Another post to simply create a mind dump in case I ever need to / want to do this again!

If you're like me and you have a handful of static IP's and want to host multiple servers behind a router such as web servers, minecraft servers, gitlab servers, etc.. you'll need to put in some work. Initially I thought this wouldn't be possible with the EdgeRouter X but I finally got it working. I'm going to throw out some example IP's and an example setup which should allow anyone to adapt this to their own!

Public IP Space: 10.1.1.240/29 Private IP Space: 192.168.1.0/24

Start by logging into your EdgeMAX EdgeRouter X and head to the Dashboard

Typically eth0 would be your Internet connection, this is where we will define our WAN addresses:

  • Actions -> Config
  • Click Add IP
  • Select Manually define IP address
  • Add one of your WAN IP's
  • Repeat for each WAN IP address you have
  • Click Save

For the purposes of this post, lets assume that you've got eth3 connected to a switch and that you have your servers connected to that switch and that switch0 in the EdgeRouter Dashboard has an IP address of 192.168.1.1/24

Click on Firewall/NAT

Remove anything that may already be defined in the Port Forwarding tab. We will only be using NAT rules and Firewall Policies

Click on the NAT Tab

For the purposes of this post we are also assuming the following:

Web Server - 192.168.1.10 Gitlab Server - 192.168.1.20

We will also assume that both of these servers need port 443 for HTTPS traffic.

Finally, we will assign the following public IP's to the servers using NAT

Web Server - 10.1.1.242 Gitlab Server - 10.1.1.243

First things first, in the NAT tab the first thin you should see are the source NAT rules. There should only be 1 with a description of masquerade for WAN this is basically a catch all rule that sends all traffic going out over any of the public IP's you have defined in eth0.

This rule becomes a problem when dealing with multiple WAN IP's and multiple servers so we have to define SNAT rules that force servers to send traffic back out over the same IP that traffic came in on.

Click on Add source NAT rule

  • Description: Web Server
  • Enable: Checked
  • Outbound Interface: eth0
  • Translation: Specifiy address and/or port - 10.1.1.242
  • Protocol: All protocols
  • Src Address: 192.168.1.10
  • Save

Important!!! - RULE ORDER MATTERS - Make sure you move this newly created rule above the masquerading rule and then click on Save Rule Order

You'll want to repeat this process to create an SNAT rule for the Gitlab Server or any other servers you might have.

Next we need to create DNAT rules

Click on Add Destination NAT Rule

  • Description: Web Server
  • Enable: Checked
  • Inbound Interface: eth0
  • Translations: Address - 192.168.1.10
  • Protocol: TCP
  • Dest Address: 10.1.1.242
  • Dest Port: 443
  • Save

You'll want to repeat this process to create a DNAT rule for the Gitlab Server or any other servers you might have.

Now we need to add a firewall rule to allow traffic in

Click on the Firewall Policies Tab

Find WAN_IN and click Actions -> Edit Ruleset

Click Add New Rule

  • Description: Allow HTTPS - Web Server
  • Enable: Checked
  • Action: Accept
  • Protocol: TCP

Destination Tab

  • Address: 192.168.1.10
  • Port: 443
  • Save

That's it, repeat this process for all servers and ports that you need to open and then Save, make sure that these rules are all moved to the top of the Ruleset and click on Save Rule Order

Hope this helps someone, took some time to get this all worked out!!!