dst-nat without changing source IP header

I have an Exchange 2007 server behind the mikrotik. I have a dst-nat configured to forward traffic to port 25 of the internal IP of the Exchange server. When viewing the exchange smtp logs the source IP of the sender is always the internal IP of the Mikrotik. This breaks the Realtime blacklist features as it doesn’t query for the internal IP address.

Can the Mikrotik be configured to port forward without changing the IP header?

Yes, as dst-nat only ever affects the destination IP address.

You probably have a masquerade rule in the src-nat chain that doesn’t specify the out-interface, so the router does what it is told and masquerades to the interface IP address whenever a packet leaves on any interface, including outside traffic going to the inside network.

I messed with the masquerade rule and can get it to pass the IP correctly, but then I lose the ability to browse the web. What am I missing?

I don’t know, I can’t look into your router. Paste your NAT configuration here:

/ip firewall nat export

…or at least say what you have changed =)

Here is my nat config:

add action=masquerade chain=srcnat comment="" disabled=no out-interface=!ether1
add action=dst-nat chain=dstnat comment="" disabled=yes dst-address=pub.ip.addr dst-port=5900 protocol=tcp to-addresses=priv.ip.addr to-ports=5900
add action=dst-nat chain=dstnat comment="" disabled=no dst-address=pub.ip.addr dst-port=25 protocol=tcp to-addresses=priv.ip.addr to-ports=25
add action=dst-nat chain=dstnat comment="" disabled=no dst-address=pub.ip.addr dst-port=3389 protocol=tcp to-addresses=priv.ip.addr to-ports=3389
add action=dst-nat chain=dstnat comment="" disabled=no dst-address=pub.ip.addr dst-port=443 protocol=tcp to-addresses=priv.ip.addr to-ports=443

ether1 is my internet facing interface, ether2 is my internal LAN.

add action=masquerade chain=srcnat comment="" disabled=no out-interface=!ether1

says “masquerade to the interface IP address whenever you’re passing traffic out an interface OTHER than ether1”. You want the opposite - you want source NAT to only happen when traffic IS going out ether1. Remove the exclamation mark that negates the interface. You can’t browse because your private inside IPs aren’t getting NAT’d to the public on the interface and so your ISP discards them (or even if they make it to the target, the target doesn’t know how to get back).

I removed the ! from the masquerade command and then I can’t browse. I have a bridge called “Internet” that includes ether1; when I change the command to what is shown below I can browse and the IP of the sender shows in the logs.

add action=masquerade chain=srcnat comment="" disabled=no out-interface=Internet

I guess it is fixed, not sure why there is a bridge group.
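The following is an added example, not code from the thread or from MikroTik: a small Python model of the RouterOS packet path (dstnat, then routing, then srcnat) that reproduces the three outcomes seen above. With `out-interface=!ether1` the masquerade rule also fires for forwarded SMTP leaving on the LAN port, so Exchange sees the router's LAN address; with `out-interface=ether1` nothing matches because the routed WAN interface is the bridge, so private addresses leak to the ISP and browsing breaks; with `out-interface=Internet` both inbound and outbound behave as intended. The topology, addresses, port names and the routing function are all constructed for the example.

```python
"""
Added example (not from the forum thread or RouterOS itself): a model of how
the srcnat chain is evaluated after routing, showing why
`out-interface=!ether1` rewrites the source of inbound SMTP on its way to
the Exchange host, and why the match must name the interface the packet
really leaves on (the bridge "Internet", not its member port ether1).
All names and addresses below are constructed.
"""
from dataclasses import dataclass, replace

# Constructed topology: LAN on ether2; WAN port ether1 is a member of the
# bridge "Internet", and the bridge (not the port) is the routed interface.
ROUTER_IP = {"ether2": "192.168.1.1", "Internet": "203.0.113.10"}
LAN_NET = "192.168.1."
PORT_FORWARDS = {25: "192.168.1.25"}  # constructed Exchange host


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    in_iface: str


def route(dst: str) -> str:
    """Egress interface chosen after dstnat has run (constructed routing table)."""
    return "ether2" if dst.startswith(LAN_NET) else "Internet"


def dstnat(pkt: Packet, public_ip: str) -> Packet:
    """dst-nat rewrites only the destination; the source address is untouched."""
    if pkt.dst == public_ip and pkt.dport in PORT_FORWARDS:
        return replace(pkt, dst=PORT_FORWARDS[pkt.dport])
    return pkt


def masquerade_matches(out_iface: str, rule_iface: str) -> bool:
    """RouterOS `out-interface=X` versus `out-interface=!X` match semantics."""
    if rule_iface.startswith("!"):
        return out_iface != rule_iface[1:]
    return out_iface == rule_iface


def srcnat(pkt: Packet, out_iface: str, rule_iface: str) -> Packet:
    """masquerade: rewrite the source to the egress interface's own address."""
    if masquerade_matches(out_iface, rule_iface):
        return replace(pkt, src=ROUTER_IP[out_iface])
    return pkt


def traverse(pkt: Packet, rule_iface: str) -> tuple[str, str]:
    """Run dstnat -> routing -> srcnat; return (egress iface, source the next hop sees)."""
    pkt = dstnat(pkt, ROUTER_IP["Internet"])
    out_iface = route(pkt.dst)
    pkt = srcnat(pkt, out_iface, rule_iface)
    return out_iface, pkt.src


# Constructed traffic: an outside MTA delivering mail, and a LAN host browsing.
INBOUND_SMTP = Packet(src="198.51.100.7", dst="203.0.113.10", dport=25, in_iface="Internet")
OUTBOUND_WEB = Packet(src="192.168.1.50", dst="93.184.216.34", dport=443, in_iface="ether2")


def smtp_source_seen_by_exchange(rule_iface: str) -> str:
    """Source address Exchange would log for the forwarded SMTP connection."""
    return traverse(INBOUND_SMTP, rule_iface)[1]


def web_source_seen_by_isp(rule_iface: str) -> str:
    """Source address the ISP sees for the LAN host's outbound HTTPS."""
    return traverse(OUTBOUND_WEB, rule_iface)[1]


if __name__ == "__main__":
    for rule in ("!ether1", "ether1", "Internet"):
        print(f"out-interface={rule:9} Exchange sees {smtp_source_seen_by_exchange(rule):15} "
              f"ISP sees {web_source_seen_by_isp(rule)}")
```

The model deliberately keeps the routing decision between the two NAT chains, because that ordering is what makes the egress interface (and hence an `out-interface` match) visible to srcnat while dstnat has already rewritten the destination.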