Can someone give a more detailed explanation of what this does, with a couple of “practical” examples maybe?
Example of 1:1 mapping
If you want to link Public IP subnet 11.11.11.0/24 to local one 2.2.2.0/24, you should use destination address translation and source address translation features with action=netmap.
/ip firewall nat add chain=dstnat dst-address=11.11.11.1-11.11.11.254 action=netmap to-addresses=2.2.2.1-2.2.2.254
/ip firewall nat add chain=srcnat src-address=2.2.2.1-2.2.2.254 action=netmap to-addresses=11.11.11.1-11.11.11.254
Greetings!
This allows you to “translate” a public network subnet to a private network subnet. It allows you to expose servers behind your router as if they were on the public side of the router.
The example you posted is a good one. With those rules, if you were on the public net, and entered http://11.11.11.1 in your browser address bar, then the server on the local net with the IP 2.2.2.1 would respond to that request. And if that server needs to contact the public net, it will appear as if it is 11.11.11.1.
The same for 11.11.11.2: the server with the localnet IP 2.2.2.2 would respond to those requests. If it needs anything from the outside world, it will appear as 11.11.11.2. And so on…
Thanks surferjim, you answered my question completely.
One small thing to note here.
If you are doing a combination of 1:1 mapping on your network and just regular NAT for users who don't need a public IP address, you need to be careful that you do your src-nat properly.
Things will “sort” of work if you have the basic masquerade rule for your normal non 1:1 clients, but this will not properly map the 1:1 clients…
The rule that can cause confusion is:
chain=srcnat action=masquerade out-interface=ether1
This is a generic masquerade rule…
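Added illustration (not part of the original posts and not RouterOS code): a small Python model of the rules discussed above, showing the 1:1 offset mapping and why a generic masquerade rule that matches before the srcnat netmap rule sends 1:1 hosts out with the router's address, since NAT rules are evaluated top-down and the first match wins. The WAN address 198.51.100.1, the client 192.168.88.10 and the helper names are assumptions; out-interface matching is left out.

```python
import ipaddress

def ip(s):
    return int(ipaddress.IPv4Address(s))

def parse_range(r):
    """'2.2.2.1-2.2.2.254' -> (first, last) as integers."""
    first, last = r.split("-")
    return ip(first), ip(last)

def netmap(addr, match_range, to_range):
    """1:1 translation: keep the host's offset inside the range (simplified model)."""
    m_first, m_last = parse_range(match_range)
    t_first, t_last = parse_range(to_range)
    if m_last - m_first != t_last - t_first:
        raise ValueError("netmap ranges must be the same size")
    return str(ipaddress.IPv4Address(t_first + (ip(addr) - m_first)))

def srcnat(src, rules, wan_ip):
    """Walk the srcnat chain top-down; the first matching rule decides."""
    for rule in rules:
        if "src-address" in rule:
            first, last = parse_range(rule["src-address"])
            if not first <= ip(src) <= last:
                continue
        if rule["action"] == "netmap":
            return netmap(src, rule["src-address"], rule["to-addresses"])
        if rule["action"] == "masquerade":
            return wan_ip
    return src  # no rule matched: source left untouched

# Rules from the thread, as dictionaries (out-interface matching is omitted).
NETMAP_SRC = {"src-address": "2.2.2.1-2.2.2.254", "action": "netmap",
              "to-addresses": "11.11.11.1-11.11.11.254"}
MASQUERADE = {"action": "masquerade"}
WAN_IP = "198.51.100.1"  # constructed router WAN address, not from the thread

def demo():
    return {
        "dstnat 11.11.11.2": netmap("11.11.11.2", "11.11.11.1-11.11.11.254", "2.2.2.1-2.2.2.254"),
        "netmap first": srcnat("2.2.2.2", [NETMAP_SRC, MASQUERADE], WAN_IP),
        "masquerade first": srcnat("2.2.2.2", [MASQUERADE, NETMAP_SRC], WAN_IP),
        "plain NAT client": srcnat("192.168.88.10", [NETMAP_SRC, MASQUERADE], WAN_IP),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:>18} -> {result}")
```

With the netmap rule first, 2.2.2.2 leaves as 11.11.11.2 and only the non-1:1 client is masqueraded; with the masquerade rule first, 2.2.2.2 leaves with the router's WAN address instead.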
In the ‘Port forward’ thread below someone suggested using net-mapping for port forwarding, which I thought made sense but couldn’t get it to work, i.e.
ip firewall nat add chain=dstnat action=netmap protocol=tcp dst-port=5555 dst-address=[your client address here] to-ports=5555
Anyone care to pick up the last post to that thread and let me know where I’m still going wrong in the mapping business?
ip firewall nat add chain=dstnat action=src-nat protocol=tcp dst-port=5555 dst-address=[your router WAN address] to-ports=5555 to-address=[your client address]
Try that.
I think krigevr might have the right idea if it is just one port on one computer you are looking to redirect. But I think the action is incorrect. It should be action=dst-nat (not src-nat).
Oops… My bad!
Thanks for noticing, SurferTim. 