I have a router that has three public IPs assigned to the eth1 port. I have created a 1:1 map rule for private IP1 (and the computer assigned to it) so it can access the web through public IP1, and it is working fine. The second IP, though, is not accessible, although I am using the same rule as above but with different IPs.
The rest is a guessing game, and X-Mas is still far away for crystal balls, so you should at least post the "full" anonymized config IN CODE BRACKETS for any constructive help.
Hi CZFAN, regarding this pairing: the first line ensures all traffic from a specific LAN IP is NATed going out via WANIP1, and thus I assume one still has to make an associated routing rule.
The second line is the part I am finding confusing, as I am only conversant in port forwarding to allow external users to reach internal servers.
What is the purpose of the second rule? I'm kind of assuming it completes the one-to-one mapping of an ISP IP to an internal IP?
```routeros
/ip firewall nat
add chain=srcnat src-address=LANIP1 action=src-nat to-addresses=WANIP1 out-interface-list=WAN comment="1:1 LANIP1/WANIP1: connections opened from the LAN leave as WANIP1"
add chain=dstnat dst-address=WANIP1 action=dst-nat to-addresses=LANIP1 in-interface-list=WAN comment="1:1 LANIP1/WANIP1: connections opened from the WAN to WANIP1 go to LANIP1"
```
Finally, isn't it normally the case with a block of IPs that the first one is assigned to the router and the subsequent ones can be assigned one-to-one mappings?
Yes, the relevant routes need to be in place. Depending on the public IPs / setup, you do not have to have multiple routes, i.e. let's say the ISP issues (not routed to you) a /29 range: 1 address will be used for the next-hop gateway with 1 default route, and you can then assign the other 5 on your WAN interface and do NAT as per my post above; it will create a 1:1 (out & in) for each internal IP used in these rules.
Finally, isn't it normally the case with a block of IPs that the first one is assigned to the router and the subsequent ones can be assigned one-to-one mappings?
Typically yes. You should not take where I said WANIP1 literally; I just meant the first IP to be used in the NAT rules.
Okay, thanks. So to clarify, the second line I noted is needed to complete the 1:1 mapping in general terms, but what does it do functionally? Is it simply to ensure all incoming unsolicited traffic on that WAN IP goes to LANIP1? (As the first rule ensures outgoing traffic is appropriately marked and thus would already be returned (solicited) to LANIP1.)
Correct. NAT rules handle only the initial packet of each connection, i.e. one not matching any existing connection. So for a bi-directional 1:1 NAT, you need both a src-nat rule for connections initiated from LAN side and a dst-nat rule for connections initiated from WAN (internet) side.
The NAT decision made for the initial packet is stored in the context of that connection, and applied on all subsequent packets of that connection (with respect to their direction of course).
Okay, I understand the why, but what for…
We don't blindly put a destination NAT rule in for a standard LAN and single WAN IP unless the intention is to accept unsolicited traffic.
But it seems you are all saying that both rules are needed regardless for one-to-one mapping?
(I know I am being picky, but should I assume a 1:1 mapping setup is usually designed for unsolicited traffic use?)
Also, we need a firewall rule to allow that type of traffic through the firewall.
Thus I am assuming the standard rule would suffice for all WAN IPs in this scenario?
```routeros
/ip firewall filter
add action=accept chain=forward comment="Allow Port Forwarding" connection-nat-state=dstnat connection-state=new in-interface-list=WAN
```
It depends on the use case whether you want the setup to act as a firewall against incoming connections or not. The OP wasn't clear about that, but yes, if you create a dst-nat rule matching on dst-address alone and keep the default "only drop what comes in from WAN if it is not dst-nated" rule in filter in place, there will effectively be no filtering.
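Two points in this thread are easier to see when run than when read: the earlier reply's statement that NAT rules only ever see a connection's first packet (the decision is then stored in connection tracking), and the point just above that an address-only dst-nat rule combined with the "Allow Port Forwarding" accept rule leaves the mapped host with no filtering at all. The following is an added worked example, written for this page and not code from the thread or from RouterOS. It is a small Python model of the packet flow for the two NAT rules quoted earlier plus the forward filter; the addresses 203.0.113.10 (WANIP1), 192.168.88.10 (LANIP1) and 198.51.100.7 (an internet host) are constructed sample values, and every function and rule name is the example's own.

```python
from collections import namedtuple

# Constructed sample addresses (documentation and private ranges), not from the thread.
WANIP1, LANIP1, INTERNET_HOST = "203.0.113.10", "192.168.88.10", "198.51.100.7"
Packet = namedtuple("Packet", "src dst proto sport dport in_iface")  # in_iface: "WAN" or "LAN"

def _match_value(want, have):
    if isinstance(want, str) and want.startswith("!"):  # RouterOS-style negation ("!dstnat")
        return have != want[1:]
    return have in want if isinstance(want, frozenset) else have == want  # port list or scalar

class Router:
    """Toy model of RouterOS packet flow (prerouting dst-nat, forward filter, postrouting src-nat)
    with connection tracking: the NAT chains run only for a connection's first packet."""
    def __init__(self, dstnat, filter_rules, srcnat):
        self.dstnat, self.filter_rules, self.srcnat = dstnat, filter_rules, srcnat
        self.conntrack = {}    # original-direction 5-tuple -> entry
        self.reply_index = {}  # reply-direction 5-tuple, as seen on the wire -> the same entry

    @staticmethod
    def _matches(rule, pkt, state, nat_state):
        have = {"src-address": pkt.src, "dst-address": pkt.dst, "protocol": pkt.proto,
                "dst-port": pkt.dport, "in-interface": pkt.in_iface,
                "out-interface": "LAN" if pkt.in_iface == "WAN" else "WAN",  # two-port model
                "connection-state": state, "connection-nat-state": nat_state}
        return all(_match_value(v, have[k]) for k, v in rule.items()
                   if k not in ("action", "to-addresses"))

    def _filter(self, pkt, state, nat_state):  # first matching rule decides; no match = accept
        return next((r["action"] for r in self.filter_rules
                     if self._matches(r, pkt, state, nat_state)), "accept")

    def handle(self, pkt):
        """Return (verdict, packet as it leaves the router, connection-state)."""
        for table, which in ((self.conntrack, "orig_xlate"), (self.reply_index, "reply_xlate")):
            entry = table.get(pkt[:5])
            if entry is not None:  # tracked: use the stored translation, skip the NAT rule lists
                out = pkt._replace(**entry[which])
                return self._filter(out, "established", entry["nat_state"]), out, "established"
        dst, nat_state = pkt.dst, ""
        for rule in self.dstnat:  # prerouting dst-nat, consulted for this first packet only
            if self._matches(rule, pkt, "new", nat_state):
                dst, nat_state = rule["to-addresses"], "dstnat"
                break
        routed = pkt._replace(dst=dst)  # the forward filter sees the post-dst-nat packet
        if self._filter(routed, "new", nat_state) == "drop":
            return "drop", routed, "new"  # dropped connections are never tracked
        src = next((r["to-addresses"] for r in self.srcnat  # postrouting src-nat
                    if self._matches(r, routed, "new", nat_state)), routed.src)
        out = routed._replace(src=src)
        entry = {"orig_xlate": {"src": src, "dst": dst}, "nat_state": nat_state,
                 "reply_xlate": {"src": pkt.dst, "dst": pkt.src}}  # replies undo both NATs
        self.conntrack[pkt[:5]] = entry
        self.reply_index[(out.dst, out.src, out.proto, out.dport, out.sport)] = entry
        return "accept", out, "new"

# The thread's two NAT rules and its filter rules, as dicts the model understands.
SRCNAT_LANIP1 = {"src-address": LANIP1, "out-interface": "WAN", "to-addresses": WANIP1}
DSTNAT_WANIP1 = {"dst-address": WANIP1, "in-interface": "WAN", "to-addresses": LANIP1}
ACCEPT_ESTABLISHED = {"connection-state": "established", "action": "accept"}
ALLOW_PORT_FORWARDING = {"connection-nat-state": "dstnat", "connection-state": "new",
                         "in-interface": "WAN", "action": "accept"}
DROP_NOT_DSTNATED = {"connection-state": "new", "connection-nat-state": "!dstnat",
                     "in-interface": "WAN", "action": "drop"}

def build_router(with_dstnat=True, allowed_ports=None):
    """allowed_ports=None is the thread's filter (every port on WANIP1 reaches LANIP1);
    a port set swaps in a filter that names the mapped host and its TCP ports explicitly."""
    if allowed_ports is None:
        filt = [ACCEPT_ESTABLISHED, ALLOW_PORT_FORWARDING, DROP_NOT_DSTNATED]
    else:  # ends with an unconditional drop: dst-nat'd connections skip DROP_NOT_DSTNATED
        filt = [ACCEPT_ESTABLISHED,
                {**ALLOW_PORT_FORWARDING, "dst-address": LANIP1, "protocol": "tcp",
                 "dst-port": frozenset(allowed_ports)},
                {"connection-state": "new", "in-interface": "WAN", "action": "drop"}]
    return Router([DSTNAT_WANIP1] if with_dstnat else [], filt, [SRCNAT_LANIP1])

def outbound_then_reply():
    """LANIP1 opens a TCP connection; the reply to WANIP1 is mapped back from conntrack."""
    r = build_router()
    v1, p1, s1 = r.handle(Packet(LANIP1, INTERNET_HOST, "tcp", 40000, 443, "LAN"))
    v2, p2, s2 = r.handle(Packet(INTERNET_HOST, WANIP1, "tcp", 443, 40000, "WAN"))
    return (v1, p1.src, s1), (v2, p2.dst, s2)

def unsolicited_inbound(with_dstnat=True, dport=22, allowed_ports=None):
    """An internet host opens a new connection to WANIP1:dport."""
    r = build_router(with_dstnat, allowed_ports)
    verdict, pkt, _ = r.handle(Packet(INTERNET_HOST, WANIP1, "tcp", 51000, dport, "WAN"))
    return verdict, pkt.dst

def nat_decision_is_per_connection():
    """Deleting the dst-nat rule after a connection's first packet changes nothing for that
    connection (its translation lives in conntrack), but the next new connection is unmapped."""
    r = build_router()
    probe = Packet(INTERNET_HOST, WANIP1, "tcp", 51000, 22, "WAN")
    first = r.handle(probe)
    r.dstnat.clear()
    second = r.handle(probe)
    fresh = r.handle(probe._replace(sport=51001))
    return first[2], second[1].dst, second[2], fresh[0]
```

With the thread's rules, `unsolicited_inbound()` delivers a new connection on any port of WANIP1 to LANIP1, while `unsolicited_inbound(with_dstnat=False)` shows the same packet dropped by the "not dst-nated" rule, which is the whole difference the second NAT rule makes. `nat_decision_is_per_connection()` shows the point about first packets: once a connection is tracked, removing the dst-nat rule does not stop its later packets from reaching LANIP1, only the next new connection is affected. If the 1:1 host should not be fully exposed, the `allowed_ports` variant is the shape of fix to apply in the forward chain: name the mapped host and ports, then drop every other new connection from WAN unconditionally, because a dst-nat'd connection never matches the default `connection-nat-state=!dstnat` drop. One simplification in the model: for tracked packets the filter sees the fully translated packet, whereas RouterOS undoes each NAT in its own chain.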