NAT port forward instead of HAproxy ...

[Patrick M. Hausen]

Hi all,

I have two VLANs on my OPNsense and no WAN connection. The system is more of a VPN gateway, DNS server etc. than a firewall.

Code: [Select]

Internet/Fritzbox
192.168.1.1
      |
      |
     LAN                                     OPT1
192.168.1.4/24 ------- OPNsense ------- 217.29.46.41/29 ------- IPsec tunnel ------- TrueNAS 217.29.44.24
      |
  Graphite
192.168.1.55

The network 192.168.1.0/24 does not know about the other network. If anything from the local network 217.29.46.40/29 needs to access the Internet or anything in the RFC 1918 LAN, the connections are NATed.

Outbound, LAN, Interface address - easy.

The single system in the remote network on the other end of that tunnel - which does not know/route the 192.168.1.0/24 - is supposed to send Graphite data on port 2003. At the moment I have set up HAproxy for that.

Listen on 217.29.46.41:2003 - forward to 192.168.1.55:2003. Works. The Graphite server sees the connection coming from 192.168.1.4, of course.

So ... what's the problem?

How can I build the same with NAT instead of HAproxy? When I configure a port forward on OPT1/217.29.46.41 for port 2003, the initial SYN goes to 192.168.1.55 alright - but with a source address of 217.29.44.24. And the Graphite server does not know that network.

Is there a way to port forward and at the same time NAT the connection on the LAN interface so the Graphite server only sees 192.168.1.4 like with a proper proxy?

Thanks,
Patrick

[astuckey]

An outbound NAT rule on the LAN interface when the destination is the graphite server, to replace the source address with the interface address.