I need certain systems on my LAN to be able to go to a WAN interface (so take the 'outside' route). They have to connect to a server that has two DNS services: one is the normal one for the LAN, and the other is ACME-DNS for Let's Encrypt, which is running on port 953. The system that connects only connects to port 53.
I.e. I have a NAT rule (w = WAN, public IP addresses; p = LAN, private IP addresses): w1.w2.w3.w4 53 --> p1.p2.p3.p4 953, and from the outside that works.
But now I need machines on the inside to be able to do this:
LAN:p1.p2.p3.p5 -> WAN:w1.w2.w3.w4 53 --> LAN:p1.p2.p3.p4 953
In effect I cannot change their use of port 53, and I want to use NAT to make it possible. Can I?
You can simply make a NAT rule on your LAN interface and redirect to whatever you want.
I do not fully understand your suggestion, sorry (not too regular work for me, this).
Suppose the router is at 192.168.2.2.
There is a mail server running on 192.168.2.15:25, which on the outside is 100.100.100.53:25, and in between is haproxy on 192.168.2.2.
There is a DNS server running on 192.168.2.16:953, which on the outside is 100.100.100.54:53
There is a DNS server running on 192.168.2.16:53, which is LAN-only
There is an HTTPS server running on 192.168.2.16:443, which on the outside is 100.100.100.54:443.
If I go outside to the WAN, to somewhere else, my outgoing traffic seems to come from:
- 100.100.100.53 if it is going to port 25 (outgoing NAT rule so that my mail server's DNS name fits the reverse DNS when connecting to other mail servers)
- 100.100.100.51 for all other traffic
I want system 192.168.2.10 to go to 192.168.2.16:953, but it should arrive there as if it comes from src 100.100.100.51 and is trying to connect to 100.100.100.54:53.
Currently, with my setup, I can connect to the mail server from the LAN via the WAN address:
```
gerben@192.168.2.10% nc -v 100.100.100.53 25
Connection to 100.100.100.53 port 25 [tcp/smtp] succeeded!
220 mail.rna.nl
```
But the postfix mail server's log says (it knows about haproxy):
```
Jun 10 14:23:54 hermione smtp_haproxy/postscreen[95404]: CONNECT from [192.168.2.10]:61001 to [192.168.2.2]:25
```
And all other public IPs and ports fail, e.g.
```
gerben@192.168.2.10 nc -v 100.100.100.54 443
```
simply hangs.
From an outside machine it works:
```
$ nc -v -z 100.100.100.54 443
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Connected to 100.100.100.54:443.
Ncat: 0 bytes sent, 0 bytes received in 0.04 seconds.
```
How setting up a NAT rule on the LAN helps here, I do not understand.
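What the "NAT rule on the LAN interface" from the reply looks like in pf syntax, added here as an illustration only (it is not from the thread or from any particular router product); the interface names em0/em1 are assumptions, the addresses are the ones from the post above:

```pf
# pf.conf excerpt (hairpin / reflection NAT for the ACME-DNS service).
# Assumed interface names; addresses taken from the post above.
ext_if  = "em0"                 # WAN, holds 100.100.100.54
int_if  = "em1"                 # LAN, router is 192.168.2.2
int_net = "192.168.2.0/24"
dns_pub = "100.100.100.54"      # public address of the DNS service
dns_srv = "192.168.2.16"        # LAN host running ACME-DNS on 953

# Existing rule: WAN clients hitting :53 on the public address
# are redirected to the ACME-DNS port on the LAN host.
rdr on $ext_if proto { tcp, udp } from any to $dns_pub port 53 -> $dns_srv port 953

# Hairpin part 1: a LAN client that sends to the public address
# arrives inbound on the LAN interface; redirect it the same way.
rdr on $int_if proto { tcp, udp } from $int_net to $dns_pub port 53 -> $dns_srv port 953

# Hairpin part 2: once redirected, the packet leaves outbound on the
# same LAN interface. Rewrite the source to the router's LAN address
# so that the server answers the router (where the NAT state lives)
# instead of replying directly to the client with an unexpected source.
nat on $int_if proto { tcp, udp } from $int_net to $dns_srv port 953 -> ($int_if)

# Filter rules are evaluated after translation, so match the
# translated destination here.
pass in quick on $int_if proto { tcp, udp } from $int_net to $dns_srv port 953 keep state
```

With this, the ACME-DNS service sees the connection as coming from the router's LAN address (192.168.2.2), the same way the postscreen log above shows the haproxy case; a LAN-side source of 100.100.100.51 is not something this kind of rule produces, so the server's own access rules have to allow the router's address.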