Translate outgoing request for external IP to internal IP?

Started by benm, March 18, 2020, 11:01:38 PM

Hello, I'm running OPNsense 19.7.10_1-amd64 with a LAN subnet of 192.168.1.0/24 and DHCP.

I need to connect to a webserver on 10.0.0.100, which I am supposed to access via a VPN.  Unfortunately this VPN is broken and cannot be fixed.  It's out of my control.

As a workaround, I have set up a computer at 192.168.1.100 with an ssh port forward to 10.0.0.100.  Thus I can access the webserver on 192.168.1.100.  The problem is that the IP address is wrong.

Is there any way to configure OPNsense so that requests for 10.0.0.100 get translated to 192.168.1.100, and the response gets translated back?

I think I need to use some sort of NAT.  However, since the main use case for NAT is between an internal and external network, I haven't managed to find examples of how to send outbound traffic back in.  I'm not experienced enough to understand all the settings.  Would anyone be willing to help me out?

Thanks so much!
-Ben


@mimugmail, I agree, that would have been the sensible way to proceed.  Unfortunately everything has already been set up with hard-coded references everywhere to the IP address.  >:(  I would have done it differently, but that's out of my control.

Do a Port Forward on the OPN LAN to the internal IP, and also an outbound NAT on LAN for internal clients to the internal IP.

@mimugmail, thanks so much!!!  My colleague managed to implement your suggestion, and we are very grateful.

To elaborate on the solution, his settings are as follows:

Port Forward:
  Interface: LAN
  Proto: TCP
  Source Address: *
  Source Ports: *
  Destination Address: 10.0.0.100
  Destination Ports: 80
  NAT IP: 192.168.1.100
  NAT Ports: 5580  [port of SSH tunnel]

Outbound:
  Mode: Hybrid outbound NAT rule generation
  Manual rules:
    Interface: LAN
    Source: any
    Source Port: *
    Destination: 192.168.1.100/32
    Destination Port: 5580
    NAT Address: Interface Address
    NAT Port: *
    Static Port: NO

I hope this helps in case anyone else has the same question.  I don't yet understand what's going on, but I hope he can explain tomorrow.   ;D

You connect to the firewall with the external IP (should be clear), the firewall sends the packet back to the internal network since the host is internal (should be clear). Without the outbound NAT, the internal server sends the reply packet directly to the initial client since it's on the same net, and then your initial client sees the IP of the internal host, which wasn't the one it tried to contact. That's why you NAT the outgoing packet, so the internal server replies to the firewall (which tracks the state) and it can send the packet back to you.

Easy?  8)

Wow, thanks so much for the speedy response!!!

Unfortunately I am used to configuring consumer-grade routers, not professional ones like OPNsense.  Thus my experience with NAT is roughly that everything is automatically configured, except for port forwards where I simply provide a list of internal IPs and ports.  All the new options are wonderful but overwhelming.

In this specific case, my confusion is about which packet headers are getting rewritten by which rule.  If I correctly understand your explanation, when I send a packet from 192.168.1.50 to 10.0.0.100, the "Port Forward" rule rewrites "Destination" from 10.0.0.100 to 192.168.1.100, but it leaves "From" as 192.168.1.50.  So then the "Outbound" rule would somehow rewrite "Source" from 192.168.1.50 to 192.168.1.1.  But I don't understand how the given rule makes this happen.

Is it a pipeline where Port Forward comes first, changing the destination?  And next the Outbound rule is applied, and it matches since we just changed the destination to 192.168.1.100?
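The two rules from the thread as a packet-by-packet model, added here as an illustration only; it is not code from OPNsense or pf, it just models the order pf applies translations in (port forward / rdr rewrites the destination on the way in, outbound NAT rewrites the source on the way out, and the state table undoes both on the reply). It uses the client 192.168.1.50 and firewall LAN address 192.168.1.1 from the question above; the ephemeral port 40000 picked for the outbound NAT is an assumption. Running it with and without the outbound rule shows the reply path mimugmail describes: without it the server answers the client directly from 192.168.1.100:5580, which is not the 10.0.0.100:80 the client's TCP stack is waiting for.

```python
"""Model of the Port Forward + Outbound NAT pair from this thread.

Added illustration, not OPNsense/pf code. The client reaches the firewall
because 10.0.0.100 is off its subnet, so it sends to its default gateway.
"""
from dataclasses import dataclass, replace

FW_LAN_IP = "192.168.1.1"      # firewall LAN address, as used in the question
NAT_EPHEMERAL_PORT = 40000     # assumed port chosen by the outbound NAT

# Rule 1, "Port Forward" (pf rdr): rewrites the destination on the way in.
PORT_FORWARD = {"match": ("10.0.0.100", 80), "to": ("192.168.1.100", 5580)}
# Rule 2, "Outbound" NAT: rewrites the source on the way out, matched on the
# destination *after* rule 1 has already changed it.
OUTBOUND_NAT = {"match": ("192.168.1.100", 5580), "to": FW_LAN_IP}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Firewall:
    def __init__(self, outbound_nat: bool):
        self.outbound_nat = outbound_nat
        # state table: 4-tuple as sent to the server -> packet as the client sent it
        self.states = {}

    def forward(self, pkt: Packet) -> Packet:
        """Client packet arriving on LAN; returns what is sent toward the server."""
        original = pkt
        if (pkt.dst, pkt.dport) == PORT_FORWARD["match"]:
            dst, dport = PORT_FORWARD["to"]
            pkt = replace(pkt, dst=dst, dport=dport)          # rdr: new destination
        if self.outbound_nat and (pkt.dst, pkt.dport) == OUTBOUND_NAT["match"]:
            pkt = replace(pkt, src=OUTBOUND_NAT["to"], sport=NAT_EPHEMERAL_PORT)
        self.states[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = original
        return pkt

    def reply(self, pkt: Packet):
        """Server reply arriving at the firewall; undo both translations via state."""
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        orig = self.states.get(key)
        if orig is None:
            return None                                        # no state: dropped
        return Packet(src=orig.dst, sport=orig.dport, dst=orig.src, dport=orig.sport)


def server_reply(pkt: Packet) -> Packet:
    """The web server just swaps the addresses it saw on the request."""
    return Packet(src=pkt.dst, sport=pkt.dport, dst=pkt.src, dport=pkt.sport)


def simulate(outbound_nat: bool):
    """Returns (packet the client receives, whether it matches what it expects)."""
    fw = Firewall(outbound_nat)
    client_sent = Packet("192.168.1.50", 51234, "10.0.0.100", 80)
    to_server = fw.forward(client_sent)
    reply = server_reply(to_server)
    if reply.dst == FW_LAN_IP:
        client_sees = fw.reply(reply)        # reply comes back through the firewall
    else:
        client_sees = reply                  # same subnet: server answers the client directly
    expected = Packet("10.0.0.100", 80, client_sent.src, client_sent.sport)
    return client_sees, client_sees == expected


if __name__ == "__main__":
    for mode in (False, True):
        seen, ok = simulate(mode)
        print(f"outbound NAT {'on ' if mode else 'off'}: client receives "
              f"{seen.src}:{seen.sport} -> {seen.dst}:{seen.dport}  "
              f"{'OK' if ok else 'MISMATCH, connection fails'}")
```

The trade-off the outbound rule brings along: because the source is rewritten to the firewall's address, the server at 192.168.1.100 only ever sees connections from 192.168.1.1, so its access logs no longer show the real client. If that matters, the alternative mimugmail hinted at earlier in the thread (pointing the hard-coded address at the right host via DNS or routing instead of reflecting it) avoids the source rewrite.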