OPNsense Forum » English Forums » 24.1 Legacy Series
Topic: Can I use LAN-WAN-LAN to change a destination port? (Read 463 times)
gctwnl (Jr. Member, Posts: 60, Karma: 0)
Posted on: June 09, 2024, 11:43:12 pm
I need certain systems on my LAN to be able to go to a WAN interface (so take the 'outside' route). They have to connect to a server that has two DNS services: one normal one for the LAN, and one ACME-DNS for Let's Encrypt, which is running on port 953. The system that connects only connects to port 53.
I.e., I have a NAT rule that allows (w = WAN, public IP addresses; p = LAN, private IP addresses):
w1.w2.w3.w4 53 --> p1.p2.p3.p4 953
and from the outside that works.
But now I need machines on the inside to be able to do this:
LAN:p1.p2.p3.p5 -> WAN:w1.w2.w3.w4 53 --> LAN:p1.p2.p3.p4 953
In effect I cannot change their use of port 53, and I want to use NAT to make it possible. Can I?
securid (Jr. Member, Posts: 71, Karma: 1)
Reply #1 on: June 10, 2024, 06:57:17 am
You can simply make a NAT rule on your LAN interface and redirect to whatever you want.
gctwnl (Jr. Member, Posts: 60, Karma: 0)
Reply #2 on: June 10, 2024, 02:53:26 pm
I do not fully understand your suggestion, sorry (not too regular work for me, this).
Suppose the router is at 192.168.2.2.
There is a mail server running on 192.168.2.15:25, which on the outside is 100.100.100.53:25, and in between is haproxy on 192.168.2.2.
There is a DNS server running on 192.168.2.16:953, which on the outside is 100.100.100.54:53.
There is a DNS server running on 192.168.2.16:53, which is LAN-only.
There is an HTTPS server running on 192.168.2.16:443, which on the outside is 100.100.100.54:443.
If I go outside to the WAN, to somewhere else, my outgoing traffic seems to come from:
100.100.100.53 if it is going to port 25 (outgoing NAT rule so that my mail server's DNS name fits the reverse DNS when connecting to other mail servers)
100.100.100.51 for all other traffic
I want system 192.168.2.10 to go to 192.168.2.16:953, but it should arrive there as if it comes from src 100.100.100.51 and it tries to connect to 100.100.100.54:53.
Currently, with my setup, I can connect to the mail server from the LAN to the WAN address:
```
gerben@192.168.2.10% nc -v 100.100.100.53 25
Connection to 100.100.100.53 port 25 [tcp/smtp] succeeded!
220 mail.rna.nl
```
But the postfix mail server's log says (it knows about haproxy):
```
Jun 10 14:23:54 hermione smtp_haproxy/postscreen[95404]: CONNECT from [192.168.2.10]:61001 to [192.168.2.2]:25
```
And all other public IPs and ports fail, e.g.
```
gerben@192.168.2.10 nc -v 100.100.100.54 443
```
simply hangs.
From an outside machine it works:
```
$ nc -v -z 100.100.100.54 443
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Connected to 100.100.100.54:443.
Ncat: 0 bytes sent, 0 bytes received in 0.04 seconds.
```
How setting up a NAT rule on the LAN helps here, I do not understand.
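As an added illustration (not gctwnl's configuration, and not the rule set the OPNsense GUI generates verbatim), this is what the LAN-side redirect from Reply #1 looks like in FreeBSD pf terms for the addresses in this thread: the rdr rewrites the public destination 100.100.100.54:53 to 192.168.2.16:953, and the nat rule rewrites the source so that the server's replies come back through the firewall instead of going straight to 192.168.2.10 on the same subnet. The interface name igb1 is an assumption; the server will see the firewall's LAN address 192.168.2.2 as the client, not 100.100.100.51.

```pf
# Added example: hand-written pf.conf fragment for the scenario in this thread.
# Assumption: the LAN interface is igb1 (192.168.2.2/24); the server is 192.168.2.16.
lan_if  = "igb1"
dns_pub = "100.100.100.54"
dns_srv = "192.168.2.16"

# 1. Destination NAT on the LAN side: a LAN host connecting to the public
#    address on port 53 is redirected to the ACME-DNS service on port 953.
#    DNS uses both UDP and TCP, so both protocols are listed.
rdr on $lan_if inet proto { tcp udp } from $lan_if:network \
    to $dns_pub port 53 -> $dns_srv port 953

# 2. Source NAT for the redirected flows: without it the server answers
#    192.168.2.10 directly on the LAN, the client sees a reply from
#    192.168.2.16 instead of 100.100.100.54, and the connection hangs
#    (asymmetric path). Rewriting the source to the firewall's own LAN
#    address (192.168.2.2) forces the return traffic back through pf.
#    Only hairpinned packets are forwarded out the LAN interface to this
#    destination, so the rule does not touch ordinary LAN-to-LAN traffic.
nat on $lan_if inet proto { tcp udp } from $lan_if:network \
    to $dns_srv port 953 -> ($lan_if)

# 3. Filter rule; in pf the filter evaluates the already translated destination.
pass in quick on $lan_if inet proto { tcp udp } \
    from $lan_if:network to $dns_srv port 953 keep state
```

In the OPNsense GUI the same pair of translations is a port-forward rule on the LAN interface with NAT reflection enabled, which adds the source rewrite for you.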