NAT/PAT and associated filter rules
Hey everyone,
I have some questions regarding the automatic associated filter rule created with a NAT.
The context:
(NAT 1) I already have a NAT/PAT which forwards Radius traffic (1812/UDP) from WAN (IP let's say 10.0.0.1) to Radius Server 192.168.1.10 (LAN). This WAN IP is connected to a MAN. This is why it is a private IP; our ISP filters source IP and only allows some IP ranges to access this interface.
NAT 1
Interface: WAN
Protocol: UDP
Source Address: Any
Source Ports: Any
Dest. Address: 10.0.0.10 (VIP)
Dest. Ports: 1812
NAT IP: 192.168.1.10
NAT Ports: 1812

There is also an associated rule linked to this NAT:
Rule 1
Source *
Port *
Destination 192.168.1.10
Port 1812
Gateway *

(NAT 2) Now the goal is to set up a new NAT/PAT. However, this time I want to use another WAN IP 200.0.0.1 (VIP and there is no filtering by provider) on port 9999 and PAT it to 1812 and allow only one external source public IP to access my Radius server:
NAT 2
Interface: WAN
Protocol: UDP
Source Address: 100.0.0.1
Source Ports: Any
Dest. Address: 200.0.0.1
Dest. Ports: 9999
NAT IP: 192.168.1.10
NAT Ports: 1812

There will be an associated filter rule linked to this NAT 2 (have not tested it yet):
Rule 2
Source 100.0.0.1
Port *
Destination 192.168.1.10
Port 9999 (or 1812 not sure)
Gateway *

My questions are: what would be the impact of the NAT 1's associated filter rule on the NAT 2?
If another public IP (let's say 122.0.0.0.4) comes in to 200.0.0.1/9999, will it be allowed to access my Radius Server 192.168.1.10 because of the NAT 1's rule (Rule 1), which allows pretty much everything? Or are linked filter rules only applied to their respective NAT, and hypothetically the other rules do not matter?
Thanks in advance.
@dardou
Since both NAT rules handle different unique destination addresses they do not overlap.

"If another public IP (let's say 122.0.0.0.4) comes in to 200.0.0.1/9999"

Both rules don't match this. The first has a different destination IP and the second is restricted to a unique source IP which does not match this.
The filter rules come into play after NAT.
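To illustrate the reply's point that the port forwards are evaluated first and the associated filter rules then see the translated packet, here is an added toy model (not from the thread and not pfSense code) that encodes NAT 1, NAT 2, Rule 1 and Rule 2 as listed above; it assumes Rule 2's destination port is the post-NAT port 1812 and that evaluation is first match wins.

```python
from dataclasses import dataclass, replace
from typing import Optional, Tuple

ANY = "*"

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int

@dataclass(frozen=True)
class Rule:
    name: str
    src: str                       # source address or "*"
    dst: str                       # destination address
    dport: object                  # destination port or "*"
    nat_ip: Optional[str] = None   # set only on port-forward (NAT) rules
    nat_port: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (self.src in (ANY, p.src)
                and self.dst in (ANY, p.dst)
                and self.dport in (ANY, p.dport))

# Port forwards as described in the thread; first match wins.
NAT_RULES = [
    Rule("NAT 1", ANY, "10.0.0.10", 1812, nat_ip="192.168.1.10", nat_port=1812),
    Rule("NAT 2", "100.0.0.1", "200.0.0.1", 9999, nat_ip="192.168.1.10", nat_port=1812),
]

# Associated filter rules; they are checked against the packet *after* NAT.
FILTER_RULES = [
    Rule("Rule 1", ANY, "192.168.1.10", 1812),
    Rule("Rule 2", "100.0.0.1", "192.168.1.10", 1812),  # assumed: post-NAT port
]

def translate(p: Packet) -> Tuple[Packet, Optional[str]]:
    """Apply the first matching port forward; return the packet untouched if none match."""
    for r in NAT_RULES:
        if r.matches(p):
            return replace(p, dst=r.nat_ip, dport=r.nat_port), r.name
    return p, None

def evaluate(p: Packet) -> dict:
    """NAT first, then the filter rules on the translated packet; default deny."""
    after, nat_name = translate(p)
    allowed_by = next((r.name for r in FILTER_RULES if r.matches(after)), None)
    return {"nat": nat_name, "dst_after_nat": f"{after.dst}:{after.dport}",
            "allowed_by": allowed_by, "passed": allowed_by is not None}
```

Calling evaluate(Packet("122.0.0.4", "200.0.0.1", 9999)) gives no NAT match, so the destination stays 200.0.0.1:9999 and neither filter rule passes it, whereas the same packet from 100.0.0.1 is translated by NAT 2 to 192.168.1.10:1812 and is then passed (by the broad Rule 1, which is reached before Rule 2).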