NAT Port forward wrong source address
-
Why would you not just connect to yourself?
Lets say I have Service A, Service B, and Client X.
Both Service A and Service B need to be accessible from (WAN IP) for Client X to connect.
The only way these services can do this is to communicate via (WAN IP), so they can tell Client X they are there. Yes, this is idiotic. I know. These same services even communicate locally for other operations, but for the client to work, they must run public.
-
@Derelict:
> I just had a chuckle looking at the thread title NAT Port forward wrong source address.
> "wrong source address"
To the services, it is the wrong source address, and Service A drops the connection from Service B because of this.
-
To any reasonable expectation of traffic flow, it is the correct source address.
-
> To any reasonable expectation of traffic flow, it is the correct source address.
You are correct. These services were originally designed to be run without any NAT. I don't have the liberty of doing such a thing.
-
I would try something like this.
I would not expect it to work.
That protocol any in the screen shot should probably be protocol TCP but I don't think that has been specified by you.
![Browser Shot-2017-08-25-12-33-23.png](/public/imported_attachments/1/Browser Shot-2017-08-25-12-33-23.png)
-
"The only way these services can do this is to communicate via (WAN IP), so they can tell Client X they are there."
What? Makes no sense..
If your services require to be on a public - then put them on a public IP.. Do not try to run them behind a NAT..
-
> "The only way these services can do this is to communicate via (WAN IP), so they can tell Client X they are there."
> What? Makes no sense..
> If your services require to be on a public - then put them on a public IP.. Do not try to run them behind a NAT..
If I had a 2nd IP to do this with, I would. Unfortunately my ISP makes it prohibitively expensive to add another IP.
> I would try something like this.
> I would not expect it to work.
> That protocol any in the screen shot should probably be protocol TCP but I don't think that has been specified by you.
As you expected, it does not work.
-
> If I had a 2nd IP to do this with, I would. Unfortunately my ISP makes it prohibitively expensive to add another IP.
Sounds like you've got yourself painted into a corner there.
-
"I would. Unfortunately my ISP makes it prohibitively expensive to add another IP."
Get a different ISP… Move DC/Colo - put your VPS on a different cloud.. Run it on IPv6 ;) There are bajillion options here vs trying to do something that is not meant to work in the first place.
-
Yeah you really should look to getting your /28 routed to you vs doing 1:1 Natting and such.. When a ISP just gives you a block like that its really meant that all your devices will just be on that network vs behind another router.. If you want to run your router/firewall then you should ask for that /28 to be routed to you via a transit.. This could be a /29 as Derelict mentions or even a /30, etc.
Once this /28 is routed to you then you can do whatever.. Break it up in to 2 /29 if you want.. Etc.. Cost you some IPs that way - but would allow you to assign a /29 to a specific customer.. behind pfsense.
-
> Yeah you really should look to getting your /28 routed to you vs doing 1:1 Natting and such.. When a ISP just gives you a block like that its really meant that all your devices will just be on that network vs behind another router.. If you want to run your router/firewall then you should ask for that /28 to be routed to you via a transit.. This could be a /29 as Derelict mentions or even a /30, etc.
> Once this /28 is routed to you then you can do whatever.. Break it up in to 2 /29 if you want.. Etc.. Cost you some IPs that way - but would allow you to assign a /29 to a specific customer.. behind pfsense.
I'll have to look in to a business line again then, because that's the only way Charter will give statics.
-
> This could be a /29 as Derelict mentions or even a /30, etc.
I always recommend people ask for a /29 because:
1. It is ezpz to justify. Just tell them you need to do VRRP/CARP/HA.
2. Moar addresses is moar better.
-
Did threads get merged? Something is not right.. There was a thread about the nat, and then there was a thread about /28
-
Thankfully I've found a solution specific to this set of services. Thanks for the help! I'm locking this now.