sskalsky
just joined
Topic Author
Posts: 3
Joined: Wed Apr 10, 2024 10:32 am

Src NAT from Router LAN IP address to WAN IP address

Wed Apr 10, 2024 11:04 am

Hello

I am new here, I hope my request will be easy to fulfill.

I want to split traffic by LAN IP address (default gateway) to WAN IP address. (src-NAT - dst-NAT vice versa)

I have 2 public WAN static addresses in one subnet and 2 LAN IP addresses in one subnet (as 2 default gateways for one LAN).
On the LAN1 IP address I run a DHCP server providing IP addresses for part of the subnet with default gateway LAN1.
Some servers in the LAN have a static address outside the mentioned DHCP range, in the same subnet, with default gateway LAN2.

I would like to NAT traffic directed to the LAN1 IP address to the WAN1 IP address and LAN2 to WAN2, because I need to use dst-nat connections WAN1-LAN1 and WAN2-LAN2.
Simply allow connection from LAN default gateway 1 to WAN1 IP address and from LAN default gateway 2 to WAN2 IP address and back.

I found that it is possible to use src-nat with a dedicated range of source addresses to a dedicated WAN address, dividing the LAN addresses into the required ranges.
I do not want to divide source address ranges, I want to split traffic by LAN IP address (default gateway) to WAN IP address if it is possible.

Can you help me with this?
 
llamajaja
Member Candidate
Posts: 198
Joined: Sat Sep 30, 2023 3:11 pm

Re: Src NAT from Router LAN IP address to WAN IP address

Wed Apr 10, 2024 5:01 pm

Yes, if you can explain your requirements more clearly... don't mix up config speak with requirements.

a. identify all user(s)/device(s) and groups of users/devices, including admin
b. identify the traffic they need to accomplish

Provide a network diagram showing the ISP connections, subnets, ports used etc.
 
sskalsky
just joined
Topic Author
Posts: 3
Joined: Wed Apr 10, 2024 10:32 am

Re: Src NAT from Router LAN IP address to WAN IP address

Thu Apr 11, 2024 11:08 am

Hello, please find more information below:

My goal is to properly connect all LAN clients from single local network to the Internet, and to provide functional communication over open ports from the Internet to the local servers using a single router when 2 WAN router addresses and 2 LAN router addresses are used.

Router hEX

LAN side - bridge - eth2-eth5

LAN IP (bridge) addresses:
LAN IP1: 10.0.0.1 - DHCP server 10.0.0.61-10.0.0.254 (providing dynamic IP address pool with default gateway 10.0.0.1)
LAN IP2: 10.0.0.2 - no DHCP server

LAN side clients:
PCs with DHCP client - dynamic addresses 10.0.0.61-10.0.0.254, (DG: 10.0.0.1)

Server 1 with fixed IP 10.0.0.10 and default gateway 10.0.0.1, open port to internet 8000

Server 2 fixed IP 10.0.0.11 default gateway 10.0.0.2 open ports to internet 25,443
Server 3 fixed IP 10.0.0.12 default gateway 10.0.0.2 open port to internet 2222

WAN side:
fixed WAN IP1: 1XX.XXX.XXX.39/27
fixed WAN IP2: 1XX.XXX.XXX.44/27
WAN default gateway:1XX.XXX.XXX.42

I would like to:

Split communication
1. via LAN1 IP 10.0.0.1 to WAN IP1 1XX.XXX.XXX.39/27 (using NAT)
2. via LAN2 IP 10.0.0.2 to WAN IP2 1XX.XXX.XXX.44/27 (using NAT)

Provide connection from internet (dst-nat) between

- WAN IP1 1XX.XXX.XXX.39/27 and server 1 opening port 8000

- WAN IP2 1XX.XXX.XXX.44/27 and server 2 opening ports 25, 443
- WAN IP2 1XX.XXX.XXX.44/27 and server 3 opening port 2222

This router should replace the two routers used earlier, the first with LAN IP1 <-> WAN IP1 and the second with LAN IP2 <-> WAN IP2, providing the required connections from and to the internet. However, the communication does not have to be strictly separated as on two separate routers unless it is necessary.
I can configure everything correctly, except routing between router addresses LAN1-WAN1 and LAN2-WAN2.
Currently, I have it configured so that I split the client IP addresses into separate ranges and use src-nat to route them to the desired WAN addresses, which more or less works. But I want to change it so that the client default gateway IP address determines the routing to the desired WAN IP.
Last edited by sskalsky on Thu Apr 11, 2024 12:02 pm, edited 21 times in total.
 
sskalsky
just joined
Topic Author
Posts: 3
Joined: Wed Apr 10, 2024 10:32 am

Re: Src NAT from Router LAN IP address to WAN IP address

Thu Apr 11, 2024 11:10 am

... I cannot delete this post -- HTTP ERROR 500 :(
 
llamajaja
Member Candidate
Posts: 198
Joined: Sat Sep 30, 2023 3:11 pm

Re: Src NAT from Router LAN IP address to WAN IP address

Thu Apr 11, 2024 5:24 pm

Please provide the config you have so far...

/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc.. )
 
TheCat12
Member Candidate
Posts: 196
Joined: Fri Dec 31, 2021 9:13 pm

Re: Src NAT from Router LAN IP address to WAN IP address

Fri Apr 12, 2024 3:24 pm

I think that the splitting between the two WANs won't be possible only with the help of NAT - routing tables and in your case mangle rules are also necessary:
/ip firewall address-list
add list=through_WAN2 address=10.0.0.2
add list=through_WAN2 address=10.0.0.11
add list=through_WAN2 address=10.0.0.12

/ip firewall mangle
add action=mark-connection chain=prerouting src-address=10.0.0.1/24 src-address-list=!through_WAN2 connection-mark=no-mark new-connection-mark=WAN1_conn
add action=mark-routing chain=prerouting src-address=10.0.0.1/24 src-address-list=!through_WAN2 new-routing-mark=to_WAN1
add action=mark-routing chain=prerouting connection-mark=WAN1_conn new-routing-mark=to_WAN1 passthrough=no
add action=mark-connection chain=prerouting src-address-list=through_WAN2 connection-mark=no-mark new-connection-mark=WAN2_conn
add action=mark-routing chain=prerouting src-address-list=through_WAN2 new-routing-mark=to_WAN2
add action=mark-routing chain=prerouting connection-mark=WAN2_conn new-routing-mark=to_WAN2

/routing table
add fib name=to_WAN1
add fib name=to_WAN2

/ip route
add dst-address=0.0.0.0/0 gateway=1XX.XXX.XXX.39 routing-table=to_WAN1
add dst-address=0.0.0.0/0 gateway=1XX.XXX.XXX.44 routing-table=to_WAN2

/ip firewall nat
add action=dst-nat chain=dstnat dst-address=1XX.XXX.XXX.39 protocol=tcp dst-port=8000 to-addresses=10.0.0.10 to-ports=8000
add action=dst-nat chain=dstnat dst-address=1XX.XXX.XXX.44 protocol=tcp dst-port=25,443 to-addresses=10.0.0.11
add action=dst-nat chain=dstnat dst-address=1XX.XXX.XXX.44 protocol=tcp dst-port=2222 to-addresses=10.0.0.12 to-ports=2222
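
Added example, not part of the post above: because the WAN choice here depends on a hand-maintained address list, a published server that is missing from the list is reachable on one WAN address while its own outbound traffic is marked for the other. This Python check reads the address-list and dst-nat rules and reports such mismatches; the `WAN_OF_MARK` pairing and the reduction of the mangle rules to list membership are assumptions.

```python
import shlex

# Constructed input: address-list and dst-nat rules copied from the post above
# (WAN addresses masked as in the thread).
CONFIG = """\
/ip firewall address-list
add list=through_WAN2 address=10.0.0.2
add list=through_WAN2 address=10.0.0.11
add list=through_WAN2 address=10.0.0.12
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=1XX.XXX.XXX.39 protocol=tcp dst-port=8000 to-addresses=10.0.0.10 to-ports=8000
add action=dst-nat chain=dstnat dst-address=1XX.XXX.XXX.44 protocol=tcp dst-port=25,443 to-addresses=10.0.0.11
add action=dst-nat chain=dstnat dst-address=1XX.XXX.XXX.44 protocol=tcp dst-port=2222 to-addresses=10.0.0.12 to-ports=2222
"""

# Assumption: WAN address each routing mark should leave from (OP's LAN1-WAN1, LAN2-WAN2 pairing).
WAN_OF_MARK = {"to_WAN1": "1XX.XXX.XXX.39", "to_WAN2": "1XX.XXX.XXX.44"}

def parse_export(text):
    """Group 'add key=value ...' lines under the menu path that precedes them."""
    menus, path = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            path = line
        elif line.startswith("add ") and path:
            props = dict(t.split("=", 1) for t in shlex.split(line)[1:] if "=" in t)
            menus.setdefault(path, []).append(props)
    return menus

def find_mismatches(text):
    """Return (server, published_on, leaves_via) where inbound and outbound WAN differ."""
    menus = parse_export(text)
    wan2_hosts = {e["address"] for e in menus.get("/ip firewall address-list", [])
                  if e.get("list") == "through_WAN2"}
    mismatches = []
    for rule in menus.get("/ip firewall nat", []):
        if rule.get("action") != "dst-nat":
            continue
        server, published_on = rule["to-addresses"], rule["dst-address"]
        # Simplified model of the mangle rules: listed sources are marked
        # to_WAN2, every other LAN source to_WAN1.
        mark = "to_WAN2" if server in wan2_hosts else "to_WAN1"
        if WAN_OF_MARK[mark] != published_on:
            mismatches.append((server, published_on, WAN_OF_MARK[mark]))
    return mismatches

if __name__ == "__main__":
    print(find_mismatches(CONFIG))
```

Run it against the relevant sections of a `/export` whenever a statically addressed server or a dst-nat rule is added.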
 
anav
Forum Guru
Posts: 19602
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Src NAT from Router LAN IP address to WAN IP address

Fri Apr 12, 2024 3:33 pm

The function of sourcenat is not ROUTING, so cat is bang on.
This is a simple case of subnet A should use WAN1 and subnet B should use WAN2.

Questions:
1. the majority of traffic will be through WAN X ??
2. What happens when WANA is not available, do you want all traffic to go to WANB?
3. What happens when WANB is not available, do you want all traffic to go to WANA?

Do you have any servers on either LANA or LANB, that you want external users to access?
Do you have any Router services that external users may use (such as VPN)?
 
TheCat12
Member Candidate
Posts: 196
Joined: Fri Dec 31, 2021 9:13 pm

Re: Src NAT from Router LAN IP address to WAN IP address

Fri Apr 12, 2024 3:47 pm

The task isn't as easy as it seems because there is one LAN subnet and two gateways - DHCP clients use one and statically assigned another. It would be easier if there were actually two subnets but no. That's why I used so many mangle rules and an address list (luckily the devices behind the second gateway are only two). As for the questions it would be best to be answered by the OP
 
anav
Forum Guru
Posts: 19602
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Src NAT from Router LAN IP address to WAN IP address

Fri Apr 12, 2024 8:32 pm

Yeah scratching my head to understand WHY.
Why would anyone have such a setup?

Also the communication is not clear, it's ONE LAN, some users have dhcp assigned, the rest are fixed.
He wants the dhcp users, sent to WAN1, and fixed LANIPs sent to WAN2
Also assuming users being on the same LAN should still be able to see each other??

What is the backup plan, in mind. what if WAN1 is not available or WAN2?
Which WAN has priority in a general sense still needs to be determined
a. majority of traffic is dhcp or fixed users/devices
b. most important traffic is dhcp or fixed users/devices
