OPNSense and One-to-One NAT

This is mostly a technical note to others struggling with One-to-One NAT on OPNsense.

The Answer

You want to set up public, routable IPs that map 1:1 to a private, non-routable IP. First, set up the Virtual IP on the external WAN interface. Then set up the 1:1 NAT to your internal IP.

OPNsense will let you set up the One-to-One NAT first, but it won't work. You need to assign the public, routable IP on the WAN interface as a Virtual IP for the 1:1 mapping to work. And leave it at BINAT in the 1:1 NAT settings.

On my system, it took 15 to 30 seconds for ARP, routing, and everything to work once the Virtual IP was set up along with the 1:1 NAT mapping.
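To make the ordering and the subnet constraints above concrete, here is an added example (not code from the post or from OPNsense) that sanity-checks a planned mapping and renders it as the equivalent FreeBSD/pf steps in the order the post recommends: the IP alias on WAN first, then the BINAT rule. All addresses and the interface name are constructed sample values from documentation prefixes; the pf lines are written in generic pf syntax to show what the two GUI steps amount to, not copied from OPNsense's rule generator.

```python
"""Added example: sanity-check a One-to-One NAT plan before entering it in OPNsense."""
import ipaddress

# Constructed sample environment (RFC 5737 documentation prefix, RFC 1918 internal).
WAN_IF = "vtnet0"                                    # assumed WAN interface name
WAN_NET = ipaddress.ip_network("203.0.113.0/27")     # the /27 the ISP routes to this WAN
WAN_ADDR = ipaddress.ip_address("203.0.113.2")       # address already on the WAN interface
WAN_GW = ipaddress.ip_address("203.0.113.1")         # ISP gateway


def check_one_to_one(public_ip, internal_ip, wan_net=WAN_NET,
                     wan_addr=WAN_ADDR, wan_gw=WAN_GW):
    """Return a list of problems with the mapping; an empty list means it is sane."""
    pub = ipaddress.ip_address(public_ip)
    priv = ipaddress.ip_address(internal_ip)
    problems = []
    if pub.version != priv.version:
        problems.append("public and internal addresses must be the same IP version")
        return problems
    if pub not in wan_net:
        # The ISP only routes the /27 to us; anything else never reaches the WAN.
        problems.append(f"{pub} is outside {wan_net}; the ISP will not route it to this WAN")
    elif pub in (wan_net.network_address, wan_net.broadcast_address):
        problems.append(f"{pub} is the network or broadcast address of {wan_net}")
    if pub in (wan_addr, wan_gw):
        problems.append(f"{pub} is already the WAN address or the ISP gateway")
    if not priv.is_private:
        problems.append(f"{priv} is not a private address; 1:1 NAT should target an internal host")
    if priv in wan_net:
        # This is the routing confusion the post describes: public and internal
        # hosts sharing one /27 across two interfaces.
        problems.append(f"{priv} is inside the WAN network; the internal host must be on another subnet")
    return problems


def render_config(public_ip, internal_ip, wan_if=WAN_IF):
    """Render the mapping as equivalent FreeBSD/pf steps, Virtual IP first."""
    problems = check_one_to_one(public_ip, internal_ip)
    if problems:
        raise ValueError("; ".join(problems))
    return [
        # Step 1: Virtual IP of type "IP Alias" on WAN. A second address in the
        # same subnet as the primary carries a /32 mask on FreeBSD.
        f"ifconfig {wan_if} inet {public_ip} netmask 255.255.255.255 alias",
        # Step 2: the 1:1 NAT entry, left at BINAT (bidirectional translation).
        f"binat on {wan_if} from {internal_ip} to any -> {public_ip}",
        # Step 3: 1:1 NAT does not open the firewall. A WAN rule is still needed,
        # and because translation happens before filtering it matches the
        # internal destination. Port 443 is an arbitrary sample service.
        f"pass in on {wan_if} proto tcp from any to {internal_ip} port 443",
    ]


if __name__ == "__main__":
    for line in render_config("203.0.113.10", "10.0.0.10"):
        print(line)
    # A public IP outside the routed /27 is reported rather than silently accepted.
    print(check_one_to_one("198.51.100.10", "10.0.0.10"))
```

Running it prints the alias, binat and pass lines for the valid pair, then the problem list for a public IP the ISP does not route to this WAN. The third rendered line is the step most often forgotten after the NAT mapping finally works: the WAN firewall rule must reference the internal address, not the public one.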

The Struggle

I wanted to expose some of the internal machines to the outside world. What I wanted to do was set up a completely separate interface for the "public" machines. However, given I only have a single IPv4 /27 to use, one either has to subnet it, losing more valuable IPs, or figure out another way. The WAN and PUBLIC interfaces would be in the same /27 network, which will confuse routing, at least.

I read the docs, set up one-to-one NAT and expected it to work. It turns out 1:1 NAT only sets up the internal NAT mappings. After thinking through the issue, and reading a bit more, I realized the WAN interface really wants multiple IPs assigned. The way to do this in OPNsense is through Virtual IPs and IP aliases.

Once this was set up, everything worked. For IPv6, everything just works as expected since the ISP gave us a /48 range. With that size, you can just break the v6 range into /64s and assign away. I could've asked the ISP for a /26 or some larger range, but this Virtual IP/1:1 NAT mapping solution works just as well.