Forward public IP to another public IP

Hi,

Is there a way to forward my MT public IP to another public IP (not an MT and on different network/ISP)?

To be more precise, I need to set up IP forwarding from my server to my home PC. My server’s public IP is 10.20.. ISP A, my home public IP is 10.21.. and ISP B.

Regards,
Paul

While this is possible, it is a little trickier.
You can destination NAT so that the destination IP gets rewritten, but the problem is that at that point your home PC is going to see the source IP address of the client that initially requested the connection. It won’t know to talk back to your server, but will directly send traffic back to the client. The client, however, is expecting the source IP address of the server on return traffic since that is, after all, the IP address it initially contacted. Thus it will discard the return traffic and it will seem as if the two cannot talk. To work around that you must also source NAT on the router near the server to an IP address on that server router. The home machine will then send back traffic to the server router, which will undo the translation and send the packets back to the client. The router server essentially serves as a bit of a proxy. The downside is that the home PC will never see the client’s real IP address and that you’re using both up and down bandwidth on the server router since all traffic must flow through it.

So assuming a server IP address of 2.2.2.2 and a home PC IP address of 3.3.3.3, and that port 80 on the server gets forwarded to port 8080 on the home PC, this would look something like below. First you mark the connection so that you can later identify it for the two NAT actions, then you destination NAT and then you source NAT.

/ip firewall mangle
add chain=prerouting dst-address=2.2.2.2 protocol=tcp connection-state=new dst-port=80 action=mark-connection new-connection-mark=NATthis
/ip firewall nat
add chain=dstnat connection-mark=NATthis action=dst-nat to-address=3.3.3.3 to-ports=8080
add chain=srcnat connection-mark=NATthis action=masquerade

That’s untested and off the top of my head. If it doesn’t work also try searching the forum for “+hairpin +NAT” as that’s essentially the same problem, only you’re trying to do it on the outside interface.
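Added example (not part of the original thread): a small Python model of the packet flow described in the reply above, comparing dst-nat alone with dst-nat plus masquerade. The client address 198.51.100.7, the source port 40000 and the `Router` and `simulate` names are assumptions made for illustration; the 2.2.2.2 and 3.3.3.3 addresses and the 80 to 8080 mapping are the ones used in the reply.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport")

ROUTER, HOME = "2.2.2.2", "3.3.3.3"   # addresses used in the post above
CLIENT = "198.51.100.7"               # constructed client address (assumption)

class Router:
    """Minimal model of the server-side router's NAT and connection table."""

    def __init__(self, masquerade):
        self.masquerade = masquerade
        self.table = {}  # expected reply tuple -> original request packet

    def forward(self, pkt):
        # dst-nat: 2.2.2.2:80 -> 3.3.3.3:8080
        out = pkt._replace(dst=HOME, dport=8080)
        if self.masquerade:
            # src-nat: the client address is replaced by the router's own
            out = out._replace(src=ROUTER)
        # remember what the reply to this packet will look like
        self.table[(out.dst, out.dport, out.src, out.sport)] = pkt
        return out

    def reverse(self, reply):
        # undo both translations for a reply that matches a tracked connection
        orig = self.table.get((reply.src, reply.sport, reply.dst, reply.dport))
        if orig is None:
            return None
        return Packet(orig.dst, orig.dport, orig.src, orig.sport)

def simulate(masquerade):
    """Return (source address the home PC sees, does the client accept the reply)."""
    router = Router(masquerade)
    request = Packet(CLIENT, 40000, ROUTER, 80)
    at_home = router.forward(request)
    # the home PC answers whatever source address it saw
    reply = Packet(at_home.dst, at_home.dport, at_home.src, at_home.sport)
    if reply.dst == ROUTER:
        reply = router.reverse(reply)  # reply flows back through the router
    # otherwise the reply goes straight to the client over ISP B, untranslated
    expected = (request.dst, request.dport, request.src, request.sport)
    accepted = reply is not None and tuple(reply) == expected
    return at_home.src, accepted

if __name__ == "__main__":
    for flag in (False, True):
        print(flag, simulate(flag))
```

With masquerade enabled, every session in the home PC's logs is attributed to 2.2.2.2, so per-client logging or filtering has to happen on the server router.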

Thanks, I’ll try that out…

As an alternative you could also try hosting a PPTP VPN server so that you can use the MT’s Internet connection from anywhere.

Those IP addresses that you gave fall in the private IP range. Could you perhaps tell us what you’re trying to achieve, if it’s not too personal?

The code mentioned here in this thread doesn’t work for me. Any other suggestions? I’m still looking for a solution…

http://wiki.mikrotik.com/wiki/Hairpin_NAT

Rewrite that for your IP addresses and ports. If it doesn’t work, post the configuration you came up with, including “/ip address print detail”, “/ip route print detail”, and “/ip firewall export”.

I’ve played around with this a little bit, but not very much. If I remember correctly, first the router needs to have the IP you are forwarding from, so to use Fewi’s example of 2.2.2.2 and 3.3.3.3:

/ip address
add interface=WAN address=2.2.2.2/24
/ip firewall nat
add chain=dstnat dst-address=2.2.2.2 protocol=tcp dst-port=80 action=dst-nat to-address=3.3.3.3

This wasn’t set up with any PCC or failover rules running on the box, so if you are doing anything like that, it may require some more steps to get it working.