I’m faced with a funny issue.
In general the situation is pretty straightforward: an outer host on the internet must have access to a service port on a target server inside the local net (behind a router with NAT). Obviously, the solution is to set up port forwarding on the router.
But what would I do if the target server is placed inside a second local subnet which is attached to the first local subnet via a gateway (and doesn’t have any other outbound connections)?
Let me illustrate the situations.
This is a “classic” situation:
outer host
|
(internet)
|
internet router (Cisco RV042) with NAT and port forwarding
|
(subnet 1)
|
inner server
And this is my situation:
outer host
|
(internet)
|
internet router (Cisco RV042) with NAT and port forwarding
|
(subnet 1)
|
inner gateway (Mikrotik RB750Gr2) without NAT
|
(subnet 2)
|
inner server
The Mikrotik is configured as a transparent gateway between the subnets, so I can’t set up port forwarding there (or can I?).
The port forwarding on the Cisco can’t be directed to a server in a foreign subnet (subnet 2 in my case).
So, the question is: how would I set up my Mikrotik so that the port forwarding works as a whole?
A “default” router between two subnets. In fact this is an RB750Gr2 with master/slave port bridging turned off and the subnet 1 and subnet 2 links plugged into ether2 and ether3 respectively.
Yes, it’s limited. That Cisco doesn’t accept forwarding target IPs other than ones in its own local subnet (subnet 1 in this case). It doesn’t respect its own static route configuration in the port forwarding setup.
Did I understand you correctly: your advice is to use the RB in NAT mode instead of router mode?
Such cascade port forwarding is an obvious way.
But I don’t have any links between the Cisco and the RB other than Subnet 1. If the Cisco is connected to the RB using the WAN port then all other hosts in Subnet 1 will use that connection too… and I will lose free access from Subnet 1 to Subnet 2. ((
I can’t find appropriate information on a basic question: is it possible to set up port forwarding in the RB without fully working NAT masquerading? Some kind of port forwarding proxy, I don’t know…
If such a setup is possible, that would be an, err… very compact solution for my issue.
You don’t need full NAT, just dstnat rule(s) for port forwarding. Let’s say your subnet 1 is 192.168.1.0/24 and subnet 2 is 192.168.2.0/24. The Cisco has 192.168.1.1, the RB has 192.168.1.2 and 192.168.2.1, the server has 192.168.2.10 and it’s a web server. You just need to do this:
Packet from comes to and the Cisco forwards it to 192.168.1.2. The RB takes it and forwards it to the server by changing the destination to 192.168.2.10. Other communication between the subnets is not affected.
Btw, even if you had full outgoing NAT (i.e. all traffic from subnet 2 hosts would reach subnet 1 with 192.168.1.2 as source), you would still be able to connect from subnet 1 to 192.168.2.0/24 addresses. NAT by itself does not block any traffic; that’s the firewall’s job.
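As an added example (my own RouterOS commands, not the ones posted in the answer above), this is the dstnat-only configuration on the RB that the answer describes. It assumes the addresses from that answer, the ether2 (subnet 1) / ether3 (subnet 2) layout from the earlier post, TCP port 80 as the service port, and that the Cisco forwards its public port 80 to 192.168.1.2:

```routeros
# Added example, not from the original thread. Assumed layout:
#   Cisco RV042 = 192.168.1.1 (subnet 1), forwards public TCP/80 to 192.168.1.2
#   RB750Gr2    = 192.168.1.2 on ether2 (subnet 1), 192.168.2.1 on ether3 (subnet 2)
#   web server  = 192.168.2.10:80 (subnet 2), default gateway 192.168.2.1

# Rewrite only the destination of packets that arrive on ether2 for the RB's own
# subnet-1 address and port. No masquerade / src-nat is configured, so all other
# traffic between the two subnets is routed untouched.
/ip firewall nat
add chain=dstnat in-interface=ether2 dst-address=192.168.1.2 protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=192.168.2.10 to-ports=80 \
    comment="forward Cisco port-forward to web server in subnet 2"

# Only needed if the forward chain already drops traffic: accept just the
# connections that were dst-natted by the rule above, placed before the drop.
/ip firewall filter
add chain=forward connection-state=new connection-nat-state=dstnat \
    in-interface=ether2 out-interface=ether3 \
    dst-address=192.168.2.10 protocol=tcp dst-port=80 \
    action=accept comment="allow forwarded port to web server" place-before=0

# Checks while connecting from the outer host: the nat rule counters must
# increase, and the connection table must show the translated destination.
/ip firewall nat print stats
/ip firewall connection print where dst-address~"192.168.2.10:80"
```

Two things to keep in mind when testing. The reply path has to go back through the RB: because the server's only gateway is 192.168.2.1, its replies hit the same connection-tracking entry, get their source restored to 192.168.1.2, and the Cisco then reverses its own port forward. And since the RB does no src-nat, the server sees the outer host's real source address in its logs (unless the Cisco rewrites it on the way in), which is what you want for access control and incident review on that service.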