Author Topic: Local NAT between VLANs (Read 344 times)

Mindflayer · « **on:** September 19, 2024, 11:18:39 am »

Hello everybody,

I am playing around with OPNsense since a few days, and I would like to try to realize a local NAT between VLANs. The way I imagine it is the following:

Interfaces:
WAN: em1 - PPPoE
LAN: em0 - 192.168.1.1
VLAN_10 (Parent: em0 - Tag: 10) - 192.168.10.1/24
VLAN_20 (Parent: em0 - Tag: 20) - 192.168.20.1/24

Hosts:
192.168.10.2 (VLAN 10 - Connected via em0 to the OPNsense)
192.168.20.2 (VLAN 20 - Connected via em0 to the OPNsense)

Scenario:
192.168.10.2 sends a UDP packet to e.g. 111.111.111.111.
OPNsense shall realize that a package, which comes from a host in VLAN_10 and which is addressed to the Destination IP Address 111.111.111.111, shall be routed locally. It must never reach the WAN interface. OPNsense shall change the source IP Address of the package from 192.168.10.2 to 111.111.111.111. Shall change the destination IP Address from 111.111.111.111 to 192.168.20.2. And shall obviously change the VLAN tag from 10 to 20. Then sending it out on em0 resp. via the VLAN_20 interface.

Vice versa, if 192.168.20.2 answers to 111.111.111.111, the package shall have Source IP 111.111.111.111, destination IP 192.168.10.2 and VLAN Tag 10.

Question
How can I achieve that as simple as possible? I think I correctly created and assigned the VLANs. So far I created a firewall rule on VLAN10, which lets any traffic coming in from "VLAN_10 net" pass. This already seems to be enough that 192.168.10.2 (on VLAN 10) can talk to 192.168.20.2 (on VLAN 20).
But how do I configure the NAT'ing? Do I need Port Forward, One-to-One or Outbound? Despite playing around with all three of them one by one for a while now, I can't get it working. The manual seems to suggest that NAT reflection is exactly what I need, but it seems to change nothing of what I see in Wireshark.

Can someone help me?

Thanks in advance.

Monviech (Cedrik) · « **Reply #1 on:** September 19, 2024, 11:30:00 am »

If you want to change the destination IP you need to use the "Port Forwarding" menu.

The DNAT has to be done by the interface that receives the packet, not by the interface that sends it.

The DNAT will match before the Firewall rules, that means the rule you create on the receiving interface has to allow the translated packet.

That's what I would focus on.

Mindflayer · « **Reply #2 on:** September 19, 2024, 11:39:46 am »

With "Port Forwarding"-NAT, I could make the message go to 192.186.20.2 on VLAN 20. But the Source IP Address remained as 192.168.10.2.

Monviech (Cedrik) · « **Reply #3 on:** September 19, 2024, 11:51:55 am »

Im unsure what you want to do is possible:

192.168.10.2 to 111.111.111.111 <-> 111.111.111.111 to 192.168.20.2

That would mean there's essentially:

111.111.111.111 <-> 111.111.111.111

Maybe I'm wrong here and somebody else has a better idea but this doesn't make sense to me.

Also the Source NAT would need to be an existing interface if you want to rewrite the source and you do not have
111.111.111.111 on any interface.

Author Topic: Local NAT between VLANs (Read 344 times)

Mindflayer

Local NAT between VLANs

Monviech (Cedrik)

Re: Local NAT between VLANs

Mindflayer

Re: Local NAT between VLANs

Monviech (Cedrik)

Re: Local NAT between VLANs