NAT question - multiple public IP use on one subnet.(solved)
Posted: Fri Dec 05, 2014 8:40 am
by sveno
Hi,
I have a public IP NATed with masquerade but I want an address of the same local subnet to use another public IP. Can I do this or do I need another network for this machine (like DMZ)?
Edit: I tried to use !192.168.1.5 as source address in the main src-nat to exclude it but still the 192.168.1.5 src-nat to the second public ip has 0 hits.
Re: NAT question - multiple public IP use on one subnet.
Posted: Fri Dec 05, 2014 8:55 pm
by rmmccann
You can do this, however you need to create src-nat rules with action=srcnat for each public IP address you want to use. These need to sit ABOVE the masquerade rule.
Masquerade by default uses the first assigned/enumerated IP address of the MT device. So if you have 1.1.1.1, 1.1.1.2, and 1.1.1.3 assigned from your WAN, masquerade will always use 1.1.1.1. If you want client1 to use 1.1.1.2 and client2 to use 1.1.1.3, you need to create separate srcnat entries for each client and srcnat to that public ip address.
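The first-match ordering described above, as an added toy model written for this thread (it is not RouterOS code and not something any poster supplied); the rule fields, the "masquerade picks the interface's first address" shortcut and the sample flows are assumed or constructed. It also shows why a rule's hit counter only moves on new connections: the srcnat chain is consulted for a connection's first packet only, and later packets follow the existing connection-tracking entry.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    action: str                          # "src-nat" or "masquerade"
    out_interface: str
    src_address: Optional[str] = None    # host or CIDR; None matches any source
    to_addresses: Optional[str] = None   # only meaningful for action=src-nat
    hits: int = 0                        # the counter the thread is watching
    def matches(self, src: str, out_if: str) -> bool:
        return self.out_interface == out_if and (self.src_address is None or
            ipaddress.ip_address(src) in ipaddress.ip_network(self.src_address, strict=False))

class SrcNatChain:
    """First-match chain; the NAT decision is made once per connection (conntrack)."""
    def __init__(self, rules, iface_first_ip):
        self.rules = list(rules)
        self.iface_first_ip = iface_first_ip  # masquerade uses the interface's first address
        self.conntrack = {}                   # flow tuple -> translated source address
    def translate(self, flow, out_if="ether1-gateway"):
        # flow = (src, sport, dst, dport); only a connection's first packet walks the rules
        if flow in self.conntrack:
            return self.conntrack[flow]
        new_src = flow[0]
        for rule in self.rules:
            if rule.matches(flow[0], out_if):
                rule.hits += 1
                new_src = rule.to_addresses if rule.action == "src-nat" \
                    else self.iface_first_ip[out_if]
                break
        self.conntrack[flow] = new_src
        return new_src

def build_chain(specific_rule_first: bool) -> SrcNatChain:
    specific = Rule("src-nat", "ether1-gateway", "192.168.1.5", "1.1.1.2")
    masq = Rule("masquerade", "ether1-gateway")
    order = [specific, masq] if specific_rule_first else [masq, specific]
    return SrcNatChain(order, {"ether1-gateway": "1.1.1.1"})

def run(specific_rule_first: bool) -> dict:
    """One constructed HTTPS flow from 192.168.1.5 and one from another LAN host."""
    chain = build_chain(specific_rule_first)
    host5 = ("192.168.1.5", 50000, "203.0.113.10", 443)
    host20 = ("192.168.1.20", 50001, "203.0.113.10", 443)
    result = {"192.168.1.5": chain.translate(host5), "192.168.1.20": chain.translate(host20)}
    chain.translate(host5)   # later packet of the same connection: no further rule hit
    result["src-nat hits"] = chain.rules[0 if specific_rule_first else 1].hits
    return result
```

With masquerade placed above the specific rule, `run(False)` shows 192.168.1.5 leaving as 1.1.1.1 and the src-nat rule at 0 hits; with the order rmmccann recommends, `run(True)` maps it to 1.1.1.2 while other hosts keep 1.1.1.1.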
Re: NAT question - multiple public IP use on one subnet.
Posted: Sat Dec 06, 2014 8:29 am
by sveno
Now I have the following under nat:
chain=srcnat action=src-nat to-addresses=1.1.1.2 src-address=192.168.1.5 out-interface=ether1-gateway log=no
chain=srcnat action=masquerade out-interface=ether1-gateway log=no
chain=dstnat action=dst-nat to-addresses=192.168.1.5 dst-address=1.1.1.2 log=no
addresses (edited):
192.168.1.1/24 192.168.1.0 ether2-master-local
1 1.1.1.1/29 1.1.1.6 ether1-gateway
I don't even get hits on the dstnat anymore
Re: NAT question - multiple public IP use on one subnet.
Posted: Sat Dec 13, 2014 11:37 am
by sveno
Bump. I'm still stumped over this. Is there anything wrong with my config or are these lines ok and the problem is elsewhere?
Re: NAT question - multiple public IP use on one subnet.
Posted: Tue Dec 16, 2014 7:20 pm
by rmmccann
Those rules look correct to me, however it may have something to do with the order in which they are entered.
You could try moving your DST-NAT entry above masquerade and see if that helps. You may also want to specify an "in-interface" for that rule.
Re: NAT question - multiple public IP use on one subnet.
Posted: Tue Dec 16, 2014 7:42 pm
by jfvelamoscoso
Please give me a diagram and the result of /ip firewall nat export compact
Re: NAT question - multiple public IP use on one subnet.
Posted: Sun Dec 21, 2014 10:13 am
by sveno
Got the Dst-Nat working by adding the external IP (1.1.1.2) to addresses:
0 192.168.1.1/24 192.168.1.0 ether2-master-local
1 1.1.1.1/29 1.1.1.6 ether1-gateway
2 1.1.1.2/29 1.1.1.6 ether1-gateway
Still no hits on src-nat (first in table below).
Specifying TCP and a port (443) didn't change anything.
nat export compact:
add action=src-nat chain=srcnat out-interface=ether1-gateway src-address=\
192.168.1.5 to-addresses=1.1.1.2
add action=masquerade chain=srcnat out-interface=\
ether1-gateway
add action=masquerade chain=srcnat out-interface=\
LTE to-addresses=0.0.0.0
add action=dst-nat chain=dstnat dst-address=\
1.1.1.2 in-interface=ether1-gateway to-addresses=192.168.1.5
Re: NAT question - multiple public IP use on one subnet.
Posted: Sun Dec 21, 2014 10:37 am
by sveno
Ok. A really weird thing happened. I switched the local address to another server... and voila, it is responding. I changed both the src-nat and the dst-nat to say 192.168.1.6. The weird thing is that the src-nat still has 0 hits. So the masquerade is using 1.1.1.1 and 1.1.1.2. What is going on?
EDIT: Changing back to 192.168.1.5 and it works too. WTF is this sorcery? src-nat is disabled and the whole thing works as it should - everyone is using the 1.1.1.1 and 192.168.1.5 is using 1.1.1.2.