Topic: [SOLVED] Problems setting up masquerading (Read 1494 times)
xarior
« on: November 29, 2023, 01:19:33 pm »
Hi,
I have the following scenario:
There is an IoT device which can explicitly only have the IP 192.168.9.100 and can only be talked to via 192.168.9.133. The device is on the OPT1 port, which is forwarded to the OPT2 network, specifically to 192.168.57.1. If a packet gets sent by 192.168.57.1 it will be forwarded to 192.168.9.100.
Everything works, packets are being routed through, but on the other side the source IP is still the one from the original network. I tried to set up an outbound NAT rule but it seems not to work. I was hoping you could point out what I am doing wrong here.
I have attached my configured ruleset that I tried.
Thanks a lot!
« Last Edit: February 11, 2024, 11:05:40 pm by xarior »
Saarbremer
« Reply #1 on: November 29, 2023, 06:23:46 pm »
Hi,
this scenario is super weird, what kind of IoT dev is this?
Nevertheless, you probably need two things:
1. Port forward towards 192.168.9.100 from 192.168.57.1 which seems to be already up and running
2. Outbound NAT for all traffic that goes TO 192.168.9.100 (source any, destination 192.168.9.100, NAT-Address 192.168.9.133). That also means that your OPNsense needs a virtual IP 192.168.9.133 on OPT1.
Not tested, no idea if this works.
HTH
xarior
« Reply #2 on: November 30, 2023, 11:37:02 am »
Hey,
thanks for your reply. It is indeed an unusual scenario. I only resorted to it because of the need of having to be able to talk to multiple of those devices. The IP constraints led me to the idea of using the router to set up a NAT.
OPT1 already has 192.168.9.133 assigned as a fixed IP. Do I still need a virtual IP in that case?
As initially packets get sent to 192.168.57.10 and should be forwarded to 192.168.9.100, I had thought I need to set up outbound NAT accordingly. Also I need to set up a second rule for packets coming from 192.168.9.100 going to 192.168.57.1.
Forwarding works both ways already, only the source IP is not masqueraded. I.e., coming from the device, the source IP should not be 192.168.9.100 but rather 192.168.57.10. In the other direction then 192.168.9.133 instead of 192.168.57.1.
Thanks again for your assistance!
Saarbremer
« Reply #3 on: November 30, 2023, 02:38:31 pm »
Hi,
the virtual IP is only needed if not already assigned to the IF.
In any case, your outbound NAT has to do the source translation. Given your remarks in your answer, that affects both outgoing interfaces OPT1 and OPT2 then?
But again, not tested, no idea if it works.
Make sure you turn on logging for all FW rules involved and inspect what happens.
xarior
« Reply #4 on: February 11, 2024, 11:05:02 pm »
Hello again,
just in case someone else is in need to find a solution like me:
The trick was that I needed to change the destination IP in the outbound rules to match the one I had configured in the port forwarding rules.
That is because port forwarding applies PRE routing, meaning it's processed when the packet enters the firewall. Outbound NAT applies POST routing, so when the packet is about to leave again. So I had to set the IP accordingly, as it had already been changed by then.
Logged
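The ordering described in Reply #4, as an added example that is not part of the thread and is not OPNsense or pf code: a toy Python model of a packet passing through port forwarding, routing and outbound NAT, run once with an outbound rule that matches the original destination and once with one that matches the forwarded destination. The interface names, the client address 192.168.57.50 and the assumption that the non-working rule matched 192.168.57.10 (the address named in Reply #2) are constructed for illustration.

```python
# Added illustration: toy model of the translation order, not OPNsense/pf code.
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

@dataclass(frozen=True)
class Rule:
    iface: str      # port forward: inbound interface; outbound NAT: egress interface
    match_dst: str  # destination address the rule matches on
    rewrite: str    # port forward: new destination; outbound NAT: new source

# Assumed interface names and subnets, inferred from the addresses in the thread.
ROUTES = {"opt1": ip_network("192.168.9.0/24"), "opt2": ip_network("192.168.57.0/24")}

def traverse(pkt, in_if, port_forwards, outbound_nat):
    """Return (egress interface, packet) after the firewall has handled pkt."""
    # 1. Port forwarding runs first, as the packet enters: destination rewritten.
    for r in port_forwards:
        if r.iface == in_if and pkt.dst == r.match_dst:
            pkt = replace(pkt, dst=r.rewrite)
            break
    # 2. Routing picks the egress interface from the rewritten destination.
    out_if = next(n for n, net in ROUTES.items() if ip_address(pkt.dst) in net)
    # 3. Outbound NAT runs last and only ever sees the rewritten destination.
    for r in outbound_nat:
        if r.iface == out_if and pkt.dst == r.match_dst:
            pkt = replace(pkt, src=r.rewrite)
            break
    return out_if, pkt

FORWARD = [Rule("opt2", "192.168.57.10", "192.168.9.100")]
NAT_ORIGINAL_DST = [Rule("opt1", "192.168.57.10", "192.168.9.133")]   # never matches
NAT_FORWARDED_DST = [Rule("opt1", "192.168.9.100", "192.168.9.133")]  # matches
CLIENT = Packet(src="192.168.57.50", dst="192.168.57.10")  # constructed client address

def source_seen_by_device(outbound_nat):
    """Source address on the packet that leaves OPT1 towards the IoT device."""
    return traverse(CLIENT, "opt2", FORWARD, outbound_nat)[1].src

if __name__ == "__main__":
    print("NAT rule on original dst: ", source_seen_by_device(NAT_ORIGINAL_DST))
    print("NAT rule on forwarded dst:", source_seen_by_device(NAT_FORWARDED_DST))
```

Turning on logging for the rules involved, as Reply #3 suggests, shows the same thing on a live firewall: the outbound rule only logs a match when its destination is the forwarded address.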