New Member
Posts: 11
Registered: ‎03-13-2014
Solutions: 1
Accepted Solution

NAT to another subnet on another router

I get Port Forwarding (DNAT) with 1 router, but what if I want to port forward from 1 router to another router at another location that is connected via another router... maybe a diagram will help

Internet----RouterA-----RouterB----RouterC------WebServer(port 443)

Site INFO:

Site 1: Internet-->RouterA--->RouterB

PTP Link RouterB<--->RouterC

Site 2: RouterC--->RouterD--->Internet

Routing between all Routers is a mix of STATIC/OSPF. All Routers can ping each subnet. I can ping Webserver (192.168.0.100) from RouterA.

RouterA has a Firewall. 192.168.10.1/24. WAN interface is PPPOE.

RouterB (eth2 - 192.168.10.2/24 connected to RouterA) (eth3 - 192.168.200.1/30 connected to RouterC)

RouterC (eth3 - 192.168.200.2/30 connected to RouterB) (eth1 - 192.168.0.1/24 connected to LAN that has WebServer)

Both RouterB and RouterC have no configured firewall as they are purely routing traffic between multiple sites.

I thought I could just port forward 443 to 192.168.0.100 (webServer) and it would work... but no dice. I never had relay port forwarding and am looking for some assistance.

My gut tells me it's a combination of SNAT and DNAT (TRIPLE NAT?) across all routers listed, but if so, how does that look?

Thanks for the time!

Accepted Solutions
SuperUser
Posts: 7,495
Registered: ‎01-05-2012
Kudos: 1976
Solutions: 981

Re: NAT to another subnet on another router

Fast way, once you have configured the port-forward on router A (wan.ip.address:443>>192.168.0.100:443), even via gui, assuming that on router A, the ip address 192.168.10.1 is on eth1, through SSH

configure
set service nat rule 5050 type masquerade
set service nat rule 5050 destination address 192.168.0.100
set service nat rule 5050 protocol tcp
set service nat rule 5050 destination port 443
set service nat rule 5050 outbound-interface eth1
commit;save

Which should result, via gui,

[Screenshot: NAT.JPG]

Cheers,

jonatha

All Replies
SuperUser
Posts: 7,495
Registered: ‎01-05-2012
Kudos: 1976
Solutions: 981

Re: NAT to another subnet on another router

If router C has as default gateway 192.168.200.1 (B), and router B has as default gateway 192.168.10.1 (A), and Router A is aware and knows how to reach the 192.168.0.0/XX network, the port-forward (DNAT) rule should be needed only on pppoe of RouterA ...
Cheers,
jonatha

New Member
Posts: 11
Registered: ‎03-13-2014
Solutions: 1

Re: NAT to another subnet on another router

RouterB has a default gateway of RouterA, RouterC has a default gateway of another Router connected to a different internet provider.

Site 1: Internet-->RouterA--->RouterB

PTP Link RouterB<--->RouterC

Site 2: RouterC--->RouterD--->Internet

So I don't have default gateways pointed as you mentioned, but THANKS for responding!!!

SuperUser
Posts: 7,495
Registered: ‎01-05-2012
Kudos: 1976
Solutions: 981

Re: NAT to another subnet on another router

So, the web server will respond via its default gateway and doesn't use the reverse path. A simple trick could be a SNAT/masquerade rule, but you'll lose the actual source IP address of incoming connections forwarded by router A... Which among A, B and C are EdgeRouters?
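
The return-path problem described in the post above, traced hop by hop as an added example (not part of the original thread and not EdgeOS code). The routing tables are constructed from the topology in the question; the client address 203.0.113.7 and the labels Internet-Site1/Internet-Site2 are assumptions.

```python
import ipaddress

# Constructed routing tables for the thread's topology (assumed, not router output).
# Each entry is (prefix, next hop); the longest matching prefix wins.
ROUTES = {
    "WebServer": [("0.0.0.0/0", "RouterC")],
    "RouterC": [("192.168.10.0/24", "RouterB"), ("0.0.0.0/0", "RouterD")],
    "RouterB": [("192.168.0.0/24", "RouterC"), ("0.0.0.0/0", "RouterA")],
    "RouterA": [("192.168.0.0/24", "RouterB"), ("0.0.0.0/0", "Internet-Site1")],
    "RouterD": [("0.0.0.0/0", "Internet-Site2")],
}
LOCAL = {"192.168.10.1": "RouterA"}  # address owned by RouterA (eth1 in the thread)
CLIENT = "203.0.113.7"               # constructed Internet client address
MASQ_ADDR = "192.168.10.1"           # source address after masquerade out of eth1

def next_hop(node, dst):
    """Longest-prefix match over the node's routing table."""
    ip = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), hop) for p, hop in ROUTES[node]
               if ip in ipaddress.ip_network(p)]
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def reply_path(dst):
    """Hops taken by the web server's reply toward dst."""
    path, node = ["WebServer"], "WebServer"
    while node in ROUTES and LOCAL.get(dst) != node:
        node = next_hop(node, dst)
        path.append(node)
    return path

def forward(masquerade):
    """Client -> RouterA DNAT -> web server; report what the server sees and how it replies."""
    seen_src = MASQ_ADDR if masquerade else CLIENT
    path = reply_path(seen_src)
    # The NAT state for this connection exists only on RouterA, so the reply
    # has to come back through RouterA to be translated and reach the client.
    return {"server_sees": seen_src, "reply_path": path, "works": "RouterA" in path}

if __name__ == "__main__":
    for masq in (False, True):
        print("masquerade" if masq else "DNAT only", forward(masq))
```

With the masquerade rule in place, `server_sees` is RouterA's address for every client, so per-client logging and IP-based rules on the web server no longer see the real source.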

New Member
Posts: 11
Registered: ‎03-13-2014
Solutions: 1

Re: NAT to another subnet on another router

All routers are edgeos routers. Thanks again for taking the time.
