All incoming connections appear as Routers IP

saibarker · June 6, 2017, 9:01am

When Looking through service logs on my server (which is behind a Mikrotik RB2011UIAS-RM NAT) All incoming connections appear as the Mikrotik’s IP address and not the client’s Public IP.

I have a feeling it has to do with Masquerade but I have tried disabling all the rules with no success.

Thanks in advanced

BartoszP · June 6, 2017, 10:10am

There are two reasons:

A. Connections from WAN to LAN are masqaraded with router’s IP
B. Connections from LAN to server use harpin-nat as they connect not directly to local server IP but they use it’s public IP so server sees them as incoming from router. https://wiki.mikrotik.com/wiki/Hairpin_NAT

saibarker · June 6, 2017, 9:16pm

Ok, so I have figured out it is not a hairpin nat causing this. so it must be the masquerade rules.
Below is a screenshot of the masquerade rules in IP>Firewall>Nat
Do I need to disable the rule for “OutInterface=Local” or all of them?

Thanks

sid5632 · June 6, 2017, 10:06pm

Posting screenshots is pointless as they don’t show all the columns. Use a config. export instead. In this case “/ip firewall nat export”.

Do I need to disable the rule for “OutInterface=Local” or all of them?

Probably the former, but you don’t exactly give much information. Why did you put it in there in the first place?

saibarker · June 6, 2017, 11:31pm

/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN1
add action=masquerade chain=srcnat out-interface=Local
add action=masquerade chain=srcnat out-interface=WAN2
add action=masquerade chain=srcnat out-interface=WAN3
# no interface
add action=masquerade chain=srcnat out-interface=*14
# WAN4 not ready
add action=masquerade chain=srcnat out-interface=WAN4
add action=masquerade chain=srcnat out-interface=WAN1
add action=dst-nat chain=dstnat disabled=yes dst-port=8040-8041 protocol=tcp \
    to-addresses=192.168.10.13 to-ports=8040-8041
add action=dst-nat chain=dstnat disabled=yes dst-port=4444 in-interface-list=\
    all protocol=tcp to-addresses=192.168.10.13 to-ports=4444
add action=dst-nat chain=dstnat port=10001 protocol=tcp to-addresses=\
    192.168.0.4 to-ports=10001
add action=dst-nat chain=dstnat port=8091 protocol=tcp to-addresses=\
    192.168.20.1 to-ports=8091
add action=dst-nat chain=dstnat port=25565 protocol=tcp to-addresses=\
    192.168.0.3 to-ports=25565
add action=dst-nat chain=dstnat port=3389 protocol=tcp to-addresses=192.168.0.3 \
    to-ports=3389

saibarker · June 13, 2017, 12:47am

Bump

Sob · June 13, 2017, 2:09am

This one is the reason why it happens:

/ip firewall nat
add action=masquerade chain=srcnat out-interface=Local