I have a PUBLIC_IP/29 provided by our ISP, one of these IPs is given to the ISP router (PUBLIC_1). I have given some of these IPs to our router (RB4011, v7.18.2), one of them to srcnat general traffic, and one of them to redirect to a VM on Proxmox.
PUBLIC_IP.65 is our ISP router
PUBLIC_IP.67 is the one I’m trying to netmap 1:1 or dstnat to 10.190.0.12 (on ether4)
Checks done so far:
When I ping PUBLIC_IP.67 from outside the network, with tcpdump on both machines (mine and 10.190.0.12):
ICMP is fine, requests and replies are exchanged and seen on both.
When I try something else (http, https, ssh), nothing shows up on 10.190.0.12.
I tried dstnat only for dst port 80, I tried 80 + 443, I tried disabling srcnat from the server to keep it on the general router address; nothing arrives at the server except ICMP.
I even tried a ping size of 1024 bytes. It's OK.
ssh telnetmyip.com correctly shows the general IP or PUBLIC_IP.67 depending on whether the dstnat rule is off or on.
I didn't see anything obviously wrong … but I don't know much about using multiple routing tables, so I can't comment on that aspect of your configuration.
This is weird. Netmap should NAT all IPv4 sub-protocols equally … both ICMP and TCP. Did you try to sniff traffic on the router itself? If the filter is done correctly (e.g. set it to the src-address of your test remote client) and is set to sniff on all interfaces, it should show the same packet multiple times … with slightly different properties (e.g. a different dst-address after it's netmapped).
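What the reply above describes, a 1:1 netmap pair plus a router-side sniff that catches the same packet before and after translation, written out as RouterOS commands. This is an added example, not the original poster's configuration: the interface names (ether1 uplink, ether4 LAN), 198.51.100.7 standing in for PUBLIC_IP.67 and 203.0.113.5 as the remote test client are all assumptions.

```routeros
# Added example, not the poster's config. Assumed values:
#   ether1       = uplink towards the ISP router (PUBLIC_IP.65)
#   ether4       = LAN side where the VM 10.190.0.12 lives
#   198.51.100.7 = stands in for PUBLIC_IP.67 (assumed)
#   203.0.113.5  = remote client you test from (assumed)

# 1. The router must own .67, otherwise the ISP router's ARP for it goes unanswered
#    and nothing for that address ever reaches the NAT table.
/ip address
add address=198.51.100.7/29 interface=ether1 comment="1:1 netmap target"

# 2. Inbound 1:1: every IP protocol addressed to .67 is rewritten to the VM.
/ip firewall nat
add chain=dstnat dst-address=198.51.100.7 in-interface=ether1 \
    action=netmap to-addresses=10.190.0.12 comment="1:1 in -> VM"

# 3. Outbound 1:1: the VM's own traffic leaves as .67. Keep this rule ABOVE the
#    general masquerade/src-nat rule, rules are matched top to bottom.
add chain=srcnat src-address=10.190.0.12 out-interface=ether1 \
    action=netmap to-addresses=198.51.100.7 comment="1:1 out <- VM"

# 4. Sniff on all interfaces, filtered on the remote client. A translated packet
#    is listed twice: dst=198.51.100.7 arriving on ether1, then dst=10.190.0.12
#    leaving on ether4. TCP only, so the ICMP you already know works is hidden.
/tool sniffer
set filter-interface=all filter-ip-address=203.0.113.5 filter-ip-protocol=tcp \
    memory-limit=10MiB
start
# ... from 203.0.113.5 run: curl -m 5 http://198.51.100.7/ ...
stop
packet print
```

Reading the result: a SYN for .67 on ether1 followed by the same SYN for 10.190.0.12 on ether4 means NAT is doing its job and the problem is on the VM or its firewall. A SYN on ether1 with no copy on ether4 points at the NAT or filter rules. No SYN on ether1 at all, while ICMP for the same address does show up, means the packets are being dropped before they reach this router.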
My routing tables are there to ensure that incoming traffic from a backup ISP is answered on the same route it came from. I also made my tests with all the mangle and routing tables disabled.
It seems I'm having an issue with incoming traffic from my ISP. Currently, when I packet sniff ON the ISP router (a MikroTik), I see the ICMP and Winbox traffic. And that's it. Web traffic doesn't go through our ISP router, same as SSH. I've opened a ticket hoping I'll get something.
It seems the ISP had some kind of misconfiguration on their side. They answered me "Engineering is telling me everything is fine, can you check again" and poof, magically the IP reached our VM…