Routing on RB1100AH and some public IP

Hello, I just purchased an RB1100AH. I have some static public IP addresses from my ISP, and I would like to use them for services on my LAN that are reachable from outside. I'm studying how to set up something like this:
public IP 88.44.22.11 -> RB1100AH -> Firewall office 1
public IP 88.44.22.12 -> RB1100AH -> Firewall office 2
public IP 88.44.22.13 -> RB1100AH -> Firewall office 3

I have configured the IPs on the public interface of the RB1100AH:

 #   ADDRESS            NETWORK         INTERFACE
 0   88.44.22.11/28     88.44.22.192    ether1_WAN
 1   88.44.22.12/28     88.44.22.192    ether1_WAN
 2   88.44.22.13/28     88.44.22.192    ether1_WAN

and set NAT rules:

chain=srcnat action=src-nat to-addresses=88.44.22.11 src-address=192.168.1.100 to-ports=0-65535 protocol=udp comment="DMZ Firewall_Office_1"
chain=srcnat action=src-nat to-addresses=88.44.22.11 src-address=192.168.1.100 to-ports=0-65535 protocol=tcp comment="DMZ Firewall_Office_1"
chain=dstnat action=dst-nat to-addresses=192.168.1.100 to-ports=0-65535 protocol=udp dst-address=88.44.22.11 comment="DMZ Firewall_Office_1"
chain=dstnat action=dst-nat to-addresses=192.168.1.100 to-ports=0-65535 protocol=tcp dst-address=88.44.22.11 comment="DMZ Firewall_Office_1"

Everything works fine from outside to the LAN, but the problem is that Firewall Office 1 goes out to the internet with a different IP (one of the IPs defined on the RB1100AH WAN interface), and the VPN does not work.

Any advice on my basic routing question?

cetalfio

I found a way, even though I'm not sure if it's the best.
I have assigned different IP addresses to the interface ether2 used for the LAN and to the DMZ interfaces used for the DMZs.

something like:
LAN addresses: 192.168.188.1/24 on eth2
DMZ1 addresses= 10.88.100.1/24 on eth3
Firewall Office 1= 10.88.100.2/24
DMZ2 addresses= 10.88.101.1/24 on eth4
Firewall Office 2= 10.88.101.2/24
DMZ2 addresses= 10.88.102.1/24 on eth5
Firewall Office 1= 10.88.102.2/24

/ip firewall nat
chain=srcnat action=src-nat to-addresses=88.44.22.11 src-address=10.88.100.2
chain=srcnat action=src-nat to-addresses=88.44.22.11 src-address=10.88.100.2 to-ports=0-65535 protocol=udp comment="DMZ Firewall_Office_1"
chain=srcnat action=src-nat to-addresses=88.44.22.11 src-address=10.88.100.2 to-ports=0-65535 protocol=tcp comment="DMZ Firewall_Office_1"
chain=dstnat action=dst-nat to-addresses=10.88.100.2 to-ports=0-65535 protocol=udp dst-address=88.44.22.11 comment="DMZ Firewall_Office_1"
chain=dstnat action=dst-nat to-addresses=10.88.100.2 to-ports=0-65535 protocol=tcp dst-address=88.44.22.11 comment="DMZ Firewall_Office_1"
...
The same for the other addresses.

It appears to be correct: the IP address detected on the Internet corresponds to the one defined for the specific DMZ (DMZ1 88.44.22.11). I'm just curious to know whether the approach is correct or whether it would be possible to use other methods.

cetalfio

anyone?

Assuming this config you posted:

WAN: eth1

LAN addresses: 192.168.188.1/24 on eth2

DMZ1 addresses= 10.88.100.1/24 on eth3
Firewall Office 1= 10.88.100.2/24

DMZ2 addresses= 10.88.101.1/24 on eth4
Firewall Office 2= 10.88.101.2/24

DMZ2 addresses= 10.88.102.1/24 on eth5
Firewall Office 3= 10.88.102.2/24

And assuming that the office firewalls NAT what is behind them, all you need is:

/ip firewall nat
chain=srcnat comment="NAT for Firewall_Office_1" src-address=10.88.100.2 action=src-nat to-addresses=88.44.22.11
chain=dstnat dst-address=88.44.22.11 action=dst-nat to-addresses=10.88.100.2

chain=srcnat comment="NAT for Firewall_Office_2" src-address=10.88.101.2 action=src-nat to-addresses=88.44.22.12
chain=dstnat dst-address=88.44.22.12 action=dst-nat to-addresses=10.88.101.2

chain=srcnat comment="NAT for Firewall_Office_3" src-address=10.88.102.2 action=src-nat to-addresses=88.44.22.13
chain=dstnat dst-address=88.44.22.13 action=dst-nat to-addresses=10.88.102.2

chain=srcnat comment="NAT for LAN" src-address=192.168.188.0/24 action=masquerade

No need for separate UDP or TCP rules; these rules will NAT all L4 protocols (TCP, UDP, IPsec, GRE, etc.).
Depending on how you handle the routing/communication between the offices (the subnets which are behind the firewalls), these rules may need adjusting.

Do not forget to configure the firewall on the RouterBoard: allow what you need in the forward chain, and make sure you protect the input chain as well.
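As an added illustration (this is not code from the thread, nor from RouterOS), the following Python snippet models first-match evaluation of srcnat and dstnat chains, the way a RouterOS-style firewall walks its rule list. It contrasts a rule set constructed to resemble the first post (per-protocol TCP/UDP src-nat rules with an assumed catch-all masquerade after them) with the protocol-agnostic 1:1 rules from the answer above, and shows what source address an IPsec ESP packet from an office firewall leaves with under each. The router's own WAN address (88.44.22.10), the remote host (203.0.113.5), and the protocol names standing in for IP protocol numbers are all constructed assumptions.

```python
"""Toy model of first-match NAT chain evaluation (added example, not RouterOS).

Rules are walked top to bottom within a chain; the first rule that matches and
carries a terminating action (src-nat, dst-nat, masquerade) decides the result.
Protocol names such as "esp" and "gre" stand in for IP protocols 50 and 47.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed: the address the router itself holds on its WAN interface.
# masquerade rewrites the source to the outgoing interface's address,
# modelled here as this constant.
ROUTER_WAN_IP = "88.44.22.10"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str  # "tcp", "udp", "esp", "gre", ...


@dataclass(frozen=True)
class Rule:
    chain: str                            # "srcnat" or "dstnat"
    action: str                           # "src-nat", "dst-nat" or "masquerade"
    src_address: Optional[str] = None     # host or CIDR, like src-address=
    dst_address: Optional[str] = None     # like dst-address=
    protocol: Optional[str] = None        # like protocol=; None matches any protocol
    to_addresses: Optional[str] = None    # like to-addresses=
    comment: str = ""

    def matches(self, pkt: Packet) -> bool:
        if self.src_address is not None and ip_address(pkt.src) not in ip_network(self.src_address, strict=False):
            return False
        if self.dst_address is not None and ip_address(pkt.dst) not in ip_network(self.dst_address, strict=False):
            return False
        if self.protocol is not None and self.protocol != pkt.proto:
            return False
        return True


def run_chain(rules: List[Rule], chain: str, pkt: Packet) -> Tuple[Packet, Optional[str]]:
    """Return (translated packet, comment of the rule that fired, or None if no rule matched)."""
    for rule in rules:
        if rule.chain != chain or not rule.matches(pkt):
            continue
        if rule.action == "src-nat":
            return replace(pkt, src=rule.to_addresses), rule.comment
        if rule.action == "masquerade":
            return replace(pkt, src=ROUTER_WAN_IP), rule.comment
        if rule.action == "dst-nat":
            return replace(pkt, dst=rule.to_addresses), rule.comment
    return pkt, None  # nothing matched: the packet passes untranslated


# Rule set A (constructed to resemble the first post): src-nat only for TCP and
# UDP from the office firewall, followed by an assumed catch-all masquerade.
PER_PROTOCOL = [
    Rule("srcnat", "src-nat", src_address="10.88.100.2", protocol="udp",
         to_addresses="88.44.22.11", comment="DMZ Firewall_Office_1 udp"),
    Rule("srcnat", "src-nat", src_address="10.88.100.2", protocol="tcp",
         to_addresses="88.44.22.11", comment="DMZ Firewall_Office_1 tcp"),
    Rule("srcnat", "masquerade", comment="catch-all masquerade (assumed)"),
]

# Rule set B: the protocol-agnostic 1:1 rules from the answer, LAN masquerade last.
ONE_TO_ONE = [
    Rule("srcnat", "src-nat", src_address="10.88.100.2", to_addresses="88.44.22.11", comment="NAT for Firewall_Office_1"),
    Rule("dstnat", "dst-nat", dst_address="88.44.22.11", to_addresses="10.88.100.2", comment="NAT for Firewall_Office_1"),
    Rule("srcnat", "src-nat", src_address="10.88.101.2", to_addresses="88.44.22.12", comment="NAT for Firewall_Office_2"),
    Rule("dstnat", "dst-nat", dst_address="88.44.22.12", to_addresses="10.88.101.2", comment="NAT for Firewall_Office_2"),
    Rule("srcnat", "src-nat", src_address="10.88.102.2", to_addresses="88.44.22.13", comment="NAT for Firewall_Office_3"),
    Rule("dstnat", "dst-nat", dst_address="88.44.22.13", to_addresses="10.88.102.2", comment="NAT for Firewall_Office_3"),
    Rule("srcnat", "masquerade", src_address="192.168.188.0/24", comment="NAT for LAN"),
]


def egress_source(rules: List[Rule], src: str, proto: str, dst: str = "203.0.113.5") -> str:
    """Public source address the Internet sees for a packet from src (dst is a constructed remote host)."""
    out, _ = run_chain(rules, "srcnat", Packet(src, dst, proto))
    return out.src


def ingress_destination(rules: List[Rule], dst: str, proto: str, src: str = "203.0.113.5") -> str:
    """Internal destination a packet arriving from the Internet for dst is delivered to."""
    out, _ = run_chain(rules, "dstnat", Packet(src, dst, proto))
    return out.dst


if __name__ == "__main__":
    for name, rules in (("per-protocol", PER_PROTOCOL), ("1:1 (answer)", ONE_TO_ONE)):
        for proto in ("tcp", "esp"):
            print(f"{name:13} office 1 {proto:3}: seen on the Internet as {egress_source(rules, '10.88.100.2', proto)}")
    print("inbound to 88.44.22.13 (gre) goes to", ingress_destination(ONE_TO_ONE, "88.44.22.13", "gre"))
```

Running it shows the point made in the answer: with per-protocol rules the office firewall's TCP traffic leaves as 88.44.22.11, but its ESP traffic falls through to the masquerade rule and leaves as the router's own WAN address, so a peer expecting 88.44.22.11 sees a mismatch. With the protocol-agnostic rules every protocol from 10.88.100.2 maps to 88.44.22.11, other hosts in the DMZ subnet are not translated at all, and the LAN still masquerades. The model does no connection tracking, so it only answers the per-packet question of which rule fires.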