Forwarding Public Ip to specific nated private IPs

sjwrick · Wed Jun 29, 2011 9:56 pm

I want to forward a number of different Public IPs to specific private ips behind my router. One to one. Each public IP needs to be mapped to a specific private IP. I have the basic functionality in place, however my non-public ip clients also reflect that they are coming from the public IP assigned to another client. They should be using the general Public IP.

For this example x represents Public IP and y represents nated internal Private IP.

x.x.x.x = general public ip for all clients. For example y1.y1.y1.y1 and y2.y2.y2.y2 use x.x.x.x

Except for client y3.y3.y3.y3

x3.x3.x3.x3 maps to y3.y3.y3.y3 explicitly and non-othesr.

However, at times y1 and y2 show as coming from x3.

How can I resolve this? I can make the adjustment in /ip addresses. I work through my public ips disabling and re-enabling while watching the /ip routes . Eventually after I work thought the address list of public ips the preferred source comes up as x.x.x.x instead of one of the other x#.x#.x#.x# ips which are designated for a specific client.

How can I restrict general clients to x.x.x.x and not specific client's assigned ips.

Thanks
Rick

fewi · Wed Jun 29, 2011 10:02 pm

Because it's less confusing with numbers rather than the same letters, let's assume you have the following requirements:

- LAN is 192.168.0.0/24, router is .1
- WAN is 1.1.1.2/24, and you have all those IPs available to you other than .1, which is the ISP
- 192.168.0.10 should be mapped to 1.1.1.10
- 192.168.0.11 should be mapped to 1.1.1.11
- everyone else in 192.168.1.0/24 should be mapped as overloaded to 1.1.1.2

/ip address
add interface=LAN address=192.168.0.1/24
add interface=WAN address=1.1.1.2/24
add interface=WAN address=1.1.1.10/24
add interface=WAN address=1.1.1.11/24
/ip firewall nat
add chain=srcnat out-interface=WAN src-address=192.168.0.10 action=src-nat to-address=1.1.1.10
add chain=srcnat out-interface=WAN src-address=192.168.0.11 action=src-nat to-address=1.1.1.11
add chain=srcnat out-interface=WAN src-address=192.168.0.0/24 action=src-nat to-address=1.1.1.2
add chain=dstnat in-interface=WAN dst-address=1.1.1.10 action=dst-nat to-address=192.168.0.10
add chain=dstnat in-interface=WAN dst-address=1.1.1.11 action=dst-nat to-address=192.168.0.11

That assumes bidirectional forwarding for the two 1:1 mapped hosts for inbound traffic originated from the outside. If you don't need that leave out the dstnat rules, NAT will automatically be undone in destination NAT for return traffic in connections initiated by an inside host.

Your issue is either rule ordering, or that you use 'masquerade' (which means "perform source NAT by magically picking an address") rather than src-nat with a manually selected IP.

sjwrick · Wed Jun 29, 2011 10:09 pm

OK so instead of

action=masquerade

use

action=src-nat to-address=x.x.x.x

Cool - need to learn something new every day.

Thanks - Rick

sjwrick · Thu Jun 30, 2011 4:47 am

Confirming that solution worked.

Thanks

Rick

bashkimi · Sat Jul 02, 2011 11:40 am

I do this all same in my network, but when i use srcnat instead of masquerading the internet stops working.
Any help ??

fewi · Sat Jul 02, 2011 8:11 pm

Post the output of "/ip address print detail", "/ip route print detail", "/interface print", "/ip firewall export", and an accurate network diagram.

cybertron · Fri Jun 01, 2012 6:20 am

If you wanted to set in-interface to LAN (assuming that's the name you've given it), would that work, but is not needed?

Forwarding Public Ip to specific nated private IPs

Forwarding Public Ip to specific nated private IPs

Re: Forwarding Public Ip to specific nated private IPs

Re: Forwarding Public Ip to specific nated private IPs

Re: Forwarding Public Ip to specific nated private IPs

Re: Forwarding Public Ip to specific nated private IPs

Re: Forwarding Public Ip to specific nated private IPs

Re: Forwarding Public Ip to specific nated private IPs

Who is online