OPNSense site to site with SNAT
First, some background on why such a setup is needed.
It is often the case that the server behind the VPN is a Windows machine, and it is often the case that the VPN setup requires traffic from that server to carry the exact Windows IP as its source.
Because of how Windows routing works, this cannot be configured directly without a complex network setup.
For such cases we can assign a new IP on the VPN machine that intercepts traffic coming from the Windows machine and forwards it into the IPsec channel.
This new IP is called the NAT IP, because it is used in a network address translation. The destination server on the other peer receives the traffic as coming from the Windows machine itself, not from the NAT IP.
The Windows machine, however, has to use the NAT IP to reach the other peer.
This is a working setup that demonstrates how SNAT is configured in OPNsense.
Servers included in the setup:
~Left Side~
1 VPN Server in LEFT_SIDE_SERVER: 99.99.99.99
NAT IP: 99.99.99.100
1 Test server in LEFT_SIDE_SERVER: 99.99.99.101
____________________________________________________________
~Right Side~
1 VPN Server in RIGHT_SIDE_SERVER: 98.98.98.98
NAT IP: 98.98.98.100
1 Test server in RIGHT_SIDE_SERVER: 98.98.98.101
Step-by-step guide
Requirements:
enable the firewall in OPNsense
update OPNsense to the latest version, since older versions had SNAT bugs/problems
On the VPN server in LEFT_SIDE_SERVER (99.99.99.99), configure the following:
1.1 Add the NAT IP in Aliases and as a Virtual IP (in Firewall)
1.2 Set Outbound NAT to Hybrid mode so that manual rules are allowed alongside the automatic ones
1.3 Add an Outbound NAT rule as follows:
Interface: WAN
TCP/IP Version: IPv4
Protocol: any
Source invert: unchecked
Source address: Single host: 98.98.98.101 (RIGHT SIDE test server IP)
Source Port: any
Destination invert: unchecked
Destination address: Single host: 99.99.99.101 (LEFT SIDE test server IP)
Destination port: any
Translation/target: 99.99.99.100 (LEFT SIDE NAT IP)
1.4 Add a Port Forward rule in Firewall as follows:
Interface: WAN
TCP/IP version: IPv4
Protocol: TCP
Source: leave at the default (the Source fields are behind the Advanced toggle)
Destination/Invert: unchecked
Destination port range: other: 1 to 65535
Redirect target IP: Single host or Network: 98.98.98.101 (RIGHT SIDE test server IP)
Redirect target port: other: 1 to 65535
On the VPN server in RIGHT_SIDE_SERVER (98.98.98.98), configure the following:
2.1 Add the NAT IP in Aliases and as a Virtual IP (in Firewall)
2.2 Set Outbound NAT to Hybrid mode so that manual rules are allowed alongside the automatic ones
2.3 Add an Outbound NAT rule as follows:
Interface: WAN
TCP/IP Version: IPv4
Protocol: any
Source invert: unchecked
Destination: 99.99.99.100 (LEFT SIDE NAT IP)
Source address: Single host: 99.99.99.101 (LEFT SIDE test server IP)
Source Port: any
Destination invert: unchecked
Destination address: Single host: 98.98.98.101 (RIGHT SIDE test server IP)
Destination port: any
Translation/target: 98.98.98.100 (RIGHT SIDE NAT IP)
2.4 Add a Port Forward rule in Firewall as follows:
Interface: WAN
TCP/IP version: IPv4
Protocol: TCP
Source: leave at the default (the Source fields are behind the Advanced toggle)
Destination/Invert: unchecked
Destination: 98.98.98.100 (RIGHT SIDE NAT IP)
Destination port range: other: 1 to 65535
Redirect target IP: Single host or Network: 99.99.99.101 (LEFT SIDE test server IP)
Redirect target port: other: 1 to 65535
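To see what the four rules above actually do to a connection, here is an added model of the flow; it is not OPNsense code and not part of the original guide. The outbound NAT rules (1.3, 2.3) and port forwards (1.4, 2.4) are entered as data with the page's addresses, and a single TCP connection from one test server to its local NAT IP is pushed through both gateways, with the reply carried back through the recorded state. The destination of rule 1.4 is not given on the page and is assumed to be the LEFT NAT IP by symmetry with 2.4; the ports 50000 and 8080 are constructed.

```python
"""Constructed model of the page's SNAT/port-forward rules, not OPNsense code.
One TCP connection is pushed through both gateways and the 5-tuple at every
hop recorded.  Addresses are the page's; the destination of rule 1.4 (the LEFT
NAT IP) is assumed by symmetry with 2.4, and the ports are constructed."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def reply_shape(self):
        """The 5-tuple a reply to this packet carries (endpoints swapped)."""
        return Packet(self.proto, self.dst, self.dport, self.src, self.sport)

@dataclass(frozen=True)
class OutboundNat:
    """Step x.3: match source and destination host, rewrite the SOURCE."""
    src: str
    dst: str
    target: str

@dataclass(frozen=True)
class PortForward:
    """Step x.4: match protocol, destination host and port range, rewrite the
    DESTINATION.  'other: 1 to 65535' on the page means every port."""
    proto: str
    dst: str
    target: str
    port_lo: int = 1
    port_hi: int = 65535

class Gateway:
    def __init__(self, outbound, forwards):
        self.outbound, self.forwards = outbound, forwards
        self.states = {}  # reply tuple as it arrives -> reply tuple to emit

    def process(self, pkt):
        # As pf does, consult the state table first: replies to a translated
        # connection are reversed without evaluating the rules again.
        if pkt in self.states:
            return self.states[pkt]
        out = pkt
        for fwd in self.forwards:
            if (out.proto == fwd.proto and out.dst == fwd.dst
                    and fwd.port_lo <= out.dport <= fwd.port_hi):
                out = Packet(out.proto, out.src, out.sport, fwd.target, out.dport)
                break
        for nat in self.outbound:
            if out.src == nat.src and out.dst == nat.dst:
                out = Packet(out.proto, nat.target, out.sport, out.dst, out.dport)
                break
        if out != pkt:
            self.states[out.reply_shape()] = pkt.reply_shape()
        return out

def build_gateways():
    left = Gateway([OutboundNat("98.98.98.101", "99.99.99.101", "99.99.99.100")],   # 1.3
                   [PortForward("tcp", "99.99.99.100", "98.98.98.101")])            # 1.4 (dst assumed)
    right = Gateway([OutboundNat("99.99.99.101", "98.98.98.101", "98.98.98.100")],  # 2.3
                    [PortForward("tcp", "98.98.98.100", "99.99.99.101")])           # 2.4
    return left, right

def trace(initiator, responder, request):
    """Carry a request to the far test server and its reply back; return every hop."""
    in_tunnel = initiator.process(request)
    at_server = responder.process(in_tunnel)
    reply_in_tunnel = responder.process(at_server.reply_shape())  # server answers what it saw
    return {"sent": request, "in_tunnel": in_tunnel, "at_server": at_server,
            "reply_in_tunnel": reply_in_tunnel,
            "reply_at_client": initiator.process(reply_in_tunnel)}

def connect(side, dport=8080):
    """A side's test server opens a TCP connection to its own NAT IP."""
    left, right = build_gateways()
    if side == "left":
        return trace(left, right, Packet("tcp", "99.99.99.101", 50000, "99.99.99.100", dport))
    return trace(right, left, Packet("tcp", "98.98.98.101", 50000, "98.98.98.100", dport))

def consistent(hops):
    """The client hears back from the address it talked to, and the tunnel carries
    the real test-server addresses in both directions (the page's requirement)."""
    return (hops["reply_at_client"] == hops["sent"].reply_shape()
            and {hops["in_tunnel"].src, hops["in_tunnel"].dst}
            == {hops["reply_in_tunnel"].src, hops["reply_in_tunnel"].dst})

if __name__ == "__main__":
    for side in ("left", "right"):
        hops = connect(side)
        print(side, "->", "ok" if consistent(hops) else "BROKEN")
        for hop, p in hops.items():
            print(f"  {hop:16} {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport}")
```

Running it shows the point of the design: each test server only ever talks to its own local NAT IP, while the leg inside the tunnel carries the real test-server addresses on both sides, which is the source-address requirement that motivated the setup. On the OPNsense box itself the same thing can be checked with `pfctl -s nat` (the generated translation rules) and `pfctl -s state` (the live translated states) from a shell.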
Do you need assistance configuring this on your device? Let us know.