sarcom
just joined
Topic Author
Posts: 3
Joined: Mon Oct 31, 2011 2:56 pm

How to map public subnet on interface-WAN to interface-DMZ

Mon Oct 31, 2011 3:08 pm

I would like to map a /24 public subnet on WAN interface to interface-DMZ;
On the same interface there is a /32 public subnet which is used for LAN on interface-1. There are no issues with that.

Would something like below work? Or if there is a better alternative which could be used.

If you want to link Public IP subnet 123.241.124.0/24 to local one 123.241.124.0/24, you should use destination address translation and source address translation features with action=netmap.

/ip firewall nat add chain=dstnat dst-address=123.241.124.1-123.241.124.254 \
action=netmap to-addresses=123.241.124.1-123.241.124.254

/ip firewall nat add chain=srcnat src-address=123.241.124.1-123.241.124.254 \
action=netmap to-addresses=123.241.124.1-123.241.124.254
 
Feklar
Forum Guru
Posts: 1724
Joined: Tue Dec 01, 2009 11:46 pm

Re: How to map public subnet on interface-WAN to interface-D

Mon Oct 31, 2011 6:28 pm

1.) With netmap you need to feed it FULL subnets, it cannot be a range, this means both broadcast and network IP addresses must be usable. So if you want to use netmap, in your case of a /24, the biggest rule you could have is a /26. You can then break it up into smaller subnets with more rules.
2.) NAT means you change the header of the packet, what your rules are doing below is just rewriting it to the same thing, that does you no good. Typically you rewrite the header so it goes to a different subnet, like 172.16.0.0/24
3.) Netmap doesn't really give you any control over what IP address on one subnet is assigned to another, so may not be well suited for your goals.

What are you trying to do specifically? Are you trying to assign real IP addresses to devices on your DMZ? Better solutions are these: See if you can get that subnet routed to you, then you can assign the addresses wherever you want. If that is not possible, contact your ISP and see if turning on proxy-arp will cause problems for them. If not then there are some tricks you can use for that, but it can cause a fair number of problems.
 
sarcom
just joined
Topic Author
Posts: 3
Joined: Mon Oct 31, 2011 2:56 pm

Re: How to map public subnet on interface-WAN to interface-D

Tue Nov 01, 2011 12:19 am

Thanks Feklar,

I thought there was a better option.
Yes, I am trying to assign real IP addresses to devices on our DMZ.
Both public IP subnets are on the WAN port as provided by the ISP.
This did work with Zywall70 which is now replaced with RB1100.
I would appreciate if you can list the commands to route this public subnet from interface-WAN to interface-DMZ.
 
Feklar
Forum Guru
Posts: 1724
Joined: Tue Dec 01, 2009 11:46 pm

Re: How to map public subnet on interface-WAN to interface-D

Tue Nov 01, 2011 4:00 am

Your /24 would have to be routed to you by the ISP, probably by a /30. Then you would have your /30 on your WAN, and the /24 on the "DMZ."

The proxy-arp method is an ugly hack, but is possible. I would contact your ISP first and see if turning on proxy-arp would cause a problem for them. I have the post saved somewhere how to do it, but not available right now. If you want I can link it tomorrow.
 
sarcom
just joined
Topic Author
Posts: 3
Joined: Mon Oct 31, 2011 2:56 pm

Re: How to map public subnet on interface-WAN to interface-D

Tue Nov 01, 2011 5:52 am

INBOUND:
Ok, I can now reach a server on the DMZ-interface from public internet and open an ssh session.
All I needed to do was to add the public subnet to ip route table.
internet---->wan/RB1100/dmz--------server1(123.240.24.118)

OUTBOUND:
Which is all good, now the only issue is when I telnet out to a public server from server 123.240.24.118, my IP address appears as the first public subnet which is 60.240.48.245.
I need 123.240.24.118 to appear as the originator.
 
Feklar
Forum Guru
Posts: 1724
Joined: Tue Dec 01, 2009 11:46 pm

Re: How to map public subnet on interface-WAN to interface-D

Tue Nov 01, 2011 5:29 pm

Restrict your src-nat rule to not include your DMZ subnet. That should take care of it.
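As an added illustration of the routed setup and the srcnat fix described in this thread (example config, not posted by either participant): the interface names WAN and DMZ, the ISP /30 with gateway 60.240.48.246, and the /24 mask on the DMZ are assumptions; the addresses 60.240.48.245 and 123.240.24.0/24 come from the posts above.

```routeros
# Added example, not from the thread. WAN/DMZ interface names, the ISP /30
# and its gateway 60.240.48.246 are assumed; adjust to the real ISP hand-off.
/ip address
add address=60.240.48.245/30 interface=WAN comment="ISP-facing /30 (assumed)"
add address=123.240.24.1/24 interface=DMZ comment="routed public /24 lives on the DMZ"

/ip route
add dst-address=0.0.0.0/0 gateway=60.240.48.246 comment="ISP gateway (assumed)"

# BEFORE: this rule matches every packet leaving WAN, the DMZ included, so a
# session from 123.240.24.118 reaches the remote host as 60.240.48.245.
/ip firewall nat
add chain=srcnat out-interface=WAN action=masquerade disabled=yes \
    comment="BEFORE - too broad, masquerades the public DMZ as well"

# AFTER: exclude the public DMZ subnet (! negates the match). Only the private
# LAN is translated; DMZ hosts leave with their real 123.240.24.x addresses.
add chain=srcnat src-address=!123.240.24.0/24 out-interface=WAN action=masquerade \
    comment="AFTER - LAN only, DMZ keeps its real source addresses"
```

After applying it, `/ip firewall nat print stats` lets you confirm that outbound DMZ traffic no longer increments the masquerade rule's counters while LAN traffic still does.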
