Hi all,
I have two VLANs on my OPNsense and no WAN connection. The system is more of a VPN gateway, DNS server etc. than a firewall.
```
Internet/Fritzbox
192.168.1.1
     |
     |
    LAN                                   OPT1
192.168.1.4/24 ---- OPNsense ---- 217.29.46.41/29 ---- IPsec tunnel ---- TrueNAS 217.29.44.24
     |
  Graphite
192.168.1.55
```
The network 192.168.1.0/24 does not know about the other network. If anything from the local network 217.29.46.40/29 needs to access the Internet or anything in the RFC 1918 LAN, the connections are NATed.
Outbound, LAN, Interface address - easy.
The single system in the remote network on the other end of that tunnel - which does not know/route the 192.168.1.0/24 - is supposed to send Graphite data on port 2003. At the moment I have set up HAProxy for that.
Listen on 217.29.46.41:2003 - forward to 192.168.1.55:2003. Works. The Graphite server sees the connection coming from 192.168.1.4, of course.
So ... what's the problem?
How can I build the same with NAT instead of HAproxy? When I configure a port forward on OPT1/217.29.46.41 for port 2003, the initial SYN goes to 192.168.1.55 alright - but with a source address of 217.29.44.24. And the Graphite server does not know that network.
Is there a way to port forward and at the same time NAT the connection on the LAN interface so the Graphite server only sees 192.168.1.4 like with a proper proxy?
Thanks,
Patrick
An outbound NAT rule on the LAN interface when the destination is the graphite server, to replace the source address with the interface address.
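The two translations described in the reply, written out as the equivalent pf rules (an added example, not taken from the thread and not OPNsense's generated rule set; the interface names igb0/igb1 are assumptions). In the OPNsense GUI the second rule corresponds to an Outbound NAT rule on LAN, which only takes effect when outbound NAT mode is set to hybrid or manual.

```pf
# Addresses from the thread; interface names are assumptions.
lan_if   = "igb0"            # LAN,  192.168.1.4/24
opt1_if  = "igb1"            # OPT1, 217.29.46.41/29
graphite = "192.168.1.55"
truenas  = "217.29.44.24"    # the only host on the far side of the IPsec tunnel

# 1. Port forward on OPT1: a SYN from TrueNAS to 217.29.46.41:2003 is redirected
#    to the Graphite server. Without step 2 it arrives with source 217.29.44.24,
#    which Graphite has no route back to.
rdr on $opt1_if inet proto tcp from $truenas to 217.29.46.41 port 2003 \
    -> $graphite port 2003

# 2. Outbound NAT on LAN, restricted to the Graphite port: pf applies rdr on the
#    inbound interface first, so by the time the packet leaves LAN its destination
#    is already 192.168.1.55. Rewrite the source to the LAN interface address so
#    Graphite sees 192.168.1.4, exactly as it did behind HAProxy.
nat on $lan_if inet proto tcp from $truenas to $graphite port 2003 -> ($lan_if)

# Filter rules are evaluated after rdr, so the pass rule must match the
# translated destination, and only the one remote host and the one port.
pass in on $opt1_if inet proto tcp from $truenas to $graphite port 2003 \
    flags S/SA keep state
```

Because the source is rewritten, Graphite's own logs will attribute every connection to 192.168.1.4; the OPNsense state table and firewall log are where the remote origin stays visible, so keep those when you need to trace a connection back to TrueNAS.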