I used to do this without having to define the 2nd public address. I could just create my rules within my public subnet and they would map in, but the only way I have been successful thus far is by having the 2nd public address added. This is currently working although I would like to not have every public address on the interface.
That could work if the traffic for the relevant IP was being routed to another IP on the interface. If the upstream expects the IPs to all be directly ARPable, then something needs to respond to the ARP request.
Yeah, I figured it was doing ARP; I had tried proxy-arp to no avail. I just now disabled the IP address for .53 and the src-nat rule and was successful in connecting via SSH. I added another dst-nat rule for .54 for HTTP to the same internal host and it would not connect. I added the public address .54 to the interface and it worked. I just now disabled both .53 and .54 addresses and rebooted the router. Upon startup I was successful in connecting via SSH to .53 and HTTP to .54.
So at this point it seems to be working, although when I go live on this network I will have about 30 public IPs (I have another /24 network moving to this router next week) and am nervous about whether this is best practice for this scenario or not.
If you plan to NAT the traffic anyway (i.e. not put the public IPs on the server(s)), then placing the IPs on the public interface should always work. Otherwise you really need to know how the traffic is being passed to be sure what will work and what will not. For example, if traffic for an additional subnet of public IPs was passed to you via one of the existing addresses, then there should be no need to place those new addresses on the interface. Also remember that ARPs are cached, so something may appear to work and then change a short while later as the ARP entry expires.
First, thanks for the quick responses, much appreciated. The public addresses will not be on the servers. I am now wondering whether I should be doing it this way, putting the IPs on the interfaces, or if I should be looking at something like netmap.
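A configuration illustrating the two approaches discussed in this thread, added here as an example and not taken from any poster. It assumes a MikroTik RouterOS router (suggested by the dst-nat/src-nat/netmap vocabulary), ether1 as the public interface, and constructed RFC 5737 documentation addresses with 10.0.0.10 as the internal host.

```routeros
# Added example (not the poster's configuration). Assumes MikroTik RouterOS,
# ether1 as the public interface and 10.0.0.10 as the internal host. Addresses
# are constructed documentation values (RFC 5737); .53/.54 echo the thread.

# 1. Each public IP that must be reachable is placed on the public interface
#    so the router answers upstream ARP requests for it. If nothing claims the
#    IP (no address, no working proxy-arp, no upstream route to the router),
#    frames never arrive and the dst-nat rule is never consulted, which is the
#    symptom described above.
/ip address
add address=203.0.113.53/24 interface=ether1 comment="public IP for ssh"
add address=203.0.113.54/24 interface=ether1 comment="public IP for http"

# 2. Per-service dst-nat: only the listed port on each IP is forwarded;
#    anything else sent to these IPs stays subject to the filter rules.
/ip firewall nat
add chain=dstnat dst-address=203.0.113.53 protocol=tcp dst-port=22 \
    action=dst-nat to-addresses=10.0.0.10 to-ports=22 comment="ssh -> host"
add chain=dstnat dst-address=203.0.113.54 protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=10.0.0.10 to-ports=80 comment="http -> host"

# 3. src-nat so traffic originated by the host leaves with a chosen public IP
#    instead of the interface's primary address.
add chain=srcnat src-address=10.0.0.10 out-interface=ether1 \
    action=src-nat to-addresses=203.0.113.53

# 4. netmap alternative for a whole block: a 1:1 mapping of 203.0.113.0/24
#    onto 10.0.0.0/24 (.53 -> 10.0.0.53, .54 -> 10.0.0.54) in both directions.
#    Unlike the per-port rules above it exposes every port of every mapped
#    host, so the per-service restrictions must then live in the filter
#    chain. The public block must still be ARP-reachable on ether1 (addresses
#    on the interface, or the upstream routing the block to the router).
#    Left disabled here so it does not overlap rules 2 and 3.
add chain=dstnat dst-address=203.0.113.0/24 in-interface=ether1 \
    action=netmap to-addresses=10.0.0.0/24 comment="1:1 block map" disabled=yes
add chain=srcnat src-address=10.0.0.0/24 out-interface=ether1 \
    action=netmap to-addresses=203.0.113.0/24 disabled=yes

# Check: packet counters on the dstnat rules should increase when a client
# connects; a rule stuck at zero while the service is unreachable points at
# the ARP/reachability problem rather than at NAT.
/ip firewall nat print stats
```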