I'm trying to set up a network like this:
...but I'm facing an issue.
Here's the point:
If I try to reach (e.g.) mywebsite1.com from outside, it works like a charm and shows my wonderful website, but whenever I try to run (e.g.) apt-get update from inside Virtual Server 2 it throws an error like "Failed to connect to xxx-whatever-website.com port 80: connection refused".
The problem is solved if I delete the PREROUTING rule on the main server firewall, but of course then I'm no longer able to connect to mywebsite1.com from outside. Same story if I change the Virtual Server default gateway to 192.168.1.1.
I naively tried to add a static route on the main server (something like ip route add 192.168.1.1 via 192.168.1.32) but, of course, it didn't work. Should I try to mark the packets in some way or something, in order to recognize the source client?
Since I omitted the original destination target in my DNAT rule, it hit all original destination targets. So I needed to add
-d 192.168.1.30
to it. Now it works.
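The fix described above, as an added example that is not part of the original post: a small POSIX shell audit that reads iptables-save style output, flags every PREROUTING DNAT rule that has no original-destination (-d) match, and rewrites such a rule so it only applies to the address the public site is reached on. The sample ruleset is constructed here; the addresses are assumptions (192.168.1.30 as the main server's address that outside clients connect to, 192.168.1.32 as Virtual Server 2), not details taken from the question beyond the -d value it names.

```shell
#!/bin/sh
# Constructed iptables-save excerpt for the main server's nat table (not from the question).
# The port-80 rule has no -d match, so it rewrites ALL port-80 traffic that passes through
# PREROUTING, including packets from Virtual Server 2 that are only being routed out to
# the Internet (apt-get's connection to a mirror). The port-443 rule is already scoped.
SAMPLE_RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.32:80
-A PREROUTING -d 192.168.1.30/32 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.1.32:443
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'

# Print every PREROUTING DNAT rule that lacks a " -d " (original destination) match.
# $1: ruleset text in iptables-save format.
find_unscoped_dnat() {
    printf '%s\n' "$1" | grep -- '-A PREROUTING' | grep -- '-j DNAT' | grep -v -- ' -d '
}

# Return 0 when every PREROUTING DNAT rule is scoped to a destination, 1 otherwise.
audit_dnat() {
    if [ -n "$(find_unscoped_dnat "$1")" ]; then
        return 1
    fi
    return 0
}

# Rewrite only the unscoped PREROUTING DNAT rules, inserting "-d <addr>/32" after the
# chain name; rules that already carry -d are left untouched.
# $1: ruleset text, $2: address outside clients connect to (assumed 192.168.1.30).
scope_dnat_rule() {
    printf '%s\n' "$1" | sed "/^-A PREROUTING .*-j DNAT/{
/ -d /!s|^-A PREROUTING |-A PREROUTING -d $2/32 |
}"
}

# Stand-alone run: show the offending rule, then the corrected ruleset.
echo "Unscoped DNAT rules:"
find_unscoped_dnat "$SAMPLE_RULES"
echo
echo "Corrected ruleset:"
scope_dnat_rule "$SAMPLE_RULES" 192.168.1.30
```

On the real machine the input would come from `iptables-save -t nat`, and the corrected rule is what `iptables -t nat -S PREROUTING` should then list: a DNAT line that begins `-A PREROUTING -d 192.168.1.30/32 -p tcp ...`. Keeping the -d match is what lets LAN hosts behind the same gateway reach port 80 on the Internet while outside clients still land on the virtual server.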