📙 OPNSense

OPNSense

  • OPNsense is an open-source, FreeBSD-based firewall and routing platform developed by Deciso, a company based in the Netherlands that also manufactures hardware and sells support packages for the software. It was launched in January 2015 as a fork of pfSense, which itself originated from m0n0wall, a FreeBSD-based firewall project.

  • OPNsense is designed for x86-64 hardware and features a user-friendly web-based interface, making it accessible for managing network security and routing tasks.

Source NAT

To create an outbound NAT rule for a LAN interface in OPNsense, follow these steps:

  • Navigate to Firewall > NAT > Outbound.

  • Select Hybrid outbound NAT rule generation and save the setting. This allows you to combine automatic IP-masquerading rules with manual outbound NAT rules.

  • Click the + icon to add a new outbound NAT rule.

  • Set the Interface to the LAN interface.

  • Set the TCP/IP Version to IPv4 (or IPv6 if applicable).

  • Set the Protocol to TCP or UDP, depending on your needs.

  • In the Source Address field, specify the LAN subnet (e.g., 192.168.1.0/24) or a specific host (e.g., 192.168.1.100) that should be subject to this rule.

  • In the Translation/target field, enter the external IP address (e.g., a virtual IP or public IP) that should be used as the source IP for outbound traffic from the LAN client.

  • Enter a short, meaningful text in the Description field so the rule's purpose is clear later.

  • Click Save and then Apply Changes to activate the rule.

This configuration ensures that traffic originating from the LAN interface is rewritten with the specified external IP address when it leaves the network, which is essential for services that require a specific source IP, such as port forwarding with a dedicated public IP. If you are using a virtual IP (VIP) for the external address, ensure it is already configured under Interfaces > Virtual IPs.

For scenarios where internal clients need to access a server using its public IP (NAT reflection or hairpin NAT), ensure that Reflection for port forwards is enabled in Firewall > Settings > Advanced, and create a corresponding outbound NAT rule to handle the return traffic.
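The rule saved in the GUI ends up as a pf `nat on <interface>` line on the firewall, and pf applies the first NAT rule that matches a packet. The following Python is an added example, not code from this page or from the OPNsense project: it parses constructed sample text in the style of `pfctl -s nat` output and reports which translation address a given LAN source would actually receive, and whether a rule is shadowed by an earlier, broader one. The interface names (em0, em1), the 192.168.1.0/24 subnet and the 203.0.113.x addresses are placeholders chosen for illustration.

```python
"""Check which outbound (source) NAT translation pf would actually apply.

Added example, not code from this page or from the OPNsense project.
The sample text is constructed in the style of `pfctl -s nat` output;
interface names (em0, em1) and 203.0.113.x addresses are placeholders.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, modelled on `pfctl -s nat` output on the firewall.
SAMPLE_PFCTL_NAT = """\
no nat proto carp all
nat on em0 inet from 192.168.1.0/24 to any -> 203.0.113.10 port 1024:65535
nat on em1 inet proto tcp from 192.168.1.100 to any -> 203.0.113.20
nat on em1 inet from 192.168.1.0/24 to any -> 203.0.113.30
"""

# Captures interface, address family, optional protocol, source, destination
# and translation target; trailing options (port ranges, static-port) are ignored.
NAT_RE = re.compile(
    r"^nat on (?P<iface>\S+) (?P<af>inet6?)"
    r"(?: proto (?P<proto>\S+))?"
    r" from (?P<src>\S+) to (?P<dst>\S+)"
    r" -> (?P<target>\S+)"
)


@dataclass(frozen=True)
class NatRule:
    iface: str
    af: str
    proto: Optional[str]   # None means the rule applies to every protocol
    src: str
    dst: str
    target: str


def parse_pf_nat(text: str) -> List[NatRule]:
    """Parse `nat on ...` lines in order; `no nat` exclusions are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("no nat"):
            continue
        m = NAT_RE.match(line)
        if m:
            rules.append(NatRule(m["iface"], m["af"], m["proto"],
                                 m["src"], m["dst"], m["target"]))
    return rules


def covers(rule_src: str, wanted: str) -> bool:
    """True if the rule's source (host, subnet or 'any') contains `wanted`."""
    if rule_src == "any":
        return True
    try:
        rule_net = ipaddress.ip_network(rule_src, strict=False)
        want_net = ipaddress.ip_network(wanted, strict=False)
    except ValueError:
        return False   # tables (<alias>) or negations are not resolved here
    return want_net.version == rule_net.version and want_net.subnet_of(rule_net)


def _proto_matches(rule: NatRule, proto: Optional[str]) -> bool:
    # A rule without a protocol matches everything; a protocol-specific rule
    # only matches that protocol (and not an unspecified "any protocol" query).
    return rule.proto is None or rule.proto == proto


def effective_target(rules: List[NatRule], iface: str, source: str,
                     proto: Optional[str] = None) -> Optional[str]:
    """Translation address `source` gets on `iface`: pf takes the FIRST match."""
    for r in rules:
        if r.iface == iface and _proto_matches(r, proto) and covers(r.src, source):
            return r.target.split("/")[0]
    return None


def shadowed_by(rules: List[NatRule], rule: NatRule) -> Optional[NatRule]:
    """Earlier rule on the same interface that already matches everything
    `rule` matches, so `rule` can never fire."""
    for earlier in rules:
        if earlier is rule:
            return None
        if (earlier.iface == rule.iface
                and (earlier.proto is None or earlier.proto == rule.proto)
                and covers(earlier.src, rule.src)):
            return earlier
    return None


if __name__ == "__main__":
    rules = parse_pf_nat(SAMPLE_PFCTL_NAT)
    for r in rules:
        print(r, "shadowed by:", shadowed_by(rules, r))
    print("192.168.1.100 tcp on em1 ->", effective_target(rules, "em1", "192.168.1.100", "tcp"))
    print("192.168.1.100 udp on em1 ->", effective_target(rules, "em1", "192.168.1.100", "udp"))
```

On a real firewall, feed the output of `pfctl -s nat` into `parse_pf_nat` and query the LAN host or subnet you configured; if `effective_target` does not return the address you entered in Translation/target, or `shadowed_by` reports an earlier rule, the new rule is ordered below a broader one and will never be used.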

```shell
# Linux (iproute2): add a static route for 172.16.0.0/24 via the next hop 192.168.94.1
sudo ip r add 172.16.0.0/24 via 192.168.94.1
```