I'm getting two ISP's; one for work and one for home (yes finally a separatiion). Anyway, I did the wizard for load-balancing on the EdgePro-8 and have 5 static IP's and am having issues geting in with the Dnat and even getting Snat to work proper.
Can anyone help:
firewall {
all-ping enable
broadcast-ping disable
group {
network-group PRIVATE_NETS {
network 192.168.0.0/16
network 172.16.0.0/12
network 10.0.0.0/8
}
port-group OS_X_Server {
description "Mac OS X Server Ports needed for use."
port 25
port 80
port 110
port 143
port 443
port 500
port 587
port 993
port 995
port 1640
port 1701
port 1723
port 2195-2196
port 4500
port 5060
port 5190
port 5222-5223
port 5269
port 5297-5298
port 5678
port 5900
port 8008
port 8085-8087
port 8088
port 8443
port 11211
port 16080
port 16384-16403
}
port-group PBX {
description "Ports for the PBX to work"
port 443
port 5060-5090
port 10000-20000
}
port-group Unifi_Video {
description "Video ports needed for operation"
port 7080
port 7443
port 7445
port 7446
port 7447
}
}
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
log-martians disable
modify balance {
rule 10 {
action modify
description "do NOT load balance lan to lan"
destination {
group {
network-group PRIVATE_NETS
}
}
modify {
table main
}
}
rule 20 {
action modify
description "do NOT load balance destination public address"
destination {
group {
address-group ADDRv4_eth0
}
}
modify {
table main
}
}
rule 80 {
action modify
description "do NOT load balance destination public address"
destination {
group {
address-group ADDRv4_eth6
}
}
modify {
table main
}
}
rule 100 {
action modify
modify {
lb-group G
}
}
}
name WAN_IN {
default-action drop
description "WAN to internal"
rule 10 {
action accept
description "Allow established/related"
state {
established enable
related enable
}
}
rule 20 {
action drop
description "Drop invalid state"
state {
invalid enable
}
}
rule 21 {
action accept
description "Allow ports to OS X Server"
destination {
address 10.102.3.2
group {
port-group OS_X_Server
}
}
log enable
protocol all
state {
established enable
invalid disable
new enable
related enable
}
}
rule 22 {
action accept
description "Allow Ports to Security"
destination {
address 10.102.3.6
group {
port-group Unifi_Video
}
}
log enable
protocol all
state {
established enable
invalid disable
new enable
related enable
}
}
rule 23 {
action accept
description "Allow Ports to PBX"
destination {
address 10.102.20.2
group {
port-group PBX
}
}
log enable
protocol all
state {
established enable
invalid disable
new enable
related enable
}
}
}
name WAN_LOCAL {
default-action drop
description "WAN to router"
rule 10 {
action accept
description "Allow established/related"
state {
established enable
related enable
}
}
rule 20 {
action drop
description "Drop invalid state"
state {
invalid enable
}
}
}
receive-redirects disable
send-redirects enable
source-validation disable
syn-cookies enable
}
interfaces {
ethernet eth0 {
address 50.243.209.97/29
address 50.243.209.98/29
address 50.243.209.99/29
address 50.243.209.100/29
address 50.243.209.101/29
description "Comcast Biz"
duplex auto
firewall {
in {
name WAN_IN
}
local {
name WAN_LOCAL
}
}
speed auto
}
ethernet eth1 {
duplex auto
speed auto
}
ethernet eth2 {
duplex auto
speed auto
}
ethernet eth3 {
duplex auto
speed auto
}
ethernet eth4 {
duplex auto
speed auto
}
ethernet eth5 {
duplex auto
speed auto
}
ethernet eth6 {
address dhcp
description WAN
duplex auto
firewall {
in {
name WAN_IN
}
local {
name WAN_LOCAL
}
}
speed auto
}
ethernet eth7 {
address 10.102.0.1/24
description LAN
duplex auto
firewall {
in {
modify balance
}
}
speed auto
vif 20 {
address 10.102.20.1/24
description VoIP
mtu 1500
}
vif 30 {
address 10.102.3.1/24
description DMZ
mtu 1500
}
}
loopback lo {
}
}
load-balance {
group G {
interface eth0 {
weight 25
}
interface eth6 {
weight 75
}
lb-local enable
sticky {
dest-addr enable
dest-port enable
source-addr enable
}
}
}
port-forward {
auto-firewall enable
hairpin-nat enable
lan-interface eth7
rule 1 {
description "SSL to EdgeMAX Pro"
