MrdotApple
newbie
Topic Author
Posts: 43
Joined: Tue Oct 25, 2016 7:44 pm

Mikrotik with Pfsense firewall

Wed Jan 24, 2024 7:49 pm

Hi everyone!
I am looking for some help.
I have no password for the current RB960PGS and no backup of the config.

Topology:
ISP Modem <-> Mikrotik RB960PGS <-> CRS326
CRS326 <-> Computers, servers - running a pfSense VM with 2 interfaces, WAN and LAN.
On the RB960PGS:
- Ether 1 - ISP connection (fixed IP configured on Ether1)
- Ether 2 -> connecting to the CRS326

pfSense configuration:
- Ether 1 - 192.168.70.1/24 - default gateway 192.168.70.254
- Ether 2 - 192.168.70.254/24 - LAN network on the CRS326 (as virtual)

I made a masquerade NAT firewall rule, so I have an internet connection, because the out interface is the RB960PGS ether1, which is the ISP.

I would like to pass all of the traffic to the pfSense.
I have some services running on 50.42, 50.43 and 50.44.

So what I need:
- Fixed IP + XXXX port (open on pfSense; the NAT to the server is already created, WAN IP + port -> LAN IP + port.
It should just work, because it is working currently.)

What kind of firewall NAT chain, filter rule or anything else should I use to pass the traffic from the ISP modem to the pfSense WAN IP across the new RB960PGS?
img.png
(I can configure the ISP failover, that's why I didn't describe the 2nd connection.)
Of course, if anybody can help, I will be really thankful 8)
Thanks!
Last edited by MrdotApple on Wed Jan 31, 2024 6:29 pm, edited 2 times in total.
 
vingjfg
Member Candidate
Posts: 291
Joined: Fri Oct 20, 2023 1:45 pm

Re: Mikrotik with Pfsense firewall

Wed Jan 24, 2024 9:42 pm

The easiest, as far as I can see, is something along the lines of the following. This simply takes whatever arrives on the interfaces in the WAN list and translates it to the pfSense's address.
/ip/firewall/nat
add chain=dstnat in-interface-list=WAN action=dst-nat to-addresses=192.168.70.1
By default, MikroTik has a rule that permits all traffic to destinations that were translated. If you have left it, that should still work.

Note that in the description you give, you have no 192.168.70.254, and you said you assigned 70.2 to ether2, which you show connected to the second ISP. It may be that you already have quite a problem before doing more work.

Lastly, you are making this quite complex for the simple case you have. I think you should stop and consider simplifying your network: for example, there is no need to do NAT on the MikroTik AND on the pfSense when you could just do the NAT on the MikroTik directly to the real address of the server.
 
MrdotApple
newbie
Topic Author
Posts: 43
Joined: Tue Oct 25, 2016 7:44 pm

Re: Mikrotik with Pfsense firewall

Wed Jan 31, 2024 12:24 am

Thank you!
But I think the issue is caused by the MikroTik changing the header while passing data to the pfSense, so when I open the website from outside, my request will never reach the target host. I have internet because of the masquerade rule on the LAN.

So I think I need to forward the packets between the MikroTik and the pfSense to get this without changing the packets. Am I totally wrong?
I think it is causing double NAT or something like this.

Also, a correction for the configuration:

I have set a fixed IP for ether1 (ISP1)
I have set ether2 as 192.168.70.254/24 -> CRS326 -> virtual pfSense (192.168.70.1/24, default gateway 192.168.70.254)

I have made a masquerade srcnat on ether1.
 
MrdotApple
newbie
Topic Author
Posts: 43
Joined: Tue Oct 25, 2016 7:44 pm

Re: Mikrotik with Pfsense firewall

Wed Jan 31, 2024 1:01 am

I have edited my main post; I messed up the IP configuration.
This is the current configuration, what I set and what I have on pfSense.

On the RB960PGS:
- Ether 1 - ISP connection (fixed IP configured on Ether1)
- Ether 2 -> connecting to the CRS326 - 192.168.70.54/24
I have made a masquerade srcnat on ether1. - Internet OK on the CRS326 LAN

pfSense configuration:
- Ether 1 - 192.168.70.1/24 - default gateway 192.168.70.254
- Ether 2 - 192.168.50.254/24 - LAN network on the CRS326 (as virtual)

Connection -> RB960PGS Ether 1 -> forward -> 192.168.70.1 (pfSense will do the NAT from WAN IP + port -> LAN (SRV IP + port)).
Then the connection should go back... And I think this is the part that is not working. I think the IP address is changed during the NAT and then it cannot answer, so I have hanging connections.

Sorry for the bad description. I have tried many different ways. (Some networking guy told me it's a routing problem etc. I got too much information.)
 
vingjfg
Member Candidate
Posts: 291
Joined: Fri Oct 20, 2023 1:45 pm

Re: Mikrotik with Pfsense firewall

Wed Jan 31, 2024 11:46 am

I redrew the schematic with the information you gave. Let me know if that matches. The switch has been removed as it is L2 and won't change a thing (for now).
mt-pfsense.drawio.png
Note that you wrote the default gateway on the pfSense is 192.168.70.254 and that the MT has 192.168.70.54. So you already have a first issue, which is that these don't match. I am assuming you made a typo and your MT has 192.168.70.254; let me know if it doesn't.

If I understand correctly what you want: connections on the Internet going to 1.2.3.4 port 8443 (or 80, or 443, or 8080 or whatever) go unchanged to the pfSense, which will translate 1.2.3.4 port 8443 to 192.168.50.xx port yyyy.

Not going to work in the setup you explained: the IP you want to apply the NAT to is also the IP of the interface, meaning that, as it is unchanged, the MT will consider the packet destined to its own interface, run it through the input chain and process it locally.

If you have a second public IP, that can work, but with only a single public IP - not going to.

There are several possible solutions:
  • Move the NAT/port translation from the PFSense to the MT and route (best option)
  • Bridge the WANs to the external interface of the PFSense, which will then have the public IP as its external IP (second best option)
  • Accept that double NAT will happen, that will cause performance issues before you have other types of issues (third best option)
 
MrdotApple
newbie
Topic Author
Posts: 43
Joined: Tue Oct 25, 2016 7:44 pm

Re: Mikrotik with Pfsense firewall

Wed Jan 31, 2024 8:02 pm

mikrotikimage.png
Sorry, I left one issue in the first post. :?

This is a currently working network setup. The issue is, I have no password for the currently running RB960PGS, and I don't want to wait until the device breaks. So I started to collect information. This system is working now, services also; after I replace the two devices, I have an internet connection, so that part is fine, but the services are not accessible.

Once more, my current configuration on the MikroTik:
RB960PGS
- Ether 1 - ISP connection (static IP from ISP configured)
- Ether 2 -> 192.168.70.254/24

- Masquerade srcnat, out interface Ether 1

pfSense configuration:
- Ether 1 - 192.168.70.1/24 - default gateway 192.168.70.254
- Ether 2 - 192.168.50.254/24 - LAN
Last edited by MrdotApple on Thu Feb 01, 2024 12:02 am, edited 1 time in total.
 
vingjfg
Member Candidate
Posts: 291
Joined: Fri Oct 20, 2023 1:45 pm

Re: Mikrotik with Pfsense firewall

Wed Jan 31, 2024 9:15 pm

So we ironed out the 70.54/70.254 one - one to go.

Yes for the password. Do that as soon as you can.

Can you send me the NAT rules from the pfSense?
 
MrdotApple
newbie
Topic Author
Posts: 43
Joined: Tue Oct 25, 2016 7:44 pm

Re: Mikrotik with Pfsense firewall

Thu Feb 01, 2024 12:02 am

This is not possible, that's why I am looking for a solution. :D If I were able to recover the password of the currently running RB960PGS, of course I would just save the config file and keep doing my stuff. Because nobody knows the device's password, what I can do in this case is replace the device and try to replicate the configuration.

So I have no password for the CURRENT RB960PGS; the device has a password, but nobody knows it. I bought another RB960PGS, and I will keep trying different configurations until everything works fine on the network. After that I can reset the currently used one...

I don't really want to touch the pfSense, because everything has been configured and working perfectly for 5 years.

I have two options.
1. Figure out the configuration for the new RB960PGS and be able to replace the other device.
2. Redesign the whole network, remove pfSense, etc.

I really want to go with the first option, because the pfSense has been running and doing everything since the first time it was turned on and configured. I don't want to replace the whole network configuration because of a forgotten MikroTik password... :/

pfSense NAT rule example
mikrotikpfsense.png

And of course pfSense automatically creates a filter rule for it.
 
vingjfg
Member Candidate
Posts: 291
Joined: Fri Oct 20, 2023 1:45 pm

Re: Mikrotik with Pfsense firewall  [SOLVED]

Thu Feb 01, 2024 12:10 pm

Now we are getting somewhere.

Add this to your running MikroTik. This will permit access from the internet to your server on TCP/8080. Of course, replace <your public IP> with the actual IP address.
/ip/firewall/nat
add chain=dstnat in-interface-list=WAN action=dst-nat to-addresses=192.168.70.1 dst-port=8080 protocol=tcp dst-address=<your public IP>
Chances are that double NAT has been present all along. Let's fix the immediate issue (incoming traffic) and you'll fix it and make a proper configuration later.
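The rule above, and the catch-all form from vingjfg's first reply, only cover the NAT chain; the rest of what the RB960PGS needs (WAN interface list, the masquerade the original post already has, the forward-chain filter that lets dst-nat'ed traffic through and drops everything else from the ISP side) is scattered through the thread. The following is an added, complete RouterOS 7 configuration written for this thread; it is not vingjfg's or MrdotApple's config, and it assumes ether1 is the ISP port with the static public address, ether2 is 192.168.70.254/24 towards the CRS326 and the pfSense WAN (192.168.70.1), the interface list is named WAN as in MikroTik's default configuration, the published service is TCP/8080, and `<your public IP>` is a placeholder. It deliberately publishes one port rather than the catch-all `dst-nat` of the first reply, so only the port pfSense actually serves is reachable from the Internet; the two `print` commands at the end are the checks to run afterwards.

```routeros
# Added example for this thread (not from the forum posts). Assumed: ether1 = ISP
# (static public IP), ether2 = 192.168.70.254/24 towards CRS326/pfSense WAN,
# interface list "WAN" as in the default configuration, service on TCP/8080.
# <your public IP> is a placeholder for the static address on ether1.

/interface/list
add name=WAN comment="ISP-facing interfaces"
/interface/list/member
add list=WAN interface=ether1

/ip/address
add address=192.168.70.254/24 interface=ether2 comment="towards CRS326 / pfSense WAN"

# Outbound: hide 192.168.70.0/24 (and pfSense's LAN behind it) behind the public IP.
/ip/firewall/nat
add chain=srcnat out-interface-list=WAN action=masquerade comment="outbound masquerade"

# Inbound: translate only the published port, and only packets addressed to the
# public IP. The rewrite happens in prerouting, so the routing decision sends the
# packet to the forward chain towards 192.168.70.1 instead of the input chain.
add chain=dstnat in-interface-list=WAN protocol=tcp dst-address=<your public IP> \
    dst-port=8080 action=dst-nat to-addresses=192.168.70.1 to-ports=8080 \
    comment="publish TCP/8080 to pfSense WAN"

# Forward chain: accept replies, accept new connections that were dst-nat'ed,
# drop everything else that arrives from the ISP side (same intent as the
# default "drop all from WAN not DSTNATed" rule).
/ip/firewall/filter
add chain=forward connection-state=established,related action=accept comment="replies"
add chain=forward connection-state=invalid action=drop comment="broken state"
add chain=forward connection-state=new connection-nat-state=dstnat \
    in-interface-list=WAN action=accept comment="allow dst-nat'ed inbound"
add chain=forward connection-state=new in-interface-list=WAN action=drop \
    comment="drop everything else from WAN"

# Checks: the dst-nat rule's counters should climb when the service is reached
# from outside, and the connection table should show the translated flow.
/ip/firewall/nat/print stats
/ip/firewall/connection/print where dst-address~"192.168.70.1:8080"
```

Return traffic needs no extra rule: connection tracking reverses the dst-nat for replies from 192.168.70.1, and the pfSense side still sees the Internet source address, so its own WAN-to-LAN port forward keeps working unchanged. The double NAT vingjfg mentions is still present (MikroTik to pfSense WAN, pfSense WAN to 192.168.50.x); this configuration only makes the first hop explicit and limits it to the published port.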
 
MrdotApple
newbie
Topic Author
Posts: 43
Joined: Tue Oct 25, 2016 7:44 pm

Re: Mikrotik with Pfsense firewall

Mon Feb 12, 2024 11:42 am

Thank you!
Now I can see what the issue was. I never used the "public IP" as the dst-address, because of the missing WAN IP. I left the dst-address empty all the time.

Thank you, really! If possible, write me a message please, if this is possible. :)
