NAT Help

Here is my situation (hypothetically).

  1. I have several vlans.

  2. One vlan has a server delivering http content over a nonstandard port (8080, let’s say).

  3. I want hosts on the same vlan as that server to use 8080 while accessing it.

  4. I want hosts on all other vlans and the internet to access it using port 80.

  5. I can achieve this with outbound NAT rules on the WAN interface and each of the other vlans, but I’d rather accomplish it with a single NAT rule on the server’s vlan (inbound rule, I’m assuming?).

I have never really messed with source NAT rules (other than masquerade for a gateway), so I’m not sure how they work. I tried to make it look like the outbound rule reversed, but that didn’t work.

I’m configuring this on a Ubiquiti Edgerouter, but I’m pretty sure I’m just missing it conceptually…

Conceptually, "I'd rather accomplish it with a single NAT rule on the server's vlan" is DNAT, and you would use the PREROUTING chain of the nat table. If your server's vlan is 10.0.0.0/24, you say: anything with a source address other than 10.0.0.0/24, destined for your server's IP on tcp port 80, forward that to port 8080. If you want an iptables example, assuming your server's IP is 10.0.0.1:

 iptables -t nat -A PREROUTING ! -s 10.0.0.0/24 -d 10.0.0.1 -p tcp --dport 80 -j DNAT --to-destination 10.0.0.1:8080

I can’t speak intelligently on how that command translates to an edgeos gui.

Edit: A simpler solution may be to have your server listen on both ports.

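The DNAT rule from the answer above, packaged as a small script so the pieces that matter are visible together. This is an added example, not code from the original post or from Ubiquiti; it assumes the same hypothetical values (server vlan 10.0.0.0/24, server 10.0.0.1, real service on tcp/8080, published on tcp/80) and plain Linux iptables rather than the EdgeOS configuration tree. It adds the one thing the single PREROUTING rule does not cover on its own: if the router's FORWARD policy is restrictive, the accept must match the rewritten port (8080), because FORWARD sees the packet after DNAT has already happened.

```bash
#!/bin/sh
# Added example, not from the original post. Hypothetical values; override
# via the environment (SERVER_NET=... SERVER_IP=... ./dnat.sh).
SERVER_NET="${SERVER_NET:-10.0.0.0/24}"   # the server's own vlan
SERVER_IP="${SERVER_IP:-10.0.0.1}"        # the http server
PUBLIC_PORT="${PUBLIC_PORT:-80}"          # what other vlans and the internet use
REAL_PORT="${REAL_PORT:-8080}"            # what the server actually listens on

# One rule in the nat table's PREROUTING chain, i.e. before the routing
# decision. Anything NOT sourced from the server's vlan, addressed to the
# server on tcp/80, has its destination rewritten to tcp/8080. Hosts on the
# server's own vlan are excluded by '! -s' and keep using 8080 directly;
# conntrack reverses the translation on the reply packets automatically.
dnat_rule() {
    printf 'iptables -t nat -A PREROUTING ! -s %s -d %s -p tcp --dport %s -j DNAT --to-destination %s:%s' \
        "$SERVER_NET" "$SERVER_IP" "$PUBLIC_PORT" "$SERVER_IP" "$REAL_PORT"
}

# The filter table's FORWARD chain runs after PREROUTING, so it sees the
# already-rewritten destination. With a default-DROP forward policy the
# accept has to name the real port, not the public one.
forward_rule() {
    printf 'iptables -A FORWARD -d %s -p tcp --dport %s -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT' \
        "$SERVER_IP" "$REAL_PORT"
}

# Command to confirm the rule landed and is seeing packets (counters).
show_rules() {
    printf 'iptables -t nat -L PREROUTING -n -v --line-numbers'
}

# Dry-run by default: print the commands so they can be reviewed.
# APPLY=1 executes them (needs root on the router).
apply_rules() {
    for cmd in "$(dnat_rule)" "$(forward_rule)" "$(show_rules)"; do
        if [ "${APPLY:-0}" = 1 ]; then
            sh -c "$cmd"
        else
            echo "$cmd"
        fi
    done
}

apply_rules
```

Why the `! -s 10.0.0.0/24` exclusion matters beyond matching the stated requirement: a client on the server's own vlan that hit this rule would have its packet rewritten by the router, but the server would answer the client directly on the shared vlan, bypassing the router and breaking the translation. Making such hairpin traffic work needs an additional SNAT (masquerade) rule so replies return via the router; clients on other vlans and the internet do not need it because their replies are routed back through the router anyway.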