I'm trying to config an 8-port EdgeRouter to do the following:
a) load balance 3 WANs, all from different providers and all using DHCP
b) define a number of port-forwarding rules
c) minimize the number of port-forwarding rules
I've read a bunch of KB articles, forum threads and even watched a number of YouTube videos. So I get how to do a) and b).
It's c) that is frustrating me.
Presume the WANs are connected to eth0, eth1, and eth2
On the Destination NAT Rule Configuration dialog there are different ways to specify the destination including a) entering in the "Dest Address" field an IP address, IP subnet, or IP range, b) selecting a predefined address group, c) a predefined network group or d) specifying an interface.
Or via the cmd line
# set service nat rule 1 destination address
Possible completions:
  <x.x.x.x>             IP address to match
  <x.x.x.x/x>           Subnet to match
  <x.x.x.x>-<x.x.x.x>   IP range to match
  !<x.x.x.x>            Match everything except the specified address
  !<x.x.x.x/x>          Match everything except the specified subnet
  !<x.x.x.x>-<x.x.x.x>  Match everything except the specified range

# set service nat rule 1 destination group address-group
  ADDRv4_eth0  ADDRv4_lo
[Note the completions for "set service nat rule 1 destination group address-group" are dependent upon how the interface ports are defined and on any defined firewall address-groups or network-groups.]
When a WAN interface uses DHCP, the best (IMO) approach is to specify the destination interface (choice d) above).
So something like:
set service nat rule 1 destination group address-group ADDRv4_eth0
Now here's the rub, at least as far as I can tell...
When load balancing multiple WAN interfaces that use DHCP, there is no way to create a single DNAT rule for all three WAN interfaces.
In other words, if you want a port-forwarding rule to exist on multiple DHCP WAN interfaces, then there must be one NAT rule per DHCP WAN interface.
Am I missing something?
Ideally, I want to do something like:
set firewall group address-group WAN_INTERFACES address ADDRv4_eth0
set firewall group address-group WAN_INTERFACES address ADDRv4_eth1
set firewall group address-group WAN_INTERFACES address ADDRv4_eth2
set service nat rule 1 destination group address-group WAN_INTERFACES
But sadly it seems it can't be done:
# set firewall group address-group WAN_INTERFACES address ADDRv4_eth0
address must be an IPv4 address or network or range
Value validation failed
Set failed
I can easily create the same NAT rule for each of the WAN interfaces, but this just seems redundant and messy...
set service nat rule 1 destination group address-group ADDRv4_eth0
set service nat rule 2 destination group address-group ADDRv4_eth1
set service nat rule 3 destination group address-group ADDRv4_eth2
Does anyone have a cleaner way of doing this?
Thanks
Mark
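
The per-interface workaround described in the post above (one DNAT rule per DHCP WAN interface), as an added example that is not part of the original post: a shell function that generates the repeated rules from a single list of forwards, so every WAN carries the same set and none drifts out of sync. The forward list, inside addresses and starting rule number are constructed sample values; the type, inbound-interface, protocol, destination port and inside-address lines are standard EdgeOS NAT settings that do not appear in the post.

```shell
#!/bin/sh
# Added example: emit one EdgeOS DNAT rule per (forward, WAN interface) pair.
# Run on any workstation; paste the output into an EdgeOS configure session.

# WAN interfaces from the post (eth0, eth1, eth2), all DHCP.
WAN_IFACES="eth0 eth1 eth2"

# Constructed sample forwards, one per line:
#   protocol  external_port  inside_address  inside_port
FORWARDS="tcp 443 192.168.1.10 443
tcp 2222 192.168.1.20 22"

# gen_dnat_rules FIRST_RULE_NUMBER
# Prints the `set` commands. Rule numbers increase by one per generated rule,
# ordered forward-by-forward, then interface-by-interface.
gen_dnat_rules() {
    rule=$1
    printf '%s\n' "$FORWARDS" |
    while read -r proto ext_port in_addr in_port; do
        [ -n "$proto" ] || continue          # skip blank lines
        for ifc in $WAN_IFACES; do
            p="set service nat rule $rule"
            echo "$p description 'fwd $proto/$ext_port via $ifc'"
            echo "$p type destination"
            echo "$p inbound-interface $ifc"
            echo "$p protocol $proto"
            # ADDRv4_<if> tracks the interface's current DHCP address,
            # which is why the post prefers it over a literal IP.
            echo "$p destination group address-group ADDRv4_$ifc"
            echo "$p destination port $ext_port"
            echo "$p inside-address address $in_addr"
            echo "$p inside-address port $in_port"
            rule=$((rule + 1))
        done
    done
}

# Print the rules starting at rule 1; review before committing on the router.
gen_dnat_rules 1
```

Adding or removing a forward then means editing one line of FORWARDS and regenerating, rather than hand-editing three rules.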