Multi public IP's and ESXi

zojka · November 5, 2014, 1:54pm

Hi,

Router OS installed on ESXi with 2 ethernets WAN/LAN
I have configured multi public IP ( 6 IP’s ) on the same interface WAN

1.1.1.1 /29 - main IP assigned to router
1.1.1.2 /29
1.1.1.3 /29
1.1.1.4 /29

I have PC behind router, connected to LAN interface and it’s IP is 172.16.1.10
I made NAT forwarding on the router:

src-nat: 172.16.1.10 → 1.1.1.2
dst-nat: 1.1.1.2 → 172.16.1.10

The problem is, that traffic to the PC is not matching by firewall (chain input), it’s looks like traffic is bypassing via firewall.
I created rule, which drop all connections to PC but I can still connect via RDP. I can’t see any logs on firewall.

Everything works, when I created drop rules for main IP ( 1.1.1.1 )

Someone had similar problem ?

andriys · November 5, 2014, 2:17pm

srcnat rule should not be required.

Use chain forward. NAT happens before the firewall, and after redirect the traffic in question goes to chain forward, not input.

zojka · November 5, 2014, 2:35pm

Yes, I saw that works but why input chain dosen’t work in the first step ?
I understand that it works:
Traffinc from Internet to 1.1.1.2 —> chain Input → chain forward → dst-nat —> 172.16.1.10

mrz · November 5, 2014, 2:40pm

You will never see the same traffic in input and in forward chains, it is either input or forward but not both.

andriys · November 5, 2014, 2:47pm

Wrong. What happens is

 dstaddr                     dstaddr       FW filter
   is     ----> dstnat ----> is now  ---->   chain  ---->
 1.1.1.2                   172.16.1.10      forward

It’s documented here (ROS v6) and here (ROS v5).

zojka · November 5, 2014, 2:51pm

Ok, so, if i want to get access by my main IP (assigned to the router) winbox, ssh, i have to configure ACL on input chain
but If i have NAT forwarding, i have to configure ACL on forward chain. Is it ?

andriys · November 5, 2014, 2:56pm

Yes, that’s correct.

zojka · November 5, 2014, 3:20pm

To understand, I made a test and created 2 filter rules:

input chain drop 1.1.1.2
forward chain drop 1.1.1.2

and next, i have configured NAT forwarding from 1.1.1.2 to 172.16.1.10

When NAT forwading was enable, all traffic match to 1.1.1.2, went to forward chain, then drop
When NAT forwading was disable, all traffic match to 1.1.1.2, went to input chain, then drop

I was convinced, that input chain is for all traffic incoming to interface, forward chain is for all traffic between interface inside the router.

Thank you for the clarification