OK, I am currently working on a case with a WAN link with multiple public IPs, e.g. 1.2.3.x/29, with which I would end up with 1.2.3.x1-1.2.3.x5 as usable public IPs.
Now I need to:
Destination port NAT traffic from 0.0.0.0/0 to 1.2.3.x1 ports 80, 443 to an internal server IP
Full IP destination NAT of all traffic from 0.0.0.0/0 to 1.2.3.x2 to another internal IP
And so on…
How do I construct the NAT rules so that when the traffic returns, it gets SRC NATed to the correct public IP?
PS: The situation gets more complicated with 2 WAN links and PPPoE dialup with multiple public IPs, but I think I will ask that in another thread.
Just add dstnat rules and let connection tracking do its magic; it will work automatically. You only need to set up srcnat rules for connections initiated from internal servers to the internet.
How do you route through the router without any NAT, as all the servers have internal IPs, sitting behind the LAN interface, and the WAN interface has another set of public IPs?
For outgoing connections, it would still work, i.e. processes running on the server would be able to connect to resources on the internet, but all would use the same source address (1.2.3.xx). Some people use it like this and it's OK according to them. Others (myself included) prefer servers to use the same outgoing address as incoming. For that, just replace masquerade with:
/ip firewall nat
add action=src-nat chain=srcnat src-address=<internal server 1> to-addresses=1.2.3.x1
add action=src-nat chain=srcnat src-address=<internal server 2> to-addresses=1.2.3.x2
add action=src-nat chain=srcnat to-addresses=1.2.3.x5 comment="everything else not covered by previous rules"
If the router has a public IP of 1.1.1.2/24 on its "WAN" interface and you have been given the public addresses 2.2.2.0/29 (the "WAN" address is irrelevant to you, as the ISP only uses it to route to your subnet):
Create a bridge (effectively the LAN side of your router) with IP 2.2.2.1/29
Connect servers to what would effectively be your local network
Assign 2.2.2.2-2.2.2.5 to the servers with a gateway of 2.2.2.1 and you do not need NAT. This only works if you have all public IPs.
Unless I am reading your OP wrong?
You have a public IP and then a routed subnet?
I know my above approach works in certain situations without NAT, as I have recently set 2 customers up like this on CCR and RB3011 devices.
For the record, I'm working with the "whole /29 on WAN" scenario and honoring the request for dstnat. If the /29 is routed, then the config without NAT described by Steveocee may be the better solution.
Just add dst-nat, with dst-address and port to fit your needs and action dst-nat to your internal IP with the correct port. Also add the correct protocol, TCP/UDP, e.g.:
Let's say you have 2 web servers at 10.10.10.1 and 10.10.10.2, and you have the public IPs 100.100.100.1 and 100.100.100.2. You want each internal web server to respond on one IP each. This would be the ruleset:
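As an added example (not posted by anyone in this thread), here is a complete RouterOS ruleset for the two-server scenario just described, combining the dstnat rules asked for here with the per-server src-nat rules from the earlier reply. It assumes ether1 is the WAN interface carrying the /29, that 100.100.100.5 is the spare address for the rest of the LAN, and that both public addresses are added to ether1 so the router answers for them.

```routeros
# Added example, not from the thread. Assumptions: ether1 = WAN interface
# holding the public /29; web1 = 10.10.10.1, srv2 = 10.10.10.2 on the LAN side.

# The public addresses must exist on the WAN interface, otherwise the upstream
# router never delivers their traffic to us.
/ip address
add address=100.100.100.1/29 interface=ether1
add address=100.100.100.2/29 interface=ether1

/ip firewall nat
# Inbound to web1: only tcp/80,443, and only for packets arriving on the WAN
# interface, so the rule cannot catch traffic originating inside the LAN.
add chain=dstnat in-interface=ether1 dst-address=100.100.100.1 protocol=tcp \
    dst-port=80,443 action=dst-nat to-addresses=10.10.10.1 \
    comment="web1: tcp/80,443 only"
# Inbound to srv2: full 1:1 forward of the second public address.
add chain=dstnat in-interface=ether1 dst-address=100.100.100.2 \
    action=dst-nat to-addresses=10.10.10.2 comment="srv2: all ports"

# Replies to dstnat'ed connections are reversed by connection tracking on
# their own. These srcnat rules only affect connections the servers open
# themselves, so each server leaves with the address it is reached on.
add chain=srcnat out-interface=ether1 src-address=10.10.10.1 \
    action=src-nat to-addresses=100.100.100.1
add chain=srcnat out-interface=ether1 src-address=10.10.10.2 \
    action=src-nat to-addresses=100.100.100.2
# Everything else on the LAN shares one spare address (assumed to be .5).
add chain=srcnat out-interface=ether1 action=src-nat \
    to-addresses=100.100.100.5 comment="everything else not covered above"

/ip firewall filter
# Forward WAN traffic into the LAN only when a dstnat rule explicitly mapped
# it; anything else new from the WAN is dropped. Keep these before any
# blanket accept rules in the forward chain.
add chain=forward connection-state=established,related action=accept
add chain=forward in-interface=ether1 connection-state=new \
    connection-nat-state=dstnat action=accept
add chain=forward in-interface=ether1 connection-state=new action=drop
```

The filter section is what keeps a dstnat-only design from exposing more than the two mapped services; without it, any LAN host is reachable from the WAN through the router's forward path if the rest of the filter is permissive.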
The said solution actually works for another case: if you have worked with those Peplink WAN load balancers, they had something called drop-in mode for WAN, and this is actually the solution I used. No NAT needed from either end and it all works well. But I don't think this will work with PPPoE dialup. What happened was, when I dialed in to my ISP, it would assign an IP of 2.2.2.2 with a GW of 2.2.2.1. So any IP with the DEST of 2.2.2.3-5 from the internet would "pipe" through the PPPoE from the ISP. I don't think I can create a bridge and add a PPPoE dialer into the bridge.
I don't think that would work, because both the 2.2.2.0/29 and 1.1.1.0/29 addresses sit on the same interface of your router and I don't see how the traffic can be NATed.
But if you are talking about adding 1.1.1.1/29 to your interface and 1.1.1.2/29 to your customer's router interface, then technically you can do that as long as your end and your customer's end are "connected" in a way.
@CZFan: If the customer is already connected and you as the ISP want to give another /29 to them, it's better to really route it to them, i.e. "/ip route add dst-address=2.2.2.0/29 gateway=1.1.1.2" on your side.
If you add 2.2.2.1/29 to your router, then you waste three of the eight addresses (network, gateway, broadcast) and only five can be used by the customer. On top of that, you expect them all to be directly reachable on the link between you and the customer. Not that it would be too hard for the customer to route them anywhere else with the help of proxy ARP, but it's an unnecessary extra step.
If you route the whole subnet to the customer, they can use all eight addresses if they want. There are different ways: they can assign them somewhere on the router as /32 and use them with NAT, route them anywhere in their network, etc. Or they can just assign 2.2.2.1/29 to one of their internal interfaces and waste three addresses themselves, if they want. The important thing is that they have a choice. And even if they do this, the three addresses are not completely lost to them; they can still use them in a limited way, because packets coming from the internet don't know that the address is actually e.g. the broadcast address in the internal network, so it's possible to use dstnat to send them somewhere else. And the same for srcnat. The only problem is that machines with other 2.2.2.x/29 addresses won't be able to connect to services on what to them are the network and broadcast addresses. But it's easy for the customer to plan it in a way that doesn't need this.
Zing… just flew over my head, but if you want to stop in on the PSD attributes thread to be wildly entertained with my EXTRA TAB questions (weight and limit), then yes, feel free to provide enlightenment. Oh, and stay tuned for a VLAN/bridge setup thread where I pose my scenario/setup and ask what is the most efficient method…
PS. Am I allowed to give advice in the GENERAL forum? I may not have the rank to do so!
Well. It seems like we need a lesson in using RFC 1918 and public IPs, since the question would differ if it's internal RFC 1918 addresses or public IPs (or just the same).
IF ISP 1 and ISP 2 use the same internal RFC 1918 IPs, use NAT as described.