Hairpin NAT + Routing

Hi Guys,

I have setup PPC on my R750 and mostly it seems to be working fine, I have a few issues though.
Previously on the edimax router, if I added a static route to one of our internal networks, all traffic originating internally to
another internal network would be routed via the edimax to the correct gateway. Now with the R750 this
doesn’t seem to work. I have setup RIP and I can from the R750 ping all hosts on all networks, but just not from a host to a host.
90% of our network is fine, but 10% can’t use RIP and I don’t want to have to set up static routes on all those routers.

A second issue: we have a mail server sitting on the network and we are forwarding external mail traffic to this server.
This works fine; however, if a client from inside the network tries to send mail to the DNS name of the mail server, the traffic
is not getting to the server: it hits the WAN IP and stops there. I assume it has something to do with the fact that the traffic
is originating from the local side and I have no rules for this.


/interface 
# Interface roles: ether1-3 are the three upstream links, ether5 is the LAN side.
# ether4 is not renamed here; whether it is in use is not visible in this excerpt.
set ether1 name=WAN1
set ether2 name=WAN2
set ether3 name=WAN3
set ether5 name=Local

/ip address
# LAN side: the router is 10.10.0.1 on the only directly connected internal subnet.
add address=10.10.0.1/24 broadcast=10.10.0.255 disabled=no interface=Local network=10.10.0.0

# WAN1: five public addresses out of one /29 (the upstream gateway 41.x.x.113 is
# referenced by the /ip route section).
add address=41.x.x.114/29 broadcast=41.x.x.119 disabled=no interface=WAN1 network=41.x.x.112
add address=41.x.x.115/29 broadcast=41.x.x.119 disabled=no interface=WAN1 network=41.x.x.112
add address=41.x.x.116/29 broadcast=41.x.x.119 disabled=no interface=WAN1 network=41.x.x.112
add address=41.x.x.117/29 broadcast=41.x.x.119 disabled=no interface=WAN1 network=41.x.x.112
add address=41.x.x.118/29 broadcast=41.x.x.119 disabled=no interface=WAN1 network=41.x.x.112

# WAN2: five public addresses out of a second /29 (upstream gateway 41.x.x.1).
add address=41.x.x.2/29 broadcast=41.x.x.7 disabled=no interface=WAN2 network=41.x.x.0
add address=41.x.x.3/29 broadcast=41.x.x.7 disabled=no interface=WAN2 network=41.x.x.0
add address=41.x.x.4/29 broadcast=41.x.x.7 disabled=no interface=WAN2 network=41.x.x.0
add address=41.x.x.5/29 broadcast=41.x.x.7 disabled=no interface=WAN2 network=41.x.x.0
add address=41.x.x.6/29 broadcast=41.x.x.7 disabled=no interface=WAN2 network=41.x.x.0

# WAN3: private address; the next hop 192.168.10.1 used in /ip route indicates a
# separate device in front of this link — presumably doing its own NAT; verify.
add address=192.168.10.2/24 broadcast=192.168.10.255 disabled=no interface=WAN3 network=192.168.10.0

/ip route
# Host routes to two public probe addresses per upstream, each via that upstream's
# real gateway. They exist only so the recursive routes below can be resolved.
add comment="MWeb" dst-address=196.2.63.110/32 gateway=41.x.x.113 scope=10
add comment="Yahoo" dst-address=67.195.160.76/32 gateway=41.x.x.113 scope=10
add comment="VodaCom" dst-address=41.1.224.101/32 gateway=41.x.x.1 scope=10
add comment="Google" dst-address=74.125.230.146/32 gateway=41.x.x.1 scope=10
add comment="MyADSL" dst-address=41.203.21.137/32 gateway=192.168.10.1 scope=10
add comment="News24" dst-address=152.111.193.28/32 gateway=192.168.10.1 scope=10


# 10.1.1.1 / 10.2.2.2 / 10.3.3.3 are virtual next hops, one per WAN: each is reached
# recursively through the probe addresses above, and check-gateway=ping withdraws
# the route when a probe stops answering, which is what drives the failover below.
add dst-address=10.1.1.1 gateway=196.2.63.110 scope=10 target-scope=10 check-gateway=ping
add dst-address=10.1.1.1 gateway=67.195.160.76 scope=10 target-scope=10 check-gateway=ping
add dst-address=10.2.2.2 gateway=41.1.224.101 scope=10 target-scope=10 check-gateway=ping
add dst-address=10.2.2.2 gateway=74.125.230.146 scope=10 target-scope=10 check-gateway=ping
add dst-address=10.3.3.3 gateway=41.203.21.137 scope=10 target-scope=10 check-gateway=ping
add dst-address=10.3.3.3 gateway=152.111.193.28 scope=10 target-scope=10 check-gateway=ping

