How to NAT between 2 network interfaces without impacting routing

0

My Linux-based router has 5 Ethernet ports. It is currently acting as a router between ports 1 & 2 and the dedicated WAN port, without NAT. Port 1 is 192.168.1.1/24, port 2 is 192.168.2.1/24, WAN port is 192.168.0.1/24.

The outgoing WAN connection goes through a logging device that keeps track of usage, then goes through a second home router that does NAT, and uses a public IP on its WAN port.

To simplify, the network is as follow, with the IP prefix 192.168.-:

server1--------Router1--------Logging device--------Router2----------
   .1.2      .1.1  .0.1                           .0.254  (public ip)

Router1 configuration works well (that's a simple router), Router2 as well (that's a simple gateway). However I would like to remove Router2, and have my NAT done between ports 3 & 4 of Router1, with port4 using my real public IP.

Would that be feasible? I would like to maintain strict isolation between ports 1-2-WAN and 3-4, to make sure all traffic goes through the logging device (with its original IP source address).

Would Transparent bridging be the solution? Could I apply source NAT to this bridge? Is the IP addressing done well?

user1766244

Posted 2014-09-05T11:39:12.023

Reputation: 1

This looks like a job for iptables.

– lzam – 2014-09-05T12:13:35.697

Answers

0

Assuming your 5 ethernet ports on router1 are named eth0 - eth4, hence having the WAN on eth3:

iptables -t nat -A POSTROUTING --source 192.168.1.0/24 --out-interface eth3 -j MASQUERADE
iptables -t nat -A POSTROUTING --source 192.168.2.0/24 --out-interface eth3 -j MASQUERADE

If you have a fixed IP as your public IP address then replace "-j MASQUERADE" with "-j SNAT --to-source $PUBLIC_IP" (of course replace $PUBLIC_IP with your WAN address!).

Of course you will need to set your default route to eth3, but that wasn't part of the question. You'll also want to firewall incoming traffic into the public IP address.

wurtel

Posted 2014-09-05T11:39:12.023

Reputation: 1 359

Thanks Paul for your answer. If I set my default route to eth3, traffic coming from port 1&2 (eth0 & eth1) will be routed directly to eth3 (what I called port 4), and the logging device will be bypassed. Can I avoid that? – user1766244 – 2014-09-05T12:49:20.993

The logging device can't be used between router1 and the WAN? What exactly do you want to have logged? iptables also offers logging. – wurtel – 2014-09-05T13:21:22.173

The logging device needs to log before the NAT, to know the private IP associated with the packets. It also has a few other roles (DPI, IDS, SSL interception...) that I cannot do on Router1. – user1766244 – 2014-09-05T13:31:27.873

I'm afraid that then you can't do without the second router, you can't send packets out of one interface and expect them to be accepted into another interface and then forward them out again through a third interface. Well, perhaps with weird policy-based routing and fw marks but that doesn't make it simpler to manage than a separate second router. – wurtel – 2014-09-05T13:49:45.723

I get that that's not very standard ("weird policy-based routing and fw marks" sounds OK to me ;), that's the kind of answer I was expecting!), but using a single router offers several other benefits... cost, energy consumption, space, maintenance, security surface. I will start by taking a look at policy-based routing, thanks for the suggestion! – user1766244 – 2014-09-05T14:01:30.753

Asked: 2014-09-05T11:39:12.023

Viewed: 2 450 times

Active: 2020-01-18T20:01:30.177