Netgate Discussion Forum
    One to one nat bounces rules to different boxes

Category: 2.0-RC Snapshot Feedback and Problems - RETIRED
6 Posts, 2 Posters, 2.1k Views
isteelsoftware:

I may have this configured entirely wrong, and this is causing my issues.

      2.0-BETA1
      built on Thu May 6 06:50:34 EDT 2010

What I have:
A /28 assigned by my ISP.

Under Virtual IPs I have the /28 listed as a Proxy ARP.

Then I have One to One NAT listings for each external IP that I want routed inside.

I created aliases for the servers that I want to pass traffic to (SSH, RDP, SMTP, www).
These aliases were created for both the external address in /32 and the internal addresses /32 per host
(sshint, sshext, rdpint, rdpext, etc.).

I then created port forward rules under NAT for each group, so say: interface WAN, protocol TCP, source any, dest sshext, port ssh, redirect target IP sshint, port ssh, description "ssh in".

(This is the same for all aliases that I want to forward ports to.)

What I am experiencing is that, say I RDP from the outside to one external IP of the three that I have assigned, I may go to another server. I then close that connection and try to RDP into that same IP, and then I will get the machine I want to RDP to.

Efonnes:

        For the redirection target of the port forward, are you using an alias that contains multiple IP addresses?  If so, I think that would cause the behavior you are seeing.  It is probably picking a different one of the targets each time you connect.  If you already have 1:1 mappings set up for the machines, you don't need port forwards unless you are trying to change the port number on a connection or override the 1:1 mappings for specific ports, since the ports will already be forwarded by the 1:1 mappings.  Add firewall rules instead for the ports you want to let through.

        If you are just adding the port forwards so you can use NAT Reflection, you could try enabling the new NAT Reflection for 1:1 NAT option instead, if you are using a newer snapshot that has it.

isteelsoftware:

Correct, I have aliases set up for the different IP addresses.

So when using 1:1 NATing I don't need the port forward functionality, just create a WAN firewall rule for traffic to the 1:1. I'm assuming the VIP setup is still needed.

Another note: will this correct an issue I'm having with ICMP not responding to the IP addresses?

Efonnes:

            From inside the network or into your network from the outside?

isteelsoftware:

From the outside to the IP address that I have 1:1.

Efonnes:

                The 1:1 mappings should take care of the address translation for any traffic.  You just need firewall rules to let the traffic through that you want to go through.  Note that the destination used in the firewall rules on WAN will likely be the internal address and not the external address that is mapped to it, because firewall rules apply after translation, not before.

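The two points Efonnes makes in this thread (a port forward whose redirect target alias holds several hosts sends successive connections to different machines, and WAN firewall rules are evaluated after translation, so they must name the internal address) can be seen in a small model of pf's inbound packet path. The following is an added illustration written for this page; it is not pfSense or pf code. It models the redirect-target pool as round-robin (an assumption about what the poster was seeing), and every address, alias name and port in it is constructed.

```python
"""Toy model of pfSense/pf inbound packet handling (added illustration, not
pfSense or pf code): translation (1:1 mapping or port-forward rdr) runs first,
then the WAN filter rules are matched against the *translated* packet.
All addresses, aliases and hosts below are constructed examples."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp" or "icmp"
    dst: str     # destination IP as seen at the current evaluation point
    dport: int   # destination port (0 for ICMP)


class Firewall:
    def __init__(self):
        self.one_to_one = {}      # external IP -> internal IP (1:1 NAT entries)
        self.port_forwards = []   # (external IP, proto, dport, [target IPs])
        self.rules = []           # WAN rules (proto, dst, dport, action); first match wins
        self._cursor = {}         # per-port-forward position in its target list

    def add_one_to_one(self, external, internal):
        self.one_to_one[external] = internal

    def add_port_forward(self, external, proto, dport, targets):
        # 'targets' stands for the redirect-target alias; more than one entry
        # reproduces the symptom described in the first post.
        self.port_forwards.append((external, proto, dport, list(targets)))

    def add_rule(self, proto, dst, dport, action):
        # dst "any" or dport None act as wildcards
        self.rules.append((proto, dst, dport, action))

    def translate(self, pkt):
        # A matching port forward takes precedence over the 1:1 mapping.
        for idx, (external, proto, dport, targets) in enumerate(self.port_forwards):
            if pkt.dst == external and pkt.proto == proto and pkt.dport == dport:
                n = self._cursor.get(idx, 0)
                self._cursor[idx] = n + 1
                # Assumption: a multi-host target is cycled round-robin per connection.
                return Packet(pkt.proto, targets[n % len(targets)], pkt.dport)
        if pkt.dst in self.one_to_one:
            return Packet(pkt.proto, self.one_to_one[pkt.dst], pkt.dport)
        return pkt

    def filter(self, pkt):
        for proto, dst, dport, action in self.rules:
            if (proto in ("any", pkt.proto) and dst in ("any", pkt.dst)
                    and dport in (None, pkt.dport)):
                return action
        return "block"   # implicit default deny on WAN

    def process(self, pkt):
        """Return (action, final destination IP) for an inbound packet."""
        translated = self.translate(pkt)
        return self.filter(translated), translated.dst


EXT = "203.0.113.20"                                   # constructed public IP from the /28
RDP_HOSTS = ["10.0.0.11", "10.0.0.12", "10.0.0.13"]    # constructed 'rdpint' alias contents


def demo_alias_with_several_targets():
    """Port forward whose redirect target alias holds three hosts: each new
    RDP connection to the same external IP lands on a different server."""
    fw = Firewall()
    fw.add_port_forward(EXT, "tcp", 3389, RDP_HOSTS)
    fw.add_rule("tcp", "any", 3389, "pass")
    return [fw.process(Packet("tcp", EXT, 3389))[1] for _ in range(3)]


def demo_rule_on_external_address():
    """1:1 NAT plus a WAN rule written against the external IP: the rule is
    checked after translation, so it never matches and traffic is blocked."""
    fw = Firewall()
    fw.add_one_to_one(EXT, "10.0.0.12")
    fw.add_rule("tcp", EXT, 3389, "pass")
    return fw.process(Packet("tcp", EXT, 3389))


def demo_rule_on_internal_address():
    """Same 1:1 NAT with rules naming the internal IP: RDP and ICMP pass,
    anything without a rule (here SSH) stays blocked."""
    fw = Firewall()
    fw.add_one_to_one(EXT, "10.0.0.12")
    fw.add_rule("tcp", "10.0.0.12", 3389, "pass")
    fw.add_rule("icmp", "10.0.0.12", None, "pass")
    return {
        "rdp": fw.process(Packet("tcp", EXT, 3389))[0],
        "icmp": fw.process(Packet("icmp", EXT, 0))[0],
        "ssh": fw.process(Packet("tcp", EXT, 22))[0],
    }
```

Running the three demos shows the first returning three different internal hosts for three identical connections, the second returning `("block", "10.0.0.12")` even though a pass rule exists for the external address, and the third passing only the protocols given a rule on the internal address. The ICMP entry in the last demo also covers the poster's follow-up question: with the 1:1 mapping in place, a WAN rule permitting ICMP to the internal host is what lets pings reach it.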
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.