I'm pretty much a beginner... so forgive me if it's a stupid mistake. I need two dst-nat rules for web traffic, but I can only get one to work. The other one simply does not connect to the target server.
I've got the following addresses (public IPs have been changed for privacy):
/ip address
# Interface addresses. ether2 is the default-config LAN; ether1 carries two
# public addresses from the same /27; ether3 is a second LAN segment.
add interface=ether2 address=192.168.88.1/24 network=192.168.88.0 comment=defconf
add interface=ether1 address=62.100.31.125/27 network=62.100.31.96
add interface=ether1 address=62.100.31.123/27 network=62.100.31.96
add interface=ether3 address=192.168.1.220/24 network=192.168.1.0
My NAT rules:
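/ip firewall nat
# Source NAT for traffic leaving through the WAN interface list (default config).
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
# Web server behind 62.100.31.125, forwarded to 192.168.88.190 on the ether2 LAN.
add action=dst-nat chain=dstnat dst-address=62.100.31.125 dst-port=80 protocol=tcp to-addresses=192.168.88.190 to-ports=80
add action=dst-nat chain=dstnat dst-address=62.100.31.125 dst-port=443 protocol=tcp to-addresses=192.168.88.190 to-ports=443
# Web server behind 62.100.31.123, forwarded to 192.168.1.202 on the ether3 LAN (192.168.1.0/24).
add action=dst-nat chain=dstnat dst-address=62.100.31.123 dst-port=80 protocol=tcp to-addresses=192.168.1.202 to-ports=80
# Fixed: the original port-443 rule used to-addresses=192.1.0.202, which is not in
# any subnet configured on this router, so HTTPS to 62.100.31.123 was forwarded to
# an unreachable host. Both ports now target 192.168.1.202 like the port-80 rule.
add action=dst-nat chain=dstnat dst-address=62.100.31.123 dst-port=443 protocol=tcp to-addresses=192.168.1.202 to-ports=443
# NOTE(review): for the return path to traverse the NAT state, 192.168.1.202 is
# presumably expected to use this router (192.168.1.220) as its default gateway
# and to accept TCP/80 and TCP/443 from arbitrary sources — confirm on the host.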
I set up the NAT rule that works several months ago, so maybe there is something else needed for this to work that I have forgotten...?
For completeness, here are the filter rules; I believe they are the defaults.
/ip firewall filter
# Rule order is significant: the first matching rule in a chain decides.
# input chain: traffic addressed to the router itself.
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Everything else to the router is dropped unless it arrives on a LAN-list interface;
# NOTE(review): ether3's LAN-list membership is not visible here — confirm if the
# router itself must be reachable from 192.168.1.0/24.
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
# forward chain: traffic routed through the router, including dst-nat'd web traffic.
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
# Fasttrack then accept for already-established flows; only new connections reach the rules below.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# New connections from WAN are dropped unless a dstnat rule matched them, which is what
# lets the port-forwarded connections through while blocking everything else inbound.
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN