Here's the scenario:
ISP has given us a block of IP addresses which we will call 13.14.15.16/29. ISP gateway is at .17. RB1100AH at .18, on a port we renamed "wan1". Usable IP addresses after that are 13.14.15.19, 13.14.15.20, 13.14.15.21, 13.14.15.22
Internal network is 10.0.16.0/21. RB1100AH is at 10.0.16.1 on a port we renamed "lan1".
We have an Asterisk PBX at 10.0.19.50 and several phones connecting to it (internally and externally, but internal connections are the most important). Ports 5060 and 10000-20000 need to be forwarded to the box from 13.14.15.19 to 10.0.19.50 and proper NAT happening. The Asterisk box is NAT aware and basically working since a 1:1 map from 13.14.15.19<>10.0.19.50 on a Cisco 2801 worked absolutely perfectly. However that hardware died horribly, and we replaced it with something we thought would be more flexible (the RB1000AH).
Every device on the internal network (10.0.16.0/21) needs to be src-natted out to the rest of the world. Masquerading won't work here. We will give them a single static IP in the block for the general "boxes want to talk to the rest of the world" scenario, and let's say this is going to be 13.14.15.22.
Some special cases should be forwarded to ports at the other addresses; we have several SSH connections that need to stay at port 22 and be accessible publicly for various reasons, plus a couple of web interfaces for our staff worldwide.
I'm pretty good with iptables and am a Linux kernel developer and maintainer. But this is really perplexing me. And I have some questions, some RouterOS specific (we're running 15.14 or 6.0beta1), some packet flow specific.
* what's the best way to use these IP addresses at the router? My initial instinct is to give the router the .18 public address and use the prerouting chain with redirect to get packets into the right places. There's absolutely no need for the router to listen on these addresses, right? And as far as I am concerned no actual routing table needs to be set up since the src-nat/dst-nat will handle it once it's gotten past the prerouting chain rewrite.
* is there a fairly reasonable way of disabling the RouterOS services (winbox, web proxy, dns etc.) or stopping them from listening on the PUBLIC interface? For instance it only needs to work from inside the LAN, but it exposes open ports on the public interface too. Rather than manually firewall these ports by resetting when they're accessed, I'd rather they didn't listen on WAN addresses at all. I did add "available from" fields but it doesn't seem to have any effect in this regard (I can still see it from outside, even if I can't connect externally; it just gives everyone on the internet a quick way of finding out that it's a RouterOS product since the winbox port is there).
* isn't the RouterOS firewall backed by iptables in the Linux kernel? In this case why do we have separate "Filter" and "NAT" rules when iptables rules in general can be combined? Is it just that the NAT part of the firewall is explicitly set to the pre/postrouting chains for simpler rule setup or is there a more nefarious purpose?
So the big question is, what would be the correct way to set up filter and nat entries for:
* SNAT (NOT masquerade, bound to an IP address and NOT an interface) for all devices in the network worth SNATing out to a single address (which is basically everything, but since all the phone hardware is on the 10.0.19.x part of the network and only 10.0.19.50 needs to be forwarded from the public address, maybe excluding that subnet)
* Either a netmap 1:1 for the PBX to resolve all the weird NAT issues with SIP/RTP or comprehensive port forwarding without using the (broken) SIP ALG (although I have experience that says the ip_conntrack_sip/ip_nat_sip modules work fine!) such that the PBX's external IP is 13.14.15.19 any way you look at it
* port forwarding to any other box, on any other IP address (including the router's address) without anything but the router's address assigned to the wan1 port. The intent would be to have some kind of paucity of IP addresses in use, ostensibly for later expansion, since it doesn't make sense to use 4 perfectly valid IP addresses outside of the router address to forward SSH, when you can't access the router SSH from the outside anyway, to make say 10.0.17.30:22 accessible from the outside as 13.14.15.18:22 replacing the router SSH with an internal box's SSH
Our current setup, which I am not going to post here unless absolutely necessary, is basically a netmap 1:1 to the PBX, but the PBX external IP (whatsmyip.com result) ends up on the SNAT for the rest of the network, and it refuses to register on the external SIP provider because of it. Adding a specific SNAT rule for the PBX fixes its IP address as viewed by the rest of the world, but I would have thought a netmap wouldn't need that (it's specifically rewriting the headers for those two directions anyway). The separation of "firewall" and "nat" rules is getting in the way of me writing some iptables rules and then converting them to RouterOS entries.
Any advice anyone can give would be much appreciated.
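One RouterOS configuration for the layout described in the post, added here as an illustration (it is not the poster's setup and not a MikroTik reference config); it shows the point behind the "PBX shows up as the SNAT address" symptom: srcnat and dstnat are evaluated top-down, first match wins, and a rule in one chain only rewrites that direction, so the PBX src-nat (or netmap) rule must sit in the srcnat chain above the catch-all. It assumes SIP/RTP are UDP and uses the post's 10.0.17.30 as the SSH box published on the router's own address.

```routeros
# Addresses. The router owns .18; the other public addresses are added as /32
# on wan1 so wan1 answers ARP for them (a dst-nat rule alone does not make the
# router claim an address on the wire, and the ISP gateway at .17 will ARP for it).
/ip address
add address=13.14.15.18/29 interface=wan1
add address=13.14.15.19/32 interface=wan1 comment="PBX public address"
add address=13.14.15.22/32 interface=wan1 comment="general src-nat address"
add address=10.0.16.1/21 interface=lan1
/ip route
add dst-address=0.0.0.0/0 gateway=13.14.15.17

# NAT. "srcnat" is the nat table's POSTROUTING chain and "dstnat" its PREROUTING
# chain. The PBX rules sit above the catch-all src-nat so they match first.
/ip firewall nat
add chain=srcnat src-address=10.0.19.50 out-interface=wan1 \
    action=src-nat to-addresses=13.14.15.19 comment="PBX out as .19"
add chain=dstnat in-interface=wan1 dst-address=13.14.15.19 protocol=udp \
    dst-port=5060,10000-20000 action=dst-nat to-addresses=10.0.19.50 \
    comment="SIP/RTP in to PBX"
add chain=srcnat src-address=10.0.16.0/21 out-interface=wan1 \
    action=src-nat to-addresses=13.14.15.22 comment="everything else out as .22"
# Publish an internal box's SSH on the router's own address. dstnat runs before
# the router's local ssh service sees the packet, so .18:22 becomes 10.0.17.30:22.
add chain=dstnat in-interface=wan1 dst-address=13.14.15.18 protocol=tcp \
    dst-port=22 action=dst-nat to-addresses=10.0.17.30 to-ports=22

# Filter. "input" protects the router itself, "forward" the hosts behind it.
# Dropping WAN input hides winbox/www/ssh from the outside; the /ip service
# "address" field alone only refuses the connection, the port still answers.
/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input in-interface=lan1 action=accept
add chain=input in-interface=wan1 action=drop comment="no management from WAN"
add chain=forward connection-state=established,related action=accept
add chain=forward in-interface=lan1 out-interface=wan1 action=accept
add chain=forward in-interface=wan1 dst-address=10.0.19.50 protocol=udp \
    dst-port=5060,10000-20000 action=accept comment="post-dst-nat SIP/RTP"
add chain=forward in-interface=wan1 dst-address=10.0.17.30 protocol=tcp \
    dst-port=22 action=accept comment="post-dst-nat SSH"
add chain=forward in-interface=wan1 action=drop

# Also restrict the management services to the LAN range.
/ip service
set winbox address=10.0.16.0/21
set ssh address=10.0.16.0/21
set www address=10.0.16.0/21
```

A netmap rule does the same job as the src-nat/dst-nat pair for all ports, but it still needs one rule in each chain, and the srcnat one still has to be placed above the catch-all.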