webguyz
newbie
Topic Author
Posts: 45
Joined: Tue May 29, 2007 7:40 pm

Having problems getting src-nat and dst-nat with a single ip

Sun Nov 04, 2012 10:26 pm

I have a debian server ip address 10.0.59.201 with minimal IPTABLES (dns, ping, ssh)

I have a Mikrotik fw that has a Public IP range 73.250.59.0/24

I want to expose this private local server to the internet and have inbound and outbound traffic go thru a single IP (73.250.59.201).

I did
for outgoing:
chain=srcnat action=src-nat to-addresses=73.250.59.201 src-address=10.0.59.201 out-interface=ether7
for incoming:
chain=dstnat action=dst-nat to-addresses=10.0.59.201 dst-address=73.250.59.201

I can't ping 73.250.59.201 or access ssh. From the vm server I can ping IPs, but not dns names.

I obviously am missing something but not sure what. Total noob at this.

Ultimate goal is to no longer assign Internet accessible IPs directly to my vm server interfaces and have to worry about renumbering 100s of IPs by going to each server. Want instead to have the Mikrotik FW have the publicly accessible IP and redirect to an internal vm that has an IP address in the 10.0.59.x range. The vm's will have their own firewalls as well, just want the fw to act as a switchboard, and if I have to renumber my public IPs I would just have to do a replace on all files in the mikrotik instead of having to go to each VM.

Thanks!
 
CelticComms
Forum Guru
Posts: 1766
Joined: Wed May 02, 2012 5:48 am

Re: Having problems getting src-nat and dst-nat with a singl

Sun Nov 04, 2012 11:26 pm

It would be useful to see the complete config - use /export compact.

As well as the src & dst NAT the traffic needs to be allowed through the forwarding chain.
Interlynx | Networking and Information Security Consultants & Trainers | Email: routerlynx@gmail.com
BGP | EIGRP | OSPF | MPLS | Firewall | VPN | IPsec | Multicast | QOS | IPv4/6 | STP | VLAN | PON | AE | M2M | and more!

 
webguyz
newbie
Topic Author
Posts: 45
Joined: Tue May 29, 2007 7:40 pm

Re: Having problems getting src-nat and dst-nat with a singl

Sun Nov 04, 2012 11:54 pm

Doing some more reading, it appears I can accomplish what I need by using action=netmap to do 1:1 mapping.

1:1 mapping

If you want to link Public IP subnet 11.11.11.0/24 to local one 2.2.2.0/24, you should use destination address translation and source address translation features with action=netmap.

/ip firewall nat add chain=dstnat dst-address=11.11.11.0/24 \
action=netmap to-addresses=2.2.2.0/24

/ip firewall nat add chain=srcnat src-address=2.2.2.0/24 \
action=netmap to-addresses=11.11.11.0/24

Now I have to free up a subnet to try this command. Thanks!
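A model of the 1:1 mapping quoted in the post above, added here as an example (not code from the thread or from MikroTik): it swaps the network prefix and keeps the host bits, and its table lists every internal address the dstnat rule makes reachable, which is the set the forward chain then has to allow or block. The /24 mask on 10.0.59.0 and the replacement prefix 203.0.113.0/24 are assumptions made for the illustration.

```python
import ipaddress

def netmap(addr, from_net, to_net):
    """Model a 1:1 netmap translation: replace the prefix, keep the host bits."""
    addr = ipaddress.ip_address(addr)
    from_net = ipaddress.ip_network(from_net)
    to_net = ipaddress.ip_network(to_net)
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError("1:1 mapping needs equally sized subnets")
    if addr not in from_net:
        raise ValueError(f"{addr} is outside {from_net}; the rule would not match")
    offset = int(addr) - int(from_net.network_address)
    return str(to_net.network_address + offset)

def mapping_table(public_net, private_net):
    """Public address -> internal host for every usable address in the subnet."""
    hosts = ipaddress.ip_network(public_net).hosts()
    return {str(a): netmap(a, public_net, private_net) for a in hosts}

def round_trips(public_net, private_net):
    """True when the srcnat rule is the exact inverse of the dstnat rule."""
    table = mapping_table(public_net, private_net)
    return all(netmap(priv, private_net, public_net) == pub
               for pub, priv in table.items())

if __name__ == "__main__":
    PUBLIC = "73.250.59.0/24"      # public range from the first post
    PRIVATE = "10.0.59.0/24"       # assumed mask for the 10.0.59.x range
    NEW_PUBLIC = "203.0.113.0/24"  # constructed prefix for a renumbering test

    # dstnat direction: inbound traffic to the public address
    print(netmap("73.250.59.201", PUBLIC, PRIVATE))
    # srcnat direction: outbound traffic from the server
    print(netmap("10.0.59.201", PRIVATE, PUBLIC))
    # After renumbering, only the public prefix in the two rules changes
    print(netmap("203.0.113.201", NEW_PUBLIC, PRIVATE))
    print(len(mapping_table(PUBLIC, PRIVATE)), "internal hosts exposed by the rule")
    print("inverse rules:", round_trips(PUBLIC, PRIVATE))
```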
 
deejayq
Member Candidate
Posts: 195
Joined: Wed Feb 23, 2011 8:33 am

Re: Having problems getting src-nat and dst-nat with a singl

Mon Nov 05, 2012 2:46 pm

Why not just set 73.250.59.201 to the debian server?
 
webguyz
newbie
Topic Author
Posts: 45
Joined: Tue May 29, 2007 7:40 pm

Re: Having problems getting src-nat and dst-nat with a singl

Mon Nov 05, 2012 4:42 pm

That's what I'm doing now. I have over 100 vm's, all with dedicated IPs. Let's say tomorrow I move to another data center and I am given new sets of Public Internet IPs. Now imagine having to go to each virtual server and manually changing each set of IPs. Been there and done that before and it's no fun.
 
deejayq
Member Candidate
Posts: 195
Joined: Wed Feb 23, 2011 8:33 am

Re: Having problems getting src-nat and dst-nat with a singl

Mon Nov 05, 2012 9:17 pm

use dhcp server ☺
