    Secondary WAN IP on Edgerouter

    IT Discussion
    • brandon220

      I have an Edgerouter with some public-facing services behind it. I added another public address to the eth0 interface and NAT rules. I can reach the services behind the router from the secondary WAN IP if I am not on the LAN. If you go to the public IP from the LAN, it brings up the login page for the router itself. I know there is a setting somewhere but I'm not having any luck. Do I need SNAT and DNAT combined to make this work?

      • JaredBusch @brandon220

        @brandon220 said in Secondary WAN IP on Edgerouter:

        Do I need SNAT and DNAT combined to make this work?

        Yes. Let me see if I can pull this out of my ass right quick. If not I'll get it later.

        • JaredBusch

          No access to the GUI from where I am right now. But here is what I have configured to handle something similar.

          In this case,
          eth0 = WAN - 107.182.76.27
          eth1 = LAN1 (10.8.25.0/24) - My network with webservers and stuff 10.8.25.100 = Nginx proxy
          eth2 = LAN2 (10.99.0.0/24) - Friend's network with his own router behind this (yes, he's double NAT'd).

          Friend uses his own DNS and thus when he tries to get to one of my webservers, he attempts to hit the public IP. The router understands this but cannot hairpin because he is on a different LAN than the port-forward rules.

          set port-forward auto-firewall enable
          set port-forward hairpin-nat enable
          set port-forward lan-interface eth1
          ...rules here...
          set port-forward wan-interface eth0

          So I had to make hairpin rules for him. Your setup would be similar.

          Rule 1 (port 443) and rule 2 (port 80) are looking for traffic coming in on eth2 that is destined for the WAN IP and sending the traffic to the Nginx proxy instead.

          set service nat rule 1 description 'Dwarf LAN HTTPS Hairpin'
          set service nat rule 1 destination address 107.182.76.27
          set service nat rule 1 destination port 443
          set service nat rule 1 inbound-interface eth2
          set service nat rule 1 inside-address address 10.8.25.100
          set service nat rule 1 inside-address port 443
          set service nat rule 1 log disable
          set service nat rule 1 protocol tcp
          set service nat rule 1 type destination
          set service nat rule 2 description 'Dwarf LAN HTTP Hairpin'
          set service nat rule 2 destination address 107.182.76.27
          set service nat rule 2 destination port 80
          set service nat rule 2 inbound-interface eth2
          set service nat rule 2 inside-address address 10.8.25.100
          set service nat rule 2 inside-address port 80
          set service nat rule 2 log disable
          set service nat rule 2 protocol tcp
          set service nat rule 2 type destination

          I don't recall why I made masquerade rules (5001 & 5002); I am not sure these are needed. I was significantly not sober when this was implemented.

          set service nat rule 5001 description 'Dwarf LAN HTTPS Hairpin'
          set service nat rule 5001 destination address 10.8.25.100
          set service nat rule 5001 destination port 443
          set service nat rule 5001 log disable
          set service nat rule 5001 outbound-interface eth2
          set service nat rule 5001 protocol tcp
          set service nat rule 5001 source address 10.99.0.0/24
          set service nat rule 5001 type masquerade
          set service nat rule 5002 description 'Dwarf LAN HTTP Hairpin'
          set service nat rule 5002 destination address 10.8.25.100
          set service nat rule 5002 destination port 80
          set service nat rule 5002 log disable
          set service nat rule 5002 outbound-interface eth2
          set service nat rule 5002 protocol tcp
          set service nat rule 5002 source address 10.99.0.0/24
          set service nat rule 5002 type masquerade
          set service nat rule 5999 description 'masquerade for WAN'
          set service nat rule 5999 outbound-interface eth0
          set service nat rule 5999 type masquerade

          No firewall rules at this time. I still need to implement that to keep his stuff off my network except for the proxy. Maybe I'll go drink with him tonight and do that.
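          The thread leaves one question half-answered: when is the masquerade rule actually needed alongside the hairpin DNAT rule? The following Python model is an added example, not EdgeOS code and not anything the posters configured; it imitates the order in which EdgeOS evaluates `type destination` and `type masquerade` rules for a single connection and then asks whether the server's reply can still pass back through the router. It uses the topology from the post above (eth1 = 10.8.25.0/24 with the proxy at 10.8.25.100, eth2 = 10.99.0.0/24, WAN 107.182.76.27) and assumes router LAN addresses of 10.8.25.1 and 10.99.0.1, a placeholder secondary WAN IP 203.0.113.10 (TEST-NET-3) for the original poster's case, and constructed client addresses; connection tracking and firewall rules are deliberately left out.

```python
"""Why a hairpin DNAT rule sometimes also needs a masquerade (SNAT) rule.

Added example modelling the EdgeOS 'service nat' decisions for one
connection.  Addresses marked 'assumed' or 'placeholder' are constructed.
"""
import ipaddress
from dataclasses import dataclass

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Iface:
    name: str
    subnet: Net
    router_ip: IPv4  # the router's own address on that segment


@dataclass(frozen=True)
class Dnat:  # set service nat rule N type destination
    inbound_interface: str
    destination: IPv4
    port: int
    inside_address: IPv4


@dataclass(frozen=True)
class Masq:  # set service nat rule N type masquerade
    outbound_interface: str
    source: Net
    destination: IPv4
    port: int


class Router:
    def __init__(self, ifaces, dnat, masq):
        self.ifaces = {i.name: i for i in ifaces}
        self.dnat, self.masq = list(dnat), list(masq)

    def iface_for(self, ip):
        """Directly connected interface for an address, or None."""
        return next((i for i in self.ifaces.values() if ip in i.subnet), None)

    def hairpin(self, client_ip, public_ip, port):
        """Trace a LAN client's connection to a public IP; return the outcome."""
        client_ip, public_ip = IPv4(client_ip), IPv4(public_ip)
        ingress = self.iface_for(client_ip)
        # 1. DNAT: first 'destination' rule on the inbound interface that matches
        dnat = next((r for r in self.dnat
                     if r.inbound_interface == ingress.name
                     and r.destination == public_ip and r.port == port), None)
        if dnat is None:
            # the public IP is bound to the router itself, so the router answers
            # (this is the 'login page for the router' symptom)
            return "router-gui"
        server = dnat.inside_address
        egress = self.iface_for(server)
        # 2. masquerade on the egress interface rewrites the source address
        src = client_ip
        for m in self.masq:
            if (m.outbound_interface == egress.name and client_ip in m.source
                    and m.destination == server and m.port == port):
                src = egress.router_ip
                break
        # 3. reply path: the server answers to `src`.  If `src` is on its own
        #    subnet it delivers at layer 2, so the router never un-translates
        #    the reply and the client sees it come from the server's LAN IP.
        if src in egress.subnet and src != egress.router_ip:
            return "broken-asymmetric"
        return "ok-via-router"


ETH1 = Iface("eth1", Net("10.8.25.0/24"), IPv4("10.8.25.1"))  # router IP assumed
ETH2 = Iface("eth2", Net("10.99.0.0/24"), IPv4("10.99.0.1"))  # router IP assumed
PROXY = IPv4("10.8.25.100")
WAN = IPv4("107.182.76.27")
WAN2 = IPv4("203.0.113.10")  # placeholder secondary WAN IP (TEST-NET-3)


def scenarios():
    """Outcome of each configuration variant discussed in the thread."""
    eth2_rule = Dnat("eth2", WAN, 443, PROXY)          # post's rule 1
    eth1_rule = Dnat("eth1", WAN2, 443, PROXY)         # hairpin for the OP's LAN
    eth1_masq = Masq("eth1", ETH1.subnet, PROXY, 443)  # SNAT for same-LAN clients
    return {
        # friend's LAN (eth2) -> proxy on eth1: different subnet, reply routes back
        "other-lan-dnat-only": Router([ETH1, ETH2], [eth2_rule], []).hairpin("10.99.0.20", WAN, 443),
        # OP's LAN client hitting the secondary IP with no hairpin rule at all
        "same-lan-no-dnat": Router([ETH1, ETH2], [eth2_rule], []).hairpin("10.8.25.50", WAN2, 443),
        # hairpin DNAT alone: server replies directly on the LAN, bypassing the router
        "same-lan-dnat-only": Router([ETH1, ETH2], [eth1_rule], []).hairpin("10.8.25.50", WAN2, 443),
        # DNAT plus masquerade: reply is forced back through the router
        "same-lan-dnat-masq": Router([ETH1, ETH2], [eth1_rule], [eth1_masq]).hairpin("10.8.25.50", WAN2, 443),
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name:22} {outcome}")
```

          The model reproduces what the post observed: a client on a different LAN (eth2) only needs the DNAT rule, because its reply has to cross the router anyway, so rules 5001 and 5002 are not doing anything for that path. A client on the same LAN as the server (the original poster's situation) needs both: without the DNAT rule the router's own GUI answers, and with DNAT alone the proxy replies straight to the client from 10.8.25.100, which the client rejects because it opened the connection to the public IP. Masquerading that flow to the router's eth1 address is what makes the reply path symmetric.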
