Traffic not flowing for hosts behind NAT - Edge Router Lite

EddieJennings

To check my understanding of NAT.

IIS Server

• Public: 65.254.219.165
• Private: 172.16.254.12

PostFix Server

• Public: 65.254.219.166
• Private: 172.16.254.14

Static 1:1 NAT is what's needed, and I'd have two rules for each host.

Rule 1 would be destination NAT. A packet enters the eth0 interface bound for the public IP address for the intended server. The ERL translates the destination address of this packet to the private IP address of the intended server.

Rule 2 would be a source NAT. A pack exits the eth0 interface bound for the Internet from a server with the source address as the server's private IP address. The ERL translates the source address of the pack to the public IP address of the server.

So the above example for the IIS server would look like this.

Rule 1. If a packet's destination is 65.254.219.165 is ingress to eth0, translate that packet's destination to 172.16.254.12, then send packet on to have firewall rules checked.

Rule 2. If a packet's source is 172.16.254.12 is to egress from eth0, translate that packet's source to 65.254.219.165, then send the packet on its way.

JaredBusch

going to my office in a few minutes. will be able to help.

JaredBusch

Delayed by kids. Putting them to bed now though

EddieJennings

@jaredbusch said in Traffic not flowing for hosts behind NAT - Edge Router Lite:

Delayed by kids. Putting them to bed now though

Worry not. I’m turning early myself. As always, I appreciate the wisdom whenever it comes.

JaredBusch

@eddiejennings said in Traffic not flowing for hosts behind NAT - Edge Router Lite:

@jaredbusch said in Traffic not flowing for hosts behind NAT - Edge Router Lite:

Delayed by kids. Putting them to bed now though

Worry not. I’m turning early myself. As always, I appreciate the wisdom whenever it comes.

They are going to bed. Not me.

anyway. post deluge incoming.

JaredBusch

Dashboard, view showing eth0 (WAN port)

JaredBusch

The Port forwarding rules only work against the first IP listed on the specified port.

In this case the .42 on eth0
FYI: .1.14 is the internal Exchange server and .0.20 is the HAProxy server for Exchange. I am only proxying SSL.

JaredBusch

I have a few firewall groups setup

JaredBusch

The only LAN firewall rules are to block SMTP.

JaredBusch

For anything you are going to NAT in to something other than the first IP address on the default masquerade, you have to have both firewall rules and NAT destination rules.

For anything that you want to go out something other than the default masquerade, you have to have a NAT source rule.

This is the WAN_IN and is likely part of your problem.

This is the NAT (source and destination) rules that are the other part of your problem.

JaredBusch

For the screenshots above, the default NAT traffic will show a "What is my IP" as 12.XXX.XXX.42 as that is the first IP listed in the config of the eth0 port.

All traffic goes out through the default NAT masquerade (shown as order 4 in the Source NAT section) unless there is a Source NAT rule to override it.

As I have more than one thing happening here, we will just focus on the Nginx ones as the stuff not going through the default masquerade.

A Source NAT is used for outbound traffic. You are the source of the traffic.
A Destination NAT is used for inbound traffic. You are the destination of the traffic.

So to send traffic from the server with an internal IP address of 10.202.1.16 out the external IP address of 12.XXX.XXX.43 instead of the default masquerade external IP of 12.XXX.XXX.42 we need to make a Source NAT rule.

Make a rule and fill it out like this. Obviously, there are a lot more options here than I am going over. If you have multiple machines that you need to use this IP outbound, then create a firewall group and select the Src Address Group drop down instead of specifying the IP address as I did here.

Now if you check your What is my IP from the specified server, it should return the 12.XX.XXX.43

JaredBusch

The inbound is harder because you have to setup both a Destination NAT rule as well as allow it on the firewall's WAN_IN rule.

First make the Destination NAT rule as you are already on this screen from making the Source NAT rule.

As you can see you simply reverse what you did in the Source NAT rule. This time the local IP goes in the Translation and the WAN IP goes in the Dest Address field. Anything coming in on this destination IP will be translated to this local IP.

As you can also see, I further restricted this translation to only be TCP/UDP and only ports included in a firewall port group.

In case you are curious, here are the ports in that firewall port group.

JaredBusch

Now make a firewall rule in the policy assigned to the IN direction of your WAN interface.

The wizards name this rule WAN_IN by default.

You want to make the settings match when it comes to the protocol and port settings. But the destination is now the internal IP address as the translation has already happened by the NAT rules before the firewall rules see it.

JaredBusch

Now you should have traffic properly flowing to and from your alternate IP addresses.
And yes, I noticed..

Mike Davis

Well done Jared.

Dashrender

When I tried this last night, my new NAT rules were all below the default masquerade one. I tried moving (click and drag) above but it wouldn't actually move.

I then added a third rule (just some fake crap), then upon having three rules I was able to move my desired rule above the default one.

I'm on firmware v1.9.7-hotfix.4

EddieJennings

@jaredbusch said in Traffic not flowing for hosts behind NAT - Edge Router Lite:

Now you should have traffic properly flowing to and from your alternate IP addresses.

Thanks for the above. I'm comparing that to my configuration now.

And yes, I noticed..

Ah, then you know the commercials.

EddieJennings

@dashrender said in Traffic not flowing for hosts behind NAT - Edge Router Lite:

When I tried this last night, my new NAT rules were all below the default masquerade one. I tried moving (click and drag) above but it wouldn't actually move.

I then added a third rule (just some fake crap), then upon having three rules I was able to move my desired rule above the default one.

I'm on firmware v1.9.7-hotfix.4

Even though it didn't move, did the rule order number change?

Dashrender

@eddiejennings said in Traffic not flowing for hosts behind NAT - Edge Router Lite:

@dashrender said in Traffic not flowing for hosts behind NAT - Edge Router Lite:

When I tried this last night, my new NAT rules were all below the default masquerade one. I tried moving (click and drag) above but it wouldn't actually move.

I then added a third rule (just some fake crap), then upon having three rules I was able to move my desired rule above the default one.

I'm on firmware v1.9.7-hotfix.4

Even though it didn't move, did the rule order number change?

good question - I don't recall. I did see the issue where when making firewall Ruleset changes, when I would drag and drop them, the order on screen would change to some jumble, but the actual numerical value would be the desired change. Saving the rule order would fix the display to display them in numerical order.

Dashrender

I just tried it again now
https://i.imgur.com/ZmoxUun.png

This is what is normally looks like
https://i.imgur.com/yi1wL5G.png

As you can see in the top image, I can't even see the other line item to move it above or below. I've zoomed the page in and out, no option there allows me to see where I'm placing it.
Additionally, after dropping it somewhere, the numerical order does not change.

As mentioned above, creating a third entry allowed me to work around this.