Zack,

As I was forming a reply -- I noticed that the two inbound NAT entries in fact have the same destination IP (external IP) listed -- rather than being defined for separate IP addresses -- and therefore Vyatta is working just as it should, due to my error.
Stan

On Mon, Aug 17, 2009 at 7:12 PM, Zack Colgan <[email protected]> wrote:
> Stanley,
>
> On 08/17/2009 02:40 PM, Stanley Brinkerhoff wrote:
> > Now you've done it Rion.
> >
> > Do you have experience with Vyatta? I am having an issue with multiple IPs
> > bound to a single interface and port based nat/routing within Vyatta -- and
> > haven't sat down to try and figure them out. Basically I have 5 IPs bound
> > to the adapter, and I can bind 1.1.1.1:80 to 192.168.1.1:80, but if I bind
> > 1.1.1.2:80 to 192.168.1.2:80, it appears to still route to 1.1.1.1:80..
> > almost as if Vyatta can't actually do a destination based (IP+PORT) route,
> > but rather interface+port.
>
> I have some experience with Vyatta, handling two Internet connections
> with plenty of DNAT and SNAT with multiple IPs bound to each interface.
> For example, I have something like this in the NAT section to bind
> those public IPs to the internal addresses:
>
> rule 10 {
>     destination {
>         address 1.1.1.1
>     }
>     inbound-interface eth0
>     inside-address {
>         address 192.168.1.1
>     }
>     type destination
> }
> rule 11 {
>     destination {
>         address 1.1.1.2
>     }
>     inbound-interface eth0
>     inside-address {
>         address 192.168.1.2
>     }
>     type destination
> }
>
> Then these firewall rules to only allow the ports I want:
>
> rule 10 {
>     action accept
>     destination {
>         address 1.1.1.1
>         port 80
>     }
>     protocol tcp
> }
> rule 11 {
>     action accept
>     destination {
>         address 1.1.1.2
>         port 80
>     }
>     protocol tcp
> }
>
> Then those firewall rules (part of a set called Internet2Internal) would
> then be bound to the interface:
>
> ethernet eth0 {
>     address 1.1.1.1/24
>     address 1.1.1.2/24
>     firewall {
>         in {
>             name Internet2Internal
>         }
>     }
> }
>
>
> -Zack
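The mistake Stan found (two destination NAT rules on the same inbound interface with the same external address, so the later rule can never match) is easy to catch before committing a config. The script below is an added example, not code from this thread or from Vyatta; it parses the brace-delimited syntax shown in Zack's reply and flags any destination-NAT rule whose match tuple (inbound interface, destination address, destination port) repeats an earlier rule. It assumes Vyatta evaluates NAT rules in ascending rule number and stops at the first match; the sample config is constructed to reproduce the duplicate-address error.

```python
# Constructed sample in Vyatta's NAT config syntax. Rules 10 and 11 both
# match destination 1.1.1.1 on eth0 (the error from the thread); rule 12 is fine.
SAMPLE_NAT = """
rule 10 {
    destination {
        address 1.1.1.1
    }
    inbound-interface eth0
    inside-address {
        address 192.168.1.1
    }
    type destination
}
rule 11 {
    destination {
        address 1.1.1.1
    }
    inbound-interface eth0
    inside-address {
        address 192.168.1.2
    }
    type destination
}
rule 12 {
    destination {
        address 1.1.1.3
    }
    inbound-interface eth0
    inside-address {
        address 192.168.1.3
    }
    type destination
}
"""


def parse_block(lines, i=0):
    """Parse brace-delimited config lines into nested dicts.

    Returns (node, next_index). A line ending in '{' opens a child block
    keyed by the text before the brace (e.g. 'rule 10'); a bare '}' closes
    the current block; anything else is a 'key value' leaf.
    """
    node = {}
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line:
            continue
        if line == "}":
            return node, i
        if line.endswith("{"):
            key = line[:-1].strip()
            child, i = parse_block(lines, i)
            node[key] = child
        else:
            parts = line.split(None, 1)
            node[parts[0]] = parts[1] if len(parts) > 1 else ""
    return node, i


def parse_config(text):
    """Parse a whole config fragment into a dict keyed by top-level stanza."""
    node, _ = parse_block(text.splitlines())
    return node


def shadowed_dnat_rules(text):
    """Return (rule, earlier_rule, address) for every destination-NAT rule
    whose match tuple repeats an earlier rule on the same inbound interface.

    Assumption: rules are evaluated in ascending number, first match wins,
    so the later rule in each pair is dead and its inside-address is never used.
    """
    cfg = parse_config(text)
    rules = []
    for key, body in cfg.items():
        if key.startswith("rule ") and isinstance(body, dict):
            rules.append((int(key.split()[1]), body))
    rules.sort(key=lambda r: r[0])

    seen = {}       # match tuple -> first rule number that claimed it
    findings = []
    for number, body in rules:
        if body.get("type") != "destination":
            continue
        dest = body.get("destination", {})
        if not isinstance(dest, dict):
            continue
        match = (body.get("inbound-interface"), dest.get("address"), dest.get("port"))
        if match in seen:
            findings.append((number, seen[match], dest.get("address")))
        else:
            seen[match] = number
    return findings


if __name__ == "__main__":
    for rule, earlier, addr in shadowed_dnat_rules(SAMPLE_NAT):
        print(f"rule {rule} never matches: rule {earlier} already claims destination {addr}")
```

Feed it the output of `show nat` (or the saved config file) and an empty result means every inbound rule has a distinct external address, port or interface; port-only distinctions only count if the NAT rule itself carries a `port` under `destination`, which Zack's rules leave to the firewall set.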
