RUTX 1-to-1 NAT: Difference between revisions
m (Made corrections for the title's formatting)
(Added images for the IP settings)
Revision as of 21:25, 31 March 2022
Introduction
1-to-1 NAT is a mode of NAT which maps one external address to one internal address. This article contains step-by-step instructions on how to configure a 1-to-1 NAT between a LAN device and a WAN interface on RUTX devices. This setup can be useful for applications such as exposing email servers to the internet, while preserving private communication in the LAN network.
Prerequisites
- Any device which acts as a Server
- A RUTX device
- A computer to configure the Router
Configuration Scheme
Overview
This configuration makes use of a source and destination NAT to allow connectivity through the device’s WAN IP address, and it forwards all traffic from all ports to the LAN device. Please be aware that this approach exposes the server completely to the WAN, nullifying any firewall rules which are imposed over the WAN interface, so be cautious.
Configuring Static IP addresses for the devices
In this scenario, we will need static IP addresses both for LAN and WAN, as we will create static rules between the two.
First, we will configure a static IP address for the LAN and a static IP address for the WAN interface, as well as for the computer involved in the setup.
For this scenario, on the LAN side the IP addresses are the following:
- Router's gateway: 192.168.1.1/24
- Server: 192.168.1.2/24
From the WAN side, the IP addresses are the following:
- Router's WAN IP address: 192.168.2.1/24
- Computer's IP address: 192.168.2.2/24
In order to edit the WAN IP address of the device, you will need to go to Network → Interfaces and then click on the Edit button for the WAN connection.
After clicking on Edit, a new window will open. Here, you will need to click on DHCP as shown in point 1, and then click on Static, as shown in point 2.
Next, fill in the IP address field with 192.168.2.1 and the netmask field with 255.255.255.0.
Finally, click on the Save & Apply button to save the changes.
Once you have set up the IP addresses for the devices, you can continue over to the next step.
Configuring Custom Rules for the NAT
Custom rules are needed to set up two-way NAT forwarding. This means that all traffic arriving at the WAN IP will be forwarded to the LAN device, and the LAN device's outgoing traffic will be rewritten so that it appears to come from the WAN IP.
In turn, this makes the LAN server reachable through the WAN interface on every possible port, while it also remains reachable from other LAN devices. This also exposes the LAN device completely to the WAN, so check which ports are open on the device, as this forwarding nullifies the Firewall rules which apply to the WAN interface.
After setting the static IP addresses, you must head to Network → Firewall → Custom Routes to add the following custom rules.
The general form of these custom rules is:
iptables -t nat -I PREROUTING -d [ROUTER'S_WAN_IP] -j DNAT --to-destination [SERVER'S_LAN_IP]
iptables -t nat -I POSTROUTING -s [SERVER'S_LAN_IP] -j SNAT --to-source [ROUTER'S_WAN_IP]
After saving and applying the rules, the end-user should be able to reach the LAN device when connecting to the WAN interface, which in this case is 192.168.2.1, through every available port.
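Because these rules bypass the WAN firewall for the mapped host, it helps to be able to spot them in a running ruleset. The following added example (not part of the original article or the vendor's code) parses `iptables-save -t nat` style output and reports every DNAT rule that has no protocol or port match, together with whether the matching return SNAT rule exists. The sample ruleset is constructed from this article's addresses; the 192.168.1.10 port forward is an assumed contrast case.

```python
import shlex

# Constructed sample in `iptables-save -t nat` format: the two rules from this
# article with its example addresses, plus one port-restricted forward (assumed).
SAMPLE = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 192.168.2.1/32 -j DNAT --to-destination 192.168.1.2
-A PREROUTING -d 192.168.2.1/32 -p tcp -m tcp --dport 8443 -j DNAT --to-destination 192.168.1.10:443
-A POSTROUTING -s 192.168.1.2/32 -j SNAT --to-source 192.168.2.1
COMMIT
"""

OPTS = {"-d": "dst", "-s": "src", "-p": "proto", "-j": "target", "--dport": "dport",
        "--to-destination": "to_dst", "--to-source": "to_src"}

def parse_rule(line):
    """Turn one '-A CHAIN ...' line into a dict of the options we care about."""
    tokens = shlex.split(line)
    rule = {"chain": tokens[1]}
    for i, tok in enumerate(tokens[:-1]):
        if tok in OPTS:
            value = tokens[i + 1]
            # iptables-save prints single hosts as x.x.x.x/32; normalise that.
            rule[OPTS[tok]] = value[:-3] if value.endswith("/32") else value
    return rule

def find_full_exposure(ruleset):
    """Return (wan_ip, lan_ip, has_return_snat) for each DNAT rule that forwards
    every protocol and port of one destination address to one internal host."""
    rules = [parse_rule(l) for l in ruleset.splitlines() if l.startswith("-A ")]
    snat = {(r.get("src"), r.get("to_src")) for r in rules if r.get("target") == "SNAT"}
    findings = []
    for r in rules:
        unrestricted = "proto" not in r and "dport" not in r
        if r.get("target") == "DNAT" and unrestricted and "dst" in r:
            findings.append((r["dst"], r.get("to_dst"), (r.get("to_dst"), r["dst"]) in snat))
    return findings

if __name__ == "__main__":
    for wan, lan, paired in find_full_exposure(SAMPLE):
        print(f"{wan} -> {lan}: all ports/protocols forwarded; return SNAT present: {paired}")
```

Any host reported here should be reviewed for listening services, since the WAN-side firewall rules no longer filter traffic to it.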