sveno
newbie
Topic Author
Posts: 40
Joined: Mon May 14, 2012 8:29 pm

NAT question - multiple public IP use on one subnet.(solved)

Fri Dec 05, 2014 8:40 am

Hi,

I have a public IP NATed with masquerade but I want an address of the same local subnet to use another public IP. Can I do this or do I need another network for this machine (like DMZ)?

Edit: I tried to use !192.168.1.5 as source address in the main src-nat to exclude it but still the 192.168.1.5 src-nat to the second public IP has 0 hits.
Last edited by sveno on Tue Dec 30, 2014 8:34 pm, edited 1 time in total.
 
rmmccann
Member Candidate
Posts: 182
Joined: Tue Sep 25, 2012 11:15 pm
Location: USA

Re: NAT question - multiple public IP use on one subnet.

Fri Dec 05, 2014 8:55 pm

You can do this, however you need to create src-nat rules with action=srcnat for each public IP address you want to use. These need to sit ABOVE the masquerade rule.

Masquerade by default uses the first assigned/enumerated IP address of the MT device. So if you have 1.1.1.1, 1.1.1.2, and 1.1.1.3 assigned from your WAN, masquerade will always use 1.1.1.1. If you want client1 to use 1.1.1.2 and client2 to use 1.1.1.3, you need to create separate srcnat entries for each client and srcnat to that public ip address.
A common mistake that people make when trying to design something completely foolproof is to underestimate the ingenuity of complete fools. --Douglas Adams
 
sveno
newbie
Topic Author
Posts: 40
Joined: Mon May 14, 2012 8:29 pm

Re: NAT question - multiple public IP use on one subnet.

Sat Dec 06, 2014 8:29 am

Now I have the following under nat:

chain=srcnat action=src-nat to-addresses=1.1.1.2 src-address=192.168.1.5 out-interface=ether1-gateway log=no
chain=srcnat action=masquerade out-interface=ether1-gateway log=no
chain=dstnat action=dst-nat to-addresses=192.168.1.5 dst-address=1.1.1.2 log=no

addresses (edited):

192.168.1.1/24 192.168.1.0 ether2-master-local
1 1.1.1.1/29 1.1.1.6 ether1-gateway

I don't even get hits on the dstnat anymore :(
 
sveno
newbie
Topic Author
Posts: 40
Joined: Mon May 14, 2012 8:29 pm

Re: NAT question - multiple public IP use on one subnet.

Sat Dec 13, 2014 11:37 am

Bump. I'm still stumped over this. Is there anything wrong with my config or are these lines ok and the problem is elsewhere?
 
rmmccann
Member Candidate
Posts: 182
Joined: Tue Sep 25, 2012 11:15 pm
Location: USA

Re: NAT question - multiple public IP use on one subnet.

Tue Dec 16, 2014 7:20 pm

Those rules look correct to me, however it may have something to do with the order in which they are entered.

You could try moving your DST-NAT entry above masquerade and see if that helps. You may also want to specify an "in-interface" for that rule.
A common mistake that people make when trying to design something completely foolproof is to underestimate the ingenuity of complete fools. --Douglas Adams
 
jfvelamoscoso
Trainer
Posts: 59
Joined: Fri Oct 25, 2013 12:52 am
Location: Arequipa - Peru

Re: NAT question - multiple public IP use on one subnet.

Tue Dec 16, 2014 7:42 pm

Please give me a diagram and the result of /ip firewall nat export compact
----------------------------------------
jfvelamoscoso@gmail.com
Network Engineer Noc Department
MTCNA, MTCTCE

If it helps please give some karma
 
sveno
newbie
Topic Author
Posts: 40
Joined: Mon May 14, 2012 8:29 pm

Re: NAT question - multiple public IP use on one subnet.

Sun Dec 21, 2014 10:13 am

Got the Dst-Nat working by adding the external IP (1.1.1.2) to addresses:
0 192.168.1.1/24 192.168.1.0 ether2-master-local
1 1.1.1.1/29 1.1.1.6 ether1-gateway
2 1.1.1.2/29 1.1.1.6 ether1-gateway
Still no hits on src-nat (first in table below).
Specifying TCP and a port (443) didn't change anything.

nat export compact:
add action=src-nat chain=srcnat out-interface=ether1-gateway src-address=\
    192.168.1.5 to-addresses=1.1.1.2
add action=masquerade chain=srcnat out-interface=\
    ether1-gateway
add action=masquerade chain=srcnat out-interface=\
    LTE to-addresses=0.0.0.0
add action=dst-nat chain=dstnat dst-address=\
    1.1.1.2 in-interface=ether1-gateway to-addresses=192.168.1.5
 
sveno
newbie
Topic Author
Posts: 40
Joined: Mon May 14, 2012 8:29 pm

Re: NAT question - multiple public IP use on one subnet.

Sun Dec 21, 2014 10:37 am

Ok. A really weird thing happened. I switched the local address to another server ... and voila, it is responding. I changed both the src-nat and the dst-nat to say 192.168.1.6. The weird thing is that the src-nat still has 0 hits. So the masquerade is using 1.1.1.1 and 1.1.1.2. What is going on?

EDIT: Changing back to 192.168.1.5 and it works too. WTF is this sorcery? src-nat is disabled and the whole thing works as it should - everyone is using 1.1.1.1 and 192.168.1.5 is using 1.1.1.2.
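The rule ordering rmmccann describes, the address and in-interface fix from the export above, and the zero-counter puzzle in the last two posts, gathered into one RouterOS configuration as an added example (not a config posted in this thread). Interface names and addresses are the thread's own; the comments on connection tracking are the editor's explanation, not something the posters stated.

```routeros
# The extra public IP must be an address on the WAN interface so the router
# answers ARP for it; until it is, the dst-nat rule never sees any traffic.
/ip address
add address=192.168.1.1/24 interface=ether2-master-local
add address=1.1.1.1/29 interface=ether1-gateway
add address=1.1.1.2/29 interface=ether1-gateway

# NAT chains are first-match, so rule order decides the result.
/ip firewall nat
# 1) Specific 1:1 outbound mapping for host .5, placed ABOVE the catch-all.
add chain=srcnat src-address=192.168.1.5 out-interface=ether1-gateway \
    action=src-nat to-addresses=1.1.1.2 comment="host .5 -> 1.1.1.2"
# 2) Catch-all for everyone else. On a static WAN address an explicit src-nat
#    is more predictable than masquerade, which uses the first address
#    assigned to the interface (1.1.1.1 here).
add chain=srcnat out-interface=ether1-gateway \
    action=src-nat to-addresses=1.1.1.1 comment="default outbound"
# 3) Inbound 1:1 mapping, restricted to the WAN interface so a LAN host
#    addressing 1.1.1.2 is not silently redirected.
add chain=dstnat in-interface=ether1-gateway dst-address=1.1.1.2 \
    action=dst-nat to-addresses=192.168.1.5 comment="1.1.1.2 -> host .5"

# If the src-nat rule already exists below masquerade, move it to the top
# rather than re-creating it:
/ip firewall nat move [find comment="host .5 -> 1.1.1.2"] destination=0

# NAT is decided once per connection, on its first packet. Connections that
# were already tracked while masquerade matched keep translating to 1.1.1.1
# and never hit the new rule (a 0 counter after reordering is expected until
# they expire). Clearing the host's tracked connections forces re-evaluation:
/ip firewall connection remove [find src-address~"192.168.1.5"]

# Caveat behind "it works with src-nat disabled": replies to connections that
# arrived through the dst-nat rule leave as 1.1.1.2 anyway, because conntrack
# reverses the mapping. Connections that 192.168.1.5 itself initiates only
# use 1.1.1.2 when the src-nat rule is enabled and sits above the catch-all.

# Verify: after reset, only new connections from .5 should count on rule 0.
/ip firewall nat reset-counters-all
/ip firewall nat print stats
```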
