Masquerading NAT?

We have a block of 16 ipv4 public addresses.

Our network has various LANS and a couple of DMZ's.

Our main DMZ has 4 servers sitting within it, each with its own public IP NATting to it.

How do you set up masquerading for this? Is it simply:

DMZ Server A > WAN (public address A)

DMZ Server B > WAN (public address B)

DMZ Server C > WAN (public address C) etc.

  • I think you're best off using NATting as Bob mentioned; however, I think you can also use masquerading. You don't need to masquerade an entire net, but you can also masquerade a single host to an additional address. If you do use this then make sure this masq. rule is higher on the list than the masq. rule for the entire subnet, otherwise it will already be valid on the subnet masq. rule.


    Managing several Sophos UTMs and Sophos XGs both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

    Sometimes I post some useful tips on my blog, see blog.pijnappels.eu/category/sophos/ for Sophos related posts.

  • Thanks for the replies. I'm not doing this of course, I'm just trying to understand how the UTM works with natting.

    So if I have a LAN masqueraded as above and I then DNAT to a server on it using an additional address, what IP will the server reply on? The masqueraded IP or the DNAT'd IP?

  • It will usually reply on the masq. IP. 


  • Thanks for the replies guys.

    To clarify:

    I have a WAN IP 1.1.1.1. It has 5 additional IPs, 1.1.1.2 - 1.1.1.6.

    I have 2 web servers on the LAN:

    Web 1 = 192.168.1.1
    Web 2 = 192.168.1.2

    I have multiple clients on the same subnet that the above web servers are on (not ideal, I know).
    These clients, 192.168.1.100 - 200, masquerade from LAN to WAN on 1.1.1.1 to reach the internet and browse.

    I now want the web servers to be exposed to the internet, and I want them to come from the address they are exposed on, e.g. 1.1.1.2 and 1.1.1.3, rather than 1.1.1.1 (the masq IP).

    So, I create 2x DNAT:

    1.1.1.2 http >>> 192.168.1.1 (web 1)
    1.1.1.3 http >>> 192.168.1.2 (web 2)

    Now bear in mind that anything on 192.168.1.0/24 masqs to 1.1.1.1 (the web servers are on this subnet as well as the clients).

    It has been stated above that the web servers will reply on 1.1.1.1 (the masq IP) rather than the DNAT'd IPs.

    So, how do you get the web servers to reply on the DNAT'd IPs rather than the masqueraded IP?

  • I believe you can make additional MASQ rules (put before the general 192.168.1.0/24!!!).

    These should look like:

    192.168.1.1/32 MASQ to 1.1.1.2
    192.168.1.2/32 MASQ to 1.1.1.3
    192.168.1.0/24 MASQ to 1.1.1.1

    If in this order, both servers will first find the /32 masq rule and I believe this will apply; other hosts will not match the /32 rules and will only match the /24 MASQ.


  • If I understand Louis' question correctly, the connection tracker will send the response from the public IP in the DNAT.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I don't think you can count on ordering masq rules in WebAdmin.  If that were the developer's intent, I think the rules would have been numbered (an "ordered" list) - that's a basic thing in the WebAdmin "culture."  In other words, your suggestion might work in some cases, but not in others.

    Cheers - Bob

  • In that case then why is it possible to adjust the "position" when editing Masq. rules?

    Also the online help says the following on masquerading:

    Position: The position number, defining the priority of the rule. Lower numbers have higher priority. Rules are matched in ascending order. Once a rule has matched, rules with a higher number will not be evaluated anymore.


  • "rules with a higher number" - masq rules don't have numbers...

    Wait!  They do!  They're just not displayed.  I looked at an Edit of a Masq rule and there are numbers.

    I'm not sure when that was changed (it was in V9.2 in early 2014).  I never noticed it because I've always used SNATs for exceptions to the IP used for a particular subnet.  Now, I need to reevaluate that standard...

    This would let you stop using SNAT unless the port needs to change, making the list of NAT rules shorter and more consistent.  Those advantages would seem to outweigh the disadvantage of a longer list of masq rules.

    Position-sensitive masq rules rule!

    Cheers - Bob

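To make the two behaviours discussed in this thread concrete, here is an added model (not Sophos code, and not from any poster) of first-match masquerading in ascending position order and of connection-tracked DNAT replies. It uses the example addresses from the thread; the client address 203.0.113.5 and the rule/function names are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class MasqRule:
    position: int                   # lower number = higher priority (per the online help)
    network: ipaddress.IPv4Network  # source network the rule matches
    to_addr: str                    # public address the source is rewritten to

@dataclass
class DnatRule:
    public_addr: str
    dport: int
    internal_addr: str

# Constructed rule set mirroring the thread: /32 exceptions placed before the /24 rule.
MASQ_RULES: List[MasqRule] = [
    MasqRule(1, ipaddress.ip_network("192.168.1.1/32"), "1.1.1.2"),
    MasqRule(2, ipaddress.ip_network("192.168.1.2/32"), "1.1.1.3"),
    MasqRule(3, ipaddress.ip_network("192.168.1.0/24"), "1.1.1.1"),
]
DNAT_RULES: List[DnatRule] = [
    DnatRule("1.1.1.2", 80, "192.168.1.1"),
    DnatRule("1.1.1.3", 80, "192.168.1.2"),
]

# Connection-tracker entry: (client, client_port, public_addr, dport) -> internal server
Conntrack = Dict[Tuple[str, int, str, int], str]

def masq_source(src_ip: str, rules: List[MasqRule]) -> Optional[str]:
    """Outbound new flow: rules are evaluated in ascending position, first match wins."""
    addr = ipaddress.ip_address(src_ip)
    for rule in sorted(rules, key=lambda r: r.position):
        if addr in rule.network:
            return rule.to_addr
    return None  # no masq rule: packet leaves with its private source address

def inbound(ct: Conntrack, client: str, cport: int, public_addr: str, dport: int) -> Optional[str]:
    """Inbound packet to a public address: apply DNAT and record the flow in the tracker."""
    for r in DNAT_RULES:
        if r.public_addr == public_addr and r.dport == dport:
            ct[(client, cport, public_addr, dport)] = r.internal_addr
            return r.internal_addr
    return None

def reply_source(ct: Conntrack, server: str, client: str, cport: int, dport: int) -> Optional[str]:
    """Reply of a tracked DNAT flow is un-NATed to the DNAT public address; masq is not consulted."""
    for (c, cp, pub, dp), internal in ct.items():
        if (c, cp, dp, internal) == (client, cport, dport, server):
            return pub
    return masq_source(server, MASQ_RULES)  # untracked flow: treated as new outbound traffic
```

Swapping the /24 rule to position 1 makes the web servers leave as 1.1.1.1, which is the ordering problem the thread warns about; DNAT'd replies are unaffected either way.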