[SOLVED] NAT Forward

Hello,

I have a Routerboard 750Gr2 v 6.34 (stable), and my scenario is the following:

Port 1 → WAN interface with static IP Address (10.10.10.10 > example.com)
Port 2-3 → LAN Bridge (range 192.168.10.0/24) for my PicoStation wifi station and a switch for local computers
Port 4-5 → SERVER Bridge (range 192.168.0.0/21) for my servers.

I have a web server, mail server, etc.

My rules are the following:

Flags: X - disabled, I - invalid, D - dynamic 
 0    chain=srcnat action=masquerade out-interface=eth1-pub log=no log-prefix="" 

 1    chain=dstnat action=dst-nat to-addresses=192.168.1.208 to-ports=22 protocol=tcp in-interface=eth1-pub dst-port=2222 log=no log-prefix="" 

 2    chain=dstnat action=dst-nat to-addresses=192.168.1.201 to-ports=8081 protocol=tcp in-interface=eth1-pub dst-port=8081 log=no log-prefix="" 

 3    chain=dstnat action=dst-nat to-addresses=192.168.1.207 to-ports=51413 protocol=tcp in-interface=eth1-pub dst-port=51413 log=no log-prefix="" 

 4    chain=dstnat action=dst-nat to-addresses=192.168.1.240 to-ports=32400 protocol=tcp in-interface=eth1-pub dst-port=32400 log=no log-prefix="" 

 5    chain=dstnat action=dst-nat to-addresses=192.168.1.240 to-ports=5001 protocol=tcp in-interface=eth1-pub dst-port=5001 log=no log-prefix="" 

 6    chain=dstnat action=dst-nat to-addresses=192.168.1.202 to-ports=993 protocol=tcp in-interface=eth1-pub dst-port=993 log=no log-prefix="" 

 7    chain=dstnat action=dst-nat to-addresses=192.168.1.208 to-ports=443 protocol=tcp in-interface=eth1-pub dst-port=443 log=no log-prefix="" 

 8    chain=dstnat action=dst-nat to-addresses=192.168.1.202 to-ports=1194 protocol=udp in-interface=eth1-pub dst-port=1194 log=no log-prefix="" 

 9    chain=dstnat action=dst-nat to-addresses=192.168.1.202 to-ports=143 protocol=tcp in-interface=eth1-pub dst-port=143 log=no log-prefix="" 

10    chain=dstnat action=dst-nat to-addresses=192.168.1.202 to-ports=465 protocol=tcp in-interface=eth1-pub dst-port=465 log=no log-prefix="" 

11    chain=dstnat action=dst-nat to-addresses=192.168.1.202 to-ports=25 protocol=tcp in-interface=eth1-pub dst-port=25 log=no log-prefix=""

Everything is working OK, but when a client from the LAN Bridge tries to access example.com it gets REFUSED because the MT doesn't forward to the internal IP.

For example, if anyone tries to access the mail server he gets an error. I tried the DNS solution, but I have multiple servers with multiple IP addresses.

Can anyone guide me with the setup?

Thank you!

Hello,

I just solved my problem, if anyone is interested in the solution:

Public IP: 10.10.10.10

Flags: X - disabled, I - invalid, D - dynamic 
 0    chain=srcnat action=masquerade out-interface=eth1-pub log=no log-prefix="" 
 1    chain=dstnat action=dst-nat to-addresses=192.168.1.208 to-ports=22 protocol=tcp dst-address=10.10.10.10 dst-port=2222 log=no log-prefix="" 
 2    chain=dstnat action=dst-nat to-addresses=192.168.1.201 to-ports=8081 protocol=tcp dst-address=10.10.10.10 dst-port=8081 log=no log-prefix="" 
 3    chain=dstnat action=dst-nat to-addresses=192.168.1.207 to-ports=51413 protocol=tcp dst-address=10.10.10.10 dst-port=51413 log=no log-prefix="" 
 4    chain=dstnat action=dst-nat to-addresses=192.168.1.240 to-ports=32400 protocol=tcp dst-address=10.10.10.10 dst-port=32400 log=no log-prefix="" 
 5    chain=dstnat action=dst-nat to-addresses=192.168.1.240 to-ports=5001 protocol=tcp dst-address=10.10.10.10 dst-port=5001 log=no log-prefix="" 
 6    chain=dstnat action=dst-nat to-addresses=192.168.1.202 to-ports=993 protocol=tcp dst-address=10.10.10.10 dst-port=993 log=no log-prefix="" 
 7    chain=dstnat action=dst-nat to-addresses=192.168.1.208 to-ports=443 protocol=tcp dst-address=10.10.10.10 dst-port=443 log=no log-prefix="" 
 8    chain=dstnat action=dst-nat to-addresses=192.168.1.202 to-ports=1194 protocol=udp dst-address=10.10.10.10 dst-port=1194 log=no log-prefix="" 
 9    chain=dstnat action=dst-nat to-addresses=192.168.1.202 to-ports=143 protocol=tcp dst-address=10.10.10.10 dst-port=143 log=no log-prefix="" 
10    chain=dstnat action=dst-nat to-addresses=192.168.1.202 to-ports=465 protocol=tcp dst-address=10.10.10.10 dst-port=465 log=no log-prefix="" 
11    chain=dstnat action=dst-nat to-addresses=192.168.1.202 to-ports=25 protocol=tcp dst-address=10.10.10.10 dst-port=25 log=no log-prefix=""
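
The difference between the two rule sets above, as an added example that is not part of the original posts: a small Python model that parses rule 7 in both forms and evaluates the dstnat match for a packet arriving from the WAN and one arriving from the LAN bridge. The interface name bridge-lan is an assumption (the thread only names eth1-pub), and dst-address is compared as a single address, as in the thread.

```python
import shlex

# Rule 7 copied from the thread: original (in-interface) and fixed (dst-address) form.
BEFORE = ' 7    chain=dstnat action=dst-nat to-addresses=192.168.1.208 to-ports=443 protocol=tcp in-interface=eth1-pub dst-port=443 log=no log-prefix="" '
AFTER = ' 7    chain=dstnat action=dst-nat to-addresses=192.168.1.208 to-ports=443 protocol=tcp dst-address=10.10.10.10 dst-port=443 log=no log-prefix="" '

# Only the matchers that appear in the thread's rules are modelled.
MATCHERS = ("protocol", "in-interface", "dst-address", "dst-port")

def parse_rule(line):
    """Turn one line of NAT rule print output into a dict of key=value fields."""
    fields = {}
    for token in shlex.split(line):      # the rule number and flags have no "="
        if "=" in token:
            key, _, value = token.partition("=")
            fields[key] = value
    return fields

def dstnat(rules, packet):
    """Return (address, port) after dstnat; unchanged when no rule matches."""
    for rule in rules:
        if rule.get("chain") != "dstnat":
            continue
        # A rule matches only if every matcher it specifies equals the packet's value.
        if all(rule[m] == str(packet[m]) for m in MATCHERS if m in rule):
            return rule["to-addresses"], int(rule["to-ports"])
    return packet["dst-address"], packet["dst-port"]

# Constructed sample packets, both addressed to the public IP on port 443.
WAN = {"protocol": "tcp", "in-interface": "eth1-pub",
       "dst-address": "10.10.10.10", "dst-port": 443}
LAN = dict(WAN, **{"in-interface": "bridge-lan"})   # hypothetical interface name

if __name__ == "__main__":
    for label, line in (("in-interface rule", BEFORE), ("dst-address rule", AFTER)):
        rules = [parse_rule(line)]
        for name, pkt in (("WAN", WAN), ("LAN", LAN)):
            print(f"{label:18} {name}: -> {dstnat(rules, pkt)}")
```

With the in-interface rule the LAN packet keeps the router's own address as its destination, which is why the client sees the connection refused. The dst-address rule matches on every interface, so which sources may reach the forwarded ports is decided by the firewall filter rules rather than by the NAT rule.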