Nat – How to Configure Source NAT (Private IP => Public IP Outbound)

Tags: internet, nat, networking

I'm running VMWare ESXi Free and have Zentyal SBS 3.2 running as a Gateway.

I have 5 Public IPS (CIDR/29, let's call them 69.1.1.1 – 69.1.1.5) and currently Zentyal is bound to 69.1.1.1 as the Gateway, with the other 4 Public IPs set as Virtual Interfaces in Zentyal (wan2-wan5)

I have machines sitting on the Private Network (10.34.251.x) that, when going Outbound (to Google for instance) should be seen by the Internet as an IP other than the Gateway (69.1.1.1), this is because our machines need to be able to communicate with 3rd party APIs that expect these requests to come from a specific IP.

From what I could find, SNAT (Source NAT) in Zentyal is used to achieve this, but I'm not sure how to configure it and cannot find a specific piece of Documentation for it at Zentyal.

I've tried setting this up a couple different ways, with no results and at this point I have no idea if I'm going about this completely wrong, or my lack of experience with networking and the associated terminology is preventing me from placing the correct values in the correct fields.

I get the following form to set up "SNAT" rules in Zentyal:

[Image: Zentyal SNAT Rule Screen]

Perhaps someone can offer some guidance and definitions for the fields above?

SNAT Address: Is this the Public IP I want to masquerade as?
Outgoing Interface: Should this be my External NIC (the one connected to the Public 'Net), or is it the "Private" interface? It sounds as though this should be the External interface, as I want the traffic from the internal network sent out over this interface (using a different IP than normal, anyway).
Source: Is this the Source on the internal network (one of the private IPs?), a public IP I want to masquerade as, or something else entirely?
Destination: Is this a place on the Internet (e.g., "Only do this for the site Google.com"/IP), or am I allowing myself to become confused again?
Service: I'm assuming this allows me to restrict which services this rule will apply to, but is it for a service on the internal network or a service being accessed on the external network?

If I can offer any further details or information to make what I'm trying to do more clear, I will happily do so.

Honestly, any kind of help here would be very appreciated. I'm not a NetOps person or anything even close; I spend most of my day writing code, and my entire "team" at this company consists of "me, myself, and I", so while I try to broaden my KB at every possible opportunity, I can only learn so much, so fast. I feel like with networking especially there's just so much, coupled with a learning curve for each solution that likes to (from my limited perspective) use slightly different terminology than what I'm used to (and I don't exactly have the necessary experience to cross-reference this stuff with the stuff I already know in context).

Best Answer

After "Brute Forcing" the configuration (for the second time) I've managed to get this to work.

The first time I tried to configure this every conceivable way I could think of, I didn't have the Virtual Interfaces assigned to the WAN interface. Apparently in Zentyal (and possibly the networking world entirely), the router/gateway/whatever it's called technically isn't completely "aware" of the other IPs in your CIDR (assuming you have something other than a /32 with more than 1 IP).

After I'd assigned the Virtual Interfaces (called wan2 -> wan4, not important really), I didn't even think to try to configure this again right away, as, due to my lack of networking experience, I didn't think they were important, nor did I know what they even were (still don't, really, nor do I understand why it's important).

With all of the extra IPs in the CIDR assigned to you by your ISP/DC/ARIN assigned to Virtual Interfaces (I think other solutions like pfSense call them Virtual NICs or vNICs, for reference), you can follow the configuration guide below. Keep in mind that I'm completely useless when it comes to networking and I did "brute force" this config until it worked (I tried everything), so Your Mileage May Vary (significantly). I could be completely wrong and have just gotten lucky.

That said, definitions!:

SNAT address: This is the IP you're trying to "Masquerade" as when you connect to a site like Google.
Outgoing Interface: I wanted to send the traffic out over the public network, so I left this set as my "External" interface. This worked for my purpose.
Source: This is the IP of the Machine/VM sitting behind your Private network that you want to be seen on the Internet as having the address defined above in the SNAT address field.
Destination: I believe you would use this to change which site sees which IP. So if I only wanted to show 69.1.1.2 to Google and wanted Facebook to see the Router/Zentyal IP, I could set that here (Google uses Round Robin DNS, so probably a bad example as you don't always connect to the same IP when you visit Google; not sure how you would handle that!).
Service: Presumably this works similarly to Destination, except I have no idea if it affects the Local Service or the Remote Service. Since it's immediately after the Destination field, it might be safe to assume it affects the Destination address.

[Image: Zentyal SNAT with correct config using placeholders]

Above you can see my configuration using placeholders. This is working and tested from a Windows 7 Enterprise client, tested by typing "My IP" into Google (who graciously shows which IP they're seeing).

Also, I saw mention during my Googling that to use "SNAT" (Source NAT) rules, you need a "DNAT" (Destination NAT) rule that corresponds, so traffic can return. If there's anything else that needs to happen for the traffic to be returned to the correct VM/Machine, Zentyal will do this for you (I think, as it's working right now as one would expect without any further configuration).

If I can be more specific, or if anything in here is completely wrong, please let me know.

UPDATE: If you're still having trouble with this, make sure you click the Save button in the top right of the Zentyal Admin Portal after you make just about any change in Zentyal, as Zentyal doesn't write the configuration files (or restart the service so it uses the new config) when you "save" the setting on the current page. Presumably this allows you to make a bunch of changes at once that could conflict and then "commit" them all at once. Honestly, this can be frustrating when debugging, as it's easy to forget to do this and you're left smashing your face on a keyboard wondering why it "won't work."
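For readers who want to see what the form fields above correspond to underneath, here is an added example (not part of the question or the answer, and not Zentyal's own code) of the Linux netfilter configuration that a Source NAT rule of this kind resolves to: the extra public IP is bound to the WAN interface (the "virtual interface" step the answer found necessary), then a POSTROUTING rule in the nat table rewrites the source address of packets from one private host leaving that interface. The interface name eth0, the 69.1.1.0/29 block with 69.1.1.1 on the gateway, the 10.34.251.0/24 LAN, the hosts 10.34.251.10 and 10.34.251.11, and the API network 203.0.113.0/24 are all placeholders chosen for the example. The script prints the commands by default and only executes them (as root) when APPLY=1 is set.

```shell
#!/bin/sh
# Added example: what a Zentyal-style SNAT rule looks like as raw ip/iptables.
# All addresses and the interface name are placeholder assumptions.
WAN_IF="${WAN_IF:-eth0}"     # "Outgoing interface": the NIC holding the public IPs
WAN_PREFIX=29                # the /29 the ISP assigned
LAN_NET="10.34.251.0/24"     # the private network behind the gateway

# Print commands unless APPLY=1, so the script is safe to read and test offline.
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# Step 1: bind the extra public IP to the WAN interface. Without this the
# gateway never answers ARP for that address, and the upstream router has
# nowhere to deliver replies addressed to the SNAT'd source.
add_virtual_ip() {           # add_virtual_ip <public-ip>
    run ip addr add "$1/$WAN_PREFIX" dev "$WAN_IF"
}

# Step 2: the SNAT rule itself.
#   "Source"        -> -s <private host>
#   "Outgoing if."  -> -o $WAN_IF
#   "SNAT address"  -> --to-source <public ip>
#   "Destination"   -> optional -d <remote network>
#   "Service"       -> optional -p tcp --dport <remote port>
# Scoping by destination/port keeps the API-allowlisted address from being
# used by that host for everything else it talks to.
snat_rule() {                # snat_rule <private-src> <public-ip> [dest-cidr] [dport]
    src=$1; pub=$2; dst=${3:-}; dport=${4:-}
    set -- -t nat -A POSTROUTING -s "$src" -o "$WAN_IF"
    if [ -n "$dst" ]; then
        set -- "$@" -d "$dst"
    fi
    if [ -n "$dport" ]; then
        set -- "$@" -p tcp --dport "$dport"
    fi
    run iptables "$@" -j SNAT --to-source "$pub"
}

# Step 3: everything else on the LAN keeps leaving as the gateway's own
# address. This catch-all must be appended AFTER the specific SNAT rules,
# because the first matching rule in POSTROUTING wins.
default_masquerade() {
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
}

# Step 4: a check to run on the gateway after applying. Connection tracking
# records the translated reply tuple for each flow, which is why no separate
# DNAT rule is needed for return traffic; the entry below should show the
# public IP as the reply destination for the private host's flows.
show_translations() {        # show_translations <private-src>
    run conntrack -L -s "$1"
}

main() {
    add_virtual_ip 69.1.1.2
    add_virtual_ip 69.1.1.3
    snat_rule 10.34.251.10 69.1.1.2                       # all outbound from this VM
    snat_rule 10.34.251.11 69.1.1.3 203.0.113.0/24 443    # only HTTPS to the API network
    default_masquerade
    show_translations 10.34.251.10
}

main
```

Run it once without APPLY to review the generated rules, then with `APPLY=1` as root on the gateway. The iptables rules are not persistent across reboots on their own; on a Zentyal box the equivalent is what the admin portal writes out when you click Save, so treat this script as a way to understand and verify that configuration rather than a replacement for it.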