Print Page - 1:1 NAT not forwarding - checking what the NAT entry should look like

Title: 1:1 NAT not forwarding - checking what the NAT entry should look like
Post by: Stilez on February 02, 2019, 04:59:33 PM

I understand the principles and have read various man pages + posts, but I'm still not geting 1:1 NAT working in this scenario.

I have two LANs - one trusted (office) and the other untrusted (domestic/family).There's a a single device that unavoidably has to be physically connected via the untrusted network, but needs to behave as if it's connected to the trusted network's subnet.

Getting the device to behave as if on the trusted LAN should be easy (virtual IP + 1:1 NAT) but isn't working for me.

To make it simple, let's give some hypothetical IPs:

The "trusted" LAN is on NIC <em0> "OFFICE_NET", which has subnet 10.20.0.5/16, and the "untrusted" LAN is on NIC <em1> "HOUSE_NET", with subnet 10.50.0.5/16.
Devices on HOUSE_NET are all forced onto VLAN 6 by the switches, except for the device I'm trying to fix, which is forced onto VLAN 7. Filter rules block any traffic at VLAN 6 from reaching VLAN 7.
The device needs to be accessible from OFFICE_LAN via IP 10.20.0.100. (I don't care if it has a different IP locally on VLAN 7).
At the router, I've created VLAN 6+7 and their interfaces for . I've set up rules so that VLAN 6 traffic can't reach VLAN 7. I've assigned VLAN 7 the subnet 10.51.0.5/16, and enabled DHCP on that interface to issue the device with IP 10.51.0.100. I've created a virtual IP for 10.20.0.100 on OFFICE_NET.

In theory, all that's left is creating a 1:1 BINAT (symmetrical) entry on OFFICE_NET, so that

any packets from OFFICE_NET with source in 10.20.0.5/16 and destination 10.20.0.100 that arrive at the router, are NATed to appear as destination=10.51.0.100 and arrive at VLAN 7 where they are forwarded to the device.

and
any packets from VLAN 7 with source 10.51.0.100 and destination in 10.20.0.5/16 that arrive at the router, are NATed to appear as source = 10.20.0.100 and arrive at OFFICE_NET where they are forwarded to their destination. (This is less common but possible, eg ping, syslog, snmp, spanning tree protocols, etc)

But I can't get this to work - meaning, I can ping the virtual IP at 10.20.0.100 from the LAN, and I can access http://10.51.0.100 (http://10.51.0.100) from the LAN, but I can't access http://10.20.0.100 (http://10.20.0.100) from the LAN.

I'm not sure what I'm doing wrong, or what else might be needed. It shouldn't have a routing problem, as I can reach the device via its VLAN 7 IP 10.51.0.100. It's just that when I access the virtual IP, whether or not it's NATing it to dest=10.51.0.100, it's not then forwarding it to VLAN 7, as it does when I enter that IP directly.

What should I have in my NAT config, to make this last step work?

OPNsense Forum

Archive => 19.1 Legacy Series => Topic started by: Stilez on February 02, 2019, 04:59:33 PM