Exclude different /24 space on same interface from NAT rules

MT 2.9.28

I have public IPs that I NAT to inside IP space.

I have two subnets that I use on my internal interface.

It seems that when two machines talk to each other on different IPs in the private space, they are NATed.

I see the session in the connection pool in the firewall section in MT.

The reason I say this is that I added an IP filter to disable everything but port 80 traffic to the inside IP address used for the NAT, but while the rule is in place it also blocks internal SQL sessions that another computer on the same interface but a different subnet is trying to make to that computer.

I think I need a mangle rule to exclude them from being NATed, but I cannot wrap my head around what needs to happen, or whether this is even occurring.

Does this sound right or am I just CRAZY?

Public IP *.38.27.228
|
MT
Int. 192.168.1.0/24 and 10.0.0.0/24

Thanks..

Include the in-interface or out-interface on your NAT rules so you are only NATing when traffic traverses the internet WAN.

It does not let you set an incoming interface for the NAT rules.


See error:

ingoing interface matching not possible in srcnat chain

It will let you set it for outgoing. I have that done already.


Tim

Correct! in-interface is for dst-nat. Use out-interface for src-nat and specify the interface that all traffic leaves through on its way to the internet.
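A worked configuration for the approach in this reply, added here as an example rather than anything posted in the thread. It uses RouterOS 2.9-style syntax and constructed names: ether1 for the WAN, ether2 for the LAN carrying both subnets, 203.0.113.228 in place of the public IP, and 192.168.1.10 as the inside web server.

```routeros
# Added example, not from the thread. Constructed values:
#   ether1        = WAN interface towards the internet
#   ether2        = LAN interface carrying 192.168.1.0/24 and 10.0.0.0/24
#   203.0.113.228 = placeholder for the public IP
#   192.168.1.10  = inside host published on TCP/80

/ip firewall nat
# src-nat keyed on out-interface: LAN-to-LAN traffic between the two subnets
# never leaves via ether1, so it is not translated and shows up untouched.
add chain=srcnat out-interface=ether1 src-address=192.168.1.0/24 \
    action=src-nat to-addresses=203.0.113.228 comment="LAN1 -> internet"
add chain=srcnat out-interface=ether1 src-address=10.0.0.0/24 \
    action=src-nat to-addresses=203.0.113.228 comment="LAN2 -> internet"
# dst-nat is the chain where in-interface is allowed: only packets arriving
# on the WAN for the public IP on port 80 are redirected to the web server.
add chain=dstnat in-interface=ether1 dst-address=203.0.113.228 \
    protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=192.168.1.10 to-ports=80 \
    comment="publish web server"

/ip firewall filter
# Limit the published host to port 80 only for traffic that entered on the
# WAN. Sessions from 10.0.0.0/24 (e.g. SQL) arrive on ether2, so they do not
# match these rules and are not blocked.
add chain=forward in-interface=ether1 dst-address=192.168.1.10 \
    protocol=tcp dst-port=80 action=accept comment="WAN -> web only"
add chain=forward in-interface=ether1 dst-address=192.168.1.10 \
    action=drop comment="drop everything else from WAN to web host"
```

After applying this, `/ip firewall connection print` should show the inter-subnet sessions without a translated reply address, while internet-bound sessions show the public IP.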