Hi All,
I have two wan addresses, lets call them WAN1 and WAN2. WAN1 goes though RB1, and WAN2 goes through RB2.
RB1 is on 192.168.88.0/16 range (duplicate configs except ip addresses)
RB2 is on 192.168.99.0/16 range
Webserver has two ethernets (if possible I'd prefer it to have just one address)
eth1 192.168.88.2. GW 192.168.88.1
eth2 192.168.99.2 GW 192.168.99.1
I have a nat from WAN1 to Webserver on RB1 which works great. (192.168.88.2)
The nat from WAN2 to Webserver on RB2 however, doesnt work. (192.168.99.2) - works internally only
Both RB's can access the webserver.
I suspect it's the return traffic, it doesn't know where to send it.
Any help would be appreciated. Thank you.
Re: Two wan addresses nat to single internal address
I assume /16 is mistake and you really mean /24, otherwise you'd have overlapping networks and it wouldn't be good.
You're right about return traffic. Webserver has only one default route and sends traffic to random a.b.c.d address from internet there. If the request came from same gateway, all is good. But if it came from the other one, reply is sent wrong way and it can't work.
The quickest fix is to add srcnat rule on second router for incoming traffic. That way all requests will look to webserver as if they were coming from 192.168.99.1 and replies will go correctly to this gateway. Obvious downside is that you won't be able to see real IP addresses of clients.
Other possibility is to do on webserver the same thing that's done on dual-WAN routers, i.e. mark incoming connections based on interface and then mark routing for reply packets based on that. But it depends on the OS used by webserver, e.g. Linux can do it for sure.
Even if you had only one IP address (and ethernet interface) on webserver, it doesn't change the problem.
You're right about return traffic. Webserver has only one default route and sends traffic to random a.b.c.d address from internet there. If the request came from same gateway, all is good. But if it came from the other one, reply is sent wrong way and it can't work.
The quickest fix is to add srcnat rule on second router for incoming traffic. That way all requests will look to webserver as if they were coming from 192.168.99.1 and replies will go correctly to this gateway. Obvious downside is that you won't be able to see real IP addresses of clients.
Other possibility is to do on webserver the same thing that's done on dual-WAN routers, i.e. mark incoming connections based on interface and then mark routing for reply packets based on that. But it depends on the OS used by webserver, e.g. Linux can do it for sure.
Even if you had only one IP address (and ethernet interface) on webserver, it doesn't change the problem.
-
-
Insanityflea
just joined
- Posts: 15
- Joined:
Re: Two wan addresses nat to single internal address
Apologies, yes it’s /24
Thank you, I’ll try your suggestions
Web server is Linux based
Thank you, I’ll try your suggestions
Web server is Linux based
-
-
Insanityflea
just joined
- Posts: 15
- Joined:
Re: Two wan addresses nat to single internal address
I'm still battling with this,
On RB1 (which has WAN1) I've tried adding a SRCNAT which hasn't worked. I'm confused as to which way to go about it.
src address would be the interface on RB2, dst. address would be webserver, action would be src-nat to RB1 ?
Route is:
WAN2 -> RB2 -> RB1 -> Webserver
This route works fine -> WAN1 -> RB1 -> Webserver
On RB1 (which has WAN1) I've tried adding a SRCNAT which hasn't worked. I'm confused as to which way to go about it.
src address would be the interface on RB2, dst. address would be webserver, action would be src-nat to RB1 ?
Route is:
WAN2 -> RB2 -> RB1 -> Webserver
This route works fine -> WAN1 -> RB1 -> Webserver
-
-
CZFan
Forum Guru
- Posts: 2098
- Joined:
- Location: South Africa, Krugersdorp (Home town of Brad Binder)
- Contact:
Re: Two wan addresses nat to single internal address
Not a good idea to have multiple gateways on same device, so remove the one and add a route for whatever traffic you want to go out 2nd network gateway
You need to understand the impact by applying srcnat, as sob said, you will not be able to see client real IP's, with a web server, I am almost sure that will bite you in the long run. As you already confirmed, it is a Linux server so rather look into marking incoming packets and routing them back accordingly as suggested by sob.
For the srcnat rule, as per sob, and sob please correct me here if i have it wrong, you must apply the on 2nd router as you had them listed in your original post, i.e.
You need to understand the impact by applying srcnat, as sob said, you will not be able to see client real IP's, with a web server, I am almost sure that will bite you in the long run. As you already confirmed, it is a Linux server so rather look into marking incoming packets and routing them back accordingly as suggested by sob.
For the srcnat rule, as per sob, and sob please correct me here if i have it wrong, you must apply the on 2nd router as you had them listed in your original post, i.e.
Code: Select all
/ip firewall nat
add chain=srcnat action=src-nat to-addresses=192.168.99.1 protocol=tcp dst-address=192.168.99.2
dst-port=80,443 log=no log-prefix=""
Who is online
Users browsing this forum: Wxjeep and 45 guests