How To Configure OPNsense Network Address Translation?

Network address translation (NAT) is the process of mapping one Internet Protocol (IP) address to another by modifying the headers of IP packets while they are in transit across a router. With NAT, an entire network can be exposed to the outside world through a single IP address, which masks the internal network and increases security. NAT is widely used in remote-access scenarios because it conserves addresses while hiding internal hosts; a business therefore gains security while also reducing the number of public IP addresses it needs.

Network Address Translation (NAT) is a method of separating external and internal networks (WANs and LANs) and sharing an external IP address among clients on the internal network. NAT can be used on both IPv4 and IPv6 networks. Network Prefix Translation is also available for IPv6.

The majority of the options below make use of three distinct addresses: the source, destination, and redirect address. These addresses will be used for the following purposes:

Address | Description
--- | ---
Source | Where the traffic is coming from. This is frequently left on "any".
Destination | Where the traffic is going. This is typically your external IP address for incoming traffic from the outside world.
Redirect | Where the traffic should be rerouted to.

caution

Disabling pf disables NAT on OPNsense.

  • BINAT: NAT typically operates in only one direction. But, if your networks are of equal size, you can also use bidirectional BINAT. This can help to simplify your setup. You can only use regular NAT if your networks are not of equal size.
  • NAT reflection: When a user on the internal network attempts to connect to a local server by using the external IP address rather than the internal one, NAT reflection can rewrite the request to use the internal IP address, avoiding a detour and applying rules designed for actual outside traffic.
  • Pool Options: When there are multiple IPs to choose from, this option allows you to control which IP is used. The default, Round Robin, simply sends packets to one server after another. This option has no effect if you only have one external IP address.

OPNsense firewall provides the following types of NAT configurations:

  • Port Forwarding NAT (DNAT)
  • One-to-One NAT (1:1 NAT)
  • Outbound NAT (SNAT)

In this article, we will briefly cover all of these NAT configurations in OPNsense and give the following real-world examples:

  • Port forwarding configuration in OPNsense for a web server accessible from the Internet.
  • Port forwarding configuration in OPNsense for SSH and RDP servers accessible by a specific IP.
  • Outbound NAT configuration in OPNsense for allowing specific local servers to access a remote service.

Port forwarding in OPNsense#

By default, any connection from the Internet to the internal network is blocked by the OPNsense firewall. You may use the OPNsense port forwarding feature to allow certain services (ports) to be reached from the external network.

Port forwarding is also known as "Destination NAT" or "DNAT". When multiple servers in a LAN share the same external IP address, any connection that is not initiated by one of the servers will fail, because the firewall does not know where to send the traffic. This can be remedied by establishing port forwarding rules. For example, to make your organization's web server behind the firewall accessible from the Internet, you must redirect the HTTP(S) ports (80/443) to the server.

To configure port forwarding in OPNsense, navigate to Firewall -> NAT -> Port Forward. An overview of the existing port forwarding rules is shown on this page (Figure 1).

Figure 1. Port forwarding configuration in OPNsense

To add new port forwarding rules, you may click the + button in the upper right corner.

The following fields are available when adding a port forwarding rule:

Option | Description
--- | ---
Disabled | Check this option to disable the rule without removing it.
No RDR (NOT) | Enabling this option prevents traffic matching this rule from being redirected, and no redirect rule is created. Hint: this option is rarely used; don't use it unless you're sure you know what you're doing.
Interface | Which interface the rule should apply to. The majority of the time, this will be WAN.
TCP/IP version | IPv4, IPv6 or both.
Protocol | In typical scenarios, this will be TCP.
Source | Where the traffic comes from. Click Advanced to see the other source settings.
Source / Invert | Invert match in Source field.
Source port range | When applicable, the source port on which we should match. This is almost always random and almost never equals the destination port range (and should almost always be 'any').
Destination / Invert | Invert match in Destination field.
Destination | Where the traffic is going.
Destination port range | Service port(s) the traffic is using. For this mapping, specify the port or port range for the packet's destination when using the TCP or UDP protocols.
Redirect target IP | Where to redirect the traffic to. Enter the internal IP address of the server to which the ports will be mapped.
Redirect target port | Which port to use (when using TCP and/or UDP). Enter the port number for the machine with the IP address you entered above. In the case of a port range, specify the range's starting port (the end port will be calculated automatically).
Pool Options | This option is explained in the previous section. The default is Round Robin. Only Round Robin types are compatible with Host Aliases. Subnets of any type can be used. Round Robin: iterates over the translation addresses. Random: chooses an address at random from the translation address pool. Source Hash: determines the translation address by hashing the source address, ensuring that the redirection address is always the same for a given source. Bitmask: uses the subnet mask while keeping the last portion the same; 172.16.10.50 -> x.x.x.50. Sticky Address: when using the Random or Round Robin pool types, the Sticky Address option ensures that a specific source address is always mapped to the same translation address.
Description | A description to easily find the rule in the overview.
Set local tag | You can mark a packet matching this rule and use this mark to match on other NAT/filter rules.
Match local tag | Check for a tag set by another rule.
No XMLRPC sync | Prevent this rule from being synced to a backup host. (Checking this on the backup host has no effect.)
NAT reflection | This option is explained in the previous section. Leave this on the default unless you have a good reason not to.
Filter rule association | Associate this with a regular firewall rule.

One-to-one NAT#

One-to-one NAT, as the name suggests, will translate two IP addresses one-to-one rather than one-to-many, as is more common.

To configure One-to-One NAT in OPNsense, navigate to Firewall -> NAT -> One-to-One. An overview of the existing 1:1 NAT rules is shown on this page (Figure 2).

Figure 2. One-to-One NAT configuration in OPNsense

To add new One-to-One NAT rules, you may click the + button in the upper right corner.

The following fields are available when adding a 1:1 mapping rule:

Option | Description
--- | ---
Disabled | Check this option to disable the rule without removing it.
Interface | Which interface the rule should apply to. The majority of the time, this will be WAN.
Type | BINAT (default) or NAT.
External network | Enter the starting address of the external subnet for the 1:1 mapping or network. If no subnet mask is provided, the subnet mask from the internal address below will be applied to this IP address. This is the address or network to/from which traffic will be translated.
Protocol | In typical scenarios, this will be TCP.
Source | Enter the internal subnet for the 1:1 mapping. The subnet size specified for the source will be applied to the external subnet when none is provided.
Source / Invert | Invert match in Source field.
Destination / Invert | Invert match in Destination field.
Destination | The destination network that packets should match. When used to map external networks, this is usually any.
Description | A description to easily find the rule in the overview.
NAT reflection | This option is explained in the previous section. Leave this on the default unless you have a good reason not to.

Outbound NAT#

Outbound NAT is also known as Source NAT or SNAT. When a client on an internal network sends an outbound request, the gateway must change the source IP to the gateway's external IP, because the outside server will be unable to respond otherwise.

If you only have one external IP address, you should leave the Outbound NAT options set to automatic. If you have multiple IP addresses, however, you may want to change the settings and add some custom rules.

To configure Outbound NAT in OPNsense, navigate to Firewall -> NAT -> Outbound. An overview of the existing outbound rules is shown on this page (Figure 3).

Figure 3. Outbound NAT configuration in OPNsense

The following modes are available for outbound NAT configuration in OPNsense:

Outbound NAT Mode | Description
--- | ---
Automatic outbound NAT rule generation | The default; good for most cases.
Manual outbound NAT rule generation | No automatic rules are generated. Outbound NAT rules are created manually.
Hybrid outbound NAT rule generation | Automatic rules are added, but manual rules can also be added.
Disable outbound NAT rule generation | Disables outbound NAT. This is used for transparent bridges, for example.

To add new Outbound NAT rules, select either the Manual outbound NAT rule generation or the Hybrid outbound NAT rule generation option and then click the Save button.

New rules can be added by clicking the + button in the upper right corner.

The following fields are available when adding an outbound rule:

Option | Description
--- | ---
Disabled | Check this option to disable the rule without removing it.
Do not NAT | Enabling this option will disable NAT for traffic matching this rule and stop processing Outbound NAT rules. Hint: this option is rarely used; don't use it unless you're sure you know what you're doing.
Interface | Which interface the rule should apply to. The majority of the time, this will be WAN.
TCP/IP version | IPv4 or IPv6.
Protocol | In typical scenarios, this will be TCP.
Source | The source network to match.
Source / Invert | Invert match in Source field.
Source port range | When applicable, the source port on which we should match. This is almost always random and almost never equals the destination port range (and should almost always be 'any').
Destination / Invert | Invert match in Destination field.
Destination | Enter the destination network for the outbound NAT mapping.
Destination port range | Service port the traffic is using.
Translation / target | Packets matching this rule will be mapped to the IP address given here. If you want this rule to apply to another IP address rather than the IP address of the interface chosen above, select it here (you will need to define Virtual IP addresses on the interface first).
Log | Put packets matching this rule in the logs. Use this sparingly to avoid overflowing the logs.
Pool Options | This option is explained in the previous section. The default is Round Robin. Only Round Robin types are compatible with Host Aliases. Subnets of any type can be used. Round Robin: iterates over the translation addresses. Random: chooses an address at random from the translation address pool. Source Hash: determines the translation address by hashing the source address, ensuring that the redirection address is always the same for a given source. Bitmask: uses the subnet mask while keeping the last portion the same; 172.16.10.50 -> x.x.x.50. Sticky Address: when using the Random or Round Robin pool types, the Sticky Address option ensures that a specific source address is always mapped to the same translation address.
Translation / port | Which port to use on the target.
Static-port | Prevents pf(4) from modifying the source port on TCP and UDP packets.
Set local tag | Set a tag that other NAT rules and filters can check for.
Match local tag | Check for a tag set by another rule.
No XMLRPC sync | Prevent this rule from being synced to a backup host. (Checking this on the backup host has no effect.)
Description | A description to easily find the rule in the overview.

Real-World Examples for NAT Configurations in OPNsense#

How to Configure Port Forwarding For Web Services#

Businesses that provide a service to their customers via the Internet must make their applications or web servers accessible from the Internet. Assume your company has two separate web servers in the DMZ network and one public IP address. Both the HTTP and HTTPS ports on these web servers should be accessible from anywhere in the world using the same public IP address. To accomplish this, you may define port forwarding rules in your OPNsense. You may configure your rules so that requests arriving on ports 80 and 443 are redirected to the first web server, while the second web server is reachable via ports 81 and 8443. For this configuration, you may follow the steps below.

Server Name | External IP | External Port | Local IP | Local Port
--- | --- | --- | --- | ---
WebServer1 | Public Internet IP | 80 | 10.10.10.13 | 80
WebServer1 | Public Internet IP | 443 | 10.10.10.13 | 443
WebServer2 | Public Internet IP | 81 | 10.10.10.14 | 80
WebServer2 | Public Internet IP | 8443 | 10.10.10.14 | 443

Figure 4. Port Forwarding topology for web services

After completing the port forwarding configuration on your OPNsense firewall, HTTP (80) and HTTPS (443) requests for your WAN IP will be redirected to WebServer1 (10.10.10.13), while port 81 and port 8443 requests for your WAN IP will be redirected to WebServer2 (10.10.10.14).

Port Forwarding For HTTPS(443) Service of WebServer1#

You may follow the instructions below to add a port forwarding rule for the HTTPS service of WebServer1.

  1. Navigate to Firewall -> NAT -> Port Forward in your OPNsense Web UI.
  2. Click the + button in the upper right corner. This will open the port forwarding configuration window.

Figure 5. Port forwarding rule configuration for HTTPS in OPNsense-1

  1. Set the Interface to WAN.
  2. Set the TCP/IP Version to IPv4.
  3. Set the Protocol to TCP.
  4. Set the Destination to WAN Address.
  5. Set the Destination Port Range to HTTPS.
  6. Select Single Host or Network from the Redirect Target IP dropdown menu. Then, set the field to the private IP address of WebServer1, such as 10.10.10.13.
  7. Set the Redirect Target Port to HTTPS.

Figure 6. Port forwarding rule configuration for HTTPS in OPNsense-2

  1. You may enable logging by checking the box in the Log option.
  2. Fill in the Description field, such as Allow HTTPS access to Webserver_10.10.10.13.
  3. Select Add associated filter rule from the Filter rule association option.
  4. Leave other options as default.
  5. Click the Save button at the bottom of the page.

Figure 7. Port forwarding rule configuration for HTTPS in OPNsense-3

Port Forwarding For HTTP(80) Service of WebServer1#

To create a port forwarding rule for the HTTP (80) service of WebServer1, you may clone the port forwarding rule for the HTTPS (443) service created above and change the related settings by following the steps given below.

Figure 8. Port forwarding rules list in OPNsense

  • Click the clone icon to copy the port forwarding rule for the HTTPS (443) service created above.
  • Change the Destination Port Range option to HTTP.

Figure 9. Port forwarding rule configuration for HTTP in OPNsense-1

  • Set the Redirect Target Port to HTTP.
  • Change the Description field to Allow HTTP access to Webserver_10.10.10.13.
  • Verify that the Filter rule association option is set to Add associated filter rule.
  • Leave other options as they are.
  • Click the Save button at the bottom of the page.

Figure 10. Port forwarding rule configuration for HTTP in OPNsense-2

Port Forwarding For HTTP Service of WebServer2 on Custom External Port (81)#

To create a port forwarding rule for the HTTP service of WebServer2 on a custom external port (81), you may clone the port forwarding rule for the HTTP (80) service created above and change the related settings by following the steps given below.

Figure 11. Port forwarding rules list in OPNsense

  • Click the clone icon to copy the port forwarding rule for the HTTP (80) service created above.
  • Change the Destination Port Range option to other and enter 81 in the related field.

Figure 12. Port forwarding rule configuration for HTTP(81) in OPNsense-1

  • Set the Redirect Target IP to 10.10.10.14.
  • Set the Redirect Target Port to HTTP.
  • Change the Description field to Allow HTTP access to Webserver_10.10.10.14.
  • Verify that the Filter rule association option is set to Add associated filter rule.
  • Leave other options as they are.
  • Click the Save button at the bottom of the page.

Figure 13. Port forwarding rule configuration for HTTP(81) in OPNsense-2

Port Forwarding For HTTPS Service of WebServer2 on Custom External Port (8443)#

To create a port forwarding rule for the HTTPS service of WebServer2 on a custom external port (8443), you may clone the port forwarding rule for the HTTP (81) service created above and change the related settings by following the steps given below.

Figure 14. Port forwarding rules list in OPNsense

  • Click the clone icon to copy the port forwarding rule for the HTTP (81) service created above.
  • Change the Destination Port Range option to 8443.

Figure 15. Port forwarding rule configuration for HTTP(8443) in OPNsense-1

  • Set the Redirect Target Port to HTTPS.
  • Change the Description field to Allow HTTPS access to Webserver_10.10.10.14.
  • Verify that the Filter rule association option is set to Add associated filter rule.
  • Leave other options as they are.
  • Click the Save button at the bottom of the page.

Figure 16. Port forwarding rule configuration for HTTP(8443) in OPNsense-2

Now, you have completed the port forwarding configurations of both web servers. Your port forwarding rules list should look like this.

Figure 17. Port forwarding rules list for web servers in OPNsense

  • Click Apply Changes at the upper right of the page to activate the settings.

info

Since we have selected the Add associated filter rule option, the related firewall rules are created on the WAN interface automatically. To view the automatically added associated rules, navigate to Firewall -> Rules -> WAN. The firewall rules list on the WAN interface should look like this:

Figure 18. WAN firewall rules for web server port forwarding in OPNsense

tip

Although internal users should access the web servers by connecting to the servers' private (local) IP addresses, they may try to connect to a local server by using the public IP address. To allow local users to reach the public IP addresses of these servers, you must enable NAT reflection. First, enable it globally by checking the Reflection for port forwards option on the Firewall -> Settings -> Advanced page.

Figure 19. Enabling Reflection for port forwards

Then, you should select the interface where the local users are, such as LAN, as well as the WAN interface during the port forwarding rule configuration.

Figure 20. NAT reflection

Also, be sure that NAT reflection is enabled in the port forwarding rule configuration.

Figure 21. NAT reflection is enabled in port forwarding rule

How to Configure Port Forwarding For SSH and RDP Services on Custom Ports#

Assume that a web administrator needs remote (SSH and RDP) access to the web servers from home, and that the home connection has a static public IP address. Since management services such as SSH and RDP are critical and pose a high security risk, it is recommended that they not be reachable from the entire Internet. Therefore, you will create port forwarding rules that allow only the web administrator's IP address to connect to the web servers. Also, because the default ports are already in use for accessing other servers, you must expose the SSH and RDP services on custom external ports.

Server Name | External IP | External Port | Local IP | Local Port | Client IP
--- | --- | --- | --- | --- | ---
WebServer1 | Public Internet IP | 2222 | 10.10.10.13 | 22 | 1.1.1.1
WebServer2 | Public Internet IP | 5555 | 10.10.10.14 | 3389 | 1.1.1.1

Figure 22. Port Forwarding topology for SSH and RDP services

After completing the port forwarding configuration in your OPNsense firewall, port 2222 requests from the web administrator's IP address (1.1.1.1) to your WAN IP will be redirected to WebServer1 (10.10.10.13), while port 5555 requests from the same address to your WAN IP will be redirected to WebServer2 (10.10.10.14).

Port Forwarding For SSH Service of WebServer1 on Custom External Port (2222)#

To create a port forwarding rule for the SSH service of WebServer1 on a custom external port (2222), you may clone the port forwarding rule for the HTTP (80) service created above and change the related settings by following the steps given below.

  • Click the clone icon to copy the port forwarding rule for the HTTP (80) service created above.
  • Click the Advanced button in the Source option. This will display the details of the Source option.
  • Select Single Host or Network from the Source dropdown menu.
  • Enter the Web Administrator's static public IP address, such as 1.1.1.1/32.
  • Leave Source Port Range as any.

Figure 23. Port forwarding rule configuration for SSH(2222) in OPNsense-1

  • Change the Destination Port Range option to 2222.
  • Set the Redirect Target Port to SSH.
  • Change the Description field to Allow SSH access to Webserver_10.10.10.13.

Figure 24. Port forwarding rule configuration for SSH(2222) in OPNsense-2

  • Verify that the Filter rule association option is set to Add associated filter rule.
  • Leave other options as they are.
  • Click the Save button at the bottom of the page.

Figure 25. Port forwarding rule configuration for SSH(2222) in OPNsense-3

Port Forwarding For RDP Service of WebServer2 on Custom External Port (5555)#

To create a port forwarding rule for the RDP service of WebServer2 on a custom external port (5555), you may clone the port forwarding rule for the SSH (2222) service created above and change the related settings by following the steps given below.

  • Click the clone icon to copy the port forwarding rule for the SSH (2222) service created above in the port forward rules list.
  • Change the Destination Port Range option to 5555.
  • Set the Redirect Target IP to WebServer2 local IP address, such as 10.10.10.14.
  • Set the Redirect Target Port to MS RDP.
  • Change the Description field to Allow RDP access to Webserver_10.10.10.14.

Figure 26. Port forwarding rule configuration for MS-RDP(5555) in OPNsense-1

  • Verify that the Filter rule association option is set to Add associated filter rule.
  • Leave other options as they are.
  • Click the Save button at the bottom of the page.

Figure 27. Port forwarding rule configuration for SSH(2222) in OPNsense-3

Now, you have completed the port forwarding rule configurations of both management services. Your port forwarding rules list should look like this.

Figure 28. Port forwarding rules list for web servers in OPNsense

  • Click Apply Changes at the upper right of the page to activate the settings.

info

Since we have selected the Add associated filter rule option, the related firewall rules are created on the WAN interface automatically. To view the automatically added associated rules, navigate to Firewall -> Rules -> WAN. The firewall rules list on the WAN interface should look like this:

Figure 29. WAN firewall rules for SSH and RDP access in OPNsense

Outbound NAT For Accessing a Remote Service Via Specific External IP Address#

Assume that one of your application servers (WebServer1, with the IP address 10.10.10.13) needs to connect to a MySQL database on another company's network via the Internet. However, in accordance with the agreements between your company and the other company, you must ensure that the remote MySQL DB server (public IP address: 3.3.3.3) is only accessible by WebServer1 and that no other devices in your LAN can access the remote DB.

To accomplish this, you first need a second public IP address, which will be used to provide WebServer1 with access to the remote MySQL database, because your first public IP address is already used for Internet access by the local users and servers. We will use 2.2.2.2 as our second IP address, and WebServer1 will connect to the remote MySQL database with this external IP address.

Packet Type | Source IP Before NAT | Destination IP Before NAT | Source IP After NAT | Destination IP After NAT
--- | --- | --- | --- | ---
MySQL Request | 10.10.10.13 | 3.3.3.3 | 2.2.2.2 | 3.3.3.3
MySQL Reply | 3.3.3.3 | 2.2.2.2 | 3.3.3.3 | 10.10.10.13
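The following is an added example, not part of the original article: a small Python model of the translations configured in the port forwarding examples above and in this outbound NAT example. The rules, servers and ports come from the article's tables; the WAN address is a placeholder, and the state table is a simplification of what pf keeps (source ports are left unchanged and states never expire).

```python
# Added example (not from the original article): a model of the NAT the article configures.
# Addresses, ports and rules come from its tables; WAN_IP is a placeholder and the state
# table simplifies pf (source ports are left unchanged, states never expire).
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

WAN_IP = "198.51.100.1"  # placeholder for the article's "Public Internet IP"
VIP = "2.2.2.2"          # second public IP, defined as a Virtual IP on WAN

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

@dataclass(frozen=True)
class PortForward:  # Firewall -> NAT -> Port Forward rule on WAN (DNAT)
    ext_port: int
    target: str
    target_port: int
    allowed_src: Optional[str] = None  # None means Source = any

@dataclass(frozen=True)
class OutboundRule:  # manual Firewall -> NAT -> Outbound rule (SNAT)
    src: str
    dst: str
    dport: int
    translate_to: str

# Port forwards from the web server and SSH/RDP examples.
PORT_FORWARDS: List[PortForward] = [
    PortForward(80, "10.10.10.13", 80),
    PortForward(443, "10.10.10.13", 443),
    PortForward(81, "10.10.10.14", 80),
    PortForward(8443, "10.10.10.14", 443),
    PortForward(2222, "10.10.10.13", 22, allowed_src="1.1.1.1"),
    PortForward(5555, "10.10.10.14", 3389, allowed_src="1.1.1.1"),
]
# Manual outbound rule: WebServer1 -> remote MySQL leaves via the VIP.
OUTBOUND_RULES: List[OutboundRule] = [OutboundRule("10.10.10.13", "3.3.3.3", 3306, VIP)]

class Nat:
    def __init__(self) -> None:
        # Keyed by the 5-tuple the reply will carry; value is the original packet.
        self.state: Dict[Tuple[str, str, int, str, int], Packet] = {}

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Packet arriving on WAN: the rewritten packet, or None if it is dropped."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.state:  # reply to a connection translated outbound
            orig = self.state[key]
            return replace(pkt, dst=orig.src, dport=orig.sport)
        if pkt.proto != "tcp" or pkt.dst != WAN_IP:
            return None
        for rule in PORT_FORWARDS:
            if rule.ext_port != pkt.dport:
                continue
            if rule.allowed_src is not None and rule.allowed_src != pkt.src:
                continue  # source restricted to the admin's address: no match
            return replace(pkt, dst=rule.target, dport=rule.target_port)
        return None  # nothing matched: WAN default deny

    def outbound(self, pkt: Packet) -> Packet:
        """Packet leaving via WAN: manual rules first, then the automatic rule."""
        new_src = WAN_IP  # automatic outbound NAT uses the interface address
        for rule in OUTBOUND_RULES:
            if (rule.src, rule.dst, rule.dport) == (pkt.src, pkt.dst, pkt.dport):
                new_src = rule.translate_to
                break
        out = replace(pkt, src=new_src)
        # Remember how to reverse the translation when the reply arrives.
        self.state[(pkt.proto, pkt.dst, pkt.dport, out.src, out.sport)] = pkt
        return out

if __name__ == "__main__":
    nat = Nat()
    print(nat.inbound(Packet("tcp", "203.0.113.7", 51000, WAN_IP, 8443)))
    print(nat.inbound(Packet("tcp", "203.0.113.7", 51001, WAN_IP, 2222)))  # None
    req = nat.outbound(Packet("tcp", "10.10.10.13", 40000, "3.3.3.3", 3306))
    print(req, nat.inbound(Packet("tcp", "3.3.3.3", 3306, VIP, 40000)))
```

Running the block shows that a host other than WebServer1 reaching 3.3.3.3 still leaves through the interface address, which is why the remote side, accepting only 2.2.2.2, never sees it.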

Figure 30. Outbound NAT/SNAT topology for accessing remote Database server

You may follow the next steps given below:

  1. Define an alias, such as RemoteCompany_DB. For more information about creating an alias, please refer to the How to Configure OPNsense Firewall article.
  2. To create a Virtual IP address for your second public IP address, navigate to Interfaces -> Virtual IPs -> Settings.
  3. Click the + icon to add a Virtual IP address.

Figure 31. Adding Virtual IP address in OPNsense

  1. Select IP Alias as Mode.
  2. Select WAN as Interface.
  3. Set Address to your second public IP address, which WebServer1 will use to access the database server, such as 2.2.2.2/32.
  4. Enter WAN VIP_2.2.2.2 in the Description field.
  5. Leave other options as default.
  6. Click Save.

Figure 32. Setting Virtual IP address configuration in OPNsense

  1. Click Apply Changes to activate the VIPs settings.

Figure 33. Virtual IP address settings in OPNsense

  1. Navigate to Firewall -> NAT -> Outbound to define the Outbound NAT rule.
  2. Select the Hybrid outbound NAT rule generation option.
  3. Click the Save button.

Figure 34. Setting Outbound NAT mode in OPNsense

  1. Click the + icon to add a manual Outbound NAT rule.
  2. Set Interface to WAN.
  3. Set TCP/IP Version to IPv4.
  4. Set Protocol to TCP.
  5. Set Source address to Single Host or Network.
  6. Enter the WebServer1 IP address, such as 10.10.10.13/32.
  7. Set Source Port to any.

Figure 35. Defining Outbound NAT rule in OPNsense -1

  1. Select Destination Address as RemoteCompany_DB.
  2. Select Destination Port as MySQL.
  3. Select 2.2.2.2 (WAN IP_2.2.2.2) for Translation / target.
  4. Enable Logging.

Figure 36. Defining Outbound NAT rule in OPNsense -2

  1. Enter Remote MySQL DB access in the Description field.
  2. Click Save.
  3. Click Apply Changes to activate the Outbound NAT rule.

Your Outbound NAT rules list should look something like this:

Figure 37. Manual Outbound NAT rules in OPNsense

When WebServer1 connects to the remote database server, your firewall logs should show that it reaches the DB using the 2.2.2.2 IP address. To view the firewall logs, navigate to Firewall -> Log Files -> Live View. Your logs should look like this:

Figure 38. Firewall Live Log View in OPNsense