Source IP & NAT questions

Hi,

A recent change in our LAN - we replaced an older Planet router with a Routerboard + ROS-based one - introduced 2 previously unseen problems. The router's role in the LAN is doing the srcnat/dstnat kind of work. It has 1x LAN and 2x WAN interfaces for a failover connection (haven't actually tested it yet). The WAN ports have 2 IP addresses per port. We need this hack to differentiate the incoming connections. Now, the problem(s):

  • Every packet which comes from outside (WAN) to inside and goes through the dstnat chain gets its source IP changed from some WAN IP to the router's LAN interface's IP (192.168.xxx.xxx). It's not good, because the machines in the LAN sometimes have to know from which part of the internet the packet arrived (for example our SMTP server).

  • Maybe as a consequence of having two WAN IPs on both of the WAN interfaces there's a second problem - the outbound traffic is srcnatted and then randomly sent from one of the WAN IP addresses (both addresses share the same interface). Is it possible to change the packet's source IP tag or address this problem with some firewall rules?

Thank you for any suggestions.

Look up Routing Rules. You will want to say anything from the subnet of WAN1 needs to go out this gateway, and the same for the second. This way, when a packet comes in on WAN1, it will go back out WAN1, and vice versa.

It’s not good, because the machines in the LAN sometimes have to know from which part of the internet the packet arrived (for example our SMTP server).

That is probably the source of your problems. You should not be src-natting inbound traffic. If your servers are seeing a private src address then you need to fix that part first. Everything else will probably work properly after that.

Sam
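An added configuration example (mine, not the poster's config or anything from the thread) that puts both replies above into RouterOS v6-style commands: srcnat restricted to the WAN interfaces so dstnat'd inbound traffic keeps its real source address, a fixed source address per WAN instead of masquerade, and connection marks so replies leave through the WAN they arrived on. Interface names (wan1, wan2, lan), the public prefixes 203.0.113.0/24 and 198.51.100.0/24, the gateways, and the internal SMTP host 192.168.1.25 are placeholders, not the poster's addresses.

```routeros
# Added example, not from the original thread. RouterOS v6 syntax; interface
# names, public prefixes, gateways and the 192.168.1.25 SMTP host are assumed.

# --- 1. Do not srcnat traffic that is heading into the LAN -------------------
# A srcnat rule with no out-interface (or out-address) constraint also matches
# the dstnat'd inbound connections, which is how a LAN server ends up seeing
# the router's 192.168.x.x address as the source. Constrain srcnat to the WANs
# and, instead of masquerade, pin the source address per WAN so outbound
# traffic does not bounce between the two addresses on the same interface.
/ip firewall nat
# port forward for the internal SMTP server (placeholder address)
add chain=dstnat in-interface=wan1 protocol=tcp dst-port=25 \
    action=dst-nat to-addresses=192.168.1.25 to-ports=25
# deterministic source address per WAN interface
add chain=srcnat out-interface=wan1 action=src-nat to-addresses=203.0.113.10
add chain=srcnat out-interface=wan2 action=src-nat to-addresses=198.51.100.10
# The kind of rule to remove (no out-interface, so it NATs in every direction):
#   add chain=srcnat action=masquerade

# --- 2. Send replies out the WAN they came in on ------------------------------
# Mark each new inbound connection with the interface it arrived on, then
# route every packet of that connection (forwarded replies from the LAN and
# replies generated by the router itself) via the matching table.
/ip firewall mangle
add chain=prerouting in-interface=wan1 connection-state=new \
    action=mark-connection new-connection-mark=wan1_conn passthrough=yes
add chain=prerouting in-interface=wan2 connection-state=new \
    action=mark-connection new-connection-mark=wan2_conn passthrough=yes
# forwarded replies coming back from the LAN hosts
add chain=prerouting in-interface=lan connection-mark=wan1_conn \
    action=mark-routing new-routing-mark=via_wan1 passthrough=no
add chain=prerouting in-interface=lan connection-mark=wan2_conn \
    action=mark-routing new-routing-mark=via_wan2 passthrough=no
# replies from services running on the router itself
add chain=output connection-mark=wan1_conn \
    action=mark-routing new-routing-mark=via_wan1 passthrough=no
add chain=output connection-mark=wan2_conn \
    action=mark-routing new-routing-mark=via_wan2 passthrough=no

/ip route
# one default route per routing mark, each through its own WAN gateway
add dst-address=0.0.0.0/0 gateway=203.0.113.1 routing-mark=via_wan1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=198.51.100.1 routing-mark=via_wan2 check-gateway=ping
# plain default routes (unmarked traffic) with distance-based failover
add dst-address=0.0.0.0/0 gateway=203.0.113.1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=198.51.100.1 distance=2 check-gateway=ping

# The "Routing Rules" approach from the first reply does the same selection by
# source prefix instead of by connection mark; it covers traffic that was
# already srcnat'd to a WAN address and the router's own traffic from those
# addresses:
/ip route rule
add src-address=203.0.113.0/24 action=lookup table=via_wan1
add src-address=198.51.100.0/24 action=lookup table=via_wan2
```

To confirm the first fix, watch port 25 on the LAN side (for example `/tool sniffer quick interface=lan port=25`) while connecting from outside: the source address the SMTP host sees should be the remote client's public address, not the router's LAN address. RouterOS v7 moved routing marks into `/routing table` (with `fib`) and the rules into `/routing rule`; the firewall and mangle parts are the same.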