ds12345
just joined
Topic Author
Posts: 18
Joined: Mon Mar 12, 2018 12:08 pm

1 WAN interface multiple IP's

Thu Nov 08, 2018 4:56 pm

Hi,

I have 1 wan interface and 4 Public IP addresses, there is one inside LAN subnet on interface 2. I would like everyone to have the same public IP and traffic to go out with this IP. But I have one machine in the subnet to use one of the other public IPs for port forwarding from the internet.

I'm pretty sure I can do this just not sure how!

Do I use the src NAT masquerade rule with the whole LAN subnet, then a rule just before it, with the src-nat src address (the one inside IP) mapped to the dst address of the other public IP, and allow?

Cheers!
 
anav
Forum Guru
Posts: 22333
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: 1 WAN interface multiple IP's

Thu Nov 08, 2018 11:48 pm

Hi just so I understand.
You have one physical WANIP connection.
Your ISP provider has given you four WAN IPs to use as you see fit.

You have one LAN (on physical ethernet 2).
You want all the LAN users to use a specific WANIP.
You want one device on the LAN (probably a server of some type) to be able to accept port forwardings.
However you want that port forwarding to come in on a different WANIP.

Question? Does that particular Device(machine) require access to the standard WANIP (that everybody uses) the rest of the time, or will ALL traffic from this device be through the alternate WANIP?
 
ds12345
just joined
Topic Author
Posts: 18
Joined: Mon Mar 12, 2018 12:08 pm

Re: 1 WAN interface multiple IP's

Fri Nov 09, 2018 11:27 am

Yes, that's all correct. I think we would probably want this device to use one of the different WAN IPs for all its traffic. Seems like the most sensible option.
 
anav
Forum Guru
Posts: 22333
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: 1 WAN interface multiple IP's

Fri Nov 09, 2018 4:40 pm

Let's assume a WAN interface with 4 IPs: 24.100.20.101/102/103/104
LAN1 is 192.168.10.0/24
Machine IP is 192.168.10.50

SourceNAT Rules.

(1) add chain=srcnat action=src-nat to-addresses=24.100.20.101 out-interface=WAN
(2) add chain=srcnat src-address=192.168.10.50 action=src-nat to-addresses=24.100.20.102 out-interface=WAN

( I don't think you need to explicitly exclude the machine IP from the first rule and am hoping someone else can clarify, but if necessary:
( (1) add chain=srcnat src-address=!machineIP action=src-nat to-addresses=IP1 out-interface=WAN

Step 1: So this explains the private to public translations to the router.
Step2: Need to tell the router the routing paths
Step3: Need to port forward - Destination NAT

Step3:
Add chain=dstnat (protocol tcp or udp) Destination address=24.100.20.102 Destination port(s) in-interface=wan action=dst-nat to-addresses=192.168.0.50

(if you can its best to limit who on the internet can access this server by creating an address list called "server access"
server access - ip1
server access - ip2
server access - ip3
server access - ip range

and then the rule would look like
Add chain=dstnat (protocol tcp or udp) Destination address=24.100.20.102 Destination port(s) in-interface=wan \
src-address-list=server access action=dst-nat to-addresses=192.168.0.50

Step 2. That's a bit harder, but since you don't require failover, it may be best to:
a. mark connections for the machine IP Called "server traffic", and then associate these connections with a routing mark called "MachineMark".
b. use the routing mark in a routing rule along with preferred source of 24.100.20.102

You would need two rules, one for the general LAN:
add distance=2 dst-address=0.0.0.0/0 gateway=of WAN scope=10 preferred source=24.100.20.101

and one for the machine.
add distance=4 dst-address=0.0.0.0/0 gateway=of WAN scope=10 routing-mark=MachineMark preferred source=24.100.20.102

Notes:
1- I am not sure if one needs to put the general LAN distance lower (higher priority) as the preferred source is marked, but I don't think it does any harm.
2- I am unsure of what to put in for dst-address but the OP in this case.
 
ds12345
just joined
Topic Author
Posts: 18
Joined: Mon Mar 12, 2018 12:08 pm

Re: 1 WAN interface multiple IP's

Fri Nov 09, 2018 6:27 pm


(1) add chain=srcnat action=src-nat to-addresses=24.100.20.101 out-interface=WAN
(2) add chain=srcnat src-address=192.168.10.50 action=src-nat to-addresses=24.100.20.102 out-interface=WAN

( I don't think you need to explicitly exclude the machine IP from the first rule and am hoping someone else can clarify, but if necessary:
( (1) add chain=srcnat src-address=!machineIP action=src-nat to-addresses=IP1 out-interface=WAN
I was under the impression that if you switch round the order it's fine. So unless your IP is 192.168.10.50, you go to the next rule?

Also, do you need the distance rules? If the NAT rules are in place, and the port forwards, that covers inbound and outbound?

Thanks!
 
anav
Forum Guru
Posts: 22333
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: 1 WAN interface multiple IP's

Fri Nov 09, 2018 9:00 pm


(1) add chain=srcnat action=src-nat to-addresses=24.100.20.101 out-interface=WAN
(2) add chain=srcnat src-address=192.168.10.50 action=src-nat to-addresses=24.100.20.102 out-interface=WAN

( I don't think you need to explicitly exclude the machine IP from the first rule and am hoping someone else can clarify, but if necessary:
( (1) add chain=srcnat src-address=!machineIP action=src-nat to-addresses=IP1 out-interface=WAN
I was under the impression that if you switch round the order it's fine. So unless your IP is 192.168.10.50, you go to the next rule?

Also, do you need the distance rules? If the NAT rules are in place, and the port forwards, that covers inbound and outbound?

Thanks!
Good questions!
I would think order in ip firewall rules is very important.
I would think order in routing rules is not important, the route will determine the best path from what are the available routes.

However, IP NAT I am not sure about, i.e. whether order is important?
In that case I would err on the side of caution and put the 192.168.0.50 rule first in srcnat.
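A complete RouterOS configuration for the setup discussed in this thread, added here as an example; it is not taken from any of the posts above. It assumes the interface names ether1-WAN and ether2-LAN, a /24 prefix on the WAN side, TCP port 443 as the forwarded service, constructed client addresses in the "server-access" list, and the server at 192.168.10.50 (the address that matches the LAN subnet given earlier). It keeps a single default route: with one gateway, src-nat alone decides which public address a host leaves from, so the routing-mark rules from Step 2 are not included. The host-specific srcnat rule is placed above the LAN-wide rule because the nat chain is evaluated top-down and src-nat is a terminating action, which answers the ordering question raised in the last two posts.

```routeros
# Added example, not from the thread. Assumed names/values: ether1-WAN,
# ether2-LAN, /24 on the WAN side, TCP 443 as the published service, and
# constructed client addresses in the server-access list.
/ip address
add address=24.100.20.101/24 interface=ether1-WAN comment="shared outbound IP"
add address=24.100.20.102/24 interface=ether1-WAN comment="server public IP"
add address=192.168.10.1/24 interface=ether2-LAN comment="LAN gateway"

/ip route
# One gateway, so a single default route is enough (gateway is assumed).
add dst-address=0.0.0.0/0 gateway=24.100.20.1 distance=1

/ip firewall address-list
# Constructed example sources allowed to reach the forwarded port.
add list=server-access address=203.0.113.10 comment="constructed client"
add list=server-access address=198.51.100.0/24 comment="constructed range"

/ip firewall nat
# The nat chain is first-match and src-nat terminates processing, so the
# server-specific rule must come BEFORE the LAN-wide rule; otherwise the
# server would also leave via 24.100.20.101.
add chain=srcnat src-address=192.168.10.50 out-interface=ether1-WAN \
    action=src-nat to-addresses=24.100.20.102 comment="server -> .102"
add chain=srcnat src-address=192.168.10.0/24 out-interface=ether1-WAN \
    action=src-nat to-addresses=24.100.20.101 comment="rest of LAN -> .101"
# Inbound: only sources on the address list may reach the published port.
add chain=dstnat in-interface=ether1-WAN dst-address=24.100.20.102 \
    protocol=tcp dst-port=443 src-address-list=server-access \
    action=dst-nat to-addresses=192.168.10.50 to-ports=443 \
    comment=".102:443 -> server"

/ip firewall filter
# dst-nat only rewrites the packet; the forward chain must still allow it,
# and everything else arriving on the WAN should be dropped.
add chain=forward connection-state=established,related action=accept
add chain=forward in-interface=ether1-WAN connection-nat-state=dstnat \
    src-address-list=server-access action=accept comment="published service"
add chain=forward in-interface=ether1-WAN action=drop comment="no other inbound"
```

Paste this into a terminal session on the router (or import it as a .rsc file). To confirm the ordering works, open an outbound connection from 192.168.10.50 and from another LAN host, then run `/ip firewall connection print detail`: the server's entries should show reply-dst-address=24.100.20.102 while the other host's show 24.100.20.101. Swapping the two srcnat rules and repeating the check shows the server falling back to .101, which is the behaviour the final post was unsure about.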