I have a Welding machine that has 2 internal devices with IP’s in the 192.168.10.x/24 range. The subnet of the building is in the 10.23.0.x range. Our Engineers would like to be able to connect to and manage the devices. Can the internal device at 192.168.10.x be mapped to a 10.23.0.x address with a 1:1 NAT so our engineers can connect to it by a 10.23.0.x address? If possible, what are the steps to configure.
Hello,
Yes, this should be possible with iptables (firewall) rules. Please take a look at our wiki page here, as well as these forum posts here and here for reference.
Let me know if you encounter any issues!
Kind Regards,
Thank you for the references. I am looking to do exactly what is shown in the picture below.
Do I need to assign an address to the WAN interface and LAN interfaces?
Hello,
Yes, it’s necessary to assign IP addresses to both the WAN and LAN interfaces for the network to function properly. The NETMAP rules, as discussed in the linked topics, are utilized to modify the source and destination IP addresses of the data packets.
For your specific situation, you should set up a rule to change the destination IP of incoming packets from 10.23.0.X to 192.168.10.X. Here, while the ‘X’ remains constant, the network segment of the IP address needs to be rewritten. Then, a second rule should be created to adjust the source IP from 192.168.10.X back to 10.23.0.X for the outgoing packets. This makes sure that other devices on different networks can know where the data came from and where to send the data back to. So these rules can be used to logically map 10.23.0.X and 192.168.10.X IP addresses.
Kind Regards,
I thought NETMAP rules were for an entire subnet, not single IP addresses. I would like to do what is shown in the picture. What would be the iptables commands to make it happen?
Hello,
Yes, you can use NETMAP for an entire subnet. You define the mask, for example /24, in the rules. In this case:
- 10.23.0.5 → 192.168.10.5
- 10.23.0.10 → 192.168.10.10
- 10.23.0.150 → 192.168.10.150
And so on. The last host part will persist, and the first 24 bits (netmask) will change.
Kind Regards,
How would I set this up?
Hello,
Configure LAN network to be in 192.168.10.0/24 subnet. For this, edit the LAN interface in Network → LAN.
By default, the WAN interface will obtain an IP address via DHCP. If your network requires you to set a static IP address on the WAN interface, you can do so by editing your WAN interface in Network → WAN.
Now, you can add the NETMAP rules to Network → Firewall → Custom rules. The rules should look like this:
iptables -t nat -I PREROUTING -d 10.23.0.0/24 -i eth1 -j NETMAP --to 192.168.10.0/24
iptables -t nat -I POSTROUTING -s 192.168.10.0/24 -o eth1 -j NETMAP --to 10.23.0.0/24
Note: the physical eth1 interface is the logical WAN interface. Use eth1 in these rules for WAN.
Of course, the other routers in the network need to have a route to the 10.23.0.0/24 network via the WAN port of the RUT300. Then, when packets arrive on the WAN interface of the RUT300, they will be sent to the device on the 192.168.10.0/24 network in LAN. For instance, a packet received on the WAN interface for the 10.23.0.3 device will be forwarded to the 192.168.10.3 device in the LAN of the RUT300.
Also, if your LAN devices use static IP addresses and do not use DHCP, then make sure that they have a default gateway configured towards the RUT300 (the LAN IP of the RUT300).
Kind Regards,
Thank you. I don't want to use this for the entire subnet, only these 2 addresses; I have many other devices on the 10.23.0.x network. Again, I am trying to mimic the picture I posted, just a 1 to 1 mapping:
10.23.0.14 → 192.168.10.70
10.23.0.15 → 192.168.10.71
Would this work:
iptables -t nat -A (or -I) PREROUTING -d 10.23.0.14 -j DNAT --to-destination 192.168.10.70
iptables -t nat -A (or -I) POSTROUTING -s 192.168.10.70 -j SNAT --to-source 10.23.0.14
iptables -t nat -A (or -I) PREROUTING -d 10.23.0.15 -j DNAT --to-destination 192.168.10.71
iptables -t nat -A (or -I) POSTROUTING -s 192.168.10.71 -j SNAT --to-source 10.23.0.15
Hello,
The rules look fine. As long as the router receives packets with these destination IPs, it should forward them.
Kind Regards,
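As an added example (not from the thread, and not Teltonika's own code), a small POSIX shell script that generates the 1:1 DNAT/SNAT rule pairs for the two mappings discussed above. It adds the WAN interface match (eth1, as stated earlier in the thread) so that only packets arriving from, or leaving towards, the 10.23.0.0/24 side are rewritten, and it validates each address before emitting a rule; the function names, the MAPPINGS list format and the use of -I are my own choices.

```shell
#!/bin/sh
# Generate 1:1 NAT rule pairs (DNAT on the way in, SNAT on the way out)
# for a list of "public=internal" address pairs. The mappings are the two
# from the thread; WAN_IF is the physical WAN interface named in the thread.
WAN_IF="eth1"
MAPPINGS="10.23.0.14=192.168.10.70
10.23.0.15=192.168.10.71"

# valid_ipv4 ADDR -> exit status 0 if ADDR is a dotted quad with octets 0-255
valid_ipv4() {
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# nat_rules_for PUBLIC INTERNAL -> prints the DNAT and SNAT rule for one pair.
# Matching on the WAN interface keeps the rewrite from applying to LAN-side
# traffic; -I puts the pair at the top of the chain so a broader rule added
# later cannot shadow it.
nat_rules_for() {
  valid_ipv4 "$1" && valid_ipv4 "$2" || { echo "bad address pair: $1 $2" >&2; return 1; }
  printf 'iptables -t nat -I PREROUTING -i %s -d %s -j DNAT --to-destination %s\n' "$WAN_IF" "$1" "$2"
  printf 'iptables -t nat -I POSTROUTING -o %s -s %s -j SNAT --to-source %s\n' "$WAN_IF" "$2" "$1"
}

# generate_rules -> prints the rule pairs for every entry in MAPPINGS;
# returns non-zero (and stops) on the first malformed pair.
generate_rules() {
  echo "$MAPPINGS" | while IFS='=' read -r public internal; do
    [ -n "$public" ] || continue
    nat_rules_for "$public" "$internal" || exit 1
  done
}

generate_rules
```

The printed lines are what would be pasted into Network → Firewall → Custom rules. Note that nat-table rules only rewrite addresses; the firewall's WAN-to-LAN forwarding policy still has to permit the traffic, otherwise the rewritten packets are dropped in the FORWARD chain.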