IP Forwarding

We have public IPs (all of them).
Router is X.X.X.1
and servers are X.X.X.1 to 255

where X.X.X. are publicly routable IPs (we do BGP for these).

My question is: how do we do IP forwarding?
We want all traffic for IPs X.X.X.54 and X.X.X.69 port 25 to go to server X.X.X.15. This server is an AV mailserver which routes back internally.

The servers on the internet will simply talk to x.x.x.15 port 25 and NOT have access to x.x.x.54 OR x.x.x.69 port 25.

I know this is possible using port forwarding in iptables and FreeBSD IPFW, but how to do this in MT?

We want all traffic for IPs X.X.X.54 and X.X.X.69 port 25 to go to server X.X.X.15


/ip firewall nat add chain=dstnat action=dst-nat protocol=tcp dst-port=25 dst-address=X.X.X.54 to-addresses=X.X.X.15 to-ports=25

Tried it, doesn't work, Eugene. Please note my IPs are all PUBLIC IPs. The router does only routing, no NAT.

I know this is possible using port forwarding in iptables and FreeBSD IPFW, but how to do this in MT?


You are using public IPs, but when you want to do ‘port forwarding’ you are natting… you are performing ‘network address translation’ when you tell a packet to change its destination address in the headers. NAT doesn’t have to be from public → private, etc. It can be public → public as well.

Sam

How does this work? I put the rule in but nothing happened; I don't see anything happening. Where could I be wrong?

Is your firewall chain allowing the final destination port 25? Are you getting any hits on that NAT rule and firewall rule?

Sam

My NAT rule does not get ANY hits. I don't use the router for firewall at all.

There is nothing in my config below. The config below has the IP NAT rule removed…


/ ip firewall connection tracking
set enabled=no tcp-syn-sent-timeout=5s tcp-syn-received-timeout=5s tcp-established-timeout=1d tcp-fin-wait-timeout=10s
tcp-close-wait-timeout=10s tcp-last-ack-timeout=10s tcp-time-wait-timeout=10s tcp-close-timeout=10s udp-timeout=10s
udp-stream-timeout=3m icmp-timeout=10s generic-timeout=10m tcp-syncookie=no
/ ip firewall service-port
set ftp ports=210 disabled=no
set tftp ports=69 disabled=no
set irc ports=6667 disabled=no
set h323 disabled=yes
set quake3 disabled=yes
set gre disabled=yes
set pptp disabled=yes


What do I do?

After putting the rule in, here is what it looks like, but there are no hits to the rule!


/ ip firewall nat
add chain=dstnat dst-address=X.X.X.54 protocol=tcp dst-port=25 action=dst-nat to-addresses=X.X.X.3 to-ports=25
comment="" disabled=no
/ ip firewall connection tracking
set enabled=no tcp-syn-sent-timeout=5s tcp-syn-received-timeout=5s tcp-established-timeout=1d tcp-fin-wait-timeout=10s
tcp-close-wait-timeout=10s tcp-last-ack-timeout=10s tcp-time-wait-timeout=10s tcp-close-timeout=10s udp-timeout=10s
udp-stream-timeout=3m icmp-timeout=10s generic-timeout=10m tcp-syncookie=no
/ ip firewall service-port
set ftp ports=210 disabled=no
set tftp ports=69 disabled=no
set irc ports=6667 disabled=no
set h323 disabled=yes
set quake3 disabled=yes
set gre disabled=yes
set pptp disabled=yes

Connection tracking is required for NAT.

That's what I was missing. It works now!!

Is it possible to use this technique to do some kind of load balancing / round robin?

Let's say Router is X.X.X.1

3 servers: X.X.X.24, 54, 74

We want anything coming to X.X.X.10 port 25 to go randomly to 24, 54, 74.

ALL IPs remain public IPs.
I hope this will help somebody else in the near future and I will post our solution back on the board so it will benefit other people.

Yes, you can either use the ‘nth’ property, or if the IPs are in a contiguous block I think you can use all IPs on a single entry.

Sam

Did not understand, could you explain? I don't know anything about this..
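For reference, here is the complete working configuration the thread converges on (dst-nat of public SMTP addresses to the AV gateway, with connection tracking enabled) plus the 'nth' round-robin that Sam alludes to. This is an added example, not config posted by anyone in the thread; it assumes the RouterOS v3+ syntax `nth=every,packet` (the 2.9-era three-argument form differs) and the placeholder addresses X.X.X.* from the question.

```routeros
# Added example (not the thread's own config). Addresses X.X.X.* are the
# thread's placeholders; the nth syntax assumes RouterOS v3 or later.

# 1. NAT is decided on the first packet of a tracked connection, so with
#    connection tracking disabled the dstnat chain is never consulted and the
#    rule shows zero hits (the problem in the thread). Turn tracking on first.
/ip firewall connection-tracking
set enabled=yes

# 2. Force all SMTP for the two published addresses through the AV gateway.
#    Internet hosts still connect to .54/.69:25, but the router rewrites the
#    destination so only X.X.X.15 ever sees the session.
/ip firewall nat
add chain=dstnat dst-address=X.X.X.54 protocol=tcp dst-port=25 \
    action=dst-nat to-addresses=X.X.X.15 to-ports=25 comment="SMTP .54 -> AV gateway"
add chain=dstnat dst-address=X.X.X.69 protocol=tcp dst-port=25 \
    action=dst-nat to-addresses=X.X.X.15 to-ports=25 comment="SMTP .69 -> AV gateway"

# 3. Round-robin of X.X.X.10:25 over three servers. Each rule keeps its own
#    nth counter, so the pattern is: first rule takes 1 of every 3 new
#    connections, second takes 1 of every 2 that fall through, third takes
#    the rest. connection-state=new keeps a session pinned to one server.
add chain=dstnat dst-address=X.X.X.10 protocol=tcp dst-port=25 \
    connection-state=new nth=3,1 action=dst-nat to-addresses=X.X.X.24 \
    comment="SMTP .10 -> server 1 of 3"
add chain=dstnat dst-address=X.X.X.10 protocol=tcp dst-port=25 \
    connection-state=new nth=2,1 action=dst-nat to-addresses=X.X.X.54 \
    comment="SMTP .10 -> server 2 of 3"
add chain=dstnat dst-address=X.X.X.10 protocol=tcp dst-port=25 \
    connection-state=new action=dst-nat to-addresses=X.X.X.74 \
    comment="SMTP .10 -> server 3 of 3"

# 4. Verify: packet/byte counters per rule must increase, and the tracked
#    session should show the rewritten reply address.
/ip firewall nat print stats
/ip firewall connection print where dst-address~":25"
```

If the three backend addresses were contiguous (e.g. X.X.X.24-X.X.X.26), a single rule with `to-addresses=X.X.X.24-X.X.X.26` spreads connections across the range without the nth rules.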