dst-nat with external ip

enrilor · July 17, 2022, 10:43am

Hi, I have that problem with dst-nat. I have a rule to forward webmail on my NAS with dst-nat and works fine.
The problem is that if there is a bruteforce attack on mail NAS lockout IP for 24 hours. The problem is that NAS lockout not public IP but routerboard IP

For example

151.86.78.XXX (ip to lockout)
192.168.1.254 (routerboard)
192.168.1.37 (NAS)
On NAS log I get this error
Host [192.168.1.254] was blocked via [MailPlus Server].

that’s the rule
add action=dst-nat chain=dstnat dst-port=443 in-interface=ether24 log=yes
log-prefix=443 protocol=tcp to-addresses=192.168.1.37 to-ports=443

Someone can help ?

Sob · July 17, 2022, 10:23pm

If NAS blocks 192.168.1.254, it’s because it sees it as source. And it sees it as source, because you have some misconfigured srcnat rules. If I should guess, you probably have:

/ip firewall nat
add chain=srcnat action=masquerade

But what you really want is:

/ip firewall nat
add chain=srcnat out-interface=<WAN> action=masquerade

enrilor · July 18, 2022, 5:18pm

great, I tought that was a problem on dst-nat but I wasn’t able to understand were !
Thanks a lot.