I'm trying to figure out the best (or easiest) way to do this:
routable ip: yyy.xxx.36.18/22 gateway is yyy.xxx.36.1
non-routable ip 1: 172.27.27.1/24 gateway for 172.27.27.bbb
non-routable ip 2: 10.254.254.1/24 gateway for 10.254.254.ccc
routable ip and non-routable ip 1 exist on the same flat network
non-routable ip 2 exists on its own network and comes in via ether3 and ether2 which are bridged together
what works:
pinging and surfing from 10.254.254.x
port forwarding through to 10.254.254.x
pinging any other active ip in the 172.27.27.x/24 range from the terminal on the router
what doesn't work:
pinging or surfing from 172.27.27.x through 172.27.27.1 to yyy.xxx.36.18 and on to yyy.xxx.36.1 and the rest of the internet.
I'm not sure if hairpin nat is what's needed. I'm not sure what I want to do is possible. Any direction or help would be appreciated.
Setup of router (if there are better ways to present this information I'd love to know)
[admin@Alarm-Tik] > ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         INTERFACE
 0   ;;; defconf
     10.254.254.1/24    10.254.254.0    bridge
 1   172.27.27.1/24     172.27.27.0     WAN-ether1
 2   yyy.xxx.36.18/22   yyy.xxx.36.0    WAN-ether1
[admin@Alarm-Tik] > ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough
1 ;;; defconf: accept established,related,untracked
chain=input action=accept connection-state=established,related,untracked log=no log-prefix=""
2 ;;; defconf: drop invalid
chain=input action=drop connection-state=invalid log=no log-prefix=""
3 ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp log=no log-prefix=""
4 X ;;; defconf: drop all not coming from LAN
chain=input action=drop in-interface-list=!LAN log=no log-prefix=""
5 ;;; defconf: accept in ipsec policy
chain=forward action=accept log=no log-prefix="" ipsec-policy=in,ipsec
6 ;;; defconf: accept out ipsec policy
chain=forward action=accept log=no log-prefix="" ipsec-policy=out,ipsec
7 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection connection-state=established,related log=no log-prefix=""
8 ;;; defconf: accept established,related, untracked
chain=forward action=accept connection-state=established,related,untracked log=no log-prefix=""
9 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid log=no log-prefix=""
10 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN log=no log-prefix=""
11 ;;; drop ssh brute forcers
chain=input action=drop protocol=tcp src-address-list=ssh_blacklist dst-port=22
12 chain=input action=add-src-to-address-list connection-state="" protocol=tcp src-address-list=ssh_stage3 address-list=ssh_blacklist address-list-timeout=35w3d dst-port=22 log=no log-prefix=""
13 chain=input action=add-src-to-address-list connection-state="" protocol=tcp src-address-list=ssh_stage2 address-list=ssh_stage3 address-list-timeout=1m dst-port=22
14 chain=input action=add-src-to-address-list connection-state="" protocol=tcp src-address-list=ssh_stage1 address-list=ssh_stage2 address-list-timeout=1m dst-port=22
15 chain=input action=add-src-to-address-list connection-state="" protocol=tcp address-list=ssh_stage1 address-list-timeout=10h dst-port=22
16 ;;; drop ssh brute downstream
chain=forward action=drop protocol=tcp src-address-list=ssh_blacklist dst-port=22
[admin@Alarm-Tik] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; defconf: masquerade
chain=srcnat action=masquerade out-interface-list=WAN log=no log-prefix="" ipsec-policy=out,none
1 ;;; SecureNet Alarm Receiver
chain=dstnat action=dst-nat to-addresses=10.254.254.100 to-ports=9999 protocol=tcp dst-port=9999 log=yes log-prefix="SecureNet"
2 ;;; DSC IP Alarm Receiver
chain=dstnat action=dst-nat to-addresses=10.254.254.7 to-ports=3061 protocol=udp dst-port=3061 log=yes log-prefix="Alarm-p3061-"
[admin@Alarm-Tik] > ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic
0 D ;;; special dummy rule to show fasttrack counters chain=prerouting action=passthrough
1 D ;;; special dummy rule to show fasttrack counters chain=forward action=passthrough
2 D ;;; special dummy rule to show fasttrack counters chain=postrouting action=passthrough
[admin@Alarm-Tik] > ip firewall raw print
Flags: X - disabled, I - invalid, D - dynamic
0 D ;;; special dummy rule to show fasttrack counters chain=prerouting action=passthrough
[admin@Alarm-Tik] > ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS        PREF-SRC        GATEWAY         DISTANCE
 0 A S  0.0.0.0/0                          52.119.36.1            1
 1 ADC  10.254.254.0/24    10.254.254.1    bridge                 0
 2 ADC  52.119.36.0/22     52.119.36.18    WAN-ether1             0
 3 ADC  172.27.27.0/24     172.27.27.1     WAN-ether1             0
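An added diagnostic, not part of the post and not RouterOS code: a small Python model of the chain=forward rules exactly as they are printed above, used to trace which rule a given packet hits. It shows why the "works" and "doesn't work" lists above differ under the posted config: the 172.27.27.1/24 address sits on WAN-ether1, so a new connection from a 172.27.27.x host enters on the same interface that the "drop all from WAN not DSTNATed" rule treats as WAN, while 10.254.254.x traffic enters on bridge and never meets that rule. The model assumes things the post does not show: that WAN-ether1 is the only member of the WAN interface list and bridge the only member of LAN, that the ssh_blacklist address list is empty, and that fasttrack-connection does not end chain evaluation (the defconf accept rule after it handles the packet). The sample flows are constructed.

```python
"""Added diagnostic model (not part of the post): trace a packet through the
forward chain of the posted RouterOS filter rules to see which rule fires."""
from dataclasses import dataclass
from typing import Optional, Set, Tuple

# ASSUMPTION: interface-list membership is not shown in the post. Here WAN-ether1
# is taken to be the only member of "WAN" and bridge the only member of "LAN".
INTERFACE_LISTS = {"WAN": {"WAN-ether1"}, "LAN": {"bridge"}}
# ASSUMPTION: the dynamic ssh_blacklist address list is empty at trace time.
ADDRESS_LISTS = {"ssh_blacklist": set()}


@dataclass
class Packet:
    src: str
    in_iface: str
    conn_state: str = "new"        # new | established | related | untracked | invalid
    nat_state: str = ""            # "dstnat" once a dst-nat rule has rewritten it
    proto: str = "tcp"
    dst_port: Optional[int] = None
    ipsec_policy: str = "none"     # the defconf ipsec rules match in,ipsec / out,ipsec


@dataclass
class Rule:
    comment: str
    action: str
    conn_state: Optional[Set[str]] = None
    nat_state_not: Optional[str] = None   # connection-nat-state=!dstnat
    in_iface_list: Optional[str] = None
    ipsec_policy: Optional[str] = None
    proto: Optional[str] = None
    src_list: Optional[str] = None
    dst_port: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        """Every matcher that is set on the rule must agree with the packet."""
        if self.conn_state is not None and p.conn_state not in self.conn_state:
            return False
        if self.nat_state_not is not None and p.nat_state == self.nat_state_not:
            return False
        if self.in_iface_list is not None and \
                p.in_iface not in INTERFACE_LISTS.get(self.in_iface_list, set()):
            return False
        if self.ipsec_policy is not None and p.ipsec_policy != self.ipsec_policy:
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.src_list is not None and p.src not in ADDRESS_LISTS.get(self.src_list, set()):
            return False
        if self.dst_port is not None and p.dst_port != self.dst_port:
            return False
        return True


# chain=forward rules transcribed in order from the post's "ip firewall filter print"
# (rule 0, the dynamic fasttrack-counter passthrough, matches nothing and is omitted).
FORWARD_CHAIN = [
    Rule("defconf: accept in ipsec policy", "accept", ipsec_policy="in,ipsec"),
    Rule("defconf: accept out ipsec policy", "accept", ipsec_policy="out,ipsec"),
    Rule("defconf: fasttrack", "fasttrack-connection",
         conn_state={"established", "related"}),
    Rule("defconf: accept established,related, untracked", "accept",
         conn_state={"established", "related", "untracked"}),
    Rule("defconf: drop invalid", "drop", conn_state={"invalid"}),
    Rule("defconf: drop all from WAN not DSTNATed", "drop",
         conn_state={"new"}, nat_state_not="dstnat", in_iface_list="WAN"),
    Rule("drop ssh brute downstream", "drop",
         proto="tcp", src_list="ssh_blacklist", dst_port=22),
]

# Actions that end evaluation of the chain. ASSUMPTION: fasttrack-connection is
# non-terminating, so the packet carries on to the defconf accept rule after it.
TERMINATING = {"accept", "drop", "reject"}


def trace(p: Packet) -> Tuple[str, str]:
    """Return (action, rule comment) for the first terminating forward rule that
    matches, or the built-in chain's implicit accept when nothing terminates."""
    for rule in FORWARD_CHAIN:
        if rule.matches(p) and rule.action in TERMINATING:
            return rule.action, rule.comment
    return "accept", "end of chain (implicit accept)"


if __name__ == "__main__":
    # Constructed sample flows mirroring the post's "works" / "doesn't work" lists.
    cases = {
        "172.27.27.x -> internet, in via WAN-ether1": Packet("172.27.27.50", "WAN-ether1"),
        "10.254.254.x -> internet, in via bridge": Packet("10.254.254.50", "bridge"),
        "internet -> dst-nat'd alarm receiver": Packet("203.0.113.9", "WAN-ether1",
                                                       nat_state="dstnat", dst_port=9999),
    }
    for label, pkt in cases.items():
        print(f"{label}: {trace(pkt)}")
```

Running it lists the rule each constructed flow stops at. The first flow ends at "defconf: drop all from WAN not DSTNATed", the other two fall through to the chain's implicit accept, which matches the post's symptom list. The same model can be fed the real interface-list membership from `interface list member print` once it is known, which is the check to make before changing any rule.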