Can't make Port FWD for multiple IP's

norenberg · September 27, 2012, 5:01am

I have multiple public IP’s and I have NAT port forwarding for multiple services.
When I input a new WAN IP and route it ie a PPPoEout connection, it drops the NAT for all the others.

For instance, if I have this:

 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          10.0.0.2                  5
 1   S  0.0.0.0/0                          202.1XX.5x.X              5
 2 X S  0.0.0.0/0                          192.168.3.1               5
 3 ADS  0.0.0.0/0                          2XX.8X.5x.1               1  ALL SERVICES NAT TO THIS

So, say that I add a new PPPoE OUT connection:

 1 A S  0.0.0.0/0                          203.1xx.5x.1              5

I can’t make any NAT through this one above. Can’t ping from external, can’t do anything.
And if I mark “Add Default Route” I can ping from outside but it kills all the other PPTP and NAT’s port fwd from the 202.1XX.5x.X , for example:

13 X ;;; Backup
     chain=dstnat action=dst-nat to-addresses=192.168.1.20 to-ports=80 
     protocol=tcp dst-address=202.1XX.5x.X  dst-port=8080

This stops working.

Any clue on why is this happening?

Cheers

norenberg · September 27, 2012, 8:54pm

Was my question understandable?

janisk · September 28, 2012, 9:16am

paste more configuration as it is not clear what ou have set up where. what masquerade (srcnat) you have.have.

AnRkey · September 28, 2012, 9:35am

Post the output of /ip firewall nat print for us please.

Also, you an only have one default gateway unless you label traffic and then route by label. This is the only way, that I’m aware of, to have multiple default gateways at once.

Having two default gateways will result in only one of them being used.

norenberg · September 28, 2012, 2:30pm

Thanks everyone for the reply.

This makes sense, I do use marked routes, but someone has done this for me.
Now I need to be onsite to check this out (I don’t wanna risk to do it remotely.)

I use masquerade for hotspots and multiple VLANs but I believe routing-marks will be the culprit.

I will post the follow-up here for reference.

cheers

norenberg · October 23, 2012, 2:44am

Ok, I am using route marks and I can get the outgoing connection to work fine.
However, I still not able to make the IP to respond to incoming connections.

Any advice?

 1   chain=prerouting action=mark-routing new-routing-mark=residential 
     passthrough=yes src-address-list=pppoe dst-address-list=!local

;;; Backup VDSL
     chain=dstnat action=dst-nat to-addresses=192.168.1.20 to-ports=80 
     protocol=tcp dst-address=203.171.5X.XXX routing-mark=residential 
     dst-port=8080

I just can’t connect to the port 8080

Cheers, thanks for any advice.

janisk · October 23, 2012, 9:32am

if yo have several WAN connections and you want to use them both then

mark routing, so traffic knows where to go out, like some load balancing (seems you have this)
you have to mark incoming connections and assign them wan routing marks so packets that came it WAN1 will go out WAN1 not any other of available WAN interfaces
if you want NAT to specific addresses you can use 1 to 1 map or use specific source nat rule to NAT specific addresses to specific global address.

norenberg · October 23, 2012, 8:14pm

Thanks for your reply.

I’d like to make a port mapping. Do you mean:

 chain=srcnat action=src-nat to-addresses=203.171.5X.XXX to-ports=8080 
     protocol=tcp src-address=192.168.1.20 routing-mark=residential src-port=80

tried this but still didn’t work

janisk · October 24, 2012, 6:05am

here you can read about 1 to 1 mapping and how that operates:
http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/NAT#1:1_mapping

norenberg · October 25, 2012, 8:30pm

Your docs appear to have wrong information (replace ips for the real ones):

/ip firewall nat add chain=dstnat dst-address=11.11.11.1-11.11.11.254 \
	action=netmap to-addresses=2.2.2.1-2.2.2.254
failure: netmap action requires to-address be whole network

Managed to netmap anyway:

23   ;;; Netmap
     chain=dstnat action=netmap to-addresses=192.168.1
     dst-address=202.171.XXX.1-202.171.XXX.254 routing-mark=residential

24   chain=srcnat action=netmap to-addresses=203.171.5
     routing-mark=residential

And, guess what? Still not working.
No ping, no access from external. DST-NAT won’t work.

Any ideas?

Thanks

janisk · October 26, 2012, 5:27am

this will work for example ip addresses from manual.

/ip firewall nat add chain=srcnat src-address=2.2.2.0/24 \
action=netmap to-addresses=11.11.11.0/24

/ip firewall nat add chain=dstnat src-address=11.11.11.0/24 \
action=netmap to-addresses=11.11.11.0/24

updated manual to reflect on changes that where done

this will work:

/ip firewall nat add chain=dstnat dst-address=11.11.11.0-11.11.11.255 \
	action=netmap to-addresses=2.2.2.0-2.2.2.255

/ip firewall nat add chain=srcnat src-address=11.11.11.0-11.11.11.255 \
	action=netmap to-addresses=2.2.2.0-2.2.2.255

idea behind is that x.x.x.0/24 translates to x.x.x.0-x.x.x.255 since /24 includes x.x.x.0 and x.x.x.255 and these addresses are perfectly fine for example, when pppoe is used and tunnel remote address is x.x.x.0/32 or x.x.x.255/32 or something that we are more used to as x.x.x.254/32