Set up NAT without round-robin

[hes]

Hello there!

We was recently given a couple of OPNsense firewalls under management and have issues setting up NAT.
There is a corporate WAN (attached to the WAN interface) and a small network managed by external supplier (attached to the LAN interface).
There are 3 devices in the LAN which need to be accessible from any address on the WAN (via inbound NAT).
And the 3 devices are the only that are allowed to access the WAN (via outbound NAT).

We tried to set this up but inbound NAT doesn't seem to work.
Sometimes it does work inboud, on Device A, but not on the others.
Outbound NAT sometimes works, sometimes not. Driving us crazy :-)
When we replace the OPNsense with a very basic Sitecom consumer router, the NAT works fine! (for one IP, because it doesn't support multiple IPs)

I've been reading the forum a bit and perhaps I am running in to the round-robin behaviour which is described here, but not sure one must work around this.
https://forum.opnsense.org/index.php?topic=7132.0

It's important in our case that the addresses used by the NAT are fixed and not changed every now and then by OPNsense because this is blocked by the security devices all over the rest of the network.

Can somebody please describe how to create a simple inbound and outbound NAT rule including firewall rules (can be auto-created?) where WAN IP 10.x.x.42 is NATed to 172.x.x.10 and never ever uses another IP than these two?

Any other suggestions that might be the cause are also very welcome!

LAN addresses
Subnet /24
OPNsense VIP 172.x.x.1 (used as gateway by Device A,B,C)
OPNsense node A 172.x.x.2
OPNsense node B 172.x.x.3
Device A 172.x.x.10
Device B 172.x.x.11
Device C 172.x.x.12

WAN addresses
Subnet /26
Gateway 10.x.x.62
OPNsense cluster (VIP) 10.x.x.5
OPNsense node A 10.x.x.6
OPNsense node B 10.x.x.7
Device A (VIP) 10.x.x.42
Device B (VIP) 10.x.x.43
Device C (VIP) 10.x.x.44

[franco]

First and foremost: what version are you running?


Cheers,
Franco

[hes]

This system is running OPNsense-18.7-OpenSSL-serial-amd64 :-)

[franco]

If it's not on 18.7.2 or 18.7.3 would you mind updating before we continue to look into it?


Cheers,
Franci

[hes]

Sure, but where do I download it?
My download source is https://pkg.opnsense.org/releases/ and only 18.7 is listed there. Same for the other mirrors. 

[franco]

Minor updates are online updates.


Cheers,
Franco

[hes]

Aaaaah, hmmm...
There is no internet on this site :-) Can I get this on USB stick somehow?
OPNsense is used as firewall between two internal networks in this case with no route to the internet.

[franco]

I can provide an image then when 18.7.3 is out for testing.

The general idea is that if your site doesn't have Internet you can use any web server rsynced / manually copied with e.g. https://mirror.fra10.de.leaseweb.net/opnsense/ to be able to update locally.


Cheers,
Franco

[franco]

As promised:

https://pkg.opnsense.org/FreeBSD:11:amd64/snapshots/OPNsense-18.7.3-OpenSSL-serial-amd64.img.bz2


Cheers,
Franco