Hi,
I am not sure if I found a bug in MT, or most probably am not correctly using a DST NAT, but here is my scenario:
Internet → (Central CCR FW, public ip, DST NAT of services to Server IP) —> MT hAP ac^2 (DST NAT to services) → Synology NAS small server
The thing is, that on a central CCR FW, we are DST-NATting directly to the Server IP/port, so no need for further DST-NAT on our hAP ac^2. But I like at least minimal FW it implements, where there is a last rule, which blocks all incoming WAN traffic, which is New and not DST-NATted:
;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN log=no log-prefix=“”
But - this rule simply blocks all WAN traffic, regardless of the DST-NAT rules present, or not. I can see counters being applied on DST-NAT rule, so it is a valid one and works. To check its validity, I changed the port of the web service and the web was not accessible anymore.
I found out, that above FW rule only works, if the central FW rule points to the IP assigned to the hAP ac^2 itself, and DST-NATted from there. But it does not catch the DST-NAT rule, if it is not using one of the IP addresses of the router itself:
;;; Web
chain=dstnat action=dst-nat to-addresses=x.x.x.x to-ports=80 protocol=tcp dst-address=x.x.x.x dst-port=80 log=no log-prefix=“”
The FW rule starts to work, if on a central CCR FW, I change it from x.x.x.x, to the hAP ac^2’s x.x.x.254. Of course I could do that, and from some point of view, it makes sense, but isn’t my DST-NAT rule a regular one anyway? Why it is not recognised by FW as a regular DST-NAT rule?
Thanks,
/Petr