0

My Linux-based router has 5 Ethernet ports. It is currently acting as a router between ports 1 & 2 and the dedicated WAN port, without NAT. Port 1 is 192.168.1.1/24, port 2 is 192.168.2.1/24, WAN port is 192.168.0.1/24.

The outgoing WAN connection goes through a logging device that keeps track of usage, then goes through a second home router that does NAT, and uses a public IP on its WAN port.

To simplify, the network is as follow, with the IP prefix 192.168.-:

server1--------Router1--------Logging device--------Router2----------
   .1.2      .1.1  .0.1                           .0.254  (public ip)

Router1 configuration works well (that's a simple router), Router2 as well (that's a simple gateway). However I would like to remove Router2, and have my NAT done between ports 3 & 4 of Router1, with port4 using my real public IP.

Would that be feasible? I would like to maintain strict isolation between ports 1-2-WAN and 3-4, to make sure all traffic goes through the logging device (with its original IP source address).

Would Transparent bridging be the solution? Could I apply source NAT to this bridge? Is the IP addressing done well?

Improve this question
1
  • This looks like a job for iptables.
    – lzam
    Commented Sep 5, 2014 at 12:13

1 Answer 1

Reset to default
0

Assuming your 5 ethernet ports on router1 are named eth0 - eth4, hence having the WAN on eth3:

iptables -t nat -A POSTROUTING --source 192.168.1.0/24 --out-interface eth3 -j MASQUERADE
iptables -t nat -A POSTROUTING --source 192.168.2.0/24 --out-interface eth3 -j MASQUERADE

If you have a fixed IP as your public IP address then replace "-j MASQUERADE" with "-j SNAT --to-source $PUBLIC_IP" (of course replace $PUBLIC_IP with your WAN address!).

Of course you will need to set your default route to eth3, but that wasn't part of the question. You'll also want to firewall incoming traffic into the public IP address.

Improve this answer
5
  • Thanks Paul for your answer. If I set my default route to eth3, traffic coming from port 1&2 (eth0 & eth1) will be routed directly to eth3 (what I called port 4), and the logging device will be bypassed. Can I avoid that?
    – user1766244
    Commented Sep 5, 2014 at 12:49
  • The logging device can't be used between router1 and the WAN? What exactly do you want to have logged? iptables also offers logging.
    – wurtel
    Commented Sep 5, 2014 at 13:21
  • The logging device needs to log before the NAT, to know the private IP associated with the packets. It also has a few other roles (DPI, IDS, SSL interception...) that I cannot do on Router1.
    – user1766244
    Commented Sep 5, 2014 at 13:31
  • I'm afraid that then you can't do without the second router, you can't send packets out of one interface and expect them to be accepted into another interface and then forward them out again through a third interface. Well, perhaps with weird policy-based routing and fw marks but that doesn't make it simpler to manage than a separate second router.
    – wurtel
    Commented Sep 5, 2014 at 13:49
  • I get that that's not very standard ("weird policy-based routing and fw marks" sounds OK to me ;), that's the kind of answer I was expecting!), but using a single router offers several other benefits... cost, energy consumption, space, maintenance, security surface. I will start by taking a look at policy-based routing, thanks for the suggestion!
    – user1766244
    Commented Sep 5, 2014 at 14:01

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .