  1. #1
    Newbie
    Join Date
    May 2012
    Posts
    5

    Default Outbound NAT rule priority? - newb

    Have searched forums, read the manual. Either I have it 100% backwards or simply misunderstand.

    GOAL:
    1 internal private IP address outbound traffic NATs to specific public IP (of many)
    All other internal IPs outbound NAT to default IP

    OBSERVATION
    All internal IPs are NAT'ing to the specific public IP instead of the default IP (as viewed from the 'Show Sessions')

    CONFIG
    Added 2 External Interface IP Address Aliases (first is the default IP of the Untangle, second is the specific IP. Not sure I need to add the default IP)
    Addr and Netmask: <DefaultIP.x.y>/24
    Addr and Netmask: <SpecificIP.x.y>/24

    Created an Advanced Port Forward rule for SpecificIP
    Destination: <SpecificIP>
    Protocol: {TCP;UDP}
    New Destination: <InternalIP>

    Created NAT Policy on Internal Interface with two rules, in this order:
    Address and Subnet: <InternalIP.x.y>/24 Source: <SpecificIP>
    Address and Subnet: 0.0.0.0/0 Source: auto
    ...there are no IP Address Aliases

    What I am observing is that any internal IP address outbound traffic appears to be mapping to my SpecificIP that I want to use for a particular host on the inside. I'm trying to get the data for any host, other than the particular host, to go out through the default.

    What am I missing?

    thanks a million for the eyeballs.

  2. #2
    some dude hlarsen's Avatar
    Join Date
    Jul 2010
    Location
    sfba
    Posts
    1,318

    If you have an IP as the Primary IP address on the interface you do not need to add it as an alias.

    Your /24 on the NAT policy is NATing that entire subnet; use /32 for individual hosts.

    More information is available here: http://wiki.untangle.com/index.php/1:1_NAT
    Attention: Support on the Untangle Forums is provided by volunteers and community members.
    If you need official Untangle support please call or email support@untangle.com.
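
An added example, not part of the thread or of Untangle's own code: a small model of the NAT policy from post #1, showing why the /24 rule captures every internal host and how the /32 rule does not. It assumes first-match-wins evaluation in the listed order; the addresses and the names `select_source` and `overbroad_rules` are constructed for illustration.

```python
import ipaddress

# Constructed sample values (documentation address ranges), not from the thread.
DEFAULT_IP = "203.0.113.10"    # stands in for <DefaultIP>
SPECIFIC_IP = "203.0.113.20"   # stands in for <SpecificIP>
HOST = "192.168.1.50"          # stands in for <InternalIP>

# (match, source) pairs in policy order; "auto" means the interface's primary IP.
ORIGINAL = [(HOST + "/24", SPECIFIC_IP), ("0.0.0.0/0", "auto")]
FIXED = [(HOST + "/32", SPECIFIC_IP), ("0.0.0.0/0", "auto")]


def select_source(rules, client_ip, default_ip=DEFAULT_IP):
    """Return the public source IP chosen for client_ip (assumed first match wins)."""
    addr = ipaddress.ip_address(client_ip)
    for match, source in rules:
        # strict=False: a host address with a wide mask is read as the whole
        # network, so "192.168.1.50/24" matches all of 192.168.1.0/24.
        if addr in ipaddress.ip_network(match, strict=False):
            return default_ip if source == "auto" else source
    return default_ip


def overbroad_rules(rules):
    """Flag static-source rules written as a host address with a mask wider than /32."""
    flagged = []
    for match, source in rules:
        iface = ipaddress.ip_interface(match)
        # Host bits set under the mask means the author probably meant one host.
        if source != "auto" and iface.ip != iface.network.network_address:
            flagged.append((match, iface.network.num_addresses))
    return flagged


if __name__ == "__main__":
    for name, rules in (("original /24", ORIGINAL), ("fixed /32", FIXED)):
        for client in (HOST, "192.168.1.77"):
            print(name, client, "->", select_source(rules, client))
        print(name, "flagged:", overbroad_rules(rules))
```
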

  3. #3
    Newbie
    Join Date
    May 2012
    Posts
    5

    I changed the mask for the;
    Internal interface's NAT policy of the public IP address from /24 to /32
    PublicIP/32 PrivateIP
    Left the 2nd NAT Policy rule alone
    0.0.0.0/0 auto

    Also removed the Default Interface IP from the IP Address Aliases list of the External interface per your suggestion.

    Show Sessions is still hanging on to the old sessions that were open, so I assume it will take a bit for new sessions to open for the other internal IPs to determine whether they are NAT'ing to the desired public.

    Thanks for answering so quickly. Hopefully that won't establish a bad habit for me!

  4. #4
    some dude hlarsen's Avatar
    Join Date
    Jul 2010
    Location
    sfba
    Posts
    1,318

    It should be PrivateIP/32 PublicIP.
    You can check the IP the server is using at ipv4.icanhazip.com

  5. #5
    Newbie
    Join Date
    May 2012
    Posts
    5

    Typo. It is as you suggested.


    Thanks again for the help - looks like the problem has been solved.


    PrivateIP machine has not yet been placed as this is a remote pre-config. The assumption is that if the existing internal hosts are NAT'ing to the correct Default IP that when I spin up the new internal machine on a specific internal IP the NAT'ing to the SpecificIP will be working. We'll see.
