dlopez
February 14, 2012, 7:13pm
Hi, I want to forward the traffic from my LAN to the MK on port 25 to a local IP:
Client IP ( 192.168.0.1 ) -----> 192.168.0.10:25 (Mikrotik) ------> 192.168.0.2:25 (MailServer)
I’ve been trying to do the following using the DST-NAT chain, with something like:
/ip firewall nat add chain=dstnat in-interface=LAN1 dst-address=192.168.0.10 protocol=tcp port=25 to-addresses=192.168.0.2 to-ports=25 action=dst-nat
But with no success. Any ideas?
BTW: I need this rule because the mail server used to be the same as the firewall (Linux box) and there are about 30 PCs with that configuration.
Are you using a rule for NAT masquerade?
dlopez
February 14, 2012, 10:31pm
Yes, I have a global masquerade rule:
chain=srcnat action=masquerade src-address=192.168.0.0/24 out-interface=eth1-wan
In the masquerade rule, in this case it is not necessary to specify the src address; just masquerade the out interface, so:
chain=srcnat action=masquerade out-interface=eth1-wan
dlopez
February 14, 2012, 10:51pm
OK, I’ve changed that, but still no joy.
What if you try to put your mail server in another network, like 172.16.1.5 on another port and network of your MikroTik router?
Maybe, as this traffic is not passing through the router, it is not changing the dst address.
dasiu
February 15, 2012, 12:02am
If I understand it correctly, the MailServer is on LAN1, just like the other computers? Then add another masquerading rule:
chain=srcnat action=masquerade src-address=192.168.0.0/24 dst-address=192.168.0.2
Does it work now?
If that is the case, the computer with 192.168.0.1 sends a packet to 192.168.0.10 (MikroTik), which redirects the packet (leaving the source address = .1) to the .2 server on the same interface. The server gets the packet with src-address=.1 and sends the response straight to the computer in the same subnet, not through MikroTik. So the client starts a connection with 192.168.0.10 but receives the response (ACK) from 192.168.0.2. That’s why the NAT rule for dst-address=192.168.0.2 should be created, so that the MailServer sends the return packets through the MikroTik as well.
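The asymmetric return path dasiu describes, as an added Python model that is not from the thread or from RouterOS: it implements the dst-nat rule, the optional hairpin masquerade rule and a minimal connection-tracking table, then traces the SMTP SYN and SYN-ACK with and without the second rule. The client port, the rule matching and the "same subnet delivers directly" shortcut are simplified assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Addresses from the thread; the port and rules are simplified models.
ROUTER, CLIENT, MAIL = "192.168.0.10", "192.168.0.1", "192.168.0.2"
LAN = ipaddress.ip_network("192.168.0.0/24")

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int

class Router:
    """Models the dst-nat rule, the optional hairpin srcnat rule, and conntrack."""
    def __init__(self, hairpin_srcnat: bool):
        self.hairpin = hairpin_srcnat
        self.conntrack = {}  # reply 4-tuple -> original (pre-NAT) packet

    def forward(self, p: Pkt) -> Pkt:
        key = (p.src, p.sport, p.dst, p.dport)
        if key in self.conntrack:  # reply direction: undo both translations
            o = self.conntrack[key]
            return Pkt(o.dst, o.dport, o.src, o.sport)
        orig = p
        if p.dst == ROUTER and p.dport == 25:  # chain=dstnat ... to-addresses=.2
            p = Pkt(p.src, p.sport, MAIL, 25)
        if self.hairpin and p.dst == MAIL and ipaddress.ip_address(p.src) in LAN:
            p = Pkt(ROUTER, p.sport, p.dst, p.dport)  # chain=srcnat masquerade
        self.conntrack[(p.dst, p.dport, p.src, p.sport)] = orig
        return p

def smtp_syn(hairpin: bool) -> tuple[Pkt, Pkt]:
    """Client sends SYN to router:25. Returns (packet the mail server saw,
    SYN-ACK as the client receives it). Client port 40000 is a constructed value."""
    r = Router(hairpin)
    syn = Pkt(CLIENT, 40000, ROUTER, 25)
    at_server = r.forward(syn)
    synack = Pkt(MAIL, 25, at_server.src, at_server.sport)
    if ipaddress.ip_address(synack.dst) in LAN and synack.dst != ROUTER:
        return at_server, synack  # same subnet: delivered directly, router bypassed
    return at_server, r.forward(synack)

def client_accepts(hairpin: bool) -> bool:
    """True when the SYN-ACK comes from the address:port the client connected to."""
    _, synack = smtp_syn(hairpin)
    return (synack.src, synack.sport) == (ROUTER, 25)
```

The model also makes the trade-off visible: with the masquerade rule the mail server sees every LAN client as 192.168.0.10, so per-client information in its logs and any per-source limits on the server are lost.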
dlopez
February 15, 2012, 2:40am
OK, using both rules made it work. Thanks.
/ip firewall nat add chain=dstnat in-interface=LAN1 dst-address=192.168.0.10 protocol=tcp port=25 to-addresses=192.168.0.2 to-ports=25 action=dst-nat
chain=srcnat action=masquerade src-address=192.168.0.0/24 dst-address=192.168.0.2
This was useful for me and worked fine. Thank you.