I have installed and enabled RRAS and NAT on Server 2012 R2 with 8 interfaces. I assumed I would be able to select WHICH of the remaining 7 interfaces got NATed, but it appears ALL interfaces are NATed. This is undesirable. How can I prevent some of the interfaces from NATing through the public interface?
I'd prefer not to set static filters on every interface.
It may be worth noting that I have only the 'Public' interface defined under the 'NAT' settings. I have deleted all other 'Private' interfaces from the NAT settings, yet all other private interfaces are still being NATed out the Public interface. I have no address pools defined because I only want to NAT through the one Public IP address (assigned to the public interface).
As far as I know this is the default behaviour of RRAS so I would:
Before you do that, please make sure that you followed these steps https://technet.microsoft.com/en-us/library/dd469812(v=ws.11).aspx, followed by a server restart.
Right-click > Delete on the undesired NAT interfaces
Also:
It is possible to use both NAT and Static Filters together on one RRAS server, even though RRAS Static Filters are stateless and NAT requires a stateful firewall.
If you view the NAT Session Mappings (right-click>view Mappings) while a NAT session is active, you'll see 3 IP addresses per session: public, private, and remote. I added both the public ip and private ip/range to a "Drop all packets except..." Inbound Static Filter on my "public" RRAS interface(s).
Inbound static filters on "public" NAT interface(s) in RRAS "General" section:
1: Source: Any, Destination: "public" ip, 255.255.255.255 subnet (to isolate to single IP address)
2: Source: Any, Destination: "private" ip/range (10.10.10.0, 255.255.255.0 for /24 subnet for example)
This appears to allow NAT (Any > Public) and forwarding (Any > Private) to occur, and excludes other undesired routing.
It seems I would be able to set the second filter as public>private, but this didn't work for me; I needed Any>Private.