3 public IP's how to create the rules

Posted: Wed May 12, 2021 6:35 pm
by Peque
Hi Forum
I have a question regarding having 3 different public IPs - with different port forwards per IP.
I should have port 80/443 open on each public IP towards 3 different subnets. + the ISP has added 2 extra IPs.

But the normal port forwards from before adding the extra IPs are still working - but I cannot make the rules on the "new" IPs work.

The 1st public IP - is used for the internal user network --> this IP is added from the ISP DHCP server
The 2nd public IP - is used for their mail system --> this IP is static, added from the ISP
The 3rd public IP - is used for the web servers --> this IP is static, added from the ISP

How do I differentiate which IP should flow to where? The masquerade part is up and running; the 3 different subnets have a separate public IP.
Normally I create the rules etc. in WinBox - so I cannot give the command line for creating the rule.
But created under firewall - NAT
Under General:
chain=dst-nat destination-address=Public IP 2 protocol=tcp destination-port=80 in-interface=WAN
Under Action
action=dst-nat to-address= to-port=80
But with this I cannot see any traffic through the rule.

Under Routes
I see one route created for the extra IP:
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS                            1
 1 ADC  WAN                       0
 2 ADC    DMZ                       0
 3 ADC    WEB-DMZ                   0
 4 ADC   LAN-Bridge                0
 5 ADC  WAN                       0

The addresses are added manually under the address list - to the WAN interface - but a route was only created for one of the IPs. Should this auto-created one be deleted - and then add them manually???

And the last thing I'm struggling with is - I'm able to ping the first public IP - not number 2 or 3 - but my guess is it has something to do with the routing.
But what I do not get - is when the machine in the WEB-DMZ resolves to the 99 public IP:
root@fws-vm02:/home/pbj# dig +short
So what am I missing here

Thanks in advance

Re: 3 public IP's how to create the rules

Posted: Mon May 17, 2021 1:49 pm
by tdw
The output of /export hide-sensitive would be more informative than just the current routing table. It is likely your dst-nat rule is not being hit as an earlier more generic rule is matching the packets.

Assuming the ISP routes the additional subnet to you there are several methods of using the addresses, e.g.
You can assign the subnet to an interface (or bridge containing several interfaces) and connect devices using the public IPs - no NAT involved, but consumes three addresses from the subnet for network, broadcast and gateway.
You can add the subnet as an unreachable or blackhole route - this prevents packets bouncing back and forth between you and the ISP until the TTL expires. You can then add NAT rules as required; to make individual addresses respond to ping they have to exist, e.g. by adding each /32 to a dummy interface, or NAT ICMP packets to the target.

When using masquerade from an interface with multiple addresses the lowest is picked, to specify an address use src-nat instead.

Re: 3 public IP's how to create the rules

Posted: Tue May 18, 2021 3:04 am
by anav
For obvious reasons it's very difficult for a router to know what to do with an incoming port that is duplicated.
In this case, if coming over from different IP addresses, it should be doable.
Typically the ONE NATTED IP address can only handle one instance of an incoming port.
To get around this one can use a different incoming port and translate it to the same to-port.
In your case you don't need that trickery because you have separate WANIPs going to locations not on the NATTED subnet.

For dynamic wanip (natted subnet)
add chain=dst-nat action=dst-nat in-interface=WAN1 protocol=tcp dst-port=1234 to-addresses=

ISP2 (one to one mapping --> public IP to private IP)
add chain=dst-nat action=dst-nat dst-address=wanip2 protocol=tcp dst-port=1234 to-addresses=

ISP3 (one to one mapping --> public IP to private IP)
add chain=dst-nat action=dst-nat dst-address=wanip3 protocol=tcp dst-port=1234 to-addresses=

You should post your config for better answers.
/export hide-sensitive file=anynameyouwish
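As an added worked example (not posted by anyone in this thread), this is how tdw's blackhole-route-plus-NAT method and anav's per-WAN-IP dst-nat rules fit together in RouterOS v6 CLI syntax. The /29 203.0.113.0/29, the internal 192.168.x.0/24 subnets and hosts, the interface names and the empty bridge used as a dummy interface are all constructed placeholders, and using an empty bridge to hold the /32s is an assumption about the router's setup.

```routeros
# Constructed example: ISP routes 203.0.113.0/29 to the existing WAN address.
# 203.0.113.2 = mail server public IP, 203.0.113.3 = web server public IP.

# 1. Blackhole the routed subnet so unused addresses do not loop
#    between the router and the ISP (tdw's suggestion).
/ip route
add dst-address=203.0.113.0/29 type=blackhole comment="ISP extra /29"

# 2. Make each public /32 "exist" on the router so it answers ping.
#    An empty bridge acts as the dummy interface (assumption).
/interface bridge
add name=lo-public protocol-mode=none comment="holds extra public IPs"
/ip address
add address=203.0.113.2/32 interface=lo-public comment="mail public IP"
add address=203.0.113.3/32 interface=lo-public comment="web public IP"

# 3. Inbound: one dst-nat rule per public IP (anav's one-to-one mapping).
#    place-before=0 puts them ahead of any older, more generic dst-nat
#    rule that would otherwise catch the packets first.
/ip firewall nat
add chain=dstnat dst-address=203.0.113.2 protocol=tcp dst-port=80,443 \
    action=dst-nat to-addresses=192.168.20.10 place-before=0 \
    comment="mail: 203.0.113.2 -> 192.168.20.10"
add chain=dstnat dst-address=203.0.113.3 protocol=tcp dst-port=80,443 \
    action=dst-nat to-addresses=192.168.30.10 place-before=0 \
    comment="web: 203.0.113.3 -> 192.168.30.10"

# 4. Outbound: masquerade picks the lowest WAN address, so use src-nat
#    to pin each internal subnet to its own public IP.
add chain=srcnat src-address=192.168.20.0/24 out-interface=WAN \
    action=src-nat to-addresses=203.0.113.2 comment="mail out via .2"
add chain=srcnat src-address=192.168.30.0/24 out-interface=WAN \
    action=src-nat to-addresses=203.0.113.3 comment="web out via .3"
# The original masquerade rule for the user LAN keeps using the DHCP WAN IP.

# 5. Check rule hits: a zero packet counter on a dst-nat rule while a
#    generic rule above it is counting means the order is still wrong.
/ip firewall nat print stats
```

Run `/ip firewall nat print stats` again after a test connection from outside: the matching rule's bytes/packets counters should increase, which is the quickest way to confirm the "cannot see any traffic through the rule" symptom is fixed.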