Interesting behavior of NAT rules

I have observed an interesting behavior of ROS version 6.15 (I have not tested this with any other version) on an RB750GL router.

  • I have 2 public IP addresses on ether1 connected to the internet.
  • I have one NAT rule to provide NAT to my internal 192.168.1.x addresses
  • I have one 1:1 NAT mapping from one of the public IPs to the internal 192.168.1.100 address

Everything is working as it should with no problems.
When I remove or disable the public IP address that is providing the 1:1 NAT to the .100 address, the traffic to and from the 192.168.1.100 address is still flowing. It seems like binding the public IP address has no function???

Here is the config:

/interface bridge
add l2mtu=1598 name="LAN Bridge"
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m mac-cookie-timeout=3d
/ip pool
add name=dhcp_pool1 ranges=192.168.1.2-192.168.1.200
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface="LAN Bridge" name=dhcp1
/interface bridge port
add bridge="LAN Bridge" interface=ether2
add bridge="LAN Bridge" interface=ether3
add bridge="LAN Bridge" interface=ether4
/ip address
add address=100.100.100.73/24 interface=ether1 network=100.100.100.0
add address=192.168.1.1/24 interface="LAN Bridge" network=192.168.1.0
add address=100.100.100.74/24 disabled=yes interface=ether1 network=100.100.100.0
/ip dhcp-server config
set store-leases-disk=immediately
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=100.100.100.2,100.100.100.3 gateway=192.168.1.1
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=64.57.96.74 to-addresses=192.168.1.100
add action=src-nat chain=srcnat src-address=192.168.1.100 to-addresses=100.100.100.74
add action=src-nat chain=srcnat out-interface=ether1 src-address=192.168.1.0/24 to-addresses=100.100.100.73
/ip route
add distance=1 gateway=100.100.100.1
/ip upnp
set allow-disable-external-interface=no
/system lcd
set contrast=0 enabled=no port=parallel type=24x4
/system lcd page
set time disabled=yes display-time=5s
set resources disabled=yes display-time=5s
set uptime disabled=yes display-time=5s
set packets disabled=yes display-time=5s
set bits disabled=yes display-time=5s
set version disabled=yes display-time=5s
set identity disabled=yes display-time=5s
set "LAN Bridge" disabled=yes display-time=5s
set ether1 disabled=yes display-time=5s
set ether2 disabled=yes display-time=5s
set ether3 disabled=yes display-time=5s
set ether4 disabled=yes display-time=5s
set ether5 disabled=yes display-time=5s

As you can see, 100.100.100.74 is disabled, however, the user on 192.168.1.100 is still up and running and shows on the internet coming from 100.100.100.74.
I was under the impression that a 1:1 NAT config such as:

add action=dst-nat chain=dstnat dst-address=64.57.96.74 to-addresses=192.168.1.100
add action=src-nat chain=srcnat src-address=192.168.1.100 to-addresses=100.100.100.74

requires an IP address to be active on the relevant public interface.

Any feedback on this?

Thanks
JB

Until the connections are open, the NAT rule still maintains the effect.

For example, if you make one NAT rule for access on TCP to one device inside the LAN and you then delete the rule, the connection stays alive until timeout or closing the connection…

The interesting part is that even after a reboot of the router and the computer on the 192.168.1.100 IP addr, the user’s connection still shows as coming from 100.100.100.74 (and is fully functioning), even though the 100.100.100.74 IP address is disabled on ether1…
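Since the srcnat/dstnat rules keep translating regardless of whether the public address is present under /ip address, the thing to check when reviewing a config is whether any NAT rule points at an address that is disabled or not configured at all. The following audit script is an added example, not code from the thread or from MikroTik; it parses a pasted export (joining the wrapped key= lines as they appear above) and lists such rules. The export text is a constructed sample built from the addresses and rules in this thread.

```python
import re

# Constructed sample (the addresses/rules from the thread), not a real export.
SAMPLE_EXPORT = """\
/ip address
add address=100.100.100.73/24 interface=ether1 network=100.100.100.0
add address=192.168.1.1/24 interface="LAN Bridge" network=192.168.1.0
add address=100.100.100.74/24 disabled=yes interface=ether1 network=100.100.100.0
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=64.57.96.74 to-addresses=
192.168.1.100
add action=src-nat chain=srcnat src-address=192.168.1.100 to-addresses=
100.100.100.74
add action=src-nat chain=srcnat out-interface=ether1 src-address=
192.168.1.0/24 to-addresses=100.100.100.73
"""

def parse_sections(text):
    """Map '/section' headers to their 'add' entries, joining wrapped 'key=' lines."""
    sections, current, lines, i = {}, None, text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        while line.endswith("=") and i + 1 < len(lines):  # wrapped value
            i += 1
            line += lines[i].strip()
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
        elif current and line.startswith("add "):
            pairs = re.findall(r'(\S+?)=("[^"]*"|\S+)', line[4:])
            sections[current].append({k: v.strip('"') for k, v in pairs})
        i += 1
    return sections

def dangling_nat_rules(text):
    """(action, address) for NAT rules whose public address is disabled or absent."""
    sections = parse_sections(text)
    active = {e["address"].split("/")[0] for e in sections.get("/ip address", [])
              if e.get("disabled") != "yes"}
    findings = []
    for rule in sections.get("/ip firewall nat", []):
        key = {"src-nat": "to-addresses", "dst-nat": "dst-address"}.get(rule.get("action"))
        addr = rule.get(key) if key else None
        if addr and addr not in active:
            findings.append((rule["action"], addr))
    return findings

if __name__ == "__main__":
    for action, addr in dangling_nat_rules(SAMPLE_EXPORT):
        print(f"{action} rule uses {addr}, which is not active on any interface")
```

On the sample it reports the src-nat rule to the disabled 100.100.100.74 and the dst-nat rule for 64.57.96.74, which appears in no /ip address entry at all.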