Learn to create a NAT firewall rule to route WAN SSH traffic to a specific LAN IP address with OPNsense.
So you’ve gotten OPNsense installed as your firewall appliance in your data center. Now what? With the platform up and running, the next step is to start creating firewall rules to keep your network and systems protected. How do you do this? Because OPNsense offers a web-based GUI, the task is actually fairly simple.
I’ll walk you through the creation of a single firewall rule with the help of the OPNsense GUI. To demonstrate this tool, I’ll show you how to allow SSH traffic from the WAN to a specific IP address on your network. Let’s make this happen.
What you need
The only things you need are a working instance of OPNsense, an administrator account to log in with, and a destination IP address to route traffic to. (See: How to install the OPNsense Firewall/Router distribution.)
Create the rule
Once you log into OPNsense with the root account, click on Firewall (in the left navigation). From that expanded menu, click NAT (Network Address Translation), which will reveal Port Forward (Figure A).
Click Port Forward, which will open the rules of this type (Figure B).
To add a new NAT rule, click Add in the top right corner. In the resulting window (Figure C), you configure the rule.
Here are the options to use for the new Network Address Translation rule:
- Interface: WAN
- TCP/IP Version: IPv4
- Protocol: TCP
- Source: Any
- Source port range: Any
- Destination: LAN net
- Destination port range: Any (for both from and to fields)
- Redirect target IP: Single host or Network (which will then require you to enter the IP address you want to route SSH traffic to)
- Redirect target port: SSH
- Description: SSH from WAN to X (where X is the destination IP address).
- Set local tag (Optional): SSH_NAT
- Filter rule association: None
Once you fill out that information, click Save at the bottom of the page and then click Apply changes (so your rule will take effect). After clicking Apply changes, your rule should now be working, and SSH traffic from the WAN will be directed to the redirect target IP address you set.
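To review what rules like this one expose, here is an added example (not part of the original article and not OPNsense project code) that audits a configuration backup for enabled WAN port forwards to SSH and notes when the source or destination port range is left at Any. The embedded XML is constructed, and its element names assume the legacy nat/rule layout of an OPNsense config.xml backup; audit_port_forwards and watched_ports are hypothetical names.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not a real export. Element names assume the legacy
# <nat><rule> layout of an OPNsense config.xml backup; verify against yours.
SAMPLE_CONFIG = """<opnsense><nat>
  <rule>
    <interface>wan</interface><ipprotocol>inet</ipprotocol>
    <protocol>tcp</protocol>
    <source><any>1</any></source>
    <destination><network>lan</network></destination>
    <target>192.168.1.10</target><local-port>22</local-port>
    <descr>SSH from WAN to 192.168.1.10</descr><tag>SSH_NAT</tag>
  </rule>
  <rule>
    <interface>wan</interface><protocol>tcp</protocol>
    <source><address>198.51.100.0/24</address></source>
    <destination><network>wanip</network><port>443</port></destination>
    <target>192.168.1.20</target><local-port>443</local-port>
    <descr>HTTPS from one source range</descr>
  </rule>
</nat></opnsense>"""


def audit_port_forwards(config_xml, watched_ports=("22",)):
    """List enabled WAN port forwards whose redirect port is watched."""
    findings = []
    for rule in ET.fromstring(config_xml).findall("./nat/rule"):
        if rule.find("disabled") is not None:
            continue  # skip rules switched off in the GUI
        port = rule.findtext("local-port", default="")
        if rule.findtext("interface") != "wan" or port not in watched_ports:
            continue
        notes = []
        if rule.find("source/any") is not None:
            notes.append("source is any")
        if rule.find("destination/port") is None:
            notes.append("destination port range is any")
        findings.append({
            "descr": rule.findtext("descr", default=""),
            "target": rule.findtext("target", default=""),
            "port": port,
            "notes": notes,
        })
    return findings


if __name__ == "__main__":
    for f in audit_port_forwards(SAMPLE_CONFIG):
        print(f"{f['descr']}: -> {f['target']}:{f['port']} ({', '.join(f['notes'])})")
```

Pass watched_ports=("22", "80", "443") to include cloned HTTP(S) forwards in the same review.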
You can, of course, use this simple rule as a template to direct other types of traffic (such as HTTP) to specific IP addresses. Using the Clone button (in the rule listing), you can then change the source and target ports from SSH to HTTP(S) to direct traffic from the WAN to your web server.
Once you understand how to create this simple NAT rule, you can then move up to more complicated tasks with OPNsense.