# Per-routing-mark default routes: distance 1 is the preferred WAN for that mark,
# distance 2 the fallback.
# NOTE(review): no unmarked (main-table) default route appears in this excerpt;
# router-originated traffic without a routing mark would then have no route to
# the Internet unless such a route exists outside what is shown.
add distance=1 gateway=10.1.1.1 routing-mark=to_WAN1
add distance=2 gateway=10.2.2.2 routing-mark=to_WAN1
add distance=1 gateway=10.2.2.2 routing-mark=to_WAN2
add distance=2 gateway=10.3.3.3 routing-mark=to_WAN2
add distance=1 gateway=10.3.3.3 routing-mark=to_WAN3
add distance=2 gateway=10.1.1.1 routing-mark=to_WAN3

/ip firewall mangle
# Router's own traffic: remember which WAN a connection to the router arrived on
# and send the replies back out the same WAN. Included for completeness; the
# filter section later drops most of what this would cover.#
add chain=input in-interface=WAN1 action=mark-connection new-connection-mark=WAN1_conn
add chain=input in-interface=WAN2 action=mark-connection new-connection-mark=WAN2_conn
add chain=input in-interface=WAN3 action=mark-connection new-connection-mark=WAN3_conn

add chain=output connection-mark=WAN1_conn action=mark-routing new-routing-mark=to_WAN1
add chain=output connection-mark=WAN2_conn action=mark-routing new-routing-mark=to_WAN2
add chain=output connection-mark=WAN3_conn action=mark-routing new-routing-mark=to_WAN3

# don't mark traffic going to directly connected WAN networks#
# NOTE(review): 192.168.1.0/24 is not one of this router's networks (/ip address
# has 10.10.0.0/24 and 192.168.10.0/24), so this looks like a leftover from the
# template. More importantly, nothing here exempts the other internal
# 10.10.x.0/24 subnets learned via RIP: LAN-to-LAN packets fall through to the
# PCC rules below, receive a WAN connection mark and a routing mark, and are
# routed to a WAN gateway instead of the internal next hop — which matches the
# "host to host does not work" symptom described in the post. An accept for an
# internal-subnet address list placed above the marking rules avoids that.
add chain=prerouting dst-address=192.168.1.0/24  action=accept in-interface=Local

# Server connections established from WAN to LAN coming in WAN1 accordingly. These
# match the public (pre-dst-nat) addresses because prerouting runs before NAT.#
add chain=prerouting connection-state=new in-interface=WAN1 protocol=tcp dst-address=41.x.x.114 dst-port=21,25,80,110,143,443,8080 action=mark-connection new-connection-mark=WAN1_conn
add chain=prerouting connection-state=new in-interface=WAN1 protocol=tcp dst-address=41.x.x.115 dst-port=443 action=mark-connection new-connection-mark=WAN1_conn
add chain=prerouting connection-state=new in-interface=WAN1 protocol=tcp dst-address=41.x.x.118 dst-port=80,8767,14534 action=mark-connection new-connection-mark=WAN1_conn

# Server connections established from WAN to LAN coming in WAN2 accordingly#
add chain=prerouting connection-state=new in-interface=WAN2 protocol=tcp dst-address=41.x.x.2 dst-port=21,25,80,110,143,443,8080  action=mark-connection new-connection-mark=WAN2_conn
add chain=prerouting connection-state=new in-interface=WAN2 protocol=tcp dst-address=41.x.x.3 dst-port=80,443  action=mark-connection new-connection-mark=WAN2_conn
add chain=prerouting connection-state=new in-interface=WAN2 protocol=tcp dst-address=41.x.x.4 dst-port=80  action=mark-connection new-connection-mark=WAN2_conn

# Policy overrides evaluated before PCC: pin selected destinations / the host
# 10.10.0.247 to a specific WAN by destination port.#
# force traffic out WAN1#
add chain=prerouting dst-address=196.2.16.216/32 in-interface=Local action=mark-connection new-connection-mark=WAN1_conn passthrough=yes protocol=tcp dst-port=25
add chain=prerouting src-address=10.10.0.247/32 in-interface=Local action=mark-connection new-connection-mark=WAN1_conn passthrough=yes protocol=tcp dst-port=80

# force traffic out WAN2#
add chain=prerouting dst-address=41.0.7.123/32 in-interface=Local action=mark-connection new-connection-mark=WAN2_conn passthrough=yes protocol=tcp dst-port=25
add chain=prerouting src-address=10.10.0.247/32 in-interface=Local action=mark-connection new-connection-mark=WAN2_conn passthrough=yes protocol=tcp dst-port=443 

