source nat'ing as a virtual ip with firewalld, conntrackd and keepalived

Hi All, I have the following setup: 2 * redhat 7 servers, each has two nics. En016780032 is for the "local lan". eno33559296 is for conntrackd synchronization. I am not worried about the conntrackd nic's. Server1 = 192.168.7.21 local lan Server2 = 192.168.7.22 local lan Keepalived vip = 192.168.7.20 This server is used to proxy connections from an internal network, to a remote vendor network. i.e. Internal network = 192.168.1.xx Remote vendor gateway = 192.168.7.160, and it links to various addresses. Internal network will use the keepalived vip for failover connectivity. A connection could be like below: 192.168.1.30 -> 192.168.7.20:16076 -> which is forwarded by firewalld to the remote vendor ip 155.1.1.2:9525 using a rule such as... rich rules: rule family="ipv4" forward-port port="16076" protocol="tcp" to-port="9525" to-addr="155.1.1.2" this is working fine. But I have a problem. The vendor nat's our source ip as a single ip as per there policy. So, they will only accept connections from a single source ip. I have asked if they can do a "many to one nat" but they will not do this. The problem is that, either server, will show the source ip as the actual ip address of the local lan. So connections going out from Server1 will look like they come from 192.168.7.21, and connections from Server2 will look like they come from 192.168.7.22. This will be a problem if a failover occurs. To get around this, I'd like to be able to source nat in firewalld any outbound connections so they appear as if they come from the keepalived vip (.20). I am not sure if this is possible in a "single interface" setup, like I have, or whether masquerading could help here (although I think masquerading may just use the ip of the interface which still wouldn't help me). I am new to firewalld, so am reaching out for help on whether it's possible to source nat or masquerade in firewalld as the keepalived vip address? Appreciate any help on this. Thanks, Les