Src NAT from Router LAN IP address to WAN IP adress

sskalsky · April 10, 2024, 8:04am

Hallo

I am new here, I hope my request will be easy to fulfill.

I want to split traffic by LAN IP address (default gateway) to WAN IP address.(src-NAT - dst-NAT vice versa)

I have 2 public WAN static adresses in one subnet and 2 LAN IP Adresses in the one subnet (as 2 default gateways for one LAN).
On a LAN1 IP address I run DHCP server providing IP adresses for part of subnet with deafult gateway LAN1.
Some servers in a LAN have static adress out of mentined DHCP range in a same subnet with a default gateway LAN2.

I would like to nat trafic direcetd to LAN1 IP address to WAN1 IP adress and LAN2 to WAN2 because I need to use dst-nat connections WAN1-LAN1 and WAN2-LAN2.
Simply allow connection from LAN default gateway 1 to WAN1 IP address and from LAN default gateway 2 to WAN2 IP address and back.

I found that is possible use src-nat with dedicated range of source adresses to dedicated WAN adress, dividing a LAN adresses to required ranges.
I do not want to divide source adress ranges, I want to split traffic by LAN IP address (default gateway) to WAN IP address if is it possibble.

Can you help me with this?

llamajaja · April 10, 2024, 2:01pm

Yes if you can explain your requirements more clearly… dont mix up config speak with requirements.

a. identify all user(s)/device(s) and groups of users/devices, including admin
b. identify the traffic they need to accomplish

Provide a network diagram showing the ISP connections, subnets, ports used etc…

sskalsky · April 11, 2024, 8:08am

Hallo, please find more information below:

My goal is to properly connect all LAN clients from single local network to the Internet, and to provide functional communication over open ports from the Internet to the local servers using a single router when 2 WAN router addresses and 2 LAN router addresses are used.

Router hEX

LAN side - bridge - eth2-eth5

LAN IP (bridge) adresses:
LAN IP1: 10.0.0.1 - DHCP server 10.0.0.61-10.0.0.254 (providing dynamic IP adresses pool with default gateway 10.0.0.1)
LAN IP2: 10.0.0.2 - no DHCP server

LAN side clients:
PCs with DHCP client - dynamic adresses 10.0.0.61-10.0.0.254, (DG:10.0.0.1)

Server1 with fixed IP 10.0.0.10. and Default gateway 10.0.0.1 open port to internet 8000

Server 2 fixed IP 10.0.0.11 default gateway 10.0.0.2 open ports to internet 25,443
Server 3 fixed IP 10.0.0.12 default gateway 10.0.0.2 open port to internet 2222

WAN side:
fixed WAN IP1: 1XX.XXX.XXX.39/27
fixed WAN IP2: 1XX.XXX.XXX.44/27
WAN default gateway:1XX.XXX.XXX.42

I would like to:

Split communication

via LAN1 IP 10.0.0.1 to WAN IP1 1XX.XXX.XXX.39/27 (using NAT)
via LAN2 IP 10.0.0.2 to WAN IP2 1XX.XXX.XXX.44/27 (using NAT)

Provide connection from internet (dst-nat) between

WAN IP1 1XX.XXX.XXX.39/27 and server 1 opening port 8000
WAN IP2 1XX.XXX.XXX.44/27 and server 2 opening ports 25, 443
WAN IP2 1XX.XXX.XXX.44/27 and server 3 opening port 2222

This router should replace earlier used two routers, first with LAN IP1 ↔ WAN IP1 and second LAN IP2 ↔ WAN IP2 providing requerd connctions from and to internet. However, the communication does not have to be strictly separated as on two separate routers unless it is necessary.
I can configure everything correctly, except routing between router addresses LAN1-WAN1 and LAN2-WAN2.
Currently, I have it configured so that I split the client IP addresses into separate ranges and use src-nat to route them to the desired WAN addresses, which more or less works. But I want to change it so that the client default gateway IP address determines the routing to the desired WAN IP.

sskalsky · April 11, 2024, 8:10am

… I cannot delete this post – HTTP ERROR 500

llamajaja · April 11, 2024, 2:24pm

Please provide the config, you have so far…

/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc.. )

TheCat12 · April 12, 2024, 12:24pm

I think that the splitting between the two WANs won’t be possible only with the help of NAT - routing tables and in your case mangle rules are also necessary:

/ip firewall address-list
add list=through_WAN2 address=10.0.0.2
add list=through_WAN2 address=10.0.0.11
add list=through_WAN2 address=10.0.0.12

/ip firewall mangle
add action=mark-connection chain=prerouting src-address=10.0.0.1/24 src-address-list=!through_WAN2 connection-mark=no-mark new-connection-mark=WAN1_conn
add action=mark-routing chain=prerouting src-address=10.0.0.1/24 src-address-list=!through_WAN2 new-routing-mark=to_WAN1
add action=mark-routing chain=prerouting connection-mark=WAN1_conn new-routing-mark=to_WAN1 passthorugh=no
add action=mark-connection chain=prerouting src-address-list=through_WAN2 connection-mark=no-mark new-connection-mark=WAN2_conn
add action=mark-routing chain=prerouting src-address-list=through_WAN2 new-routing-mark=to_WAN2
add action=mark-routing chain=prerouting connection-mark=WAN2_conn new-routing-mark=to_WAN2

/routing table
add fib name=to_WAN1
add fib name=to_WAN2

/ip route
add dst-address=0.0.0.0/0 gateway=1XX.XXX.XXX.39 routing-table=to_WAN1
add dst-address=0.0.0.0/0 gateway=1XX.XXX.XXX.44 routing-table=to_WAN2

/ip firewall nat
add action=dst-nat chain=dstnat dst-address=1XX.XXX.XXX.39 protocol=tcp dst-port=8000 to-addresses=10.0.0.10 to-ports=8000
add action=dst-nat chain=dstnat dst-address=1XX.XXX.XXX.44 protocol=tcp dst-port=25,443 to-addresses=10.0.0.11
add action=dst-nat chain=dstnat dst-address=1XX.XXX.XXX.44 protocol=tcp dst-port=2222 to-addresses=10.0.0.12 to-ports=2222

anav · April 12, 2024, 12:33pm

The function of sourcenat is not ROUTING, so cat is bang on.
This is a simple case of subnet A should use WAN1 and subnet B should use WAN2.

questions.

the majority of traffic will be through WAN X ??
What happens when WANA is not available do you want all traffic to go to WANB
What happens when WANB is not available do you want all traffic to go to WANA

Do you have any servers on either LANA or LANB, that you want external users to access?
Do you have any Router services that external users may use (such as VPN)?
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

TheCat12 · April 12, 2024, 12:47pm

The task isn’t as easy as it seems because there is one LAN subnet and two gateways - DHCP clients use one and statically assigned another. It would be easier if there were actually two subnets but no. That’s why I used so many mangle rules and an address list (luckily the devices behind the second gateway are only two). As for the questions it would be best to be answered by the OP

anav · April 12, 2024, 5:32pm

Yeah scratching my head to understand WHY.
Why would anyone have such a setup?

Also the communication is not clear, its ONE LAN, some users have dhcp assigned, the rest are fixed.
He wants the dhcp users, sent to WAN1, and fixed LANIPs sent to WAN2
Also assuming users being on the same LAN should still be able to see each other??

What is the backup plan, in mind. what if WAN1 is not available or WAN2?
Which WAN has priority in a general sense still needs to be determined
a. majority of traffic is dhcp or fixed users/devices
b. most important traffic is dhcp or fixed users/devices