forward-to {
address 10.102.0.1
port 443
}
original-port 443
protocol tcp
}
wan-interface eth0
}
service {
dhcp-server {
disabled false
hostfile-update disable
shared-network-name DMZ {
authoritative disable
subnet 10.102.3.0/24 {
default-router 10.102.3.1
dns-server 10.102.3.1
lease 86400
start 10.102.3.10 {
stop 10.102.3.200
}
static-mapping security {
ip-address 10.102.3.6
mac-address 00:15:17:f4:17:74
}
unifi-controller 199.175.55.241
}
}
shared-network-name LAN {
authoritative enable
subnet 10.102.0.0/24 {
default-router 10.102.0.1
dns-server 10.102.0.1
domain-name my-it.support
lease 86400
start 10.102.0.38 {
stop 10.102.0.243
}
static-mapping UBNT-EdgeSwitch {
ip-address 10.102.0.254
mac-address 04:18:d6:31:cb:c4
}
static-mapping USG4 {
ip-address 10.102.0.4
mac-address 44:d9:e7:9f:81:78
}
unifi-controller 199.175.55.241
}
}
shared-network-name VoIP {
authoritative disable
subnet 10.102.20.0/24 {
default-router 10.102.20.1
dns-server 10.102.20.1
dns-server 10.102.3.2
lease 86400
start 10.102.20.10 {
stop 10.102.20.200
}
}
}
use-dnsmasq disable
}
dns {
forwarding {
cache-size 150
listen-on eth7
listen-on eth7.30
listen-on eth7.20
}
}
gui {
http-port 80
https-port 443
older-ciphers enable
}
nat {
rule 1 {
description "DNAT to OS X Server"
inbound-interface eth0
inside-address {
address 50.243.209.98
}
log enable
protocol all
source {
address 10.102.3.2
}
type destination
}
rule 2 {
description "DNAT to PBX"
inbound-interface eth0
inside-address {
address 50.243.209.99
}
log enable
protocol all
source {
address 10.102.20.2
}
type destination
}
rule 3 {
description "DNAT to Security"
inbound-interface eth0
inside-address {
address 50.243.209.100
}
log enable
protocol all
source {
address 10.102.3.6
}
type destination
}
rule 5000 {
description "SNAT from OS X Server"
destination {
}
log enable
outbound-interface eth0
outside-address {
address 10.102.3.2
}
protocol all
source {
address 50.243.209.98
}
type source
}
rule 5001 {
description "SNAT from PBX"
destination {
}
log enable
outbound-interface eth0
outside-address {
address 10.102.20.2
}
protocol all
source {
address 50.243.209.99
}
type source
}
rule 5002 {
description "SNAT from Security"
destination {
}
log enable
outbound-interface eth0
outside-address {
address 10.102.3.6
}
protocol all
source {
address 50.243.209.100
}
type source
}
rule 5003 {
description "masquerade for WAN 2"
outbound-interface eth0
type masquerade
}
rule 5004 {
description "masquerade for WAN"
outbound-interface eth6
type masquerade
}
}
ssh {
port 22
protocol-version v2
}
}
system {
conntrack {
expect-table-size 4096
hash-size 4096
table-size 32768
tcp {
half-open-connections 512
loose enable
max-retrans 3
}
}
domain-name my-it.support
gateway-address 50.243.209.102
host-name gateway
login {
user myIT {
authentication {
encrypted-password ****************
}
level admin
}
}
name-server 8.8.8.8
name-server 8.8.4.4
ntp {
server 0.ubnt.pool.ntp.org {
}
server 1.ubnt.pool.ntp.org {
}
server 2.ubnt.pool.ntp.org {
}
server 3.ubnt.pool.ntp.org {
}
}
static-host-mapping {
host-name gateway.my-it.support {
alias gateway
inet 10.102.0.1
}
host-name pbx.my-it.support {
alias pbx
inet 10.102.20.2
}
host-name security.my-it.support {
alias security
inet 10.102.3.6
}
host-name server.my-it.support {
alias server
inet 10.102.3.2
}
}
server 2.ubnt.pool.ntp.org {
}
server 3.ubnt.pool.ntp.org {
}
}
static-host-mapping {
host-name gateway.my-it.support {
alias gateway
inet 10.102.0.1
}
host-name pbx.my-it.support {
alias pbx
inet 10.102.20.2
}
host-name security.my-it.support {
alias security
inet 10.102.3.6
}
host-name server.my-it.support {
alias server
inet 10.102.3.2
}
host-name unifi.my-it.support {
alias unifi
inet 199.175.55.241
}
}
syslog {
global {
facility all {
level notice
}
facility protocols {
level debug
}
}
}
time-zone America/New_York
traffic-analysis {
dpi enable
export enable
}
}My mission is to get all traffic to and from specified IP's to stay where they are going and coming from. My two ISP's are Comcast (5 Statics) and ATT Gig-Fiber (DHCP).