Port Forward with SNAT and DNAT?

[ciori]

Hi, I have added a port forward configuration so that I can reach a specific LAN endpoint (server and port) from an external client (mobile smartphone, laptop, etc...), therefore the public IP of the modem/router is being "translated" into the private IP of the server (which should be DNAT, right?).

Now the problem is that, because of a particular setup I have in that server, I need the internal part of the traffic to not carry the public IP of the client connecting to the server, instead I would like it to be masqueraded with the private IP of the OPNsense router (which should be SNAT, right?), so that the server sees the connection as coming from LAN.

Is it possible to do it from the OPNsense web interface, or does it requires some manual/cli editing??

[Monviech (Cedrik)]

Look at the SNAT rule in these docs and adjust it to your needs.

https://docs.opnsense.org/manual/how-tos/nat_reflection.html#start-of-the-how-to-section

[ciori]

Ok thanks, I made it work.

It was confusing for me at first because I was thinking about the differences between port forward and outbound in a strict sense (and I wasn't able to find settings for "incoming" packets), but really the solution was quite simple, I just needed to create an outbound rule assigned to the LAN interface with the needed protocol and port, any as source and the LAN IP of the server as destination with the translation being done with the LAN address of the router.

[Monviech (Cedrik)]

Great job, NAT is always confusing. IPv6 yaaay. IPv4 naaay.