OPNsense Forum

English Forums => 25.7, 25.10 Series => Topic started by: osource4all on October 27, 2025, 06:54:45 PM

Title: Help with inbound source nat on port forward (similar to F5 snat automap)
Post by: osource4all on October 27, 2025, 06:54:45 PM
Hi - Have a straightforward setup where I am already port forwarding in from the OPNsense WAN interface to servers' private IPs behind the LAN connections on port 443. When OPNsense gets a connection on the WAN it port forwards it to the internal server and the internal server sees the original public source IP.
 
The caveat is the private IP servers behind the LAN have a different default gateway from the OPNsense device.

How can I configure source NAT on the inbound port forward so that when OPNsense forwards the connection to the internal server, it changes the source IP to be the OPNsense LAN IP? I understand this means that when it port forwards connections to the internal servers all of them will see the OPNsense LAN IP as the source IP. That is what is wanted so the internal servers' default gateway is not a factor.

I tried to configure a rule under the "NAT: Outbound" section like this:
Interface: Lan
Source: WAN net
Destination: Server private ip
Destination Port: 443
NAT address: Lan address
Nat Port: *

but it doesn't seem to work.

Appreciate any assistance



Title: Re: Help with inbound source nat on port forward (similar to F5 snat automap)
Post by: meyergru on October 27, 2025, 07:47:14 PM
How about doing that via a reverse proxy running on OpnSense? This does not need to terminate TLS or HTTP, it could well be a TCP-only proxy.
HAproxy can do that.

Otherwise, you would probably need an additional NAT rule that rewrites the outgoing packets on the LAN destined for that specific IP to use the OPNsense LAN IP. However, IDK if outbound (D)NAT rules are being applied to traffic that has been SNATed before...

Title: Re: Help with inbound source nat on port forward (similar to F5 snat automap)
Post by: osource4all on October 28, 2025, 05:44:09 AM
Interesting idea with a reverse proxy. You were right, the issue was the additional NAT rule.
Somewhat misleading that it is under the "Outbound NAT" section when sometimes it applies to incoming traffic like in this case.
I was able to get it to work by changing the source net from WAN net to any.
Thanks for the tips
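For readers who want to see what the two posts above amount to in pf terms, here is an added example (not from the thread or from OPNsense's generated ruleset) of the port forward plus the LAN-side source NAT, with the poster's first attempt shown as a comment beside the rule that worked. Interface names and the server address are placeholders chosen for the example.

```pf
# Added example (not from the thread): pf translation rules equivalent to the
# poster's setup. Interface names and addresses are constructed placeholders.
wan_if  = "vtnet0"         # assumed WAN interface name
lan_if  = "vtnet1"         # assumed LAN interface name
web_srv = "192.168.1.10"   # constructed: internal HTTPS server on the LAN

# Port forward (OPNsense "NAT: Port Forward"): inbound TCP/443 on the WAN
# address is redirected to the internal server. The client's source address
# is left untouched by this rule, which is why the server's reply follows
# the server's own default gateway instead of returning through OPNsense.
rdr pass on $wan_if inet proto tcp from any to ($wan_if) port 443 -> $web_srv port 443

# Source NAT on the LAN (OPNsense "NAT: Outbound", which only applies
# manual rules in Hybrid or Manual mode): rewrite the source of packets
# leaving the LAN interface towards the server to the firewall's LAN
# address, so the server answers OPNsense regardless of its default gateway.
#
# Rule as first tried in the thread: "WAN net" is the WAN interface's own
# subnet, so a client on the Internet never matches and nothing is rewritten.
#   nat on $lan_if inet proto tcp from ($wan_if:network) to $web_srv port 443 -> ($lan_if)
#
# Rule that works: match any source (the fix described in the last post).
nat on $lan_if inet proto tcp from any to $web_srv port 443 -> ($lan_if)
```

After applying, `pfctl -sn` lists the active translation rules and `pfctl -ss` shows the state entries; a forwarded connection should appear as a pair of states, one on the WAN side with the original client address and one on the LAN side with the OPNsense LAN address as source. Because of that rewrite, the server's own logs will only ever record the firewall's LAN IP: keep the original client address by enabling logging on the port-forward rule in OPNsense, or, if the real address must reach the application, use the HAProxy route suggested above with PROXY protocol or X-Forwarded-For instead of plain source NAT.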