Community discussions

MikroTik App
 
ondrej89
just joined
Topic Author
Posts: 3
Joined: Sat Mar 26, 2022 11:13 am

NAT for out interface WAN

Tue Nov 22, 2022 1:30 pm

Mikrotik router LAN IP 192.168.1.253
Mikrotik router WAN IP: 192.168.0.10
Non-Mikrotik modem: 192.168.0.1
Public IP: 212.5.***.**
Server LAN IP: 192.168.1.7
Server: WAN IP: 192.168.0.3
Default gatweay at Mikrotik Router: 192.168.0.1
Default gatweay at Server: 192.168.0.1
Default gateway at DHCP clients at LAN: 192.168.1.253

We have a server providing some services within LAN network plus other sites connected via VPN and some services published to internet. At the non-Mikrotik modem, there is NAT for published services pointing to 192.168.0.3 and everything worked ok. One day, when we upgraded internet connection, we had to replace the modem. After replacing it, services published to internet stopped working from LAN as the new modem drops packets from LAN going to our own public IP instead of doing NAT. There is nearly nothing to configure, it's very simple device so we tried to do the configuration at Mikrotik router.

I tried to set up dstnat rule with action dst-nat to address 192.168.0.3 for Src. Address 192.168.1.0/24 and Dst. Address 212.5.***.**.

If I specify WAN in Out. Interface List, I get an error Couldn't change NAT Rule <192.168.1.0/24->212.5.***.**> - outgoing interface matching not possible in input and prerouting chains (6). If I don't specify it, I can create the rule, but it doesn't work as expected. When I tried not to specify Dst. Address, I couldn't access the Mikrotik router anymore as it was pointing to 192.168.0.3. Then I had to use the MAC address to access it so it does obviously something, but IDK what I'm doing wrong.

I also tried to specify LAN in In. Interface List instead of providing Src. Address, but no change.

Any advice please?
 
Sob
Forum Guru
Forum Guru
Posts: 9049
Joined: Mon Apr 20, 2009 9:11 pm

Re: NAT for out interface WAN

Tue Nov 22, 2022 2:23 pm

So you have server connected directly to ISP's router (same way as your router), NOT server connected behind your router, right? Nothing special is needed for that, this should be enough:
/ip firewall nat
add chain=dstnat dst-address=212.5.***.** action=dst-nat to-addresses=192.168.0.3
 
ondrej89
just joined
Topic Author
Posts: 3
Joined: Sat Mar 26, 2022 11:13 am

Re: NAT for out interface WAN

Sat Nov 26, 2022 9:16 am

Server is connected to straight to the ISP router at one interface with IP 192.168.0.3 and also to MikroTik router at another interface with IP 192.168.1.7.

I had tried adding the rule, even before I sent my first post here, but it’s still not working.
 
sindy
Forum Guru
Forum Guru
Posts: 9899
Joined: Mon Dec 04, 2017 9:19 pm

Re: NAT for out interface WAN

Sat Nov 26, 2022 11:46 am

Server is connected ... also to MikroTik router at another interface with IP 192.168.1.7.
And that's what breaks it. The packet from 192.168.1.x (the client) towards 212.5.a.b goes to the gateway 192.168.1.253 (the Mikrotik), which dst-nats it to 192.168.0.3, but the source address remains 192.168.1.x. So the server responds using the route to 192.168.1.0/24, which is direct, not via Mikrotik. The client receives the response packet, but since it comes from 192.168.1.7 rather than 212.5.a.b, it ignores it.
One possible solution is to add also a src-nat rule:
chain=srcnat src-address=192.168.1.0/24 dst-address=192.168.0.3 action=src-nat to-addresses=192.168.0.10
This will rewrite the source address of the request from 192.168.1.x to the WAN IP of the Mikrotik, so the server will send the response to that address; the Mikrotik will first un-src-nat the response (i.e. rewrite the destination address with the source address of the request), route it, and then un-dst-nat it (i.e. rewrite the source address with the destination address of the request). So the client will be happy as the response will come from 212.5.a.b.

Another solution is to just disconnect the other interface of the server, but doing so would likely have some impact on your current workflow.
 
Sob
Forum Guru
Forum Guru
Posts: 9049
Joined: Mon Apr 20, 2009 9:11 pm

Re: NAT for out interface WAN

Sat Nov 26, 2022 2:52 pm

It depends. My assumption (possibly wrong) was that there's masquerade on RB's WAN, because that's what people usually do, even when they could do it without. And if it's there, it would cover this.
 
sindy
Forum Guru
Forum Guru
Posts: 9899
Joined: Mon Dec 04, 2017 9:19 pm

Re: NAT for out interface WAN

Sat Nov 26, 2022 3:20 pm

As usually, we have to use mentalism to guess what the actual configuration is :)
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 14411
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: NAT for out interface WAN

Sat Nov 26, 2022 3:33 pm

As usual the experts jump right in with both feet and eyes closed....... ;-P

For the OP.......
viewtopic.php?p=908118

Who is online

Users browsing this forum: Ahrefs [Bot], Amazon [Bot], dinosgb and 29 guests