I have a problem which I can’t handle. My ISP gave me 5 IP addresses. Let’s say it’s 1.1.1.50/29, 1.1.1.51/29, 1.1.1.52/29, 1.1.1.53/29 and 1.1.1.54/29. My gateway is 1.1.1.49 and my network is 1.1.1.48.
Now, all of the addresses are assigned to ETH1 of my RB2011. I also have two subnets in LAN (10.x.x.0/24 and 192.x.x.0/24) which are src-natted to .51 and .53 public addresses.
I have a server with address 10.x.x.5 that has an Apache server running. On MT I have a dst-nat rule for address 1.1.1.54 directing to my 10.x.x.5 server and a src-nat for that machine pointing to my .54 public IP.
The problem is that the router has no clue on which IP it should respond for the incoming traffic.
If I disable all of my public IPs except for one - MT responds to ping properly, dst-nat works as well. However, if I enable at least one more IP - ping starts losing packets (the more IPs active the more packets lost) and my web pages work only if the outgoing packet is miraculously routed to the correct IP. I don’t have any mangle rules, nor anything special in the routing table.
Got an update.
Because I need my services up and running asap - I’ve decided to set up a web proxy on RPi and I’ve disabled all my IPs except for one (.50). That did the trick (almost): everything is working fine from the outside, there are no pings lost and all of my services are working fine.
The outgoing connections are working fine from 99% of my devices. If I go to showmyip or do a wget to who.is - my IP is correct (.50). The only device that isn’t working is my Yealink IP phone, which has one of my customer’s accounts configured, and on the customer’s Mikrotik - Torch shows that the traffic incoming from the phone comes from the .51 IP and not the .50.
I’ve removed all rules from firewall/NAT, the only ones left are dst-nat and masquerade and still - my phone is seen as .51 on the outside. The phone itself doesn’t have any public IP configuration.
Please help!
[EDIT] After rebooting my MT - the phone started to be seen at the correct IP address. That was weird…
Are you sure you didn’t have some very weird config? Because what you describe is very weird. You can have as many addresses as you want, there’s no reason why it shouldn’t work correctly.
That’s not weird. The srcnat and dstnat chains of the firewall only handle the initial packet of each connection, and the verdict of these chains is stored in the context of the connection in the connection tracking module of the firewall. So all subsequent downstream packets belonging to the same connection are handled the same way as the initial packet, and all upstream packets belonging to the same connection are handled inversely (i.e. the destination address and port of upstream packets is changed to the original source address and port of the downstream packets).
The phone registers once, and since then the same connection keeps being refreshed. And the to-addresses of a src-nat rule don’t need to be up on the router.
BTW, did you actually assign those addresses directly to the router, or did you use them just in the src-nat and dst-nat rules?
So you’re saying that each time I change src-nat rules on my MT I should reboot the router? I’ve made a lot of configurations for my customers and it was never the case…
I’m quite sure I did. I’ve assigned addresses in IP → Addresses; I’ve configured IP → Routes to my gateway (.49) on ETH1 with preferred source .50. Lastly - I’ve added src-nat rules in IP → Firewall → NAT for each server/device and for all of my subnets (I have three of them, OFC after the previous rules).
What’s odd is that I have a masquerade rule for all outgoing traffic after the src-nat rules and I can see that there are some packets that are using this rule. As for now, I’ve set up an Apache proxy on Raspberry Pi for all of my services, I’ve redirected all of my domains to the .50 address and all outgoing traffic is directed to the .50 address. Now - everything works flawlessly. But it’s a waste of IP pool and I have some concerns about the security (at the moment - my home network uses the same public IP address as my work network as well as the guest network).
Post the complete configuration export of your router (execute /export file=anynameyouwish hide-sensitive, fetch the resulting file, open it in a text editor and redact public IP addresses … obfuscate them but in a consistent manner) and include it here (inside a [code] [/code] environment).
So you’re saying that each time I change src-nat rules on my MT I should reboot the router?
@sindy is saying that changes in NAT rules get applied to new connections immediately while old connections keep the old settings. Most usual internet usage triggers many short-lived connections (web browsing, instant messaging, …), but some stuff uses a few long-lived connections (SIP, VoIP, video streaming, …). It’s the latter connections that keep living with the old NAT settings.
It is possible to clear old connections (by clearing the table in /ip firewall connection), but often it’s easier to execute a full router reboot. If one uses action=masquerade for src NAT, then a change in WAN IP address (picked up by the router) will automatically clear the connection table. But that’s with an existing rule (I’m not sure if the connection table is cleared as well if the whole rule gets removed or disabled).
It doesn’t - the rules in the srcnat and dstnat chains only handle the initial packet of each connection. The connection data in connection tracking stores the verdict of each of these chains, including the flag indicating whether the action was src-nat or masquerade, but not a link to a particular rule.
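The behaviour the replies above describe (the srcnat chain sees only the first packet of a connection, the verdict lives in the connection table, and a rule change only affects connections created afterwards until the table is flushed or the router reboots) can be modelled in a few lines. This is an added illustration, not RouterOS code; the LAN addresses, the 203.0.113.x peers, the SIP registration on port 5060 and the `Router` / `SrcNatRule` names are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class SrcNatRule:
    src_net: str      # LAN prefix the rule matches, e.g. "10.0.0.0/24"
    to_address: str   # public address the source is rewritten to


class Router:
    """Toy model of a NAT router with a connection tracking table."""

    def __init__(self, rules):
        self.rules = list(rules)
        # Connection table: 5-tuple-ish key -> stored src-nat verdict.
        self.conntrack = {}

    def forward(self, src, dst, dport):
        """Return the public source address a packet leaves with."""
        key = (src, dst, dport)
        if key in self.conntrack:
            # Existing connection: the chain is NOT consulted again,
            # the verdict stored with the connection is reused.
            return self.conntrack[key]
        verdict = src  # no matching rule -> source left unchanged
        for rule in self.rules:
            if ipaddress.ip_address(src) in ipaddress.ip_network(rule.src_net):
                verdict = rule.to_address
                break
        self.conntrack[key] = verdict  # remembered for all later packets
        return verdict

    def set_rules(self, rules):
        self.rules = list(rules)  # only new connections see the change

    def flush_connections(self):
        self.conntrack.clear()  # what /ip firewall connection remove or a reboot does


def demo():
    r = Router([SrcNatRule("10.0.0.0/24", "1.1.1.51")])
    before = r.forward("10.0.0.7", "203.0.113.10", 5060)   # phone registers
    r.set_rules([SrcNatRule("10.0.0.0/24", "1.1.1.50")])   # admin changes src-nat
    stale = r.forward("10.0.0.7", "203.0.113.10", 5060)    # registration refresh
    fresh = r.forward("10.0.0.7", "203.0.113.20", 443)     # brand-new connection
    r.flush_connections()
    after = r.forward("10.0.0.7", "203.0.113.10", 5060)    # re-registration
    return before, stale, fresh, after
```

Running `demo()` shows the SIP connection keeping the old .51 address after the rule change while a new HTTPS connection already gets .50, and only the flush makes the phone re-register from .50.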