1
General Discussion / NAT reflection with internal IP SNAT to WAN IP
« on: October 29, 2021, 01:20:17 am »
I am trying to build a robust redundant basic setup concept with OPNsense and got stuck when it comes to NAT reflection.
Since I'm trying to be redundant I want to use the following setup:
A Dailup Router, which obtains a static IP from an ISP and provides a configurable internal network.
This router, GW1, has 192.168.255.2 set as the exposed host IP, all external traffic will be NATed there.
GW1
-WAN [8.7.6.5/?] (the static ISP assigned IP)
-TWAN [192.168.255.1/30] (2 host subnet, internal/transfer side)
OPNsense
-TWAN
- [192.168.255.5/30] (2 host subnet for CARP on WAN interface)
- CARP [192.168.255.2/30] (same subnet as TWAN on GW1)
-EXT
- [192.168.255.9/30] (2 host subnet for CARP on EXT interface)
- CARP [8.7.6.5/32] (the static ISP assigned IP)
-LAN
- [10.123.0.2/24] (LAN subnet)
- CARP [10.123.0.1/24] (LAN gateway IP)
The Default GW is set up for the TWAN Interface to be 192.168.255.1, default traffic is sent to the GW1 via TWAN.
There is a Port Forward on the TWAN Interface in place, redirecting all IPv4 traffic to 8.7.6.5. This should DNAT 192.168.255.2 to 8.7.6.5 and therefor terminate on the EXT CARP IP.
A SSH Port Forward is created on Interface EXT with Destination 8.7.6.5 to be forwarded to a LAN IP 10.123.0.10. (DNAT, right?)
In my Experience up to this point everything is fine. Unless I want to access 8.7.6.5 from 10.123.0.11.
My desired behaviour would be for EXT CARP 8.7.6.5 to do a SNAT with every package that is from a private range (10/8, 192.168/16, etc.) and replace the source with 8.7.6.5.
The forwarded SSH connection to 10.123.0.10 then would have a source of 8.7.6.5 (and NOT 10.123.0.11). 10.123.0.10 would then again reply to 8.7.6.5, which should get NATed back to 10.123.0.11.
10.123.0.10 would only see the WAN IP of the requesting device and not try to directly answer to 10.123.0.11.
I don't seem to be able to setup a rulte for this, any suggestions?
Since I'm trying to be redundant I want to use the following setup:
A Dailup Router, which obtains a static IP from an ISP and provides a configurable internal network.
This router, GW1, has 192.168.255.2 set as the exposed host IP, all external traffic will be NATed there.
GW1
-WAN [8.7.6.5/?] (the static ISP assigned IP)
-TWAN [192.168.255.1/30] (2 host subnet, internal/transfer side)
OPNsense
-TWAN
- [192.168.255.5/30] (2 host subnet for CARP on WAN interface)
- CARP [192.168.255.2/30] (same subnet as TWAN on GW1)
-EXT
- [192.168.255.9/30] (2 host subnet for CARP on EXT interface)
- CARP [8.7.6.5/32] (the static ISP assigned IP)
-LAN
- [10.123.0.2/24] (LAN subnet)
- CARP [10.123.0.1/24] (LAN gateway IP)
The Default GW is set up for the TWAN Interface to be 192.168.255.1, default traffic is sent to the GW1 via TWAN.
There is a Port Forward on the TWAN Interface in place, redirecting all IPv4 traffic to 8.7.6.5. This should DNAT 192.168.255.2 to 8.7.6.5 and therefor terminate on the EXT CARP IP.
A SSH Port Forward is created on Interface EXT with Destination 8.7.6.5 to be forwarded to a LAN IP 10.123.0.10. (DNAT, right?)
In my Experience up to this point everything is fine. Unless I want to access 8.7.6.5 from 10.123.0.11.
My desired behaviour would be for EXT CARP 8.7.6.5 to do a SNAT with every package that is from a private range (10/8, 192.168/16, etc.) and replace the source with 8.7.6.5.
The forwarded SSH connection to 10.123.0.10 then would have a source of 8.7.6.5 (and NOT 10.123.0.11). 10.123.0.10 would then again reply to 8.7.6.5, which should get NATed back to 10.123.0.11.
10.123.0.10 would only see the WAN IP of the requesting device and not try to directly answer to 10.123.0.11.
I don't seem to be able to setup a rulte for this, any suggestions?