changing destination IP of packet

Hello everybody,

I have the following problem:
I have 3 monitoring devices which produce and send packets to a specific website A.
Between these 3 devices and the ADSL modem I have connected an RB750r2. It is configured as a bridge and the monitoring devices have access to the internet.
What I am trying to do is add a firewall entry (NAT) which will change the packet’s destination address from website A to website B.
What I have done so far is the following entry:
ip firewall nat add action=dst-nat chain=dstnat dst-address=websiteA to-addresses=websiteB

but packets (which are produced inside the local network and must be sent to the internet) are still received from website A and not B.

What is wrong with the configuration?
Please advise
:slight_smile:

Thx in advance

If your packet is going from inside your network to an external source, you need to use a src-nat.

Most importantly, if you have RB configured as bridge, i.e. transparent for IP traffic, IP firewall won’t touch your packets. You can enable use of IP firewall for bridged packets in “/interface bridge settings”, but I’ve never tried if you can also use NAT there.

Updated status:
The bridge is no longer part of the configuration.
lan 4 of MikroTik —> connected to a simple switch (internal LAN devices, 192.168.10.xxx)
lan 5 of MikroTik —> connected to the ADSL modem (e.g. 192.168.10.254)

All internal devices send packets to site A (internet). I want to change the header of these packets so that the packets are sent to site B.
Whatever I tried had no success… either using only NAT entries (src-nat / dst-nat) or using mangle for packet marking…
Is it possible for anyone to guide me to the right entries and the right order of putting them in the firewall/nat or firewall/mangle section?

thank you in advance

Have you tried using a mangle rule?

Here’s an example of something you can try.


2    chain=prerouting action=route passthrough=yes route-dst=2.2.2.2 src-address=192.168.100.5 dst-address=1.1.1.1 log=yes 
      log-prefix=""

In the above example 192.168.100.5 is your device sending packets to 1.1.1.1; though we are attempting to use a mangle to change the destination to 2.2.2.2. I haven’t tried this yet so you may need to play with some of the options to see if it works.

This should work:

/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
/interface bridge settings
set use-ip-firewall=yes
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=<site A> to-addresses=<site B>
/ip address
add address=192.168.10.x/24 interface=bridge1
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.10.254

The important parts are use-ip-firewall=yes for bridge and the router itself must have proper access to internet (valid LAN IP address and default route). I don’t have proper setup for testing right now, but at least dstnat rule works correctly. If there were any problem with returning packets (I assume not), then add masquerade rule for dstnated packets and then it will work for sure.
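
Added example, not part of the original posts and not RouterOS code: a toy Python model of dst-nat with connection tracking, showing why replies look correct to the device when they pass back through the translating router, and what the optional masquerade rule changes. All addresses and the `NatBox`, `accepts` and `run` names are constructed for illustration.

```python
from dataclasses import dataclass, replace

SITE_A = "198.51.100.10"  # constructed stand-in for <site A>
SITE_B = "203.0.113.20"   # constructed stand-in for <site B>
DEVICE = "192.168.10.5"   # constructed host in the thread's 192.168.10.x LAN
ROUTER = "192.168.10.2"   # constructed address of the router itself

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class NatBox:
    """Toy dst-nat with connection tracking (a model, not RouterOS)."""
    def __init__(self, dstnat, masquerade=False):
        self.dstnat = dstnat          # {original dst: to-address}
        self.masquerade = masquerade  # also rewrite source of dst-natted packets
        self.conntrack = {}           # expected reply tuple -> original packet

    def forward(self, pkt):
        orig = self.conntrack.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if orig is not None:          # reply of a tracked connection: undo NAT
            return Packet(orig.dst, orig.dport, orig.src, orig.sport)
        if pkt.dst not in self.dstnat:
            return pkt                # no rule matches, pass unchanged
        out = replace(pkt, dst=self.dstnat[pkt.dst])
        if self.masquerade:
            out = replace(out, src=ROUTER)
        self.conntrack[(out.dst, out.dport, out.src, out.sport)] = pkt
        return out

def accepts(sent, reply):
    """The device only accepts a reply that mirrors the tuple it sent."""
    return (reply.src, reply.sport, reply.dst, reply.dport) == (
        sent.dst, sent.dport, sent.src, sent.sport)

def run(masquerade):
    box = NatBox({SITE_A: SITE_B}, masquerade)
    sent = Packet(DEVICE, 40000, SITE_A, 443)
    wire = box.forward(sent)          # what leaves towards the modem
    reply = Packet(wire.dst, wire.dport, wire.src, wire.sport)  # site B answers
    # (packet on the wire, reply accepted via router, raw reply accepted)
    return wire, accepts(sent, box.forward(reply)), accepts(sent, reply)

if __name__ == "__main__":
    for m in (False, True):
        print(m, run(m))
```

The third value is the raw reply as site B sent it: the device rejects it because the source is still site B. With masquerade the reply is addressed to the router, so it has to come back through the box that holds the translation.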

Yes, it worked like a charm

many many thanks for your help & assistance !!! :slight_smile: