How To Configure OPNsense Network Address Translation?
Network address translation is the process of mapping one Internet Protocol (IP) address to another by modifying the header of IP packets while they are in transit across a router. With this technique, NAT can expose only one IP address for an entire network to the outside world, effectively masking the internal network. Network address translation is widely used in remote-access scenarios because it conserves addresses while also increasing security, reducing the number of public IP addresses a business needs.
Network Address Translation (NAT) is a method of separating external and internal networks (WANs and LANs) and sharing an external IP address among clients on the internal network. NAT can be used on both IPv4 and IPv6 networks. Network Prefix Translation is also available for IPv6.
The majority of the options below make use of three distinct addresses: the source, destination, and redirect address. These addresses will be used for the following purposes:
Address | Description |
---|---|
Source | From where the traffic is coming. This is frequently left on "any". |
Destination | Where the traffic is going. This is typically your external IP address for incoming traffic from the outside world. |
Redirect | Where traffic should be rerouted |
Caution: Disabling pf disables NAT on OPNsense.
- BINAT: NAT typically operates in only one direction. But, if your networks are of equal size, you can also use bidirectional BINAT. This can help to simplify your setup. You can only use regular NAT if your networks are not of equal size.
- NAT reflection: When a user on the internal network attempts to connect to a local server by using the external IP address rather than the internal one, NAT reflection can rewrite the request to use the internal IP address, avoiding a detour and applying rules designed for actual outside traffic.
- Pool Options: When there are multiple IPs to choose from, this option allows you to control which IP is used. The default, Round Robin, simply sends packets to one server after another. This option has no effect if you only have one external IP address.
OPNsense firewall provides the following types of NAT configurations:
- Port Forwarding NAT (DNAT)
- One-to-One NAT (1:1 NAT)
- Outbound NAT (SNAT)
In this article, we will cover all of these NAT configurations in OPNsense briefly and give the following real-world examples:
- Port forwarding configuration in OPNsense for a web server accessible from the Internet.
- Port forwarding configuration in OPNsense for SSH and RDP servers accessible from a specific IP address.
- Outbound NAT configuration in OPNsense for allowing specific local servers to access a remote service.
Port forwarding in OPNsense
Connections from the Internet to the internal network are blocked by the OPNsense firewall. You may use the OPNsense port forwarding feature to allow certain services (ports) to be reached from the external network.
Port forwarding is also known as "Destination NAT" or "DNAT." When multiple servers in a LAN share the same external IP address, any connection that is not initiated by one of the servers will fail because the firewall will not know where to send the traffic. This can be remedied by establishing port forwarding rules. For example, to make your organization's web server behind the firewall accessible from the internet, you must redirect HTTP(s) ports (80/443) to the server.
To configure port forwarding in OPNsense, navigate to Firewall -> NAT -> Port Forward. An overview of the port forwarding rules can be found there.
Figure 1. Port forwarding configuration in OPNsense
To add a new port forwarding rule, click the + button in the upper right corner.
The following fields are available when adding a port forwarding rule:
Option | Description |
---|---|
Disabled | Check this option to disable the rule without removing it. |
No RDR (NOT) | Enabling this option prevents traffic matching this rule from being redirected and a redirect rule is not created. Hint: this option is rarely used; don't use it unless you're sure you know what you're doing. |
Interface | Which interface the rule should apply to. The majority of the time, this will be WAN. |
TCP/IP version | IPv4, IPv6 or both. |
Protocol | In typical scenarios, this will be TCP. |
Source | Where the traffic comes from. Click Advanced to see the other source settings. |
Source / Invert | Invert match in Source field. |
Source port range | When applicable, the source port on which we should match. This is almost always random and almost never equals the destination port range (and should almost always be 'any'). |
Destination / Invert | Invert match in Destination field. |
Destination | Where the traffic is going. |
Destination port range | Service port(s) the traffic is using. For this mapping, specify the port or port range for the packet's destination when using the TCP or UDP protocols. |
Redirect target IP | Where to redirect the traffic to. Enter the internal IP address of the server to which the ports will be mapped. |
Redirect target port | Which port to use (when using TCP and/or UDP). Enter the port number for the machine with the IP address you entered above. In the case of a port range, specify the range's starting port (the end port will be calculated automatically). |
Pool Options | This option is explained in the previous section. The default is Round Robin. Only the Round Robin type is compatible with host aliases; subnets of any type can be used. Round Robin: iterates over the translation addresses. Random: chooses an address at random from the translation address pool. Source Hash: determines the translation address by hashing the source address, so that a given source always gets the same redirection address. Bitmask: applies the subnet mask while keeping the host portion the same; 172.16.10.50 -> x.x.x.50. Sticky Address: with the Random or Round Robin pool types, ensures that a specific source address is always mapped to the same translation address. |
Description | A description to easily find the rule in the overview. |
Set local tag | You can mark a packet matching this rule and use this mark to match on other NAT/filter rules. |
Match local tag | Check for a tag set by another rule. |
No XMLRPC sync | Prevent this rule from being synced to a backup host. (Checking this on the backup host has no effect.) |
NAT reflection | This option is explained in the previous section. Leave this on the default unless you have a good reason not to. |
Filter rule association | Associate this with a regular firewall rule. |
One-to-one NAT
One-to-one NAT, as the name suggests, will translate two IP addresses one-to-one rather than one-to-many, as is more common.
To configure One-to-One NAT in OPNsense, navigate to Firewall -> NAT -> One-to-One. An overview of the 1:1 NAT rules can be found there.
Figure 2. One-to-One NAT configuration in OPNsense
To add a new One-to-One NAT rule, click the + button in the upper right corner.
The following fields are available when adding a 1:1 mapping rule:
Option | Description |
---|---|
Disabled | Check this option to disable the rule without removing it. |
Interface | Which interface the rule should apply to. The majority of the time, this will be WAN. |
Type | BINAT (default) or NAT. |
External network | Enter the starting address of the external subnet for the 1:1 mapping or network. If no subnet mask is provided, the subnet mask from the internal address below will be applied to this IP address. This is the address or network to/from which traffic will be translated. |
Protocol | In typical scenarios, this will be TCP. |
Source | Enter the internal subnet for the 1:1 mapping. The subnet size specified for the source will be applied to the external subnet, when none is provided. |
Source / Invert | Invert match in Source field. |
Destination / Invert | Invert match in Destination field. |
Destination | The destination network that packets should match; when used to map external networks, this is usually any. |
Description | A description to easily find the rule in the overview. |
NAT reflection | This option is explained in the previous section. Leave this on the default unless you have a good reason not to. |
Outbound NAT
Outbound NAT is also known as Source NAT or SNAT. When a client on an internal network sends an outbound request, the gateway must change the source IP to the gateway's external IP, because the outside server would be unable to respond otherwise.
If you only have one external IP address, you should leave the Outbound NAT options set to automatic. If you have multiple IP addresses, however, you may want to change the settings and add some custom rules.
To configure Outbound NAT in OPNsense, navigate to Firewall -> NAT -> Outbound. An overview of the outbound rules can be found there.
Figure 3. Outbound NAT configuration in OPNsense
The following modes are available for outbound NAT configuration in OPNsense:
Outbound NAT Mode | Description |
---|---|
Automatic outbound NAT rule generation | The default and is good for most cases. |
Manual outbound NAT rule generation | No automatic rules are generated. Outbound NAT rules are created manually. |
Hybrid outbound NAT rule generation | Automatic rules are added, but manual rules can also be added. |
Disable outbound NAT rule generation | Disables outbound NAT. This is used for transparent bridges, for example. |
To add new Outbound NAT rules, select either the Manual outbound NAT rule generation or the Hybrid outbound NAT rule generation option and click the Save button. New rules can then be added by clicking the + button in the upper right corner.
The following fields are available when adding an outbound rule:
Option | Description |
---|---|
Disabled | Check this option to disable the rule without removing it. |
Do not NAT | Enabling this option will disable NAT for traffic matching this rule and stop processing Outbound NAT rules. Hint: this option is rarely used; don't use it unless you're sure you know what you're doing. |
Interface | Which interface the rule should apply to. The majority of the time, this will be WAN. |
TCP/IP version | IPv4 or IPv6. |
Protocol | In typical scenarios, this will be TCP. |
Source | The source network to match. |
Source / Invert | Invert match in Source field. |
Source port range | When applicable, the source port on which we should match. This is almost always random and almost never equals the destination port range (and should almost always be 'any'). |
Destination / Invert | Invert match in Destination field. |
Destination | Enter the destination network for the outbound NAT mapping. |
Destination port range | Service port the traffic is using. |
Translation / target | Packets matching this rule will be mapped to the IP address given here. If you want this rule to apply to another IP address rather than the IP address of the interface chosen above, select it here (you will need to define Virtual IP addresses on the interface first). |
Log | Put packets matching this rule in the logs. Use this sparingly to avoid overflowing the logs. |
Pool Options | This option is explained in the previous section. The default is Round Robin. Only the Round Robin type is compatible with host aliases; subnets of any type can be used. Round Robin: iterates over the translation addresses. Random: chooses an address at random from the translation address pool. Source Hash: determines the translation address by hashing the source address, so that a given source always gets the same redirection address. Bitmask: applies the subnet mask while keeping the host portion the same; 172.16.10.50 -> x.x.x.50. Sticky Address: with the Random or Round Robin pool types, ensures that a specific source address is always mapped to the same translation address. |
Translation / port | Which port to use on the target. |
Static-port | Prevents pf(4) from modifying the source port on TCP and UDP packets. |
Set local tag | Set a tag that other NAT rules and filters can check for. |
Match local tag | Check for a tag set by another rule. |
No XMLRPC sync | Prevent this rule from being synced to a backup host. (Checking this on the backup host has no effect.) |
Description | A description to easily find the rule in the overview. |
Real-World Examples for NAT Configurations in OPNsense
How to Configure Port Forwarding For Web Services
Businesses that provide a service to their customers via the Internet must make their applications or web servers accessible from the Internet. Assume your company has two separate web servers in the DMZ network and one public IP address. Both the HTTP and HTTPS ports of these web servers should be accessible from anywhere in the world using the same public IP address. To accomplish this, you may define port forwarding rules in your OPNsense. You may configure the rules so that requests arriving on ports 80 and 443 are redirected to the first web server, while the second web server is reachable on ports 81 and 8443. For this configuration, you may follow the steps below.
Server Name | External IP | External Port | Local IP | Local Port |
---|---|---|---|---|
WebServer1 | Public Internet IP | 80 | 10.10.10.13 | 80 |
WebServer1 | Public Internet IP | 443 | 10.10.10.13 | 443 |
WebServer2 | Public Internet IP | 81 | 10.10.10.14 | 80 |
WebServer2 | Public Internet IP | 8443 | 10.10.10.14 | 443 |
Figure 4. Port Forwarding topology for web services
After completing the port forwarding configuration on your OPNsense firewall, HTTP (80) and HTTPS (443) requests to your WAN IP will be redirected to WebServer1 (10.10.10.13), while port 81 and port 8443 requests to your WAN IP will be redirected to WebServer2 (10.10.10.14).
Port Forwarding For HTTPS(443) Service of WebServer1
You may follow the instructions below to add a port forwarding rule for the HTTPS service of WebServer1.
- Navigate to Firewall -> NAT -> Port Forward in your OPNsense Web UI.
- Click the + button in the upper right corner. This will open the port forwarding configuration window.
Figure 5. Port forwarding rule configuration for HTTPS in OPNsense-1
- Set the Interface to WAN.
- Set the TCP/IP Version to IPv4.
- Set the Protocol to TCP.
- Set the Destination to WAN Address.
- Set the Destination Port Range to HTTPS.
- Select Single Host or Network from the Redirect Target IP dropdown menu. Then, set the field to the private IP address of WebServer1, such as 10.10.10.13.
- Set the Redirect Target Port to HTTPS.
Figure 6. Port forwarding rule configuration for HTTPS in OPNsense-2
- You may enable logging by checking the box in the Log option.
- Fill in the Description field, such as Allow HTTPS access to Webserver_10.10.10.13.
- Select Add associated filter rule from the Filter rule association option.
- Leave other options as default.
- Click the Save button at the bottom of the page.
Figure 7. Port forwarding rule configuration for HTTPS in OPNsense-3
Figure 7. Port forwarding rule configuration for HTTPS in OPNsense-3
Port Forwarding For HTTP(80) Service of WebServer1
To create a port forwarding rule for the HTTP(80) service of WebServer1, you may clone the port forwarding rule for the HTTPS(443) service created above and change the related settings by following the steps given below.
Figure 8. Port forwarding rules list in OPNsense
- Click the clone icon to copy the port forwarding rule for the HTTPS(443) service created above.
- Change the Destination Port Range option to HTTP.
Figure 9. Port forwarding rule configuration for HTTP in OPNsense-1
- Set the Redirect Target Port to HTTP.
- Change the Description field to Allow HTTP access to Webserver_10.10.10.13.
- Verify that the Filter rule association option is set to Add associated filter rule.
- Leave other options as they are.
- Click the Save button at the bottom of the page.
Figure 10. Port forwarding rule configuration for HTTP in OPNsense-2
Figure 10. Port forwarding rule configuration for HTTP in OPNsense-2
Port Forwarding For HTTP Service of WebServer2 on Custom External Port(81)
To create a port forwarding rule for the HTTP service of WebServer2 on a custom external port (81), you may clone the port forwarding rule for the HTTP(80) service created above and change the related settings by following the steps given below.
Figure 11. Port forwarding rules list in OPNsense
- Click the clone icon to copy the port forwarding rule for the HTTP(80) service created above.
- Change the Destination Port Range option to other and enter 81 in the related field.
Figure 12. Port forwarding rule configuration for HTTP(81) in OPNsense-1
- Set the Redirect Target IP to 10.10.10.14.
- Set the Redirect Target Port to HTTP.
- Change the Description field to Allow HTTP access to Webserver_10.10.10.14.
- Verify that the Filter rule association option is set to Add associated filter rule.
- Leave other options as they are.
- Click the Save button at the bottom of the page.
Figure 13. Port forwarding rule configuration for HTTP(81) in OPNsense-2
Figure 13. Port forwarding rule configuration for HTTP(81) in OPNsense-2
Port Forwarding For HTTPS Service of WebServer2 on Custom External Port (8443)
To create a port forwarding rule for the HTTPS service of WebServer2 on a custom external port (8443), you may clone the port forwarding rule for the HTTP(81) service created above and change the related settings by following the steps given below.
Figure 14. Port forwarding rules list in OPNsense
- Click the clone icon to copy the port forwarding rule for the HTTP(81) service created above.
- Change the Destination Port Range option to 8443.
Figure 15. Port forwarding rule configuration for HTTP(8443) in OPNsense-1
- Set the Redirect Target Port to HTTPS.
- Change the Description field to Allow HTTPS access to Webserver_10.10.10.14.
- Verify that the Filter rule association option is set to Add associated filter rule.
- Leave other options as they are.
- Click the Save button at the bottom of the page.
Figure 16. Port forwarding rule configuration for HTTP(8443) in OPNsense-2
Figure 16. Port forwarding rule configuration for HTTP(8443) in OPNsense-2
Now, you have completed the port forwarding configurations of both web servers. Your port forwarding rules list should look like this.
Figure 17. Port forwarding rules list for web servers in OPNsense
- Click Apply Changes at the upper right of the page to activate the settings.
Info: Since we have selected the Add associated filter rule option, the related firewall rules are created on the WAN interface automatically. To view the automatically added associated rules, navigate to Firewall -> Rules -> WAN. The firewall rules list on the WAN interface should look like this:
Figure 18. WAN firewall rules for web server port forwarding in OPNsense
Tip: Although internal users should access the web servers by connecting to the private IP address (local IP) of the servers, they may try to connect to a local server by using the public IP address. To allow local users to reach the public IP addresses of these servers, you must enable NAT reflection. First, check the Reflection for port forwards option on the Firewall -> Settings -> Advanced page.
Figure 19. Enabling Reflection for port forwards
Then, you should select the interface where the local users are, such as LAN, as well as the WAN interface during the port forwarding rule configuration.
Figure 20. NAT reflection
Also, be sure that NAT reflection is enabled in the port forwarding rule configuration.
Figure 21. NAT reflection is enabled in port forwarding rule
How to Configure Port Forwarding For SSH and RDP Services on Custom Ports
Assume that a web administrator needs remote (SSH and RDP) access to the web servers from his home, where he uses a static public IP address. Since management services such as SSH and RDP are critical and pose a high security risk, it is recommended that they not be accessible from the entire Internet. As a result, you will create port forwarding rules that allow only the web administrator's IP address to connect to the web servers. Also, because the default ports are already in use for accessing other servers, you must expose the SSH and RDP services on custom ports.
Server Name | External IP | External Port | Local IP | Local Port | Client IP |
---|---|---|---|---|---|
WebServer1 | Public Internet IP | 2222 | 10.10.10.13 | 22 | 1.1.1.1 |
WebServer2 | Public Internet IP | 5555 | 10.10.10.14 | 3389 | 1.1.1.1 |
Figure 22. Port Forwarding topology for SSH and RDP services
After completing the port forwarding configuration on your OPNsense firewall, port 2222 requests coming from the web administrator's IP address (1.1.1.1) to your WAN IP will be redirected to WebServer1 (10.10.10.13), while port 5555 requests coming from the web administrator's IP address (1.1.1.1) to your WAN IP will be redirected to WebServer2 (10.10.10.14).
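The same forwards written as plain pf rules, as an added illustration that is not part of the original article and not OPNsense's generated ruleset. It covers both the web-server forwards of the previous section and the source-restricted SSH and RDP forwards of this one; the WAN interface name em0 and the exact form of the associated filter rules are assumptions.

```pf
# Hand-written pf.conf equivalent of the port-forward rules described above
# (added example, not OPNsense output). Assumes the WAN interface is em0 and
# that the web servers sit behind it in the DMZ as in the tables above.
ext_if     = "em0"
webserver1 = "10.10.10.13"
webserver2 = "10.10.10.14"
admin_home = "1.1.1.1"        # web administrator's static public IP (from the article)

# Web services: any Internet host may reach them.
# "($ext_if)" means "whatever address em0 currently has", i.e. the WAN Address choice.
# External ports 81 and 8443 are rewritten to 80 and 443 on WebServer2.
rdr on $ext_if inet proto tcp from any to ($ext_if) port 80   -> $webserver1 port 80
rdr on $ext_if inet proto tcp from any to ($ext_if) port 443  -> $webserver1 port 443
rdr on $ext_if inet proto tcp from any to ($ext_if) port 81   -> $webserver2 port 80
rdr on $ext_if inet proto tcp from any to ($ext_if) port 8443 -> $webserver2 port 443

# Management services: the source is pinned to the administrator's address, so a
# connection from any other host never matches the rdr rule, is not redirected,
# and falls through to the default block on WAN.
rdr on $ext_if inet proto tcp from $admin_home to ($ext_if) port 2222 -> $webserver1 port 22
rdr on $ext_if inet proto tcp from $admin_home to ($ext_if) port 5555 -> $webserver2 port 3389

# The "associated filter rule" the GUI adds for each forward. pf evaluates
# filter rules after translation, so each pass rule matches the *internal*
# destination address and port, not the WAN address and external port.
pass in quick on $ext_if inet proto tcp from any to $webserver1 port { 80, 443 } flags S/SA keep state
pass in quick on $ext_if inet proto tcp from any to $webserver2 port { 80, 443 } flags S/SA keep state
pass in quick on $ext_if inet proto tcp from $admin_home to $webserver1 port 22   flags S/SA keep state
pass in quick on $ext_if inet proto tcp from $admin_home to $webserver2 port 3389 flags S/SA keep state
```

To compare with what the GUI actually produced, `pfctl -s nat` on the firewall lists the loaded rdr rules and `pfctl -nf <file>` parses a ruleset without loading it; OPNsense writes its generated ruleset to /tmp/rules.debug.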
Port Forwarding For SSH Service of WebServer1 on Custom External Port(2222)
To create a port forwarding rule for the SSH service of WebServer1 on a custom external port (2222), you may clone the port forwarding rule for the HTTP(80) service created above and change the related settings by following the steps given below.
- Click the clone icon to copy the port forwarding rule for the HTTP(80) service created above.
- Click the Advanced button in the Source option. This displays the details of the Source option.
- Select Single Host or Network from the Source dropdown menu.
- Enter the web administrator's static public IP address, such as 1.1.1.1/32.
- Leave Source Port Range as any.
Figure 23. Port forwarding rule configuration for SSH(2222) in OPNsense-1
- Change the Destination Port Range option to 2222.
- Set the Redirect Target Port to SSH.
- Change the Description field to Allow SSH access to Webserver_10.10.10.13.
Figure 24. Port forwarding rule configuration for SSH(2222) in OPNsense-2
- Verify that the Filter rule association option is set to Add associated filter rule.
- Leave other options as they are.
- Click the Save button at the bottom of the page.
Figure 25. Port forwarding rule configuration for SSH(2222) in OPNsense-3
Port Forwarding For RDP Service of WebServer2 on Custom External Port(5555)
To create a port forwarding rule for the RDP service of WebServer2 on a custom external port (5555), you may clone the port forwarding rule for the SSH(2222) service created above and change the related settings by following the steps given below.
- Click the clone icon to copy the port forwarding rule for the SSH(2222) service created above in the port forward rules list.
- Change the Destination Port Range option to 5555.
- Set the Redirect Target IP to the WebServer2 local IP address, such as 10.10.10.14.
- Set the Redirect Target Port to MS RDP.
- Change the Description field to Allow RDP access to Webserver_10.10.10.14.
Figure 26. Port forwarding rule configuration for MS-RDP(5555) in OPNsense-1
- Verify that the Filter rule association option is set to Add associated filter rule.
- Leave other options as they are.
- Click the Save button at the bottom of the page.
Figure 27. Port forwarding rule configuration for SSH(2222) in OPNsense-3
Now, you have completed the port forwarding rule configurations of both management services. Your port forwarding rules list should look like this.
Figure 28. Port forwarding rules list for web servers in OPNsense
- Click Apply Changes at the upper right of the page to activate the settings.
Info: Since we have selected the Add associated filter rule option, the related firewall rules are created on the WAN interface automatically. To view the automatically added associated rules, navigate to Firewall -> Rules -> WAN. The firewall rules list on the WAN interface should look like this:
Figure 29. WAN firewall rules for SSH and RDP access in OPNsense
Outbound NAT For Accessing a Remote Service Via Specific External IP Address
Assume that one of your application servers (WebServer1, with the IP address 10.10.10.13) needs to connect to a MySQL database on another company's network via the Internet. However, in accordance with the agreements between your company and the other company, you must ensure that the remote MySQL DB server (public IP address: 3.3.3.3) is only accessible by WebServer1 and that no other devices in your LAN can access the remote DB.
To accomplish this, you first need a second public IP address, which will be used to provide WebServer1 with access to the remote MySQL database, because your first public IP address is already used for Internet access by the local users and servers. We will use 2.2.2.2 as our second IP address, and WebServer1 will connect to the remote MySQL database from this external IP address.
Packet Type | Source IP Before NAT | Destination IP Before NAT | Source IP After NAT | Destination IP After NAT |
---|---|---|---|---|
MySQL Request | 10.10.10.13 | 3.3.3.3 | 2.2.2.2 | 3.3.3.3 |
MySQL Reply | 3.3.3.3 | 2.2.2.2 | 3.3.3.3 | 10.10.10.13 |
Figure 30. Outbound NAT/SNAT topology for accessing remote Database server
You may follow the next steps given below:
- Define an alias, such as RemoteCompany_DB. For more information about creating an alias, please refer to the How to Configure OPNsense Firewall article.
- To create a Virtual IP address for your second public IP address, navigate to Interfaces -> Virtual IPs -> Settings.
- Click the + icon to add a Virtual IP address.
Figure 31. Adding Virtual IP address in OPNsense
- Select IP Alias as Mode.
- Select WAN as Interface.
- Set Address to your second public IP address, which WebServer1 will use for accessing the database server, such as 2.2.2.2/32.
- Enter WAN VIP_2.2.2.2 in the Description field.
- Leave other options as default.
- Click Save.
Figure 32. Setting Virtual IP address configuration in OPNsense
- Click Apply Changes to activate the VIP settings.
Figure 33. Virtual IP address settings in OPNsense
- Navigate to Firewall -> NAT -> Outbound to define Outbound NAT.
- Select the Hybrid outbound NAT rule generation option.
- Click the Save button.
Figure 34. Setting Outbound NAT mode in OPNsense
- Click the + icon to add a manual Outbound NAT rule.
- Set Interface to WAN.
- Set TCP/IP Version to IPv4.
- Set Protocol to TCP.
- Set Source address to Single Host or Network.
- Enter the WebServer1 IP address, such as 10.10.10.13/32.
- Set Source Port to any.
Figure 35. Defining Outbound NAT rule in OPNsense -1
- Select Destination Address as RemoteCompany_DB.
- Select Destination Port as MySQL.
- Select 2.2.2.2 (WAN IP_2.2.2.2) for Translation / target.
- Enable Logging.
Figure 36. Defining Outbound NAT rule in OPNsense -2
- Enter Remote MySQL DB access in the Description field.
- Click Save.
- Click Apply Changes to activate the Outbound NAT rule.
Your Outbound NAT rules list should look something like this:
Figure 37. Manual Outbound NAT rules in OPNsense
When WebServer1 tries to connect to the remote database server, you should see in your firewall logs that it connects to the DB using the 2.2.2.2 IP address. To view the firewall logs, navigate to Firewall -> Log Files -> Live View. Your logs should look like this:
Figure 38. Firewall Live Log View in OPNsense
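The outbound NAT rule configured in this section written as plain pf rules, as an added illustration that is not part of the original article and not OPNsense's generated ruleset. The interface names em0 (WAN), em1 (LAN) and em2 (DMZ) are assumptions, and the filter rules at the end go beyond the article: they are the check a practitioner would add, because a nat rule alone rewrites addresses but does not restrict who may reach 3.3.3.3.

```pf
# Hand-written pf.conf equivalent of the Outbound NAT rule above (added example,
# not OPNsense output). Assumes WAN is em0, LAN is em1, the DMZ holding
# WebServer1 is em2, and 2.2.2.2 is already an IP Alias on em0 (Figure 32).
ext_if     = "em0"
lan_if     = "em1"
dmz_if     = "em2"
webserver1 = "10.10.10.13"
remote_db  = "3.3.3.3"        # the RemoteCompany_DB alias from the article
wan_vip    = "2.2.2.2"        # second public address (WAN VIP_2.2.2.2)

# Manual rule first: pf applies the first matching nat rule, which is why the
# GUI places manual rules ahead of the automatic ones in Hybrid mode.
# Source 10.10.10.13 -> 2.2.2.2 on the way out; pf's state table reverses the
# translation for the reply (3.3.3.3 -> 2.2.2.2 becomes 3.3.3.3 -> 10.10.10.13),
# matching the request/reply table earlier in this section.
nat on $ext_if inet proto tcp from $webserver1 to $remote_db port 3306 -> $wan_vip

# What Automatic/Hybrid mode generates for everything else: internal sources
# are rewritten to the primary WAN address.
nat on $ext_if inet from { $lan_if:network, $dmz_if:network } to any -> ($ext_if)

# Caveat: the nat rule only changes the source address. Without a filter rule,
# any other internal host can still reach 3.3.3.3 through the automatic rule
# (from the first public IP). These rules enforce "only WebServer1" on the
# firewall itself instead of relying on the remote company to allow 2.2.2.2 only.
block in quick on { $lan_if, $dmz_if } inet proto tcp from ! $webserver1 to $remote_db port 3306
pass  in quick on $dmz_if inet proto tcp from $webserver1 to $remote_db port 3306 flags S/SA keep state
```

To confirm the translation on the firewall, `pfctl -s nat` lists the loaded nat rules, and `pfctl -s states` shows the live connection to 3.3.3.3:3306 with the original 10.10.10.13 source in parentheses beside the translated 2.2.2.2 address.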