NAT rule with dynamic IP

Hi,

I have a dynamic address and I could not find how to set the dynamic IP in the rule for src-nat.

Here are the rules:

/ip firewall nat

add action=dst-nat chain=dstnat comment=NAS dst-address-type=local dst-port=25,110,143,993,995,80,443,5000-5006,6690,7001 protocol=tcp to-addresses=192.168.0.22 to-ports=25-7001

add action=src-nat chain=srcnat dst-address=192.168.0.22 dst-port=25,110,143,993,995,80,443,5000-5006,6690,7001 protocol=tcp to-addresses=96.20.106.43 to-ports=0-65535

I’m using a dyndns script, which is working fine, and I get a ‘current_ip’ variable I can use in the Address List, but I don’t know what to do with src-nat for the “To Addresses” (it supports only an IP address). Any idea?

You can SRC NAT based on the interface rather than a specific IP so I’m not sure exactly what you are trying to achieve. The “To Addresses” is often the server on a private RFC1918 IP behind the firewall so typically dynamic IPs is not an issue there.

Could you sketch out the overview so we have a better understanding of the situation?

See picture. How to replace “To Addresses” by dynamic IP?
[Attached image: 1.jpg]

I think you are using the wrong rule/action. What are you trying to do? If this is to SRC NAT your outbound traffic then set a SRC-NAT rule on the relevant outbound interface (with any restrictions for say source IP that you wish) and choose action=Masquerade.

If that isn’t it then please explain what you are trying to achieve.

I have a small NAS server in the house with different services and DynDns script working fine. I can use ‘current_IP’ from DynDns for the address List (Dst or Dst).

I would like to make my server available from outside, but also on the local network using the DNS (this is why this rule, but I am perhaps wrong).

Where does the NAS server get its IP number from? Is it on a private IP or a public IP?

Can you sketch the relationship of the NAS server to the Routerboard?

The NAS has its own local static IP. On the NAS, we have different services like file server, camera server, email server, photo album, etc. Each service uses different ports (25,110,143,993,995,80,443,5000-5006,6690,7001) to be reachable from outside, on the same public IP, through the NAT. “current_IP” is generated by the DynDNS script as a global variable and is the external public IP.

PS: The first 2 rules in the first msg. work perfectly, except when the IP changes:

/ip firewall nat

add action=dst-nat chain=dstnat comment=NAS dst-address-list=current_IP dst-port=25,110,143,993,995,80,443,5000-5006,6690,7001 protocol=tcp to-addresses=192.168.0.22 to-ports=25-7001

add action=src-nat chain=srcnat dst-address=192.168.0.22 dst-port=25,110,143,993,995,80,443,5000-5006,6690,7001 protocol=tcp to-addresses=123.45.678.90 to-ports=25-7001

OK - I’m about the need to SRC-NAT. Two points:

On the DST-NAT you probably only have to specify the dst-address if you have multiple IPs on an interface - otherwise just specify the In Interface.

On the SRC-NAT, if the NAS device has this router’s 192.168.0.0/24 address set as its default gateway then you would not normally have to SRC NAT the traffic. From the rule it looks as if you are trying to set the source address to the router’s WAN address regardless of where the traffic actually originates. Is that really what you are trying to do?
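
Added example, not posted by anyone in this thread: one way to get the stated goal (NAS reachable from outside and from the LAN by its DNS name) without putting the changing public IP in any rule. The src-nat rule in the first post has no source restriction, so it also rewrites Internet clients, and the NAS then logs every outside connection as coming from the router; the hairpin rule below is limited to LAN sources. The LAN subnet 192.168.0.0/24, the router LAN address 192.168.0.1 and the interface name "bridge" are assumptions.

```routeros
# Added example. Assumed values (not from the thread): LAN 192.168.0.0/24,
# router LAN address 192.168.0.1, LAN interface named "bridge".
/ip firewall nat

# 1. Port-forward to the NAS without naming the public IP.
#    dst-address-type=local matches any address the router itself owns,
#    so the rule keeps matching after the ISP changes the WAN address.
#    dst-address=!192.168.0.1 stops connections to the router's own LAN
#    address (e.g. its web interface on 80/443) from being sent to the NAS.
#    No to-ports is set, so the destination port is left unchanged.
add chain=dstnat action=dst-nat comment="NAS port forward" \
    dst-address-type=local dst-address=!192.168.0.1 protocol=tcp \
    dst-port=25,110,143,993,995,80,443,5000-5006,6690,7001 \
    to-addresses=192.168.0.22

# 2. Hairpin NAT for LAN clients that reach the NAS via the public name.
#    Without it the NAS answers the LAN client directly and the client
#    drops the reply because it comes from an unexpected address.
#    src-address limits the rewrite to connections that start on the LAN;
#    Internet clients keep their real source address, so NAS access logs
#    and per-IP blocking on the NAS stay meaningful.
add chain=srcnat action=masquerade comment="NAS hairpin" \
    src-address=192.168.0.0/24 dst-address=192.168.0.22 \
    out-interface=bridge protocol=tcp \
    dst-port=25,110,143,993,995,80,443,5000-5006,6690,7001
```

LAN clients that go through the hairpin rule still appear on the NAS with the router's LAN address as their source.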