General Discussion / One to One NAT/Port Forward to Virtual IP in a LAN interface
« on: November 03, 2023, 05:14:46 pm »
I'm trying to set up a NAT that will allow me to reach devices behind a local LAN interface using a Virtual IP (IP Alias) or a non-WAN IP. The goal is to be able to reach devices behind this NAT using a VPN tunnel.
Say I have a /29 subnet on the LAN side of Site B and I want to reach local-only devices through a Virtual IP that is part of the /29 through a NAT.
Site A OPNsense 172.0.0.1/29
Site A Virtual IP#1 172.0.0.3 -> Site A local device 10.0.0.1
Site A Virtual IP#2 172.0.0.2 -> Site A local device 192.168.1.1
I can't route the Site A local device IPs across the tunnel; I would like to reach them using an IP that is part of the /29 that is already routed across the tunnel. Getting to the local devices should be achieved by either adding a Virtual IP in the same subnet to the LAN interface, or using a separate interface that lives on the same local subnet as the device.
The problem I'm running into is that most NAT guides and documentation are for a NAT on the WAN interface. Looking at the NAT rules with pfctl when trying different iterations doesn't seem to be showing me the flow I'm expecting.
In the end I want to be able to reach 10.0.0.1 using 172.0.0.3, and 192.168.1.1 using 172.0.0.4 across the tunnel. I can reach the OPNsense 172.0.0.1 IP across the tunnel, no problem. I can ping the Virtual IPs, but getting the NAT working is what is failing me. I can get to the virtual IPs across the tunnel, but they are acting like extensions of the OPNsense LAN IP, i.e., I can open the OPNsense Web GUI on both Virtual IPs, which is not desired.
Is what I want to achieve doable? It should be. I know I can do this on a Fortigate or a Cisco ASA, I just can't seem to translate this into OPNsense.
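For readers following the same setup, here is what the two mappings from the post look like as raw pf translation rules, written as an added example (it is not from the post above and not OPNsense's generated ruleset). The interface names `lan` and `tun0` are assumptions: `tun0` stands in for whatever VPN tunnel interface the Site B traffic actually arrives on. The example uses the 172.0.0.3 / 172.0.0.4 pair from the last paragraph of the post. The point it illustrates is that pf evaluates `binat`/`rdr` rules against the interface a packet arrives on, so a rule scoped to `lan` never sees packets coming in from the tunnel; they terminate on the firewall's own Virtual IP instead, which is why the web GUI answers there.

```pf
# Added illustration, not the forum poster's or OPNsense's configuration.
# Interface names are assumptions: lan = local interface holding the
# /29 and its Virtual IPs, tun0 = the VPN tunnel carrying Site B traffic.
lan_if  = "lan"
tun_if  = "tun0"

# Virtual IPs inside the routed /29 (values from the post) and the
# local-only devices they should map to.
vip_dev1 = "172.0.0.3"
dev1     = "10.0.0.1"
vip_dev2 = "172.0.0.4"
dev2     = "192.168.1.1"

# 1:1 NAT (OPNsense "One-to-One"): bidirectional, anchored on the
# interface the tunnel traffic ENTERS on, not on the LAN interface.
binat on $tun_if from $dev1 to any -> $vip_dev1
binat on $tun_if from $dev2 to any -> $vip_dev2

# Alternative, narrower form: a port forward (rdr) for one service only.
# Also scoped to the tunnel interface for the same reason.
# rdr on $tun_if proto tcp from any to $vip_dev1 port 443 -> $dev1 port 443

# Translation alone is not enough; pf still needs a pass rule for the
# post-translation destination. Keep it to the two devices only so the
# Virtual IPs cannot be used to reach the firewall itself.
pass in quick on $tun_if inet from any to { $dev1, $dev2 } keep state
```

To check what actually got loaded, `pfctl -sn` lists the translation (nat/rdr/binat) rules and `pfctl -ss` lists the state table; a working mapping shows a state whose destination is the device address (10.0.0.1 or 192.168.1.1) rather than the Virtual IP. If `pfctl -sn` shows the binat only on `lan`, the rule was created on the wrong interface in Firewall > NAT > One-to-One.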