New Member
Posts: 5
Registered: ‎02-06-2018
Accepted Solution

NAT between /24 and /16 without multiple IPs on WAN interface

This may not be possible but here is what I'm looking to do.

We have an EdgeMax X SFP v1.9.7 Hotfix 4. This is connected to a gateway on our company's network on eth0 on the 10.10.205.0/24 network. eth1-3 are connected to 172.16.0.0/16 and eth4 is connected to a device on 10.10.205.0/24. (currently in a lab)

I need to set up a remote connection to the devices on the 172.16.0.0/16 network (which I have working). But in order to set up the connection I need to set up DNAT and add the IP to the WAN interface.

My question is: Is there some way to set it up so that I don't need to put the IP in both places?

Putting IP 10.10.205.11 on the WAN port, then DNAT 10.10.205.11 -> 172.16.1.10, will allow me remote connection.

Only putting 10.10.205.100 -> 172.16.1.100 in DNAT will not allow the remote connection, which I'm assuming is because the router doesn't know where 10.10.205.100 is since it only exists in the DNAT table.

Ideally I would like the WAN port to pass through all of 10.10.205.0/24 and then NAT anything I have in the table. This router is currently under evaluation, and if we decide to use it then we would have around 20 devices on the 172.16.0.0/16 network we would need remote access to. Then we would have 20-30 of these routers for different 10.10 subnets. These routers would then be moved around and we would need to go and change the IPs in both locations each time. (The router will be used for the engineering department in manufacturing for their machines, not in IT. Its main function will be NAT.)

Again, I am just looking to see if it's possible (and if it is, maybe get some help setting it up) to set the IPs for NAT in one location.

I have inserted my config. I have masquerade and arp-proxy on, but it is just something I am playing with and has no effect on what I am trying to do (the effects are the same with it on or off).

firewall {
    all-ping enable
    broadcast-ping disable
    group {
        address-group 172network {
            address 172.16.0.0/16
            description ""
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action accept
        description "WAN to internal"
        rule 20 {
            action accept
            description "Accept All"
            log disable
            p2p {
                all
            }
            protocol all
            state {
                established enable
                invalid enable
                new enable
                related enable
            }
        }
    }
    name WAN_LOCAL {
        default-action accept
        description "WAN to router"
        rule 1 {
            action accept
            description "Accept All"
            log disable
            p2p {
                all
            }
            protocol all
            state {
                established enable
                invalid enable
                new enable
                related enable
            }
        }
    }
    name WAN_OUT {
        default-action accept
        description "WAN to network"
        rule 20 {
            action accept
            description "Accept All"
            log disable
            p2p {
                all
            }
            protocol all
            state {
                established enable
                invalid enable
                new enable
                related enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        description WAN
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
            out {
                name WAN_OUT
            }
        }
        ip {
        }
        poe {
            output off
        }
        speed auto
    }
    ethernet eth1 {
        description Comp1
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    ethernet eth2 {
        description Comp2
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    ethernet eth3 {
        description "NAS 172"
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    ethernet eth4 {
        description "NAS 10"
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    ethernet eth5 {
        duplex auto
        speed auto
    }
    loopback lo {
    }
    switch switch0 {
        address 172.16.0.1/16
        address 10.10.205.2/24
        address 10.10.205.11/24
        description Local
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
            out {
                name WAN_OUT
            }
        }
        ip {
            enable-proxy-arp
        }
        mtu 1500
        switch-port {
            interface eth0 {
            }
            interface eth1 {
            }
            interface eth2 {
            }
            interface eth3 {
            }
            interface eth4 {
            }
            vlan-aware disable
        }
    }
}
port-forward {
    auto-firewall disable
    hairpin-nat disable
    wan-interface eth0
}
protocols {
    static {
    }
}
service {
    dns {
        forwarding {
            cache-size 150
            listen-on switch0
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 1 {
            description Comp1
            destination {
                address 10.10.205.11
            }
            inbound-interface switch0
            inside-address {
                address 172.16.1.11
            }
            log disable
            protocol all
            type destination
        }
        rule 2 {
            description Comp2
            destination {
                address 10.10.205.100
            }
            inbound-interface eth+
            inside-address {
                address 172.16.1.100
            }
            log disable
            protocol all
            type destination
        }
        rule 5001 {
            description "172 Network"
            exclude
            log disable
            outbound-interface switch0
            protocol all
            source {
                group {
                    address-group 172network
                }
            }
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
    unms {
        disable
    }
}
system {
    gateway-address 10.10.205.1
    host-name ubnt
    ip {
        arp {
            table-size 8192
        }
    }
    static-host-mapping {
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone America/Chicago
    traffic-analysis {
        dpi disable
        export disable
    }
}

All Replies
Veteran Member
Posts: 7,970
Registered: ‎03-24-2016
Kudos: 2077
Solutions: 912

Re: NAT between /24 and /16 without multiple IPs on WAN interface

Without assigning the extra address, it won't work, as remote devices on the 10.10.205.x network can't ARP for the missing address.

NAT and firewall rules will work fine; it's the remote host's missing ARP entry that blocks successful communication. For a test, adding a static ARP entry will do the trick.

But it's easier and it makes more sense to just add the extra IPs to the WAN port.

New Member
Posts: 5
Registered: ‎02-06-2018

Re: NAT between /24 and /16 without multiple IPs on WAN interface

Thank you. That's what I was also thinking. I just wasn't sure if there was anything different that I could do, such as adding the 10.10 /24 network address somewhere to forward it, or having proxy ARP (which I'm not too familiar with) respond to ARP for those addresses in the NAT.
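The accepted answer settles the mechanism: a DNAT rule alone is not enough because the upstream hosts on 10.10.205.0/24 have to be able to ARP for the public-side address, so it must exist on the WAN interface as well. The original poster's real problem is the duplication (the same address typed into the interface and into the NAT rule on 20-30 routers). As an added example, not code from this thread or from Ubiquiti, the POSIX shell script below keeps the mapping table in one place and generates both the secondary-address and the destination-NAT commands from it, so the EdgeOS config is derived rather than hand-edited twice. The mapping entries are constructed sample values in the thread's address ranges; the interface name, the /24 prefix length, the starting rule number and the configure/commit/save wrapper are assumptions about the target router.

```shell
#!/bin/sh
# Added example (not from the thread): one mapping list -> both EdgeOS pieces
# the accepted answer says are required, the extra WAN address (so upstream
# hosts can ARP for it) and the matching destination NAT rule.
# Sample mappings are constructed: "<wan-address> <inside-address> <description>"
MAPPINGS='10.10.205.11 172.16.1.11 Comp1
10.10.205.100 172.16.1.100 Comp2'

# emit_config WAN_IFACE PREFIXLEN FIRST_RULE
# Reads mappings on stdin and prints the 'set' commands for each of them.
# Interface name, prefix length and rule numbering are assumptions.
emit_config() {
    wan_if=$1; plen=$2; rule=$3
    while read -r wan_ip inside_ip desc; do
        [ -z "$wan_ip" ] && continue
        # Secondary address on the WAN interface: this is what lets the
        # upstream router resolve the address with ARP.
        echo "set interfaces ethernet $wan_if address $wan_ip/$plen"
        # DNAT rule that points the same address at the inside host.
        echo "set service nat rule $rule description $desc"
        echo "set service nat rule $rule type destination"
        echo "set service nat rule $rule inbound-interface $wan_if"
        echo "set service nat rule $rule destination address $wan_ip"
        echo "set service nat rule $rule inside-address address $inside_ip"
        # 'protocol all' mirrors the thread's lab config; narrow it to the
        # ports the remote-access tool needs before using this in production.
        echo "set service nat rule $rule protocol all"
        rule=$((rule + 1))
    done
}

# render_script WAN_IFACE
# Wraps the generated commands so the output can be pasted into the EdgeOS CLI.
render_script() {
    echo "configure"
    echo "$MAPPINGS" | emit_config "$1" 24 1
    echo "commit"
    echo "save"
}

render_script eth0
```

Edit MAPPINGS (or read it from a per-router file) and run the script; the generated `set` lines are the only place the public-side addresses are typed, and each rule carries the same address as the interface entry it was generated with. Two cautions from a defender's standpoint: the `protocol all` DNAT exposes every port of the inside host to the 10.10 network, so restrict the protocol and destination port to what the remote-access tool actually uses, and expect the `invalid enable` / accept-all rulesets in the posted config to be tightened before deployment. On proxy ARP, which the last reply asks about: on Linux the kernel only answers an ARP request on behalf of an address it would route out a different interface, so an address that exists only in a DNAT rule and sits in the WAN subnet gets no reply, which matches the poster's observation that enabling it changed nothing.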