Port-Forwarding with 2 WANs but identical Gateway

Started by Madhater, February 14, 2025, 12:03:49 PM

Hey everyone,
As I couldn't really find a solution that seems to work for my setup, I am a bit lost with the following problem:

I have a setup with an OPNsense VM that has two public IPs bound to different WAN interfaces. The upstream gateway for both interfaces is identical. I seem to be unable to port forward ports to a subnet via WAN2.

For WAN 1 and 2 the setup is basically the same:
"Internet" <-> Datacenter Provider Gateway <-> WAN1/2 Interface <-> Internal Network 1/2 <-> Internal Network1/2 Application

Within the WAN 1 stream everything works as desired - and I additionally can also reach internal network 2 applications if I port forward from there.
So far, so good.

Within the WAN 2 stream it does not work, even though I configure a standard
Port-Forward
(Interface WAN2, Source any, Destination WAN2 address, Destination Port "desired Port", redirect IP "Internal Application 2", redirect Port "desired Port", no reflection or filter rule association)

and add a manual Firewall rule
(Interface: WAN2, Protocol TCP, Source any, Destination WAN2 address, Destination Port "desired Port", Gateway "default").

I have additionally tried to configure outbound NAT, but without any success either.
(Hybrid Outbound, Interface WAN2, Protocol TCP, Source Internal Network 2, Source Port "any", Destination & Destination Port any, Translation Target "Interface").

The issue that I see:
The WAN2 interface has no gateway assigned, though, as the gateway for both WANs would be the same, and OPNsense of course does not accept that.


What am I doing wrong here?
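A check worth running on the box before changing anything else (added here as an example; it is not part of the thread). On OPNsense, a pass rule on a WAN interface that has a gateway assigned is generated with a pf `reply-to` clause, so replies to inbound connections leave through that same interface; a rule on a WAN interface without a gateway gets no `reply-to`, and the reply packets follow the default route instead. The script below reads `pfctl -sr` output and lists inbound pass rules on a given interface that lack `reply-to`. The interface names (vtnet0 for WAN1, vtnet1 for WAN2), the addresses and the three sample rules are constructed for this example and are assumptions, not the poster's configuration.

```shell
#!/bin/sh
# Constructed sample of `pfctl -sr` output on a box with two WANs.
# Interface names, addresses and labels are assumptions for this example.
SAMPLE_RULES='pass in quick on vtnet0 reply-to (vtnet0 203.0.113.1) inet proto tcp from any to 203.0.113.10 port = 443 flags S/SA keep state label "WAN1 https"
pass in quick on vtnet1 inet proto tcp from any to 198.51.100.10 port = 443 flags S/SA keep state label "WAN2 https"
pass in quick on vtnet1 inet proto tcp from any to 198.51.100.10 port = 2222 flags S/SA keep state label "WAN2 ssh"'

# missing_reply_to IFACE: read pf rules on stdin and print every inbound
# "pass in" rule on IFACE that carries no reply-to clause. Replies matching
# such a rule are routed by the default route, not back out IFACE.
missing_reply_to() {
    awk -v ifc="$1" '
        $1 == "pass" && $2 == "in" && $0 ~ (" on " ifc " ") && $0 !~ /reply-to/ { print }
    '
}

# count_missing_reply_to IFACE: same input on stdin, prints the number of
# such rules (0 when every rule on IFACE has reply-to).
count_missing_reply_to() {
    missing_reply_to "$1" | awk 'END { print NR }'
}

# Run against the constructed sample when executed directly.
printf '%s\n' "$SAMPLE_RULES" | missing_reply_to vtnet1
```

On the firewall itself, feed it the live ruleset instead of the sample: `pfctl -sr | missing_reply_to vtnet1` (substitute the real WAN2 device name). If the WAN2 rules show up without `reply-to`, the return traffic for WAN2 connections is not being pinned to WAN2, which matches the symptom of a forward that only works on the WAN that owns the default gateway.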

Instead of two interfaces use a virtual IP address, perhaps?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: Patrick M. Hausen on February 14, 2025, 12:05:49 PM:
Instead of two interfaces use a virtual IP address, perhaps?

Thanks for your input.
The problem is that the DC provider (Hetzner) requires each public IP to be configured with its own specific MAC address provided by them.

From my limited point of view this prohibits the use of a virtual IP, doesn't it?

Kind regards,
MH

Should be possible with a vSwitch. I run 2 OPNsense installations at Hetzner this way, but real hardware, not VMs.

February 14, 2025, 01:00:54 PM #4 Last Edit: February 14, 2025, 04:47:11 PM by Madhater
Quote from: Patrick M. Hausen on February 14, 2025, 12:51:06 PM:
Should be possible with a vSwitch. I run 2 OPNsense installations at Hetzner this way, but real hardware, not VMs.

Thank you! This is an avenue I didn't even think about, to be honest.

Could you give me a few clues as to what this solution could look like so I can read up on it? I must admit I have literally zero experience and very little knowledge about the vSwitch concept.

Kind regards,
MH

EDIT:
Just found your other thread that explains it. Thanks! I will see what I can do.