leon84
Member Candidate
Topic Author
Posts: 201
Joined: Wed Dec 02, 2009 12:15 pm

NAT question ( is it a bug ?)

Thu Nov 24, 2011 11:25 am

Hi to all,
I would like to have a 1:1 NAT in my network.

On my RouterOS 5.8 I configured a public interface with 10 IP addresses, and I would like to redirect traffic to hosts in my LAN.

I added all 10 IP addresses to the public interface of the router and used this NAT configuration:

ip firewall nat add chain=srcnat src-address=192.168.0.1 action=src-nat to-addresses="IP PUBLIC 1"
ip firewall nat add chain=dstnat dst-address="IP PUBLIC 1" action=dst-nat to-addresses=192.168.0.1

ip firewall nat add chain=srcnat src-address=192.168.0.2 action=src-nat to-addresses="IP PUBLIC 2"
ip firewall nat add chain=dstnat dst-address="IP PUBLIC 2" action=dst-nat to-addresses=192.168.0.2

etc ....

In this way I configured 1:1 NAT between each public IP address and a local LAN IP address...
The question is: when RouterOS itself tries to communicate with the Internet, which IP address will it use?
Last edited by leon84 on Mon Nov 28, 2011 11:55 am, edited 1 time in total.
 
leon84
Member Candidate
Topic Author
Posts: 201
Joined: Wed Dec 02, 2009 12:15 pm

Re: NAT question

Thu Nov 24, 2011 11:32 am

Maybe with src natting and destination natting to localhost?
 
JP_Wireless
Member Candidate
Posts: 276
Joined: Thu Dec 13, 2007 4:31 pm
Location: Lagos Nigeria

Re: NAT question

Thu Nov 24, 2011 11:35 am

Do your public IPs all have Internet access? What configuration do you have in your ip/route?
 
Intrepid
newbie
Posts: 38
Joined: Sat Feb 12, 2011 1:20 am

Re: NAT question

Thu Nov 24, 2011 11:42 am

 
leon84
Member Candidate
Topic Author
Posts: 201
Joined: Wed Dec 02, 2009 12:15 pm

Re: NAT question

Thu Nov 24, 2011 2:58 pm

Yes, all the public IPs have Internet access.
 
leon84
Member Candidate
Topic Author
Posts: 201
Joined: Wed Dec 02, 2009 12:15 pm

Re: NAT question

Thu Nov 24, 2011 3:00 pm

I think, maybe, the solution for me is:

ip firewall nat add chain=srcnat src-address=127.0.0.1 action=src-nat to-addresses="IP PUBLIC PREFERRED"
ip firewall nat add chain=dstnat dst-address="IP PUBLIC PREFERRED" action=dst-nat to-addresses=127.0.0.1

Do you think it is correct?
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: NAT question

Thu Nov 24, 2011 4:15 pm

/ip firewall nat add chain=srcnat dst-address-type=local action=src-nat to-addresses=1.1.1.1
No need for destination NAT - after all, traffic is to the router itself.
 
leon84
Member Candidate
Topic Author
Posts: 201
Joined: Wed Dec 02, 2009 12:15 pm

Re: NAT question

Thu Nov 24, 2011 4:21 pm

Mmm... I need destination NAT only if I want to redirect my preferred public address to the router itself, right?

In particular:
If I only want RouterOS to be able to communicate with the Internet, I use only source NAT.
But if I want to connect via Winbox through the Internet, then I must enable destination NAT too... right?
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: NAT question

Thu Nov 24, 2011 4:33 pm

No. You have it completely backwards.

You use whichever IP address isn't destination NATed to an inside host. The router can listen on ALL IP addresses configured on its interfaces, but will sometimes - when you configure destination NAT - send that traffic to somewhere else rather than listen to it. So your problem isn't what destination NAT rule to apply, but your problem is NOT to apply destination NAT at all for traffic that is destined to the router directly. It's already going to the router because the destination IP address is one configured on a router interface, after all.
 
leon84
Member Candidate
Topic Author
Posts: 201
Joined: Wed Dec 02, 2009 12:15 pm

Re: NAT question

Thu Nov 24, 2011 5:31 pm

Oh thanks, it's correct... thanks a lot
 
leon84
Member Candidate
Topic Author
Posts: 201
Joined: Wed Dec 02, 2009 12:15 pm

Re: NAT question

Fri Nov 25, 2011 1:40 pm

I have a new problem ....

I still want to do 1:1 NAT, but I would also like to provide a firewall, so I use this configuration:

ip firewall nat add chain=srcnat src-address=192.168.0.1 action=src-nat to-addresses="IP PUBLIC 1"
ip firewall nat add chain=dstnat dst-address="IP PUBLIC 1" action=dst-nat to-addresses=192.168.0.1

This is the firewall:

79 chain=forward action=accept connection-state=established protocol=tcp
dst-address=192.168.0.1 dst-port=!1-1024

80 chain=forward action=accept connection-state=related protocol=tcp
dst-address=192.168.0.1 dst-port=!1-1024

81 chain=forward action=accept protocol=udp dst-address=192.168.0.1
dst-port=!1-1024

82 chain=forward action=accept src-address=192.168.0.1

82 chain=forward action=drop

It is impossible for 192.168.0.1 to access the Internet to telnet to a remote host specified by IP address and not by name.

Why ?
 
leon84
Member Candidate
Topic Author
Posts: 201
Joined: Wed Dec 02, 2009 12:15 pm

Re: NAT question

Fri Nov 25, 2011 4:07 pm

I did another test.
I used a packet sniffer between the remote server and the MikroTik RouterOS router, and:

- When I run "telnet remote server" on 192.168.0.1, the remote server replies correctly. I see packets with source port 23 and the IP address of the remote host, destined for IP PUBLIC 1.
- On the public interface of RouterOS, with the torch tool, I see the remote host sending packets with source port 23 to my IP PUBLIC 1.

I think the problem is that these packets are not forwarded to 192.168.0.1... Why?
 
leon84
Member Candidate
Topic Author
Posts: 201
Joined: Wed Dec 02, 2009 12:15 pm

Re: NAT question

Fri Nov 25, 2011 10:00 pm

I attach a layout of the network.
Please consider 172.16.0.0/24 to be public IP addresses.

I disabled the firewall on RouterOS and now I have only this configuration:

ip firewall nat add chain=srcnat src-address=192.168.0.1 action=src-nat to-addresses="172.16.0.1"
ip firewall nat add chain=dstnat dst-address="172.16.0.1" action=dst-nat to-addresses=192.168.0.1

ip firewall nat add chain=srcnat src-address=192.168.0.2 action=src-nat to-addresses="172.16.0.5"
ip firewall nat add chain=dstnat dst-address="172.16.0.5" action=dst-nat to-addresses=192.168.0.2

etc ....

Then I inserted a packet sniffer between the RouterOS public interface and the ISP router, and:
1) when I run "telnet to remote host" on 192.168.0.1, I see on the sniffer:
172.16.0.1 -> remote host
and
remote host -> 172.16.0.1
2) on the public interface of RouterOS I see:
remote host -> 172.16.0.1

So I think that the source NAT runs correctly, because 192.168.0.1 always goes to the Internet as 172.16.0.1 and the remote host receives the packets correctly, but when it replies, these packets arrive at the public interface of RouterOS but not at 192.168.0.1... THIS IS THE PROBLEM... There isn't any firewall on 192.168.0.1... Consider that before the MikroTik router I used Linux Debian with iptables without problems:

iptables -t nat -A POSTROUTING -s 192.168.0.1 -j SNAT --to-source 172.16.0.1
iptables -t nat -A PREROUTING -d 172.16.0.1 -j DNAT --to-dest 192.168.0.1

Can you help me please???
 
leon84
Member Candidate
Topic Author
Posts: 201
Joined: Wed Dec 02, 2009 12:15 pm

Re: NAT question

Mon Nov 28, 2011 11:32 am

I did other tests... I think the problem is a RouterOS BUG.
Let me explain...

I solved the problem simply by activating only one IP address on the public interface... and this isn't normal.
For example:
If I activate ONLY 172.16.0.1/24, the src nat and destination nat run correctly...
If I activate ONLY 172.16.0.5/24, the src nat and destination nat run correctly...

Is it possibly a bug?
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: NAT question ( is it a bug ?)

Mon Nov 28, 2011 2:52 pm

It is exceedingly unlikely you found a bug in the Linux NAT implementation. It's far more likely your router is subtly misconfigured.

Go back to the configuration you want to run. Then post it - so far you've only been showing snippets. That would include the output of "/ip address print detail", "/ip route print detail", "/interface print detail", "/ip firewall export", and a network diagram.
 
leon84
Member Candidate
Topic Author
Posts: 201
Joined: Wed Dec 02, 2009 12:15 pm

Re: NAT question ( is it a bug ?)

Mon Nov 28, 2011 6:26 pm

This is the configuration. The firewall is disabled... I only posted the NAT table...
The networks in ip route are unreachable because I detached the router... and another thing... I replaced my public IPs with 172.16.0.0/24...

I would like to remind you that if I activate only one IP address, for example 172.16.0.5, the NAT, source and destination, runs correctly... I have the problem if I add another IP to the same interface...

/ip address print detail


 1   address=172.16.0.1/24 network=172.16.0.0 interface=ether9 actual-interface=ether9 

 2   address=172.16.0.5/24 network=172.16.0.0 interface=ether9 actual-interface=ether9 

 3   address=172.16.0.10/24 network=172.16.0.0 interface=ether9 actual-interface=ether9 

 4   address=172.16.0.15/24 network=172.16.0.0 interface=ether9 actual-interface=ether9 




/ip route print detail 

0   S  dst-address=0.0.0.0/0 gateway=172.16.0.254 gateway-status=172.16.0.254 unreachable distance=1 scope=30 target-scope=10 

 1 ADC  dst-address=172.16.0.0/24 pref-src=172.16.0.1 gateway=ether9 gateway-status=ether9 unreachable distance=0 scope=200 

 3 ADC  dst-address=192.168.0.0/16 pref-src=192.168.255.254 gateway=ether8 gateway-status=ether8 unreachable distance=0 scope=200 


/interface print detail

 0  R  name="ether10" type="ether" mtu=1500 l2mtu=1600 max-l2mtu=9116 

 1     name="ether9" type="ether" mtu=1500 l2mtu=1500 max-l2mtu=9116 

 2     name="ether7" type="ether" mtu=1500 l2mtu=1600 max-l2mtu=4080 

 3     name="ether8" type="ether" mtu=1500 l2mtu=1500 max-l2mtu=4080 

 4     name="ether6" type="ether" mtu=1500 l2mtu=1600 max-l2mtu=4080 

 5     name="ether5" type="ether" mtu=1500 l2mtu=1598 max-l2mtu=4078 

 6     name="ether4" type="ether" mtu=1500 l2mtu=1598 max-l2mtu=4078 

 7     name="ether3" type="ether" mtu=1500 l2mtu=1598 max-l2mtu=4078 

 8     name="ether2" type="ether" mtu=1500 l2mtu=1598 max-l2mtu=4078 

 9     name="ether1" type="ether" mtu=1500 l2mtu=1598 max-l2mtu=4078 


/ip firewall nat export

add action=src-nat chain=srcnat comment="192.168.0.1 (SOURCE NATTING)" disabled=no src-address=192.168.0.1 to-addresses=172.16.0.5
add action=dst-nat chain=dstnat comment="192.168.0.1 (DESTINATION NATTING)" disabled=no dst-address=172.16.0.5 to-addresses=192.168.0.1
add action=src-nat chain=srcnat comment="192.168.0.2 (SOURCE NATTING)" disabled=no src-address=192.168.0.2 to-addresses=172.16.0.10
add action=dst-nat chain=dstnat comment="192.168.0.2 (DESTINATION NATTING)" disabled=no dst-address=172.16.0.10 to-addresses=192.168.0.2
add action=src-nat chain=srcnat comment="192.168.0.3 (SOURCE NATTING)" disabled=no src-address=192.168.0.3 to-addresses=172.16.0.15
add action=dst-nat chain=dstnat comment="192.168.0.3 (DESTINATION NATTING)" disabled=no dst-address=172.16.0.15 to-addresses=192.168.0.3
add action=netmap chain=srcnat comment="ROUTER OS (SOURCE NAT)" disabled=no to-addresses=172.16.0.1


 
leon84
Member Candidate
Topic Author
Posts: 201
Joined: Wed Dec 02, 2009 12:15 pm

Re: NAT question ( is it a bug ?)

Mon Nov 28, 2011 8:36 pm

Perhaps in source and destination NAT it is necessary to specify the input and output interface?
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: NAT question ( is it a bug ?)

Tue Nov 29, 2011 1:14 am

Nope - it certainly doesn't hurt, but it's not necessary as such.

I don't see anything wrong with what you pasted. It should work. That it doesn't means that you either left something out, or edited it in such a way that it hides the problem.

Again, it is close to impossible you found a bug in how Linux handles NAT. You're not doing anything special, and if there was a related bug it would have already been reported by hundreds of thousands of people.

Try resetting the router to scratch and setting up two simple NAT rules and see if it works.
 
leon84
Member Candidate
Topic Author
Posts: 201
Joined: Wed Dec 02, 2009 12:15 pm

Re: NAT question ( is it a bug ?)

Tue Nov 29, 2011 12:43 pm

Hi fewi and hi to all,
this morning I reset the router and I only did the following:

1) I added IP addresses to the interfaces...
2) I implemented source and destination NAT without a firewall
3) I added the default route...

It's the same! It's incredible...
In particular, only some private IPs can communicate with the Internet. For example:
192.168.0.1 and 192.168.0.2 run telnet correctly but 192.168.0.3 does not. If I disable all the public addresses and enable only the 172.16.0.15 public IP, then 192.168.0.3 can communicate correctly... if I also add 172.16.0.10, then 192.168.0.3 continues to communicate, with 192.168.0.2 too, while 192.168.0.1 is down... It's strange!
I'm thinking... Is there some problem in the MTU configuration? I configured it to 1500 because the router is connected to Ethernet interfaces only. Can the NIC of the servers be incompatible with the MikroTik interface? I'm using all Dell servers, in particular Dell 1750, 2950...

In the past I had this problem:
I implemented a mesh network with OSPF; each RouterOS was connected to another via Wi-Fi and had its own private local network. The local network of each router hosted some devices, but there was always one device type that it was impossible to communicate with... I solved this problem simply by configuring the local interface with arp-proxy...
 
leon84
Member Candidate
Topic Author
Posts: 201
Joined: Wed Dec 02, 2009 12:15 pm

Re: NAT question ( is it a bug ?)

Wed Nov 30, 2011 4:14 pm

Hi fewi,
I tried to use the torch command.
If I run "telnet public_ip" on 192.168.0.1, I see in the torch tool on the public interface an entry with:

public_ip:23 -> 172.16.0.5:random_port

It's clear. The packet from 192.168.0.1 arrives at public_ip and this responds correctly. The SYN,ACK packet from public_ip to 172.16.0.5 enters the router but the router doesn't redirect it to 192.168.0.1.
I want to remind you that it happens only if I have different IP addresses on the router's public interface.
If I have only IP 172.16.0.5 on the RouterOS public interface, without changing any configuration, the source NAT and destination NAT run correctly...
This is very strange!
 
leon84
Member Candidate
Topic Author
Posts: 201
Joined: Wed Dec 02, 2009 12:15 pm

Re: NAT question ( is it a bug ?)

Thu Dec 01, 2011 12:38 pm

Hi fewi,
you must see this screenshot!
This morning I powered on the RouterBOARD 1200 and this is the surprise:

As you can see, I connected to RouterOS through ether10, which has IP address 10.245.5.239, while interface ether9 has a public IP address ending in .100. When I run Winbox to scan for MikroTik devices, it reports that interface ether10, which has the correct MAC address (as you can see in the ether10 interface GUI), has the public IP address ending in .100!

THIS IS ANOTHER STRANGE THING ON THIS ROUTER...
Do you have any idea?
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

NAT question ( is it a bug ?)

Thu Dec 01, 2011 1:36 pm

I can't help you.
 
wildbill442
Forum Guru
Posts: 1055
Joined: Wed Dec 08, 2004 7:29 am
Location: Sacramento, CA

Re: NAT question ( is it a bug ?)

Thu Dec 01, 2011 7:46 pm

Destination NAT

If you want to link Public IP 10.5.8.200 address to Local one 192.168.0.109, you should use destination address translation feature of the MikroTik router. Also if you want allow Local server to talk with outside with given Public IP you should use source address translation, too.

Add Public IP to Public interface:

/ip address add address=10.5.8.200/32 interface=Public

Add rule allowing access to the internal server from external networks:

/ip firewall nat add chain=dstnat dst-address=10.5.8.200 action=dst-nat \
    to-addresses=192.168.0.109

Add rule allowing the internal server to talk to the outer networks having its source address translated to 10.5.8.200:

/ip firewall nat add chain=srcnat src-address=192.168.0.109 action=src-nat \
    to-addresses=10.5.8.200

The above was taken from the wiki - http://wiki.mikrotik.com/wiki/Manual:IP ... nation_NAT

As for the discrepancy listed in your previous post with the MAC/IP in winbox... I believe you said you enabled proxy-arp in one of your other posts... Proxy-ARP is not necessary.

Do another /system reset-configuration

Configure the LAN and add your WAN IP and setup your NAT.

All you need to modify is the

/ip address (add LAN and WAN IP addresses)
/ip firewall nat (add one to one nat under src-nat/dst-nat)
/ip route (for your default gateway)

Don't overcomplicate things; get the bare minimum set up and tested, then add whatever firewall rules, additional NAT, etc... you need after it's set up and working with the basics.
 
leon84
Member Candidate
Topic Author
Posts: 201
Joined: Wed Dec 02, 2009 12:15 pm

Re: NAT question ( is it a bug ?)

Thu Dec 01, 2011 7:54 pm

Hi,
tomorrow I will check the problem with Winbox and arp-proxy and give you feedback.
As for the reset,
I have already executed the steps that you reported...
Further up in this thread you can see I only added the IP addresses, the NAT rules without a firewall, and the default route...
You reported part of the manual... but if I configure one IP address on the public interface the NAT runs correctly... The problem is when I add more IP addresses...
 
wildbill442
Forum Guru
Posts: 1055
Joined: Wed Dec 08, 2004 7:29 am
Location: Sacramento, CA

Re: NAT question ( is it a bug ?)

Thu Dec 01, 2011 8:27 pm

OK I see that...

What is this for??
/ip firewall nat add action=netmap chain=srcnat comment="ROUTER OS (SOURCE NAT)" disabled=no to-addresses=172.16.0.1
It sounds like 172.16.0.1 is your management IP address. Just assign this to the public interface; there are no NAT settings required to point this at the router.

As for everything else it looks OK from what you've posted..... Here's how it should look:

/ip address
add address=192.168.0.1/24 interface=LAN
add address=172.16.0.1/27 interface=WAN
add address=172.16.0.2/27 interface=WAN
add address=172.16.0.3/27 interface=WAN

/ip firewall nat
add action=dst-nat chain=dstnat disabled=no dst-address=172.16.0.1 to-addresses=192.168.0.101
add action=dst-nat chain=dstnat disabled=no dst-address=172.16.0.2 to-addresses=192.168.0.102
add action=dst-nat chain=dstnat disabled=no dst-address=172.16.0.3 to-addresses=192.168.0.103
add action=src-nat chain=srcnat disabled=no src-address=192.168.0.101 to-addresses=172.16.0.1
add action=src-nat chain=srcnat disabled=no src-address=192.168.0.102 to-addresses=172.16.0.2
add action=src-nat chain=srcnat disabled=no src-address=192.168.0.103 to-addresses=172.16.0.3

/ip route
# default route
add dst-address=0.0.0.0/0 gateway=172.16.0.30

If you have other hosts on the LAN other than the 1:1 NAT hosts then you'll need to add a masquerade rule in the src-nat chain.

Should be pretty straight forward.
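
An added example (not part of any post in this thread, and not MikroTik tooling): a Python audit of the address list and NAT export posted earlier in the thread. It checks that each src-nat rule has its reverse dst-nat, flags matcher-less rules such as the netmap rule questioned above, and lists which assigned addresses are left for the router itself, following fewi's point that the router only answers on addresses that are not destination-NATed. The function names and the matcher list are assumptions of this example.

```python
import ipaddress
import shlex

# Address list and NAT export as posted earlier in the thread (172.16.0.0/24
# stands in for the poster's real public range).
PUBLIC_ADDRESSES = ["172.16.0.1/24", "172.16.0.5/24", "172.16.0.10/24", "172.16.0.15/24"]
NAT_EXPORT = '''\
add action=src-nat chain=srcnat comment="192.168.0.1 (SOURCE NATTING)" disabled=no src-address=192.168.0.1 to-addresses=172.16.0.5
add action=dst-nat chain=dstnat comment="192.168.0.1 (DESTINATION NATTING)" disabled=no dst-address=172.16.0.5 to-addresses=192.168.0.1
add action=src-nat chain=srcnat comment="192.168.0.2 (SOURCE NATTING)" disabled=no src-address=192.168.0.2 to-addresses=172.16.0.10
add action=dst-nat chain=dstnat comment="192.168.0.2 (DESTINATION NATTING)" disabled=no dst-address=172.16.0.10 to-addresses=192.168.0.2
add action=src-nat chain=srcnat comment="192.168.0.3 (SOURCE NATTING)" disabled=no src-address=192.168.0.3 to-addresses=172.16.0.15
add action=dst-nat chain=dstnat comment="192.168.0.3 (DESTINATION NATTING)" disabled=no dst-address=172.16.0.15 to-addresses=192.168.0.3
add action=netmap chain=srcnat comment="ROUTER OS (SOURCE NAT)" disabled=no to-addresses=172.16.0.1
'''

# Properties that narrow what a NAT rule matches (a subset, chosen for this example).
MATCHERS = {"src-address", "dst-address", "src-address-type", "dst-address-type",
            "src-address-list", "dst-address-list", "in-interface", "out-interface",
            "protocol", "src-port", "dst-port"}


def parse_rules(export):
    """Turn 'add key=value ...' export lines into dicts, keeping rule order."""
    rules = []
    for line in export.splitlines():
        tokens = shlex.split(line)  # honours the quoted comment="..." values
        if tokens and tokens[0] == "add":
            rules.append(dict(t.split("=", 1) for t in tokens[1:] if "=" in t))
    return rules


def audit(export, public_addresses):
    """Return (findings, assigned addresses that still reach the router itself)."""
    assigned = {str(ipaddress.ip_interface(a).ip) for a in public_addresses}
    snat, dnat, findings = {}, {}, []  # snat: private -> public, dnat: public -> private
    rules = [r for r in parse_rules(export) if r.get("disabled", "no") == "no"]
    for pos, r in enumerate(rules, 1):
        chain, action = r.get("chain"), r.get("action")
        if not (r.keys() & MATCHERS):
            findings.append(f"rule {pos}: {action} in {chain} has no matcher, "
                            "so it rewrites every connection that reaches it")
        elif chain == "srcnat" and "src-address" in r and "to-addresses" in r:
            snat[r["src-address"]] = r["to-addresses"]
        elif chain == "dstnat" and "dst-address" in r and "to-addresses" in r:
            dnat[r["dst-address"]] = r["to-addresses"]
    for private, public in snat.items():
        if dnat.get(public) != private:
            findings.append(f"{private} -> {public}: no dst-nat rule maps it back")
    for public, private in dnat.items():
        if snat.get(private) != public:
            findings.append(f"{public} -> {private}: no src-nat rule sends it out as {public}")
    for public in sorted(set(snat.values()) | set(dnat)):
        if public not in assigned:
            findings.append(f"{public}: used in NAT but not assigned to the interface")
    # Addresses with no dst-nat rule are the only ones the router answers on.
    free = sorted(assigned - set(dnat), key=ipaddress.ip_address)
    if not free:
        findings.append("every assigned address is dst-nat'ed; none reaches the router itself")
    return findings, free


if __name__ == "__main__":
    findings, free = audit(NAT_EXPORT, PUBLIC_ADDRESSES)
    for finding in findings:
        print("FINDING:", finding)
    print("addresses still answered by the router:", ", ".join(free))
```

A clean result here only means the rules are internally consistent; it says nothing about what neighbouring devices hold in their ARP caches.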
 
leon84
Member Candidate
Topic Author
Posts: 201
Joined: Wed Dec 02, 2009 12:15 pm

Re: NAT question ( is it a bug ?)

Fri Dec 02, 2011 12:33 am

Hi William,
the rule you quoted is there so that the router always uses the same IP address for its own connections to the Internet. If I use the masquerade function instead of src-nat and I have different public IPs on the same interface, which IP address does it use? The preferred source specified in the route table? Or is it random? I don't know, and so I specified it with src-nat.

As for the configuration... it is the same one that I'm using... It's strange...
Tomorrow I will post about the Winbox problem...
 
leon84
Member Candidate
Topic Author
Posts: 201
Joined: Wed Dec 02, 2009 12:15 pm

Re: NAT question ( is it a bug ?)

Fri Dec 02, 2011 9:09 am

Hi William, I checked arp-proxy. There isn't any.
The ARP mode for interface ether10 is "enabled".
I think that this RouterBOARD has some hardware or firmware problem...
 
leon84
Member Candidate
Topic Author
Posts: 201
Joined: Wed Dec 02, 2009 12:15 pm

Re: NAT question ( is it a bug ?)

Tue Dec 06, 2011 1:30 pm

Hi to all,
I think I solved the problem!
As I told you, I want to use the RB1200 to replace a Debian server with iptables.
This morning I said to myself: if some src-nat rules run and others do not, is it possible that it is about the ARP cache?
Is it possible that there is some Linux server that has a longer timeout? Then I cloned the Debian MAC address on the RB1200 and now everything runs correctly...
 
alexandro
just joined
Posts: 24
Joined: Mon Jun 06, 2011 11:03 am
Location: Lebanon

Re: NAT question ( is it a bug ?)

Fri Dec 09, 2011 3:17 pm

Hi

ip firewall nat add chain=srcnat src-address=192.168.0.1 action=src-nat to-addresses="IP PUBLIC 1"
ip firewall nat add chain=dstnat dst-address="IP PUBLIC 1" action=dst-nat to-addresses=192.168.0.1

This is your config

You should use this config and everything will be OK:

ip firewall nat add chain=srcnat src-address=192.168.0.1 action=src-nat to-addresses="IP PUBLIC 1"
ip firewall nat add chain=dstnat dst-address="IP PUBLIC 1" action=netmap to-addresses=192.168.0.1


:)
 
leon84
Member Candidate
Topic Author
Posts: 201
Joined: Wed Dec 02, 2009 12:15 pm

Re: NAT question ( is it a bug ?)

Fri Dec 09, 2011 3:30 pm

Hi Alexandro, thanks for the answer. Why must I use the netmap function in destination NAT and not simply dst-nat? And why do you use netmap only in dst-nat? I tried netmap in both (src-nat and dst-nat) but not in dst-nat only. Next week I will try your configuration and tell you. Thanks a lot.
 
alexandro
just joined
Posts: 24
Joined: Mon Jun 06, 2011 11:03 am
Location: Lebanon

Re: NAT question ( is it a bug ?)

Sat Dec 10, 2011 11:58 am

I am using this configuration and everything is OK; I am using it to access my routers from my mobile phone and everything was working properly.
You're welcome.
