Maximum amount of Outbound Static NAT?
-
I have a few outbound static NAT rules mapped to VIPs/internal IPs that are working fine, in addition to the catch-all using the WAN address. So, Hybrid Outbound NAT with Automatic.
When I added the last server, I can't ping out when the rule is enabled. When the rule is disabled, I can ping out. ICMP from this subnet is allowed to any. Other IPv4 TCP/UDP traffic is the same.
Any ideas?
-
It isn't about the number of rules but whether what you are doing creates a conflict.
Static port outbound NAT from A->WAN and B->WAN only works so long as A and B do not try to use the exact same source port going to the same destination. You could have thousands of rules if the clients are using different ports going different places. Or just two could break if both clients are trying to hit the same remote address with an identical source port (see also: Many broken VoIP setups that have tried and failed when doing this).
I don't think that would affect ping, though, but without seeing your exact ruleset, including the problematic rule, it's hard to say.
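The collision the reply describes, modelled as an added example (not code from the thread or from any firewall product): a small outbound NAT simulator with first-match rules, static-port and dynamic-port translation, and a check for flows whose translated 5-tuples coincide. The rules, addresses and flows are constructed sample data; the external addresses use documentation ranges rather than the poster's real ones, and the incrementing port allocator stands in for a real firewall's random port choice. Only TCP/UDP is modelled, which is also why the reply expects ping (no ports) to be unaffected by this particular problem.

```python
"""Static-port outbound NAT conflict check (constructed example)."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class OutboundRule:
    """One outbound NAT rule; rules are evaluated in order, first match wins."""
    source_net: str      # internal subnet the rule applies to
    translate_to: str    # external address the source is rewritten to
    static_port: bool    # True: keep the client's source port unchanged


@dataclass(frozen=True)
class Flow:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def match_rule(rules, flow) -> Optional[OutboundRule]:
    """Return the first rule whose source network contains the flow's source."""
    addr = ipaddress.ip_address(flow.src_ip)
    for rule in rules:
        if addr in ipaddress.ip_network(rule.source_net, strict=False):
            return rule
    return None


def translate(rules, flows):
    """Map each flow to its translated key (proto, ext_ip, ext_port, dst_ip, dst_port).

    Static-port rules reuse the original source port. Dynamic rules take the
    next free port from a simple counter (hypothetical allocator; a real
    firewall picks randomly, but never one that is already in use).
    """
    used = set()
    next_port = 1024
    translated = {}
    for flow in flows:
        rule = match_rule(rules, flow)
        if rule is None:
            continue  # no matching rule: routed without NAT
        if rule.static_port:
            ext_port = flow.src_port
        else:
            while (rule.translate_to, next_port) in used:
                next_port += 1
            ext_port = next_port
            next_port += 1
        used.add((rule.translate_to, ext_port))
        translated[flow] = (flow.proto, rule.translate_to, ext_port,
                            flow.dst_ip, flow.dst_port)
    return translated


def find_conflicts(rules, flows):
    """Return {translated_key: [flows]} for every key shared by more than one flow."""
    groups = defaultdict(list)
    for flow, key in translate(rules, flows).items():
        groups[key].append(flow)
    return {key: fl for key, fl in groups.items() if len(fl) > 1}


# Constructed sample ruleset: two static-port mappings to VIPs plus a
# dynamic catch-all on the WAN address (documentation prefixes, not real).
RULES = [
    OutboundRule("192.168.1.0/24", "203.0.113.2", static_port=True),   # LAN -> VIP
    OutboundRule("192.168.2.0/24", "203.0.113.4", static_port=True),   # OPT1 -> VIP
    OutboundRule("0.0.0.0/0", "203.0.113.1", static_port=False),       # catch-all -> WAN
]

# Constructed sample flows. The two LAN phones both use source port 5060
# to the same SIP server, which is exactly the case the reply warns about.
SAMPLE_FLOWS = [
    Flow("udp", "192.168.1.10", 5060, "198.51.100.10", 5060),
    Flow("udp", "192.168.1.11", 5060, "198.51.100.10", 5060),
    Flow("tcp", "192.168.1.10", 40000, "198.51.100.20", 443),  # same port, different dst
    Flow("tcp", "192.168.1.11", 40000, "198.51.100.30", 443),
    Flow("udp", "192.168.2.10", 5060, "198.51.100.10", 5060),  # OPT1: other ext IP
    Flow("udp", "10.0.0.5", 5060, "198.51.100.10", 5060),      # catch-all, dynamic port
    Flow("udp", "10.0.0.6", 5060, "198.51.100.10", 5060),
]

if __name__ == "__main__":
    for key, flows in find_conflicts(RULES, SAMPLE_FLOWS).items():
        print("conflict on", key, "from", [f.src_ip for f in flows])
```

Running it reports a single conflict, the two LAN hosts both landing on 203.0.113.2:5060 toward the SIP server. The OPT1 host using the same port is fine because it translates to a different external address, and the two catch-all hosts are fine because the dynamic rule assigns them distinct ports.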
-
OK, that makes sense, but in my situation the ports wouldn't overlap and conflict.
In my situation I have VIPs like this:
1.1.1.1 WAN address, working in auto outbound NAT/Hybrid
1.1.1.2 VIP, working in static from LAN
1.1.1.3 VIP, working in static from LAN
1.1.1.4 VIP, working in static from OPT1
1.1.1.5 VIP, NOT working in static from OPT1
With all of these, I have inbound NAT set up for 80/443/etc.
-
So is that really static port outbound NAT rules or 1:1 NAT?
That sounds more like a problem with the VIP or its routing to you and not a NAT problem.
What kind of VIPs do you have setup there? What is the subnet mask and the actual last octet of the addresses? Are you certain that address isn't already in use on the segment?
-
Some may slip away into obscurity, but I owe a reply.... lol
Just read this a couple of minutes ago. When I read your last suggestion about anyone else using the IP on the segment, I sort of cringed. I had looked at Diag/ARP and saw the FW MAC, but hadn't looked at the EdgeRouter due to an SSH issue last night. When I logged into the router I saw that the network had been sliced to a /27, not a /26 as I had thought. Added a usable IP from IPSUB and off and going.
Thank you