Trying to figure out a double-masq (if you can call it that) scenario

Started by cybermage, April 09, 2020, 03:55:46 PM

I've just started testing OPNsense and I have to say I'm completely thrilled with its capabilities, but for the next month unless I can figure out how to do this I can't actually deploy it at my test site.  Ultimately this won't be an issue, but if I want to go ahead and deploy this now, which I do, I need to solve this first.  Currently we run a custom iptables script on a custom linux box.

The complications / description:
I need to forward a port from an external connection to an internal server that's on the other end of a VPN.
The internal server's default gateway is NOT the OPNsense firewall, so its outbound Internet traffic comes out of an entirely different city and carrier.  The internal server was recently moved, but we still have a couple of customers accessing its old IP using a DNS name that can't be redirected elsewhere due to other services on it.  We're waiting for customers to update to a new DNS name.
To make this work currently, we do a MASQ on the packets as they exit the internal network on the current firewall, so they appear to come FROM the firewall.

So it's like this:

Customer -> OPNsense -> VPN Tunnel -> Server

To force the server to send the return packets back over the tunnel and keep it from sending out using its own default external Internet connection, we need to MASQ incoming packets to the OPNsense firewall's internal IP.

Here's a simplified version of the rules we do this with.  I'm not asking for comments on the security implications of doing this, the destination server requires RSA keys, and this is a temporary fix for about a month while waiting for a customer to update their configs.  I'm well aware this screws with source IP logging and adds latency.

# Port forward: customer traffic to $MYEXTIP:1022 on the WAN goes to the server's SSH port
$IPTABLES -t nat -A PREROUTING -i $EXT -p tcp -d $MYEXTIP --dport 1022 -j DNAT --to-destination $INTSERVER:22
# Server traffic leaving the WAN from port 22 is rewritten to $MYEXTIP:1022 (conntrack already reverses the DNAT for replies; this covers the rest)
$IPTABLES -t nat -A POSTROUTING -s $INTSERVER -p tcp --sport 22 -o $EXT -j SNAT --to-source $MYEXTIP:1022
# Second NAT: anything sent toward the server on the internal side appears to come from the firewall, so replies route back here instead of via the server's default gateway
$IPTABLES -t nat -A POSTROUTING -o $INT -d $INTSERVER -j MASQUERADE


Is this even going to be possible with OPNsense?

Finally figured it out.  I had to set up both a port forwarding rule and a nat rule for it.

Port forward the individual port on the external interface, target internal server.
Then configure a nat rule on the VPN tunnel interface (wireguard for me) natting to the private lan address, but only when targeting the internal server address at the other end of the tunnel.  Downside is all traffic to that server from the local lan gets natted even though only external traffic needs it, but it works and it's very temporary.
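The reason the second NAT is needed, as an added worked example that is not part of the thread or of OPNsense: a small Python model of the packet flow through the DNAT rule, the optional MASQUERADE toward the server, and conntrack's reverse mapping. The addresses, the tunnel name wg0, the server's routing table and the "isp_b" interface are all constructed stand-ins for $MYEXTIP, $INTSERVER and the setup described above. Run it and compare the two cases: with DNAT only the server's SYN-ACK picks its default route and never returns through the firewall; with the MASQUERADE the reply targets the firewall's tunnel address and comes back through the tunnel to be un-NATed.

```python
"""
Constructed model of the double NAT port forward discussed in the thread.
Not OPNsense or iptables code; it only shows why the second NAT matters
when the server's default gateway is a different firewall.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from itertools import count


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int

    def flip(self) -> "Pkt":
        """The 5-tuple of a reply to this packet."""
        return Pkt(self.dst, self.dport, self.src, self.sport)


# Constructed topology (stand-ins for $MYEXTIP, $INTSERVER, the tunnel, ...).
CUSTOMER = "203.0.113.10"
MYEXTIP = "198.51.100.1"      # firewall WAN address, forwarded port 1022
FW_TUNNEL_IP = "10.10.0.1"    # firewall's address inside the VPN tunnel
INTSERVER = "10.20.0.5"       # server on the far side of the tunnel
FWD_PORT, SSH_PORT = 1022, 22

# The server's routing table: default route goes to a different ISP, and only
# the tunnel subnet is reachable through the tunnel interface (assumption).
SERVER_ROUTES = [
    (ip_network("10.10.0.0/24"), "wg0"),
    (ip_network("10.20.0.0/24"), "eth0"),
    (ip_network("0.0.0.0/0"), "isp_b"),
]


def server_egress(dst: str) -> str:
    """Longest-prefix match over the server's routing table."""
    addr = ip_address(dst)
    matches = [(net.prefixlen, iface) for net, iface in SERVER_ROUTES if addr in net]
    return max(matches)[1]


class Firewall:
    """Models PREROUTING DNAT, optional POSTROUTING MASQUERADE, and conntrack."""

    def __init__(self, masquerade: bool):
        self.masquerade = masquerade
        self.conntrack = {}          # expected reply 5-tuple -> original packet
        self.ports = count(40000)    # ephemeral source ports used by MASQUERADE

    def forward(self, pkt: Pkt) -> Pkt:
        # PREROUTING: DNAT $MYEXTIP:1022 -> $INTSERVER:22
        out = pkt
        if pkt.dst == MYEXTIP and pkt.dport == FWD_PORT:
            out = Pkt(pkt.src, pkt.sport, INTSERVER, SSH_PORT)
        # POSTROUTING: MASQUERADE everything heading to the server over the tunnel
        if self.masquerade and out.dst == INTSERVER:
            out = Pkt(FW_TUNNEL_IP, next(self.ports), out.dst, out.dport)
        # conntrack remembers how to undo both translations on the reply
        self.conntrack[out.flip()] = pkt
        return out

    def reverse(self, reply: Pkt) -> Pkt:
        """Un-NAT a reply arriving from the server using its conntrack entry."""
        original = self.conntrack[reply]
        return original.flip()     # src=$MYEXTIP:1022, dst=customer


def run(masquerade: bool) -> dict:
    """Send one SYN from the customer and report where the server's reply goes."""
    fw = Firewall(masquerade)
    syn = Pkt(CUSTOMER, 51515, MYEXTIP, FWD_PORT)
    at_server = fw.forward(syn)
    reply = at_server.flip()              # the server's SYN-ACK
    iface = server_egress(reply.dst)
    result = {"server_sees_src": at_server.src, "reply_via": iface}
    if iface == "wg0":
        # reply returns through the tunnel and the firewall un-NATs it
        result["customer_sees"] = fw.reverse(reply)
    else:
        # reply leaves via ISP B with the server's own address; it never reaches
        # the firewall, so the customer's connection to $MYEXTIP:1022 hangs
        result["customer_sees"] = None
    return result


if __name__ == "__main__":
    for masq in (False, True):
        print("MASQUERADE" if masq else "DNAT only ", run(masq))
```

The model also shows the side effect noted in the last post: every packet toward the server that matches the MASQUERADE rule, not only the forwarded ones, arrives with the firewall's tunnel address as source, which is what makes the server's logs lose the real client IP.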