Hi all,
I have been struggling to get this working and I cannot understand for the life of me why I cannot seem to find a solution. This is a representation of the setup I'm working on:
client_LAN(192.168.3.0/24) --> (192.168.3.51)RB750(192.168.4.116) ---> (192.168.4.6)GW(196.44.141.116) ---> INTERNET
Okiedoke- ports 85,110,446,25 etc... are forwarded from the GW(196.44.141.116/192.168.4.6 - an IPCOP, linux box) to 192.168.4.116, which is the RB.
Now I need to forward those ports further onto 192.168.3.55, which is on the client's LAN.
I know there are no services listening on those ports on the RB, so how can I accomplish this? The IPCOP box, which forwards requests for these ports from the Internet into the network, is not on the same LAN as the client, and therefore it cannot see the client's LAN. It can only "see" the interface of the RB750 on its own segment, and so any ports it needs to forward to the client's network have to be forwarded onto the RB first. I think I'm a bit confused here...
Still doesn’t work. To test it, I changed www to listen on port 85 and then I tried to telnet to the RB to test it, from 192.168.4.199:
telnet 192.168.4.116 85
… and it times out.
I then tried to access the URL (http://mail.(client_name).net:85) from a machine in public address space and still it doesn't work, but when I telnet into the destination on port 85, it worx?
Is it necessary to do NAT on the RB? I mean- both of the interfaces are not in public address space. Obviously, I am doing it because I don't want to propagate broadcasts- but is it necessary? I'm sure the firewall or something else interferes somehow.
EDIT: Sorry, forgot to mention- the client LAN (192.168.3.0/24) is connected to eth1, while eth0 (192.168.4.116) is connected to my LAN (192.168.4.0/24).
No, it is not necessary to NAT on the RouterBoard as long as the GW marked device will NAT traffic sourced from 192.168.3.0/24 before it leaves to the Internet. NAT has nothing to do with where broadcasts go, other than NAT often being implemented on routers, which connect broadcast domains. If you turn off NAT, broadcasts from 192.168.3.0/24 will not go past the RouterBoard. You don't need any firewall rules, either.
You don’t have any dst-nat rules in your “/ip firewall nat” section in your first post so you weren’t forwarding any ports then. Post the ones you implemented since.
Alternatively, if you have control over GW, it’s considerably more elegant to have GW dst-nat directly to the client’s IP address on 192.168.3.0/24 instead of to your RouterBoard first. As long as you make sure that GW knows that 192.168.3.0/24 is reachable via 192.168.4.116 either via a routing protocol or even static routes that would work fine and you wouldn’t have to configure NAT on the RouterBoard at all.
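The two options described in the reply above, written out as RouterOS CLI for the RB750. This is an added example, not configuration posted by anyone in the thread; it assumes the interface names eth0 (towards GW, 192.168.4.116) and eth1 (client LAN) from the poster's edit, and the port 85 / 192.168.3.55 forwarding case from the question.

```routeros
# Option A: GW keeps forwarding port 85 to the RB (192.168.4.116), and the RB
# forwards it a second time to the client host. Matching on in-interface and
# dst-address keeps the rule from rewriting traffic that merely passes through.
/ip firewall nat
add chain=dstnat in-interface=eth0 dst-address=192.168.4.116 \
    protocol=tcp dst-port=85 \
    action=dst-nat to-addresses=192.168.3.55 to-ports=85 \
    comment="added example: forward 85 -> client 192.168.3.55"

# Verify the rule is actually being hit while you test from the 192.168.4.0/24
# side (the packet/byte counters should increase for each telnet attempt):
/ip firewall nat print stats where comment~"forward 85"

# Option B: GW dst-nats straight to 192.168.3.55 and routes 192.168.3.0/24 via
# 192.168.4.116. The RB then only routes; any masquerade/src-nat rule on it
# must be disabled, otherwise GW sees 192.168.4.116 as the source and the
# return path for the client LAN is hidden behind the RB.
/ip firewall nat
disable [find action=masquerade]
# The matching GW-side pieces (a static route 192.168.3.0/24 -> 192.168.4.116
# and the DNAT to 192.168.3.55) live in the IPCop configuration, not here.
```

With Option A, the poster's own test (telnet to 192.168.4.116:85 from 192.168.4.199) is the right one: the dst-nat counters tell you whether the packet reached the rule, which separates a NAT problem from a filter or routing problem. With Option B, the RB has no port-specific configuration at all, which is why the reply calls it the more elegant arrangement.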
Hi fewi,
I plan to do just that- forward ports from the GW directly to wherever on 192.68.3.0/24. For now though, I need to test this and get it working, so I can be more familiar with it, since we plan on using these routers from now on.
Anyhow... This is my nat rule for traffic destined to port 85 on the RB, to be forwarded to 192.168.3.55: