Member
Posts: 125
Registered: 09-15-2016
Kudos: 25
Solutions: 1

NAT rules are eating my lunch

I had an ERPro-8 running my core network, but I upgraded it to an ER-4 yesterday for the improved processing power. I started by manually typing in all the NAT and firewall rules from my old router to my new router, but inevitably that left some things not communicating right. I finally decided to just download the ERPro-8 config and upload it to the ER-4. The problem is, my UNMS and Unifi servers that are hosted with internal IPs using their own static public IPs via NAT are no longer accessible from outside my network. I didn't change anything, so I'm not sure how that could have happened. UNMS and Unifi were working fine on my ERPro-8, but now that I copied the config over, the ER-4 won't let outside devices talk to my Unifi and UNMS servers. 


I will admit that NAT rules seem simple at first but end up confusing the hell out of me pretty quick. I managed to get everything working on my ERPro-8 months ago and hadn't touched the NAT rules since, but now that my new ER-4 isn't NATing properly, I've hit this dilemma again.


I am paying for 5 static IPs from my ISP. 2 of them are reserved for Unifi and UNMS and shared by nothing else. Both servers are on the same Hyper-V server on the same subnet as my customers (eth1). I have Unifi at 10.0.1.3 and I have UNMS as 10.0.1.2. At this point I'm assuming I will have to start over with my NAT rules since I now have 8 source NAT and 15 Destination NAT rules, so how am I supposed to create these rules to make devices and users on the public internet communicate with Unifi and UNMS?


Also to throw another curve ball, UCRM is on the same subnet and same Hyper-V server, and it works fine. I've tried duplicating the rules for UCRM but it makes no difference to UNMS or Unifi.


eth0: Internet connection with 5 statics.

eth1: WISP customers and UNMS, UCRM, Unifi

eth2: My devices on their own network and their own static IP. 


Accepted Solutions
Veteran Member
Posts: 7,600
Registered: 03-24-2016
Kudos: 1977
Solutions: 871

Re: NAT rules are eating my lunch

copying over the config should be fine.


Maybe the ISP router remembers your old MAC address for some of your extra IPs. Wait for it to time out, or reboot it.

Member
Posts: 125
Registered: 09-15-2016
Kudos: 25
Solutions: 1

Re: NAT rules are eating my lunch

It took me entirely too long to figure it out, but your suggestion ended up being the fix. My ISP stickies the first 2 MACs it learns on the connection. I knew that going in, but what threw me off was that 3 of my IPs worked fine, including the one I use for my internet connection, so I thought there was an empty space in their ACL that my new router fit into. Turns out they have that list per static IP and somehow the list got cleared out for the first 3 but not the last 2. I ended up spoofing the MAC of my ERPro onto my new ER-4 and the other 2 IPs began working immediately.
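As an added example (not configuration from this thread or from Ubiquiti), here is an EdgeOS `configure` session that gives one inside host its own public IP in both directions, plus the WAN MAC override the fix above relied on. The 203.0.113.0/29 addresses, the old router's MAC, the rule numbers, the ports and the firewall rule-set name WAN_IN are assumed placeholders; 10.0.1.3 and 10.0.1.2 are the Unifi and UNMS hosts named in the original post.

```vyatta
# Added example, not the poster's config. Placeholder public block:
# 203.0.113.0/29 (documentation range); substitute the ISP-assigned statics.
configure

# The router must answer ARP for every public IP it forwards, so the extra
# statics are secondary addresses on the WAN port. .10 is the router's own,
# .11 is reserved for Unifi, .12 for UNMS (placeholders).
set interfaces ethernet eth0 address 203.0.113.10/29
set interfaces ethernet eth0 address 203.0.113.11/29
set interfaces ethernet eth0 address 203.0.113.12/29

# Inbound 1:1 for Unifi: traffic arriving on eth0 for the .11 address is
# rewritten to 10.0.1.3 before the firewall sees it.
set service nat rule 10 description 'DNAT Unifi'
set service nat rule 10 type destination
set service nat rule 10 inbound-interface eth0
set service nat rule 10 destination address 203.0.113.11
set service nat rule 10 inside-address address 10.0.1.3

# Outbound for the same host: it leaves with .11 rather than the shared
# masquerade address. EdgeOS keeps source rules at 5000 and above, and
# rules are matched in number order, so this must sort before the
# general masquerade rule for the customer subnet.
set service nat rule 5010 description 'SNAT Unifi'
set service nat rule 5010 type source
set service nat rule 5010 outbound-interface eth0
set service nat rule 5010 source address 10.0.1.3
set service nat rule 5010 outside-address address 203.0.113.11

# Same pair for UNMS at 10.0.1.2 on the .12 address.
set service nat rule 11 description 'DNAT UNMS'
set service nat rule 11 type destination
set service nat rule 11 inbound-interface eth0
set service nat rule 11 destination address 203.0.113.12
set service nat rule 11 inside-address address 10.0.1.2
set service nat rule 5011 description 'SNAT UNMS'
set service nat rule 5011 type source
set service nat rule 5011 outbound-interface eth0
set service nat rule 5011 source address 10.0.1.2
set service nat rule 5011 outside-address address 203.0.113.12

# DNAT runs before the WAN-side firewall, so the accept rule matches the
# translated inside address and is limited to the ports the service
# actually listens on (placeholder ports; adjust to the real services).
set firewall name WAN_IN rule 20 action accept
set firewall name WAN_IN rule 20 description 'Unifi from internet'
set firewall name WAN_IN rule 20 protocol tcp
set firewall name WAN_IN rule 20 destination address 10.0.1.3
set firewall name WAN_IN rule 20 destination port 8080,8443
set firewall name WAN_IN rule 21 action accept
set firewall name WAN_IN rule 21 description 'UNMS from internet'
set firewall name WAN_IN rule 21 protocol tcp
set firewall name WAN_IN rule 21 destination address 10.0.1.2
set firewall name WAN_IN rule 21 destination port 443

# The step that actually fixed this thread: present the retired ERPro-8's
# MAC on the new WAN port so an upstream that pinned IP-to-MAC keeps
# forwarding. Placeholder MAC; read the real one off the old unit.
set interfaces ethernet eth0 mac 00:11:22:33:44:55

commit
save
exit

# Checks from the router: the secondary addresses and the overridden MAC
# should appear here, and the rule counters should move when a test
# connection is made from outside.
show interfaces ethernet eth0
show nat statistics
```

Two things worth knowing when reading this. The source rule for a host with its own public IP has to sort before the subnet-wide masquerade rule, otherwise connections that host initiates leave with the shared address and the far end sees a different IP than the one it is used to. And the router has no way to query the upstream device's ARP or MAC table: if `show interfaces ethernet eth0` lists the secondary addresses and the DNAT counters stay at zero while the host is reachable from inside, the traffic is being dropped before it reaches eth0, which is exactly the sticky-MAC situation the thread ended up in.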
