address, use outbound NAT.

If you need to expose internal hosts to the internet, you could either use port-forwarding, or use some of your public IP addresses for 1:1 NAT, but you can't use a given public IP address for both outbound NAT and one-to-one NAT at the same time.

Good Morning

I will not lie, this confuses me a little bit. I had assumed I could do One-to-One NAT because I want whole subnets to be associated with specific WAN, I.E. I want everything 192.168.1.0 to associate with x.x.x.177, everything 192.168.2.0 to associate with x.x.x.178 and so on. I thought that that was the correct way...
So, 1-to-1 is literally host specific WAN to LAN, not WAN to LAN [Subnet]?
Alright, so for simple "Internet" use, I make OUTBOUND NATs associating LAN Networks to out on their specific WAN.
And then in terms of incoming for email/web servers I would then use Port Forwarding but "If you need to expose internal hosts to the internet, you could either use port-forwarding, or use some of your public IP addresses for 1:1 NAT, but you can't use a given public IP address for both outbound NAT and one-to-one NAT at the same time." confuses me too... So I can not have OUTBOUND NAT associating specific LAN [Network] to WAN and then also for incoming a specific NAT 1-to-1?

After reading https://docs.opnsense.org/manual/nat.html it does make more sense, I will give you that.
Anything incoming WAN to LAN would need Port Forwarding to know where the packet needs to go but I also need OUTGOING NAT for the LAN Networks to know which WAN IP to use.. Probably most instances not relevant but with multiple lan networks seems to be the correct course.

For that you place outbound NAT rules on WAN. Assigning individual addresses to source networks as you see fit.

1:1 really means one external address for each internal address. To NAT a network or a range of addresses to a single public one you need outbound.
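To make the difference between the three rule types concrete, here is a small Python model of how OPNsense's outbound NAT, one-to-one (BINAT) and port-forward rules translate a packet, with a config check for the two mistakes raised in this thread. It is an added example, not code from OPNsense, pf or anyone posting here. It assumes the documentation-range addresses 203.0.113.177-182 in place of the poster's x.x.x.177-182, internal networks 192.168.1.0/24 through 192.168.6.0/24, and an NGINX host at 192.168.1.43; the rule-matching order (BINAT host first, then longest-prefix outbound match) is a simplification of the real pf ruleset.

```python
"""Packet-translation model of the three OPNsense NAT rule types discussed in this
thread: outbound NAT, one-to-one (BINAT) and port forwarding.

Added for this thread as example code; it is not OPNsense's or pf's own logic.
Assumptions: 203.0.113.177-182 (documentation range) stand in for the poster's
x.x.x.177-182, and the internal networks are 192.168.1.0/24 .. 192.168.6.0/24.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, ip_address, ip_network
from typing import Optional


@dataclass
class NatConfig:
    # outbound NAT: internal source network -> public address it leaves on
    outbound: dict = field(default_factory=dict)
    # one-to-one (BINAT): one internal host <-> one public address, both directions
    binat: dict = field(default_factory=dict)
    # port forward: (public address, proto, port) -> (internal host, port)
    port_forwards: dict = field(default_factory=dict)


def translate_outbound(cfg: NatConfig, src: str) -> Optional[IPv4Address]:
    """Public source address a packet from `src` leaves the WAN with.

    None means no rule matched: the packet would leave with its private address
    and the reply could never come back, which is the 'LAN has no Internet' symptom.
    """
    src_ip = ip_address(src)
    if src_ip in cfg.binat:                      # BINAT wins for its one host
        return cfg.binat[src_ip]
    best = None                                  # longest-prefix match over outbound rules
    for net, public in cfg.outbound.items():
        if src_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, public)
    return best[1] if best else None


def translate_inbound(cfg: NatConfig, dst: str, proto: str, port: int):
    """(internal host, port) a new inbound connection to dst:port is delivered to, or None."""
    dst_ip = ip_address(dst)
    for internal, public in cfg.binat.items():   # BINAT maps every port of the public address
        if public == dst_ip:
            return internal, port
    return cfg.port_forwards.get((dst_ip, proto, port))  # otherwise an explicit forward is needed


def validate(cfg: NatConfig) -> list[str]:
    """Config sanity checks for the two mistakes raised in the thread."""
    warnings = []
    for internal, public in cfg.binat.items():
        if internal.packed[-1] == 0:             # last octet 0: a /24 network address, not a host
            warnings.append(f"BINAT {public} -> {internal}: that is a network address, "
                            f"so no host in {internal}/24 will ever match it")
    shared = set(cfg.binat.values()) & set(cfg.outbound.values())
    for public in sorted(shared):
        warnings.append(f"{public} is used by both a one-to-one and an outbound rule")
    return warnings


def posters_first_attempt() -> NatConfig:
    """Six BINAT rules with the subnet's network address as the 'host' (constructed)."""
    cfg = NatConfig()
    for i in range(1, 7):
        cfg.binat[ip_address(f"192.168.{i}.0")] = ip_address(f"203.0.113.{176 + i}")
    return cfg


def corrected_config() -> NatConfig:
    """Outbound NAT per subnet plus a port forward for the NGINX host (constructed)."""
    cfg = NatConfig()
    for i in range(1, 7):
        cfg.outbound[ip_network(f"192.168.{i}.0/24")] = ip_address(f"203.0.113.{176 + i}")
    cfg.port_forwards[(ip_address("203.0.113.177"), "tcp", 443)] = (ip_address("192.168.1.43"), 443)
    return cfg


def mixed_config() -> NatConfig:
    """One public address claimed by both a BINAT host and an outbound rule (constructed)."""
    cfg = corrected_config()
    cfg.binat[ip_address("192.168.1.43")] = ip_address("203.0.113.177")
    return cfg


if __name__ == "__main__":
    for name, cfg in [("first attempt", posters_first_attempt()), ("corrected", corrected_config()),
                      ("mixed", mixed_config())]:
        print(f"[{name}] 192.168.1.43 leaves as: {translate_outbound(cfg, '192.168.1.43')}")
        print(f"[{name}] inbound 203.0.113.177:443 goes to: "
              f"{translate_inbound(cfg, '203.0.113.177', 'tcp', 443)}")
        for w in validate(cfg):
            print(f"[{name}] warning: {w}")
```

Running it shows the first attempt translating nothing for 192.168.1.43 (six warnings about network addresses used as hosts), the corrected config sending each subnet out on its own public address and delivering 203.0.113.177:443 to the NGINX host, and the mixed config flagged for using one public address in both rule types.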