Set up NAT Port Forwarding with Outbound NAT in OPNsense
How to set up NAT port forwarding with outbound NAT in OPNsense, including an outbound NAT example using a Virtual WAN IP.
What is Outbound NAT?
Outbound NAT changes the source IP address of packets, which allows replies to outbound traffic to come back to the same source IP address. Outbound NAT is also known as Source NAT or SNAT.
When do you need to use Outbound NAT?
If you have multiple WAN IPs you will most likely want to configure outbound NAT. This will allow you to have some servers/services using their own dedicated WAN IPs.
Outbound NAT is used with inbound NAT port forwarding so any inbound traffic to a LAN server IP address will also go outbound on the same external WAN IP address.
You can read more about the different NAT options in the OPNsense docs:
Network Address Translation
https://docs.opnsense.org/manual/nat.html
Outbound NAT example
In this example I'm configuring a NAT port forward rule to allow external Internet access to a server on my LAN for HTTP port 80 and HTTPS port 443. I have multiple external IPs and this server is using its own virtual WAN IP so I will also need to configure outbound NAT to allow traffic back to the same source WAN IP.
e.g. Any inbound traffic to the web server on LAN IP .25 will go outbound on the WAN IP of .235
Create Virtual WAN IP
I need to create a Virtual IP for each of my external WAN IP addresses. For the address I'm using the external IP address range and subnet mask that has been allocated to me by my Internet provider.
Interfaces - Virtual IPs - Settings - Add
Mode IP Alias
Interface WAN
Type Single Address
Address - enter the WAN IP address and subnet mask
Give the virtual IP a description that identifies what it's being used for
Leave the other settings as the defaults
Create Firewall NAT Port Forward Rule
Firewall - NAT - Port Forward - Add
Interface WAN
TCP/IP Version IPv4
Protocol TCP
Destination - Virtual WAN IP
Destination Port range HTTP
Redirect target IP - Single host or network, LAN IP address of server
Redirect target port HTTP
Give the port forwarding rule a description
Leave the other settings as the defaults
Repeat the above steps to also create a NAT port forwarding rule for HTTPS port 443
Configure Outbound NAT
Firewall - NAT - Outbound
Select Hybrid outbound NAT rule generation - Save
Then add a new Outbound NAT rule
Interface WAN
TCP/IP Version IPv4
Protocol TCP
Source address - Single host or network, LAN IP address of server
Translation/target - Virtual WAN IP address
Give the outbound NAT rule a description
Leave the other settings as the defaults
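The rules configured above, modelled as first-match tables to show which WAN address each kind of traffic ends up on. This is an added example, not code from the original page or from OPNsense. The full addresses, the primary WAN IP and the LAN subnet are constructed assumptions, and the model assumes that in hybrid mode manual outbound rules are matched before the automatic ones.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addresses: the page only gives the last octets (.25 and .235).
WAN_IP = "203.0.113.234"    # primary WAN address (assumed)
WAN_VIP = "203.0.113.235"   # virtual WAN IP (IP Alias) dedicated to the server
SERVER = "192.168.1.25"     # LAN web server
LAN_NET = "192.168.1.0/24"  # LAN subnet (assumed)

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int

# Port forwards: (protocol, destination, port, redirect target)
PORT_FORWARDS = [("tcp", WAN_VIP, 80, SERVER), ("tcp", WAN_VIP, 443, SERVER)]
# Hybrid mode: the manual rule is checked first, then the automatic LAN rule.
MANUAL_OUTBOUND = [("tcp", SERVER + "/32", WAN_VIP)]
AUTO_OUTBOUND = [("any", LAN_NET, WAN_IP)]

def inbound(pkt):
    """Apply the port forwards to a packet arriving on WAN; None if no rule matches."""
    for proto, dst, dport, target in PORT_FORWARDS:
        if (pkt.proto, pkt.dst, pkt.dport) == (proto, dst, dport):
            return Packet(pkt.proto, pkt.src, target, pkt.dport)
    return None

def outbound(pkt):
    """Translate the source of a connection initiated from the LAN (first match wins)."""
    for proto, net, translated in MANUAL_OUTBOUND + AUTO_OUTBOUND:
        if proto in ("any", pkt.proto) and ip_address(pkt.src) in ip_network(net):
            return Packet(pkt.proto, translated, pkt.dst, pkt.dport)
    return pkt

if __name__ == "__main__":
    client = "198.51.100.7"  # constructed Internet host
    print(inbound(Packet("tcp", client, WAN_VIP, 443)))    # forwarded to the server
    print(inbound(Packet("tcp", client, WAN_IP, 443)))     # None: no forward on primary IP
    print(outbound(Packet("tcp", SERVER, client, 443)))    # leaves from the virtual IP
    print(outbound(Packet("udp", SERVER, client, 53)))     # UDP misses the TCP-only rule
    print(outbound(Packet("tcp", "192.168.1.50", client, 443)))  # other hosts: primary IP
```

With the outbound rule set to Protocol TCP as above, the server's UDP traffic (such as DNS lookups) still leaves from the primary WAN address.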