    Netgate Discussion Forum

    Beta4 NAT 1:1

    NAT
    • dplamb

      I don't seem to be having any luck getting NAT 1:1 working in beta 4. (I don't have beta3 so I can't check and see if it's changed).

      External WAN 66.210.85.0/24
      -router 66.210.85.1
      -firewall 66.210.85.2

      Internal 10.0.0.0/16

      I have several webservers that I wanted 1:1 mapping for, so I added rules for them. Once rules are added they cannot see past the firewall.

      What I really wanted to be able to do was something like the Watchguard where you can say on the 1:1 start at this ip address and automagically add this # of hosts to the mapping, i.e. start at 10.0.0.3 and add 250 1:1 mappings. Am I missing something really obvious here?

      • hoba

        Did you only create 1:1 NAT entries or did you create VIPs for the additional public IPs?

        The correct way to do it is:
        1. Create a VIP for your additional public IPs (The type you have to choose depends on how your connection is set up; Other just accepts the IPs without generating Layer2 responses for the additional IP; ProxyARP and CARP create Layer2 replies)
        2. Add a 1:1 NAT to translate your VIP to an internal IP
        3. Create firewall rules to allow the traffic. Keep in mind NAT comes first, then the rules are applied, so you have to use the internal IP as destination in your rules.

        • dplamb
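A small model of the ordering hoba describes in step 3 (1:1 translation on the WAN interface happens before the inbound rules are evaluated, so a rule must name the internal address). This is an added illustration, not pfSense code; the VIP 66.210.85.20 and host 10.0.0.20 are the values from this thread, and the external client address is constructed.

```python
"""Model of 1:1 NAT ordering on a WAN interface: translate first, then filter."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 80


# 1:1 mapping from the thread: WAN VIP -> internal host (and the reverse for egress)
BINAT = {"66.210.85.20": "10.0.0.20"}
BINAT_REVERSE = {internal: vip for vip, internal in BINAT.items()}


def translate_inbound(pkt: Packet) -> Packet:
    """WAN ingress: rewrite a VIP destination to the mapped internal host."""
    return replace(pkt, dst=BINAT.get(pkt.dst, pkt.dst))


def translate_outbound(pkt: Packet) -> Packet:
    """WAN egress: rewrite the internal source back to its VIP."""
    return replace(pkt, src=BINAT_REVERSE.get(pkt.src, pkt.src))


def filter_wan_in(pkt: Packet, rules) -> str:
    """First-match evaluation of WAN inbound rules; rules are (action, dst, dport).
    The packet handed to the filter is the already-translated one."""
    for action, dst, dport in rules:
        if dst in ("any", pkt.dst) and dport in ("any", pkt.dport):
            return action
    return "block"  # default deny when nothing matches


def evaluate_inbound(pkt: Packet, rules) -> str:
    """Apply NAT, then the rules, in the order the firewall actually uses."""
    return filter_wan_in(translate_inbound(pkt), rules)


# Constructed example: an external client (198.51.100.7, documentation range)
# connecting to the VIP on port 80.
CLIENT_TO_VIP = Packet(src="198.51.100.7", dst="66.210.85.20", dport=80)
RULE_ON_PUBLIC_IP = [("pass", "66.210.85.20", 80)]  # never matches: dst already rewritten
RULE_ON_INTERNAL_IP = [("pass", "10.0.0.20", 80)]   # matches the translated packet
```

Writing the pass rule against the public IP is the mistake the ordering makes easy to spot here: the filter never sees 66.210.85.20 as a destination.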

          Yep. Did all that.

          VIP: 66.210.85.20/32 (other)
          1:1 Nat: WAN -> 66.210.85.20/32 -> 10.0.0.20/32

          I have the default ANY outbound rule and an icmp outbound rule (any to any). I added an ANY inbound rule (blocked with logging) and an icmp one, so that I could see what was attempting to come through.

          From 10.0.0.20, if I try to access anything beyond the firewall it won't connect. And if I try and access it from the outside, I do not get any messages in the log for .20.

          • hoba

            Like I said, type other doesn't create fake layer2 replies, it just accepts this IP if it is routed to you anyway. Try using ProxyARP or CARP.

            • dplamb

              Changed to Proxy ARP 66.210.85.20/32.

              Still doesn't see the outside world.

              Since I've logged everything though, I'm getting messages that it passed traffic. But I don't get anything returned. And when I ping it from an external source, I don't get any messages in the log at all. (I've changed the inbound rule to allow anything to anything and log it).

              • hoba

                Sounds to me the IPs are not routed to you. Try tracerouting from an external location to your real WAN IP. Then traceroute to your additional IP and see if it takes the same route.
                Btw, you are sure External WAN 66.210.85.0/24 is correct for your WAN? /24 subnet?

                • hoba

                  Looks like it is working to me?

                   5    10 ms    10 ms    10 ms  so-2-0-0.ar2.FRA2.gblx.net [67.17.134.113]
                   6    94 ms    94 ms   111 ms  so1-0-0-2488M.ar3.jfk1.gblx.net [67.17.72.26]
                   7    94 ms    94 ms    94 ms  qwest-1.ar3.JFK1.gblx.net [208.50.13.170]
                   8    94 ms    93 ms   122 ms  jfk-core-01.inet.qwest.net [205.171.30.13]
                   9     *        *        *
                  10   141 ms   142 ms   142 ms  dal-edge-09.inet.qwest.net [205.171.25.122]
                  11   152 ms   153 ms   152 ms  72.164.70.18
                  12     *      147 ms   147 ms  COX-66-210-85-20.coxinet.net [66.210.85.20]
                  13   148 ms   148 ms   148 ms  COX-66-210-85-20.coxinet.net [66.210.85.20]

                  • dplamb

                    Forgot something that matters greatly. Clear the arp cache on the router.

                    • hoba

                      Cool, bump the green button if your issues are solved  ;D
