I have a need to apply SNAT and DNAT to the same connection. The reason is that I have a RB150 behind 3 DSL routers. Each DSL has telnet and http interface and I need access from external while securing this. I also need to be able to access the interface on one router from connection of one of the others e.g. to diagnose or configure by remote.

My plan is to allocate 6 ports on the RB itself as follows: tcp 8901-8903 amd tcp 8801-8803. I want to map these to redirect to the DSL routers on tcp:80 and tcp:23

At present the workflow I have is as follows:

1. I add a filter on the input chain of the RB to allow connection to ports 8901-8903 and 8801-8803 from src address in an address list used to restrict access to the ports.
2. I add a dstnat on the RB to change the destination IP and port. In this case if external address of RB is 1.1.1.1 and DSL router is 2.2.2.2 I set a dst nat to map src: 1.1.1.1:8901 to dest: 2.2.2.2:80
3. I add a masquerade rule applied to traffic destined for 2.2.2.2:80 so that it masquerades with the IP address of the router

All of this seems to make sense and has worked on numerous occasions. The problem I have is that I cannot get it to operate consistently and I am not sure why.

Does anyone have any thoughts or opinions on the best way to implement this redirect function or if there is any mistake in my logic?

Thanks in advance for any assistamce

mangle -> prerouting, mark your new connections to selected ports (state=new)
then dst and src (masquerade) nat'em =)

it works fine for me

Thanks for comment. I assume you are doing it for similar reasons? I had not been using connection mark and I think from recent RoS experience that connection/packet/route marking is the way to get maximum flexibility and function.

yes, I redirect IRC and Web traffic from the Internet to our local servers, and it's working perfect =)

mangling rulez =)