 
 From:  "James W. McKeand" <james at mckeand dot biz>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] Issues with Server NAT & 1:1 for port fwding
 Date:  Fri, 9 Dec 2005 17:13:48 -0600
Ben R. Serebin wrote:
> Hello All,
> 
> Wow... great UI.... note sarcasm. (If you want me to contribute info
> to docs, let me know.) Found the problem with Server NAT. One must
> not select the External Address for the 2nd WAN IP on Inbound NAT
> rules. Leave it at "Interface address" for Server NAT under
> Firewall:NAT rule.
> 
> Example of how to add protocol after adding IP in Server NAT.
> 
> Interface: WAN
> External address: (leave it on Interface address)
> Protocol: select protocol (e.g. SMTP)
> External port range: (e.g. SMTP)
> NAT IP: (e.g. internal IP of server hosting protocol)
> Local port: (e.g. SMTP)
> Description: (e.g. SMTP on Server 2)
> [check this box] Auto-add a firewall rule to permit traffic through
> this NAT rule [select Apply changes]
> 

This will allow traffic to your WAN IP to be NATed to your Internal
server. Not the 2nd WAN IP...

Example:

WAN IP assigned 192.168.1.1/29 will NAT to SMTP server 1 (SMTP1)
Want to NAT 192.168.1.2 for 2nd SMTP server

Inbound NAT for SMTP1 is what you have above.

For Second SMTP server (SMTP2)
Add Server NAT for 192.168.1.2
Add Proxy ARP for 192.168.1.2 (may not be needed - but shouldn't
hurt...)
Add Inbound NAT:
  Interface: WAN
  External address: Use Server NAT Here
  Protocol: select protocol (e.g. SMTP)
  External port range: (e.g. SMTP)
  NAT IP: (e.g. internal IP of server hosting protocol)
  Local port: (e.g. SMTP)
  Description: (e.g. SMTP on Server 2)
  [check this box] Auto-add a firewall rule to permit traffic through
  this NAT rule
  [select Apply changes]

As I mentioned in a previous post, it may take some time to take effect
(upstream ARP caches must expire). But once it is done you should be
able to connect to 192.168.1.1 ***AND*** 192.168.1.2 on port 25. I think
rebooting the ISP's gear (modem/router) may speed this along. This is
much like the 15 minute rule with old Microsoft networks - 15 minutes
before a new workstation shows up in the domain (Master Browser
refreshed every 15 minutes).

_________________________________
James W. McKeand
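Added example (not part of the thread, and not m0n0wall code): a small Python model of how inbound NAT rule matching behaves under the two configurations discussed above. The rule fields mirror the web UI fields James lists; the matching logic is an assumption based on his description (an inbound rule left at "Interface address" only ever matches the primary WAN IP, rules are checked in order and the first match wins), and the internal server addresses 10.0.0.11 and 10.0.0.12 are constructed. The two WAN addresses 192.168.1.1 and 192.168.1.2 are the ones from the thread.

```python
"""Toy model of m0n0wall-style inbound (destination) NAT matching.

Assumption: an inbound rule whose external address is "Interface address"
matches only traffic sent to the primary WAN IP; a second WAN IP must be
registered under Server NAT and selected explicitly as the rule's external
address. Rule order matters and the first matching rule wins.
"""
from dataclasses import dataclass
from typing import Optional, Tuple, Dict, List

INTERFACE_ADDRESS = "interface"  # the UI's "Interface address" choice


@dataclass(frozen=True)
class InboundRule:
    interface: str
    external: str          # INTERFACE_ADDRESS or an IP registered under Server NAT
    protocol: str
    external_port: int
    nat_ip: str            # internal server the traffic is forwarded to
    local_port: int
    description: str = ""


@dataclass(frozen=True)
class WanConfig:
    interface_ip: str             # primary WAN IP (192.168.1.1 in the thread)
    server_nat: frozenset         # extra WAN IPs registered under Server NAT
    rules: tuple                  # InboundRule entries, in evaluation order


def validate(cfg: WanConfig) -> List[str]:
    """Return configuration problems found (empty list when clean).

    A rule may only name an external address that has a Server NAT entry;
    the UI enforces this by only offering registered addresses.
    """
    problems = []
    for r in cfg.rules:
        if r.external != INTERFACE_ADDRESS and r.external not in cfg.server_nat:
            problems.append(f"rule '{r.description}' uses external address "
                            f"{r.external}, which has no Server NAT entry")
    return problems


def translate(cfg: WanConfig, dst_ip: str, protocol: str,
              dst_port: int) -> Optional[Tuple[str, int]]:
    """Return (internal_ip, internal_port) for an inbound packet, or None if no rule matches."""
    for r in cfg.rules:
        ext_ip = cfg.interface_ip if r.external == INTERFACE_ADDRESS else r.external
        if dst_ip == ext_ip and protocol == r.protocol and dst_port == r.external_port:
            return (r.nat_ip, r.local_port)
    return None


# Rule for the first SMTP server: "Interface address" is correct here.
SMTP1_RULE = InboundRule("WAN", INTERFACE_ADDRESS, "tcp", 25, "10.0.0.11", 25,
                         "SMTP on Server 1")


def broken_config() -> WanConfig:
    """Both rules left at "Interface address": the second one is shadowed."""
    smtp2 = InboundRule("WAN", INTERFACE_ADDRESS, "tcp", 25, "10.0.0.12", 25,
                        "SMTP on Server 2")
    return WanConfig("192.168.1.1", frozenset(), (SMTP1_RULE, smtp2))


def fixed_config() -> WanConfig:
    """James's recipe: Server NAT entry for 192.168.1.2 plus a rule that uses it."""
    smtp2 = InboundRule("WAN", "192.168.1.2", "tcp", 25, "10.0.0.12", 25,
                        "SMTP on Server 2")
    return WanConfig("192.168.1.1", frozenset({"192.168.1.2"}), (SMTP1_RULE, smtp2))


def missing_server_nat_config() -> WanConfig:
    """Rule references 192.168.1.2 but the Server NAT entry was never added."""
    smtp2 = InboundRule("WAN", "192.168.1.2", "tcp", 25, "10.0.0.12", 25,
                        "SMTP on Server 2")
    return WanConfig("192.168.1.1", frozenset(), (SMTP1_RULE, smtp2))


def reachability(cfg: WanConfig) -> Dict[str, Optional[Tuple[str, int]]]:
    """Where a TCP/25 connection to each public address ends up."""
    return {ip: translate(cfg, ip, "tcp", 25) for ip in ("192.168.1.1", "192.168.1.2")}


if __name__ == "__main__":
    print("broken:", reachability(broken_config()))
    print("fixed: ", reachability(fixed_config()))
    print("problems:", validate(missing_server_nat_config()))
```

In the broken layout, a connection to 192.168.1.2:25 matches nothing and is simply dropped, while both rules compete for 192.168.1.1:25 and only the first ever fires; in the fixed layout each public address lands on its own server. The `validate` check catches the case where a rule names a second address that was never registered under Server NAT, which is the ordering mistake the UI is guarding against.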