I've just configured my MikroTik in front of my server. I want to put a mail server behind it. I have read many NAT references and tried to implement it in my network, but I still find a problem. Here are my topology and configuration:
( Internet )------|Mikrotik|-------[switch]--------server
                      |
                      +------[access point]--------user's laptop
I want my server not only to be able to connect to the internet but also to be accessible from the internet. So I do a 1-to-1 NAT so that the mail server's public IP (x.x.x.3) will be NAT-ed to its private IP (192.168.2.3), and vice versa, along with all services (ports).
In MikroTik:
/ip address
add address=x.x.x.2/29 interface=ether2 network=x.x.x.1 --> x.2 to internet
add address=x.x.x.3/29 interface=ether2 network=x.x.x.1 --> x.3 to be public ip of mail
add address=192.168.1.1/24 interface=ether3 network=192.168.1.0 --> gateway of access point for users
add address=192.168.2.1/24 interface=ether4 network=192.168.2.0 --> gateway of server's private ip
/ip firewall nat
add action=src-nat chain=srcnat src-address=192.168.1.0/24 to-addresses=x.x.x.2
add action=src-nat chain=srcnat src-address=192.168.2.3 to-addresses=x.x.x.3
add action=dst-nat chain=dstnat disabled=yes dst-address=x.x.x.3 dst-port=443 protocol=tcp to-addresses=192.168.2.3 to-ports=443
The problem is:
With this configuration, my mail server (192.168.2.3) cannot ping 8.8.8.8. But if I change my src-nat action to masquerade, it can ping it (connect to the internet).
While it can ping the internet using masquerade, its HTTPS page (port 443) still cannot be accessed from the internet.
Is there anything wrong with my NAT or address configuration? Why do masquerade and src-nat really matter in my situation?
First you should resolve the src-nat problem. It seems like address x.x.x.3 is not working. With src-nat, traffic from the server goes exactly to address x.x.x.3; with masquerade, traffic goes to ether2 and uses any available address configured for this interface. Check if your x.x.x.3 address is working (ping from the router itself using this address as source).
I found my mistake. This was my address configuration before it was resolved:
/ip address
add address=x.x.x.2/29 interface=ether2 network=x.x.x.1 --> x.2 to internet
add address=x.x.x.3/29 interface=ether2 network=x.x.x.1 --> x.3 to be public ip of mail
add address=192.168.1.1/24 interface=ether3 network=192.168.1.0 --> gateway of access point for users
add address=192.168.2.1/24 interface=ether4 network=192.168.2.0 --> gateway of server's private ip
This is after:
/ip address
add address=x.x.x.2/32 interface=ether2 --> x.2 to internet
add address=x.x.x.3/32 interface=ether2 --> x.3 to be public ip of mail
add address=192.168.1.1/24 interface=ether3 network=192.168.1.0 --> gateway of access point for users
add address=192.168.2.1/24 interface=ether4 network=192.168.2.0 --> gateway of server's private ip
Spot the differences? Yes, a specific address should use a specific subnet. So now I decided to use /32 instead of /29. No network is required, because it will be added automatically.
Thanks karlisi. Thanks MikroTik. Hope this thread can be useful for all.
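For reference, here is a complete 1-to-1 NAT configuration for the topology in this thread, together with the source-address ping check karlisi suggested. This is an added example, not the configuration posted above or anything from MikroTik's documentation. It assumes the ISP delegated the block x.x.x.0/29 with its gateway at x.x.x.1 (so the `network` of a /29 address is x.x.x.0, not x.x.x.1 as in the first posted config), that the router keeps x.x.x.2 for itself and x.x.x.3 for the mail server, and that only SMTP, submission, IMAPS and HTTPS (ports 25, 587, 993, 443) should be reachable from the internet. Unlike the posted dst-nat rule, which was `disabled=yes` and covered only port 443, this one is enabled and uses `netmap` so all ports are mapped in both directions.

```routeros
# Added example, not the thread's own config. Assumes the public block is
# x.x.x.0/29, ISP gateway x.x.x.1, router x.x.x.2, mail server public x.x.x.3.

/ip address
# network= is the network address of the prefix, not the ISP gateway.
add address=x.x.x.2/29 network=x.x.x.0 interface=ether2 comment="router WAN"
add address=x.x.x.3/29 network=x.x.x.0 interface=ether2 comment="public IP of mail"
add address=192.168.1.1/24 interface=ether3 comment="user LAN gateway"
add address=192.168.2.1/24 interface=ether4 comment="server LAN gateway"

/ip route
add dst-address=0.0.0.0/0 gateway=x.x.x.1

/ip firewall nat
# 1:1 NAT in both directions: netmap rewrites the address and keeps ports.
add chain=dstnat dst-address=x.x.x.3 action=netmap to-addresses=192.168.2.3 \
    comment="inbound: x.x.x.3 -> mail server"
add chain=srcnat src-address=192.168.2.3 action=netmap to-addresses=x.x.x.3 \
    comment="outbound: mail server -> x.x.x.3"
# Users leave through the router's own address; out-interface keeps this
# from rewriting LAN-to-LAN traffic.
add chain=srcnat src-address=192.168.1.0/24 out-interface=ether2 \
    action=src-nat to-addresses=x.x.x.2 comment="users"

/ip firewall filter
# 1:1 NAT exposes every port of 192.168.2.3, so the forward chain decides
# which port-forwarded connections from the WAN side are actually allowed.
add chain=forward connection-state=established,related action=accept
add chain=forward in-interface=ether2 connection-nat-state=dstnat \
    dst-address=192.168.2.3 protocol=tcp dst-port=25,443,587,993 action=accept \
    comment="mail services reachable from the internet"
add chain=forward in-interface=ether2 connection-nat-state=dstnat action=drop \
    comment="drop every other port-forwarded connection"

# karlisi's check: prove x.x.x.3 works from the router before blaming NAT.
/ping 8.8.8.8 src-address=x.x.x.3 count=3
# Then confirm the server's connections are translated to x.x.x.3:
/ip firewall connection print where src-address~"^192.168.2.3"
```

Because x.x.x.3 is configured on ether2 the router answers ARP for it, so no proxy-arp is needed. If the ping with `src-address=x.x.x.3` fails while a ping with `src-address=x.x.x.2` works, the problem is the address or route, exactly the situation in this thread, and no NAT rule will fix it.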