NAT and Port Forwarding
-
This is from a discussion with @scottalanmiller, and I figured it'd make a good thread for folks to learn from.
Here's the scenario.
Edge Router Lite (with a /29 block) > Switch > Three web servers (VMs). In this environment there is no reverse proxy server.
Here's how I had stuff configured (assuming memory is serving me right) to get traffic to the web servers: 1-1 NAT of a public IP to each web server.
Is there another way to get traffic to go to each web server? Scott mentioned port forwarding, but unless you can make port forwarding rules based on each IP address, I don't see how that would work, since the ERL will need to know how to direct traffic from three distinct port 80 requests.
-
Why do we have three port 80s? There is only one web server that uses port 80.
-
@scottalanmiller said in NAT and Port Forwarding:
Why do we have three port 80s? There is only one web server that uses port 80.
Ah, I misremembered then. In that case you'd need to forward three 443s.
-
@eddiejennings said in NAT and Port Forwarding:
@scottalanmiller said in NAT and Port Forwarding:
Why do we have three port 80s? There is only one web server that uses port 80.
Ah, I misremembered then. In that case you'd need to forward three 443s.
Only one of those, too. Only one of anything that I can see.
-
Well, now I've learned we're talking about two different ERLs. :smiling_face:
In that case, I imagine that port forwarding uses fewer resources than NAT; thus, if you can use it, then that's the way to go.
-
@eddiejennings said in NAT and Port Forwarding:
Well, now I've learned we're talking about two different ERLs. :smiling_face:
In that case, I imagine that port forwarding uses fewer resources than NAT; thus, if you can use it, then that's the way to go.
It's not about resources. It's that one does everything in a single step, the other requires a lot of steps.
-
Port forwarding simply does all the magic by itself. It opens the firewall, it creates the NAT rule, all behind the scenes.
-
To do what you were doing, you need a source and destination NAT rule for each web server, for the open ports only. Then also a firewall rule.
-
So you do not need a full 1:1 NAT.
-
The downside to port forwarding is that it only goes to your primary IP
-
@jaredbusch said in NAT and Port Forwarding:
The downside to port forwarding is that it only goes to your primary IP
That's what I thought. Thinking this through further, it looks like in a situation where you have a /30 network, you would just forward 80/443 to your reverse proxy, then that server forwards the traffic to the appropriate web server.
-
@eddiejennings said in NAT and Port Forwarding:
@jaredbusch said in NAT and Port Forwarding:
The downside to port forwarding is that it only goes to your primary IP
That's what I thought. Thinking this through further, it looks like in a situation where you have a /30 network, you would just forward 80/443 to your reverse proxy, then that server forwards the traffic to the appropriate web server.
Correct
-
@eddiejennings said in NAT and Port Forwarding:
@scottalanmiller said in NAT and Port Forwarding:
Why do we have three port 80s? There is only one web server that uses port 80.
Ah, I misremembered then. In that case you'd need to forward three 443s.
You can do that and PF 3 ports and use the private IP to distinguish between the servers; however, note that some cheap network routers don't allow PF of the same port twice.
Best route is to PF to one that will act as a proxy/load balancer, unless those web servers are not similar in files hosted.
-
@emad-r said in NAT and Port Forwarding:
@eddiejennings said in NAT and Port Forwarding:
@scottalanmiller said in NAT and Port Forwarding:
Why do we have three port 80s? There is only one web server that uses port 80.
Ah, I misremembered then. In that case you'd need to forward three 443s.
You can do that and PF 3 ports and use the private IP to distinguish between the servers; however, note that some cheap network routers don't allow PF of the same port twice.
He is specifically using the EdgeRouter LITE as noted in the first post.
The ERL can only port forward from a single inbound IP. Very few routers have this in the port forwarding section. Actually, no current routers that I am aware of.
The ERL, as well as everything else, can do it with a destination NAT rule and matching source NAT rule.
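As an added example (not part of the original thread, and not taken from EdgeOS documentation), here is what the two approaches above look like as EdgeOS configuration commands on an ERL: the plain port forward that can only land on the router's primary WAN address, and the destination NAT plus matching source NAT plus firewall rule needed for each additional public IP of the /29. Every address, interface and ruleset name is an assumption: eth0 is the WAN with 203.0.113.1/30, the ISP routes 203.0.113.8/29 to that address, eth1 is the LAN 10.0.0.0/24, the reverse proxy is 10.0.0.10, the three web servers are 10.0.0.11-13 behind 203.0.113.9-11, and a WAN_IN ruleset with a default drop is already applied inbound on eth0. If the /29 were on-link on the WAN instead of routed, the public addresses would also have to be added to eth0, which is not shown.

```vyos
configure

# --- /30 case: plain port forwarding (assumed: WAN eth0, LAN eth1).
# It can only target the ERL's own primary WAN address, and
# auto-firewall adds the WAN_IN accept rule for you.
set port-forward wan-interface eth0
set port-forward lan-interface eth1
set port-forward auto-firewall enable
set port-forward rule 1 description 'HTTPS to reverse proxy'
set port-forward rule 1 protocol tcp
set port-forward rule 1 original-port 443
set port-forward rule 1 forward-to address 10.0.0.10
set port-forward rule 1 forward-to port 443

# --- /29 case: one public IP per web server, open ports only.
# Shown for web1 (203.0.113.9 -> 10.0.0.11, TCP 443); repeat with the
# next rule numbers for web2 (.10 -> 10.0.0.12) and web3 (.11 -> 10.0.0.13).
# Destination NAT rules live in 1-4999, source NAT rules in 5000-9999.

# Inbound: rewrite the public destination to the private server, 443 only.
set service nat rule 10 description 'DNAT web1 HTTPS'
set service nat rule 10 type destination
set service nat rule 10 inbound-interface eth0
set service nat rule 10 protocol tcp
set service nat rule 10 destination address 203.0.113.9
set service nat rule 10 destination port 443
set service nat rule 10 inside-address address 10.0.0.11
set service nat rule 10 inside-address port 443

# Outbound: make web1's own traffic leave as its public IP, not the
# router's primary address. Keep any general masquerade rule at a higher
# number (e.g. 5999) so this specific rule matches first.
set service nat rule 5010 description 'SNAT web1 outbound'
set service nat rule 5010 type source
set service nat rule 5010 outbound-interface eth0
set service nat rule 5010 source address 10.0.0.11
set service nat rule 5010 outside-address address 203.0.113.9

# Firewall: WAN_IN is evaluated after DNAT, so match the private address.
# Without this rule the DNAT'd packet is still dropped by the default policy.
set firewall name WAN_IN rule 20 description 'Allow HTTPS to web1'
set firewall name WAN_IN rule 20 action accept
set firewall name WAN_IN rule 20 protocol tcp
set firewall name WAN_IN rule 20 destination address 10.0.0.11
set firewall name WAN_IN rule 20 destination port 443

commit
save
exit
```

The point of keeping the DNAT limited to TCP 443 rather than a full 1:1 NAT is that nothing else on the server (SSH, management ports, anything listening by accident) becomes reachable from the public IP; only the SNAT rule is address-wide, because it governs what the server looks like when it initiates connections outward. After committing, `show nat statistics` shows per-rule hit counters, which is the quickest way to confirm that inbound 443 is matching rule 10 and not falling through to the general masquerade.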
-
@emad-r said in NAT and Port Forwarding:
Best route is to PF to one that will act as a proxy/load balancer, unless those web servers are not similar in files hosted.
He has a /29 block and various servers using those IPs. To do this one would have to change the DNS to use a single IP.
Otherwise, even if it was all going to a single internal proxy, you would still need the previously mentioned destination and source NAT rules.
-
@jaredbusch said in NAT and Port Forwarding:
The downside to port forwarding is that it only goes to your primary IP
Yeah, that can be very limiting. Seems like that would be easy to expand on their side.
-
@scottalanmiller said in NAT and Port Forwarding:
@jaredbusch said in NAT and Port Forwarding:
The downside to port forwarding is that it only goes to your primary IP
Yeah, that can be very limiting. Seems like that would be easy to expand on their side.
Does VyOS have this feature?
-
@jaredbusch said in NAT and Port Forwarding:
@scottalanmiller said in NAT and Port Forwarding:
@jaredbusch said in NAT and Port Forwarding:
The downside to port forwarding is that it only goes to your primary IP
Yeah, that can be very limiting. Seems like that would be easy to expand on their side.
Does VyOS have this feature?
Glancing over the wiki, it looks like it doesn't. Or rather, they say that Destination NAT is "port forwarding."
-
@eddiejennings said in NAT and Port Forwarding:
@jaredbusch said in NAT and Port Forwarding:
@scottalanmiller said in NAT and Port Forwarding:
@jaredbusch said in NAT and Port Forwarding:
The downside to port forwarding is that it only goes to your primary IP
Yeah, that can be very limiting. Seems like that would be easy to expand on their side.
Does VyOS have this feature?
Glancing over the wiki, it looks like it doesn't. Or rather, they say that Destination NAT is "port forwarding."
Well, that is what port forwarding does in the background anyway.
And port forwarding from multiple inbound IPs just doesn't make sense, because then you also need to do something for the source NAT.
As I stated previously, I do not know of any router that has this in the "Port Forwarding" section.
-
Is it possible to port forward using Aliases/Groups?