fball
newbie
Topic Author
Posts: 31
Joined: Mon Oct 08, 2007 7:59 pm

Correct dstnat setup

Mon Sep 08, 2008 4:52 pm

I have a question about dstnat. We have a /28 network on our public interface and a nat'ed /16 on our private. I can get dstnat working from public numbers to private, but my question is whether I need to have a srcnat rule in addition for each server/service. I have several services served up on different public IPs that go to the same private IP/server. SMTP to a spam proxy is one. I would think it good to have the reply to a request come from the IP where the request was sent. Example:

srcnat:
10.4.x.x -> 144.92.249.226
dstnat:
144.92.249.226:25 -> 10.4.2.1:25
144.92.249.228:25 -> 10.4.2.21:25

In the above when traffic comes to 144.92.249.228:25 what IP does the response come from? .249.228 or .249.226? Do I need to add an IP number to the SMTP server (10.4.2.2) and then change the rule to look like this:

srcnat:
10.4.2.2 -> 144.92.249.228
10.4.x.x -> 144.92.249.226
dstnat:
144.92.249.226:25 -> 10.4.2.1:25
144.92.249.228:25 -> 10.4.2.2:25
 
enk
Member Candidate
Posts: 165
Joined: Fri Aug 17, 2007 8:59 am
Location: Russia

Re: Correct dstnat setup

Mon Sep 08, 2008 5:05 pm

Maybe I misunderstood, but try using netmap instead:
/ip firewall nat
# outbound: the whole 10.4.1.0/24 block leaves as .226
add action=src-nat chain=srcnat comment="" disabled=no src-address=\
    10.4.1.0/24 to-addresses=144.92.249.226
# outbound: the mail host alone leaves as .228
add action=src-nat chain=srcnat comment="" disabled=no src-address=10.4.2.2 \
    to-addresses=144.92.249.228
# inbound: match on the public address the client connected to (dst-address)
add action=netmap chain=dstnat comment="" disabled=no dst-port=25 protocol=\
    tcp dst-address=144.92.249.226 to-addresses=10.4.2.1 to-ports=25
add action=netmap chain=dstnat comment="" disabled=no dst-port=25 protocol=\
    tcp dst-address=144.92.249.228 to-addresses=10.4.2.21 to-ports=25
 
galaxynet
Long time Member
Posts: 646
Joined: Fri Dec 17, 2004 2:52 pm

Re: Correct dstnat setup

Mon Sep 08, 2008 6:00 pm

fball -
enk's solution won't work, as the first src-nat rule will get executed before the netmap src-nat rules will be seen.... The order in which the rules are applied is important....

Your idea is more correct...however.......

srcnat:
10.4.2.2 -> 144.92.249.228
10.4.x.x -> 144.92.249.226
dstnat:
144.92.249.226:25 -> 10.4.2.1:25
144.92.249.228:25 -> 10.4.2.2:25


Would more properly read:

srcnat:
10.4.2.2:25 -> 144.92.249.228 ;These two rules will ONLY get executed if the src-port is 25
10.4.2.1:25 -> 144.92.249.226 ;otherwise the packet will fall through to the next rule....
Add any other src-nat rules here, and finally put your 'general' src-nat rule, for everything not already nat'd that you want to src-nat, last.
dstnat:
144.92.249.226:25 -> 10.4.2.1:25
144.92.249.228:25 -> 10.4.2.2:25
Same idea for dst-nat: put the rules in the order you want them executed in.

R/
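The ordering point in this thread can be checked outside the router. Below is an added example, not code from the thread or from RouterOS: a small Python model of a first-match NAT chain, fed the srcnat rules from the posts above in both orders, which shows that the general 10.4.x.x rule placed first shadows the host-specific 10.4.2.2 rule. It models rule matching order only, not connection tracking; the rule sets are constructed from the thread and 203.0.113.9 (a documentation address) is an assumed remote host.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int

@dataclass(frozen=True)
class NatRule:
    """One rule of a RouterOS-style NAT chain; a None matcher matches anything."""
    action: str            # "src-nat" or "dst-nat"
    to_address: str
    src_address: Optional[str] = None   # host or CIDR
    dst_address: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        def in_net(addr: str, net: Optional[str]) -> bool:
            return net is None or ip_address(addr) in ip_network(net, strict=False)
        return (in_net(p.src, self.src_address) and in_net(p.dst, self.dst_address)
                and self.src_port in (None, p.sport) and self.dst_port in (None, p.dport))

def run_chain(rules: List[NatRule], p: Packet) -> Tuple[Packet, Optional[int]]:
    """First match wins: the first matching rule translates the packet and the
    rest of the chain is never consulted. Returns (packet, index of rule used)."""
    for i, r in enumerate(rules):
        if r.matches(p):
            field = "src" if r.action == "src-nat" else "dst"
            return replace(p, **{field: r.to_address}), i
    return p, None          # no rule matched: packet leaves untranslated

# Constructed rule sets from the thread; the order is the only difference.
GENERAL_FIRST = [
    NatRule("src-nat", "144.92.249.226", src_address="10.4.0.0/16"),  # 10.4.x.x
    NatRule("src-nat", "144.92.249.228", src_address="10.4.2.2"),     # never reached
]
SPECIFIC_FIRST = list(reversed(GENERAL_FIRST))
DSTNAT = [
    NatRule("dst-nat", "10.4.2.1", dst_address="144.92.249.226", dst_port=25),
    NatRule("dst-nat", "10.4.2.2", dst_address="144.92.249.228", dst_port=25),
]
# 203.0.113.9 (TEST-NET-3 documentation range) stands in for a remote mail host.
OUTBOUND = Packet("10.4.2.2", "203.0.113.9", 40001, 25)   # spam proxy opening a new session
INBOUND = Packet("203.0.113.9", "144.92.249.228", 40002, 25)
```

Run `run_chain(GENERAL_FIRST, OUTBOUND)` and `run_chain(SPECIFIC_FIRST, OUTBOUND)` to see the same packet leave as .226 in one order and .228 in the other.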
