I have the following situation:
ETH1: 1.1.1.1 (LAN1)
ETH2: 1.1.2.1 (LAN2)
ETH10: WAN (2 public ip, one for LAN1, the other is for LAN2)
ETH1->ETH10 src-nat to public ip1
ETH2->ETH10 src-nat to public ip2
LAN1 and LAN2 are separated, no traffic is allowed between them. There is a hosted server in LAN1, port 80 is dst-natted from public ip1 to 1.1.1.2
My problem is the following: when I would like to reach this server from LAN2, it does not work. If I log the traffic, I can see that this traffic goes to the input chain and not into the forward chain, so the dst-nat is not working. If I try to reach the server from outside, it works perfectly.
From your description it seems perfect, since you say:
"LAN1 and LAN2 are separated, no traffic is allowed between them."
So if you want just one service to be available from LAN2, then you could do a jump rule before your "drop" rule, as I would assume you drop all data from the one LAN range with a destination in the other LAN range?
Yes, you are right, all traffic is blocked between the 2 LANs. My big problem is that the name server resolves the external IP address of LAN1. From LAN2, this public IP is on the same router (but on the other interface), and as I can see, the router interprets this traffic as INPUT. But in this situation port 80 should be dnatted into LAN1 (via the common interface). I don't know how to set up the router to handle this situation.
What I would like to do: from LAN2->ETH10(public ip1:80)->LAN1(1.1.1.2:80)
Add a static DNS entry to the Tik (if both LANs use the Tik as DNS) for www.domain.com pointing to 1.1.1.2; that way both LANs will just pop straight back in for the DNS request.
Allow 1.1.1.2:80 from LAN2.
The base is to allow :80 between the 2 LANs as well. So in your drop rule you can do the following:
from LAN2 to LAN1 !port 80 (not port 80) drop, and that would drop all the traffic not to :80, so then it will arrive at the server.
You can also do a very un-neat fix like
dest 1.1.1.2:80 masq as rule 1, or a jump as rule 1 might be neater. That way the drop rules won't be processed, if that makes sense. I don't know how you are dropping traffic between the 2 ranges, since you can do that with multiple routing tables and so forth as well; you can also maybe do a netmap.
So there are a few ways.
If you want to see what's happening you can mark the traffic and look for it in the conntrack area.
Thanks for the help. But the problem is more complex, because I wrote just an example, but there are other services: for example, I have the same problem with the e-mail servers (LAN1 and LAN2 each have an internal mail server; when LAN1 wants to send an email to LAN2, the MX record of LAN2 will be the external IP, and I'm in the same situation as above). I would like to set up a general solution…
Use the "jump" or so forth for the services you want to exclude, as rule 1, 2 and so forth before you drop the traffic? I suppose the right thing to do is remove the blocks between the LANs, and then test that everything works before you continue?
If you read the firewall manual you will see how to skip some devices from the blocks.
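A worked RouterOS configuration for what the replies sketch (a dst-nat rule that is not tied to the WAN interface, a per-service jump chain ahead of the inter-LAN drop, and the static DNS alternative), generalised to both directions so the mail case from the last question is covered too. This is an added example, not config posted by anyone in the thread; it assumes /24 masks on the LANs, uses 203.0.113.1 and 203.0.113.2 as placeholders for "public ip1" and "public ip2", and assumes a mail host 1.1.2.2 in LAN2 that the thread never names.

```routeros
# Added example, not from the thread. Assumptions: LAN1 = 1.1.1.0/24 behind ETH1,
# LAN2 = 1.1.2.0/24 behind ETH2, WAN on ETH10; 203.0.113.1 / 203.0.113.2 are
# placeholders for "public ip1" / "public ip2"; 1.1.2.2 is an assumed mail host
# in LAN2 (the thread only names the LAN1 web server 1.1.1.2).

/ip firewall address-list
add list=LAN1 address=1.1.1.0/24
add list=LAN2 address=1.1.2.0/24

/ip firewall nat
# Per-LAN source NAT as described in the first post.
add chain=srcnat out-interface=ETH10 src-address-list=LAN1 action=src-nat to-addresses=203.0.113.1
add chain=srcnat out-interface=ETH10 src-address-list=LAN2 action=src-nat to-addresses=203.0.113.2
# Port forwards keyed on the public address only (no in-interface=ETH10), so a
# packet from the other LAN addressed to the public IP is translated in
# prerouting and reaches the forward chain instead of input.
add chain=dstnat dst-address=203.0.113.1 protocol=tcp dst-port=80 action=dst-nat to-addresses=1.1.1.2
add chain=dstnat dst-address=203.0.113.2 protocol=tcp dst-port=25 action=dst-nat to-addresses=1.1.2.2
# Hairpin case (client and server on the same LAN): the reply would otherwise
# bypass the router, so masquerade; the server then logs the router's address.
add chain=srcnat src-address-list=LAN1 dst-address=1.1.1.2 protocol=tcp dst-port=80 action=masquerade
add chain=srcnat src-address-list=LAN2 dst-address=1.1.2.2 protocol=tcp dst-port=25 action=masquerade

/ip firewall filter
# Order matters: replies first, then the per-service jump, then the inter-LAN drop.
add chain=forward connection-state=established,related action=accept
add chain=forward src-address-list=LAN2 dst-address-list=LAN1 action=jump jump-target=lan2-to-lan1
add chain=forward src-address-list=LAN1 dst-address-list=LAN2 action=jump jump-target=lan1-to-lan2
add chain=forward src-address-list=LAN2 dst-address-list=LAN1 action=drop log=yes log-prefix="LAN2>LAN1"
add chain=forward src-address-list=LAN1 dst-address-list=LAN2 action=drop log=yes log-prefix="LAN1>LAN2"
# One accept per published service. A packet matching nothing in the custom
# chain returns to forward and hits the drop, so the lists stay tight.
add chain=lan2-to-lan1 dst-address=1.1.1.2 protocol=tcp dst-port=80 action=accept
add chain=lan1-to-lan2 dst-address=1.1.2.2 protocol=tcp dst-port=25 action=accept

# Alternative from the second reply: answer the name internally so clients go
# straight to 1.1.1.2 (only works if both LANs use the router as resolver).
/ip dns static
add name=www.domain.com address=1.1.1.2
```

The log prefixes on the two drop rules give you the "is it input or forward" check from the first post without having to mark connections: a blocked inter-LAN packet now shows up under forward with the prefix, and a correctly translated one does not.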