DST-NAT to internal multiple IP Adresses

nkraft · October 30, 2019, 7:26am

Hello,

I have a dst-nat rule in operation.
A server gets forwarded with the IP 193.0.8.248 two ports from the outside. Port forward for the Exchange 443 and 25. That works fine.
I would like to make a second server with the IP 193.0.8.254 externally achievable. But only one dst-nat rule works.
Is there any way that I can work with both rules.
Maybe you can give me a hint how to solve.
Thank you very much.

Regards Norman

xvo · October 30, 2019, 7:56am

Not for the same ports.

nkraft · October 30, 2019, 8:53am

Hi,
sure i have the Port 8081 for the Server IP:193.0.8.254.

Filter Rules
/ip firewall filter
add action=accept chain=input dst-port=500 in-interface=ether1 protocol=udp
add action=accept chain=input dst-port=4500 in-interface=ether1 protocol=udp
add action=accept chain=forward dst-address=192.168.200.200 dst-port=443
protocol=tcp
add action=accept chain=forward dst-address=192.168.200.200 dst-port=5222
protocol=tcp
add action=accept chain=forward dst-address=193.0.8.248 dst-port=443 protocol=
tcp
add action=accept chain=forward dst-address=193.0.8.248 dst-port=25 protocol=
tcp
add action=accept chain=forward dst-address=193.0.8.254 dst-port=8081 protocol=
tcp

NAT
add action=dst-nat chain=dstnat dst-address=192.168.0.2 protocol=tcp
to-addresses=193.0.8.248

If i switch the rule to the first in Line, then the second will not work.

add action=dst-nat chain=dstnat dst-address=192.168.0.2 protocol=tcp
to-addresses=193.0.8.254

karlisi · October 30, 2019, 9:43am

Try this

add action=dst-nat chain=dstnat dst-address=192.168.0.2 dst-port=443 protocol=tcp \
to-addresses=193.0.8.248 to-ports=443
add action=dst-nat chain=dstnat dst-address=192.168.0.2 dst-port=25 protocol=tcp \
to-addresses=193.0.8.248 to-ports=25
add action=dst-nat chain=dstnat dst-address=192.168.0.2 dst-port=8081 protocol=tcp \
to-addresses=193.0.8.254 to-ports=8081

mkx · October 30, 2019, 9:49am

Those NAT rules are too greedy … you have to make NAT rules so that they only forward connections to particular ports:

/ip firewall nat
add action=dst-nat chain=dstnat dst-address=192.168.0.2 protocol=tcp dst-port=25,443 to-addresses=193.0.8.248
add action=dst-nat chain=dstnat dst-address=192.168.0.2 protocol=tcp dst-port=8081 to-addresses=193.0.8.254

Note use of dst-port to make NAT rules more specific.

Optionally you can use to-ports=25 on second line if you actually want to forward non-standard port on WAN side to some standard port on LAN server (port 25 is used as an example).

@karlisi beat me to the answer … however, note that if you’re forwarding port from WAN to LAN while keeping the port number, you don’t need to set to-ports … at the same time, you can set several ports on single NAT config line.

nkraft · October 30, 2019, 10:12am

Hi,

thx i have used the hint from mkx , that works fine.
Thx very much, to all .

Regards Norman