As per http://linux-ip.net/html/nat-dnat.html:

	"In a devilishly subtle difference, netfilter DNAT [i.e. NAT done with
	iptables DNAT commands] does not cause the kernel to answer ARP requests
	for the NAT IP, where iproute2 NAT automatically begins answering ARP
	requests for the NAT IP."

This means that if you have a setup similar to the following:

public IPs: 172.16.1.0/24
private IPs: 10.0.0.0/24


                       ___
                     (     ).    
                    _(       '`. 
                .=(`(          ) 
               ((    Internet  )          
               `(              ) )      
                 ` __._____:'
                      |
                      |
              +-----------------+
              | upstream router |
              | 172.16.1.9      |
              +-----------------+
                       |
              +-------------------------------------------+
              | firewall                                  |
              | main public IP:    NAT mappings:          |
              | 172.16.1.10        172.16.1.11 - 10.0.0.1 |
              |                    172.16.1.12 - 10.0.0.2 |
              |                    172.16.1.13 - 10.0.0.3 |
              |                    172.16.1.14 - 10.0.0.4 |
              +-------------------------------------------+
                   |              |
              +----------+   +----------+
              | server   |   | server   |
              | 10.0.0.1 |   | 10.0.0.2 |    . . .
              +----------+   +----------+

The firewall machine will not answer ARP requests from the upstream router for
the NATed IPs (e.g. 172.16.1.11). So unless the upstream router has already
learned a MAC address for that IP, because a packet using one of the NATed
public addresses as its source IP has previously passed through the router
outbound, inbound packets for it are dropped: ARP resolution fails, and the
router has nowhere to send them. Even a learned entry only helps until the
router's ARP cache expires it, so an idle NATed address stops working again.

There are several solutions to this:

1. In the upstream router, add two routing table entries covering the same
   addresses:
   - one host-only (/32) entry saying that your firewall's public IP
     (172.16.1.10) is directly connected on whatever interface faces it;
   - another entry for the entire subnet saying to forward all traffic for
     that subnet to your firewall's IP as the gateway. No explicit priority
     is needed: the /32 has the longer prefix, so it wins for the firewall's
     own address, and the subnet entry catches everything else, the NATed
     IPs included.
   e.g. if the upstream router were running Linux, the equivalent iproute2
   commands would be (the router's own address gets a /32 mask so that there
   is no connected /24 route conflicting with the gateway entry):
   ip addr add 172.16.1.9/32 dev eth0
   ip route add 172.16.1.10/32 dev eth0
   ip route add 172.16.1.0/24 via 172.16.1.10 dev eth0

2. If your upstream router doesn't support a route for a subnet whose gateway
   lies inside that same subnet, you have a couple of options:

   a. use a different IP for the upstream router, one that isn't on the NAT
      subnet

   b. split the subnet up, so that the upstream router's own IP (and the
      firewall's, which it must still reach directly) sit in one block and
      the NATed IPs in another, which is then routed via the firewall

   c. if some of the NAT IPs are too close to the firewall's IP to fit the
      subnetting, e.g. if the firewall is .10 and the NATed IPs are .11, .12,
      ..., do this: split the subnet at a higher boundary, wherever there's
      room, and make static ARP entries on the upstream router, pointing at
      the firewall's MAC address, for the NATed IPs below that boundary. e.g.
      with a /28 as the first block:
      .9  - upstream router
      .10 - firewall
      .11 - static ARP
      .12 - static ARP
      .13 - static ARP
      .14 - static ARP
      .15 - broadcast address; end of subnet 1 (172.16.1.0/28)
      .16 - beginning of subnet 2 (172.16.1.16/28), routed via .10
      ...

3. Use an entirely different IP for the firewall's upstream interface, e.g. a
   private (non-routable) one, and have the upstream router treat that as the
   gateway for all traffic bound for the public subnet NATed on your firewall.
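
The subnet split in options 2b and 2c above is easy to get wrong by hand (a
NATed IP that lands on the broadcast address of the small block, or a NATed IP
that ends up covered by neither a static ARP entry nor a route). The following
is an added example, not code from the original page or from linux-ip.net: it
plans the upstream router's configuration for a Linux router using iproute2,
carving the public range into the on-link block around the router plus the
disjoint blocks left over, so that no route points back into the router's own
subnet. The function name plan_upstream_router, the interface name eth0 and
the MAC address 00:11:22:33:44:55 are assumptions made up for the example; it
only prints the commands for review, it does not apply them.

```python
import ipaddress


def plan_upstream_router(public_net, router_ip, firewall_ip, nat_ips,
                         onlink_prefixlen, firewall_mac, dev="eth0"):
    """Plan the upstream router's config for the subnet-split options.

    The router's interface goes into an aligned block of size /onlink_prefixlen
    that must also contain the firewall's address (the router needs to ARP for
    its gateway directly). NATed IPs that fall inside that block get static ARP
    entries pointing at the firewall's MAC (option 2c); the rest of the public
    range is carved into the disjoint blocks left over and routed via the
    firewall (option 2b). Hypothetical helper written for this example.
    """
    public_net = ipaddress.ip_network(public_net)
    router_ip = ipaddress.ip_address(router_ip)
    firewall_ip = ipaddress.ip_address(firewall_ip)
    nat_ips = [ipaddress.ip_address(a) for a in nat_ips]

    for a in (router_ip, firewall_ip, *nat_ips):
        if a not in public_net:
            raise ValueError(f"{a} is not inside {public_net}")
    if router_ip in nat_ips or firewall_ip in nat_ips:
        raise ValueError("a NATed IP collides with the router or firewall address")

    # The on-link block: the aligned block of the requested size around the router.
    onlink = ipaddress.ip_network(f"{router_ip}/{onlink_prefixlen}", strict=False)
    if firewall_ip not in onlink:
        raise ValueError(f"firewall {firewall_ip} is not inside on-link block {onlink}")
    # Network and broadcast addresses are not usable hosts (except in /31 and /32).
    unusable = set() if onlink.prefixlen > 30 else {onlink.network_address,
                                                     onlink.broadcast_address}
    if router_ip in unusable or firewall_ip in unusable:
        raise ValueError("router or firewall would be the block's network/broadcast address")

    # 2c: NATed IPs inside the on-link block cannot be routed; they need static ARP.
    static_arp = sorted(a for a in nat_ips if a in onlink)
    for a in static_arp:
        if a in unusable:
            raise ValueError(f"{a} is the network/broadcast address of {onlink}; "
                             "pick a larger on-link block or a different split")

    # 2b: everything else in the public range is routed via the firewall as
    # disjoint blocks, so no route points into the router's own subnet.
    routed = sorted(public_net.address_exclude(onlink))
    for a in nat_ips:
        if a not in static_arp and not any(a in n for n in routed):
            raise ValueError(f"{a} is covered by neither a static ARP entry nor a route")

    commands = [f"ip addr add {router_ip}/{onlink.prefixlen} dev {dev}"]
    commands += [f"ip neigh add {a} lladdr {firewall_mac} dev {dev} nud permanent"
                 for a in static_arp]
    commands += [f"ip route add {n} via {firewall_ip} dev {dev}" for n in routed]
    return {"onlink": onlink, "static_arp": static_arp, "routed": routed,
            "commands": commands}


if __name__ == "__main__":
    # Constructed input matching the diagram: router .9, firewall .10,
    # NATed .11-.14 too close to the firewall for a tight split, plus .20.
    plan = plan_upstream_router(
        "172.16.1.0/24", "172.16.1.9", "172.16.1.10",
        ["172.16.1.11", "172.16.1.12", "172.16.1.13", "172.16.1.14", "172.16.1.20"],
        onlink_prefixlen=28, firewall_mac="00:11:22:33:44:55")
    print("\n".join(plan["commands"]))
```

With a /28 this reproduces the page's layout: static ARP for .11 to .14 and
routes for 172.16.1.16/28, .32/27, .64/26 and .128/25 via the firewall. Asking
for a /30 instead is rejected when .11 is a NATed IP, because .11 would be the
broadcast address of 172.16.1.8/30; with NATed IPs starting at .12 the /30
works and needs no static ARP at all, which is option 2b.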