Wednesday, April 8, 2020

Windows Server RRAS Static Filters with NAT

It is possible to use both NAT and Static Filters together on one RRAS server, even though RRAS Static Filters are stateless and NAT requires a stateful firewall.

If you view the NAT Session Mappings (right-click > View Mappings) while a NAT session is active, you'll see 3 IP addresses per session: public, private, and remote. I added both the public IP and the private IP/range to a "Drop all packets except..." Inbound Static Filter on my "public" RRAS interface(s).

Inbound static filters on "public" NAT interface(s) in RRAS "General" section:
1: Source: Any, Destination: "public" IP, 255.255.255.255 subnet (to isolate to single IP address)
2: Source: Any, Destination: "private" IP/range (10.10.10.0, 255.255.255.0 for /24 subnet for example)

This appears to allow NAT (Any > Public) and forwarding (Any > Private) to occur, and excludes other undesired routing.

It seems I should be able to set the second filter as public>private, but this didn't work for me; I needed Any>Private.
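
The same two inbound filters can be scripted with the `netsh routing ip` context instead of the RRAS console. This is an added example, not part of the original post; the interface name `Public` and the address `203.0.113.10` are placeholders, and `10.10.10.0/24` is the post's own sample range.

```powershell
# Added example. Run elevated on the RRAS server.
# Placeholders (assumptions, replace with your own values):
$Interface   = 'Public'          # name of the NAT "public" interface as shown in RRAS
$PublicIp    = '203.0.113.10'    # placeholder public address (documentation range)
$PrivateNet  = '10.10.10.0'      # private range from the post's example
$PrivateMask = '255.255.255.0'

function Invoke-Netsh {
    param([string[]]$Arguments)
    & netsh.exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "netsh failed: $($Arguments -join ' ')" }
}

# Add the filters BEFORE switching the default action to drop, so an
# administrative session arriving on the public IP is not cut off midway.

# Filter 1: Any -> public IP, host mask 255.255.255.255
Invoke-Netsh @('routing','ip','add','filter',"name=$Interface",'filtertype=input',
    'srcaddr=0.0.0.0','srcmask=0.0.0.0',
    "dstaddr=$PublicIp",'dstmask=255.255.255.255','proto=any')

# Filter 2: Any -> private range (the post found public>private did not work)
Invoke-Netsh @('routing','ip','add','filter',"name=$Interface",'filtertype=input',
    'srcaddr=0.0.0.0','srcmask=0.0.0.0',
    "dstaddr=$PrivateNet","dstmask=$PrivateMask",'proto=any')

# Default action for packets matching no filter: drop
# (the console's "Drop all packets except those that meet the criteria below").
Invoke-Netsh @('routing','ip','set','filter',"name=$Interface",'filtertype=input','action=drop')

# Print the resulting filter list to confirm exactly two input filters exist.
Invoke-Netsh @('routing','ip','show','filter',"name=$Interface")
```

After applying, confirm in the NAT Session Mappings view that outbound sessions still establish, and test from an outside host that traffic to any destination other than the two listed is dropped.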