Having problems getting src-nat and dst-nat with a single ip

webguyz · November 4, 2012, 8:26pm

I have a debian server ip address 10.0.59.201 with minimal IPTABLES (dns, ping, ssh)

I have a Mikrotik fw that has a Public IP range 73.250.59.0/24

I want to expose this private local server to the internet and have inbound outbound traffic go thru a single IP (73.250.59.201).

I did
for outgoing:
chain=srcnat action=src-nat to-addresses=73.250.59.201 src-address=10.0.59.201 out-interface=ether7
for incoming
chain=dstnat action=dst-nat to-addresses=10.0.59.201 dst-address=73.250.59.201

I can’t ping 73.250.59.201 or access ssh. From the vm server I can ping IP’s. but not dns names.

I obviously am missing something but not sure what. Total noob at this.

Ultimate goal is to no longer assign Internet accessible IP’s directly to my vm server interfaces and have to worry about renumbering 100’s of ip’s by going to each server. Want instead to have the Mikrotik FW to have the publicly accessible IP and redirect to an internal vm that has an IP address in the 10.0.59.x range. The vm’s will have their own firewalls as well, just want the fw to act as a switchboard and if I have to renumber my pulblic IP’s I would just have to do a replace on all files in the mikrotik instead of having to go to each VM.

Thanks!

CelticComms · November 4, 2012, 9:26pm

It would be useful to see the complete config - use /export compact.

As well as the src & dst NAT the traffic needs to be allowed through the forwarding chain.

webguyz · November 4, 2012, 9:54pm

Doing some more reading it appears I can accomplish what I need by using the action=netmap to do 1:1 mapping

1:1 mapping

If you want to link Public IP subnet 11.11.11.0/24 to local one 2.2.2.0/24, you should use destination address translation and source address translation features with action=netmap.

/ip firewall nat add chain=dstnat dst-address=11.11.11.0/24
action=netmap to-addresses=2.2.2.0/24

/ip firewall nat add chain=srcnat src-address=2.2.2.0/24
action=netmap to-addresses=11.11.11.0/24

Now I have to free up a subnet to try this command. Thanks!

deejayq · November 5, 2012, 12:46pm

why not just set 73.250.59.201 to the debian serveR?

webguyz · November 5, 2012, 2:42pm

Thats what I’m doing now. I have over a 100 vm’s all with a dedicated IPs. Lets say tomorrow I move to another data center and I am given new sets of Public Internet IP’s. Now imagine having to go to each virtual server and manually changing each set of IP’s. Been there and done that before and its no fun.

deejayq · November 5, 2012, 7:17pm

use dhcp server