NAT all + Masquerade

Hi,

I have an installation with 2 NAT routers as uplinks and a firewall behind them.
One of the NAT routers is MT. I want to masquerade all outgoing traffic
and want to dst-nat all incoming traffic to the external IP of the firewall.

So I made a masquerade rule and, as a second rule, a dst-nat to masquerade
all incoming traffic (with the exception of my own IP, to allow winboxing
to the MT) to the firewall.

What happens is that the dst-nat rule catches all traffic, even the
masqueraded connections, so that the masquerading rule does not work.
So nobody can surf. When I disable the dst-nat rule, masquerading
works.

Is this strange behavior, or have I misunderstood the scheme of
NATting? How can this be done?

Stefan

Ste -
NAT/Masq - Basically, it depends on which rule is first in the chain and which rule matches any conditions you have set.

But from your explanation below… if you dst-nat everything to the router, then only the router can ‘see’ anything, and that is why your users can’t see the Internet. And since the router did not make the request, it discards the packet…

When you disable dst-nat and only have the masq rule, then requests from your users inside the firewall are sent out to the Internet through the router, the Internet responds to the request, the router gets the packet back, sees it was a masq’d packet and sends it to the original user cpu…

You’re not exactly clear what you are trying to accomplish with this setup - perhaps a little more info or what your goal is would help…

Thom
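For reference, here is the rule set a RouterOS admin would typically use for the setup described in the thread (masquerade everything outbound, dst-nat everything inbound to the firewall, keep an exception for the admin's own IP so Winbox still reaches the MT). This is an added example, not configuration posted by Stefan or Thom, and the interface name ether1, the firewall address 192.168.1.2 and the admin address 203.0.113.10 are assumptions. The one thing it does that a bare "dst-nat all" rule does not is constrain the dst-nat rule to packets that arrive on the uplink and are addressed to the MT itself, so packets the LAN sends out through the MT toward the Internet never match it; netfilter consults the NAT chains only for the first packet of a connection, and both chains are walked top-down with the first matching rule winning, so the accept rule has to sit above the catch-all dst-nat.

```routeros
# Added example (not from the original thread). Assumed values:
#   ether1        = the MT's uplink interface toward the Internet
#   192.168.1.2   = external IP of the firewall sitting behind the MT
#   203.0.113.10  = the admin's own public IP used for Winbox
# Replace them with your real interface name and addresses.

/ip firewall nat

# 1. Outbound: masquerade only traffic that actually leaves via the uplink.
#    (srcnat is evaluated in postrouting, after routing has picked ether1.)
add chain=srcnat out-interface=ether1 action=masquerade comment="masquerade everything going out the uplink"

# 2. Admin exception: packets from my own IP must reach the MT itself.
#    action=accept stops NAT processing for them, so they never hit rule 3.
#    This rule must be ordered ABOVE the catch-all dst-nat rule.
add chain=dstnat in-interface=ether1 src-address=203.0.113.10 action=accept comment="no dst-nat for my own IP (Winbox to the MT)"

# 3. Inbound: forward everything else that arrives on the uplink and is
#    addressed to one of the MT's own IPs to the firewall's external IP.
#    in-interface=ether1 plus dst-address-type=local is what keeps
#    LAN-originated outbound packets (which only transit the MT) from
#    matching here and being redirected to the firewall.
add chain=dstnat in-interface=ether1 dst-address-type=local action=dst-nat to-addresses=192.168.1.2 comment="forward all incoming to the firewall"
```

After adding the rules, check the hit counters with `/ip firewall nat print stats` while a LAN host browses: the masquerade rule's counters should increase and the dst-nat rule's should not. If the dst-nat counters climb during LAN-originated browsing, the rule is still matching transit traffic and its in-interface or dst-address constraints are wrong for your topology. `/ip firewall connection print` shows the translated addresses per connection and is the quickest way to see which rule a given flow hit.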