NAT question - multiple public IP use on one subnet.(solved)

sveno · December 5, 2014, 6:40am

Hi,

I have a public IP NATed with masquerade but I want an address of the same local subnet to use another public IP. Can I do this or do I need another network for this machine (like DMZ)?

Edit: I tried to use !192.168.1.5 as source address in the main src-nat to exclude it but still the 192.168.1.5 src-nat to the second public ip has has 0 hits.

rmmccann · December 5, 2014, 6:55pm

You can do this, however you need to create src-nat rules with action=srcnat for each public IP address you want to use. These need to sit ABOVE the masquerade rule.

Masquerade by default uses the first assigned/enumerated IP address of the MT device. So if you have 1.1.1.1, 1.1.1.2, and 1.1.1.3 assigned from your WAN, masquerade will always use 1.1.1.1. If you want client1 to use 1.1.1.2 and client2 to use 1.1.1.3, you need to create separate srcnat entries for each client and srcnat to that public ip address.

sveno · December 6, 2014, 6:29am

Now I have the following under nat:

chain=srcnat action=src-nat to-addresses=1.1.1.2 src-address=192.168.1.5 out-interface=ether1-gateway log=no
chain=srcnat action=masquerade out-interface=ether1-gateway log=no
chain=dstnat action=dst-nat to-addresses=192.168.1.5 dst-address=1.1.1.2 log=no

addresses (edited):

192.168.1.1/24 192.168.1.0 ether2-master-local
1 1.1.1.1/29 1.1.1.6 ether1-gateway

I don’t even get hits on the dstnat anymore

sveno · December 13, 2014, 9:37am

Bump. I’m still stumped over this. Is there anything wrong with my config or are these lines ok and the problem is elsewhere?

rmmccann · December 16, 2014, 5:20pm

Those rules look correct to me, however it may have something to do with the order in which they are entered.

You could try moving your DST-NAT entry above masquerade and see if that helps. You may also want to specify an “in-interface” for that rule.

jfvelamoscoso · December 16, 2014, 5:42pm

Please give me a diagram and the result of /ip firewall nat export compact

sveno · December 21, 2014, 8:13am

Got the Dst-Nat working by adding the external IP (1.1.1.2) to addresses:

0 192.168.1.1/24 192.168.1.0 ether2-master-local 
1 1.1.1.1/29 1.1.1.6 ether1-gateway 
2 1.1.1.2/29 1.1.1.6 ether1-gateway

Still no hits on src-nat (first in table below).
Specifying TCP and a port (443) didn’t change anything.

nat export compact:

add action=src-nat chain=srcnat out-interface=ether1-gateway src-address=\
    192.168.1.5 to-addresses=1.1.1.2
add action=masquerade chain=srcnat out-interface=\
    ether1-gateway
add action=masquerade chain=srcnat  out-interface=\
    LTE to-addresses=0.0.0.0
add action=dst-nat chain=dstnat dst-address=\
    1.1.1.2 in-interface=ether1-gateway to-addresses=192.168.1.5

sveno · December 21, 2014, 8:37am

Ok. A really weird thing happened. I switched the local address to another server ..and voila it is responding. I changed both the scr-nat and the dst-nat to say 192.168.1.6. The weird thing is that the src-nat still has 0 hits. So the masquerade is using 1.1.1.1 and 1.1.1.2. What is going on?

EDIT: Changing back to 192.168.1.5 and it works too. WTF is this sorcecry? src-nat is disabled and the whole thing works as it should - everyone is using the 1.1.1.1 and 192.168.1.5 is using 1.1.1.2.