# force traffic out WAN3#
add chain=prerouting src-address=10.10.0.247/32 in-interface=Local action=mark-connection new-connection-mark=WAN3_conn passthrough=yes protocol=tcp dst-port=81


# apply PCC, but only to connections that aren't marked yet#
# dst-address-type=!local only exempts the router's own addresses, not other
# internal subnets (see the note above).
add chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:3/0 action=mark-connection new-connection-mark=WAN1_conn passthrough=yes
add chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:3/1 action=mark-connection new-connection-mark=WAN2_conn passthrough=yes
add chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:3/2 action=mark-connection new-connection-mark=WAN3_conn passthrough=yes

# mark packets from LAN to WAN with routing marks according to their connection marks#
add chain=prerouting connection-mark=WAN1_conn in-interface=Local action=mark-routing new-routing-mark=to_WAN1
add chain=prerouting connection-mark=WAN2_conn in-interface=Local action=mark-routing new-routing-mark=to_WAN2
add chain=prerouting connection-mark=WAN3_conn in-interface=Local action=mark-routing new-routing-mark=to_WAN3

/ip firewall nat
# forward the listed tcp ports on the WAN1 and WAN2 server addresses to the mail/web server 10.10.0.250#
add chain=dstnat in-interface=WAN1 protocol=tcp dst-port=21,25,80,110,143,443,8080 action=dst-nat dst-address=41.x.x.114 to-addresses=10.10.0.250
add chain=dstnat in-interface=WAN2 protocol=tcp dst-port=21,25,80,110,143,443,8080 action=dst-nat dst-address=41.x.x.2 to-addresses=10.10.0.250

# Public tcp/443 on 41.x.x.115 is RDP (3389) on 10.10.0.232 — an Internet-exposed
# RDP service; restricting it to a source address list would limit brute-force exposure.
add chain=dstnat in-interface=WAN1 protocol=tcp dst-port=443 action=dst-nat dst-address=41.x.x.115 to-addresses=10.10.0.232 to-ports=3389
add chain=dstnat in-interface=WAN1 protocol=tcp dst-port=80,8767,14534 action=dst-nat dst-address=41.x.x.118 to-addresses=10.10.0.247
# NOTE(review): 41.x.x.3 and 41.x.x.4 are WAN2 addresses (/ip address section),
# but the three rules below match in-interface=WAN1; packets for those addresses
# arrive on WAN2 and will not hit them unless the addressing differs from what is
# shown. The mangle rules for the same addresses use WAN2.
add chain=dstnat in-interface=WAN1 protocol=tcp dst-port=80 action=dst-nat dst-address=41.x.x.3 to-addresses=10.10.0.246
# Public tcp/443 on 41.x.x.3 is SSH (22) on 10.10.0.250.
add chain=dstnat in-interface=WAN1 protocol=tcp dst-port=443 action=dst-nat dst-address=41.x.x.3 to-addresses=10.10.0.250 to-ports=22
add chain=dstnat in-interface=WAN1 protocol=tcp dst-port=80 action=dst-nat dst-address=41.x.x.4 to-addresses=10.10.0.245

# NOTE(review): every dst-nat rule is limited to a WAN in-interface, so a LAN
# client connecting to one of the public addresses (the hairpin case raised in
# the post) is never translated — it reaches the router's own WAN address and
# stops there.

# source NAT all traffic out to the Internet#
add chain=srcnat out-interface=WAN1 action=masquerade
add chain=srcnat out-interface=WAN2 action=masquerade
add chain=srcnat out-interface=WAN3 action=masquerade

/ip firewall address-list
# create address list of hosts allowed to administrate the router#
add list=admin_hosts address=10.10.0.232
add list=admin_hosts address=10.10.2.10
# NOTE(review): this entry has host bits set; as a /24 it covers the whole
# 10.10.0.0/24 LAN, so every LAN host matches admin_hosts and gets unrestricted
# router access through the input-chain rule that references this list. If a
# single host was intended, drop the /24 (the later export of this list no
# longer contains the entry).
add list=admin_hosts address=10.10.0.2/24


/ip firewall filter
# statefully firewall traffic to the router#
add chain=input connection-state=established action=accept
add chain=input connection-state=related action=accept
add chain=input connection-state=invalid action=drop

# allow services for all LAN clients: DNS and NTP#
add chain=input in-interface=Local protocol=udp dst-port=53,123 action=accept
add chain=input in-interface=Local protocol=tcp dst-port=53 action=accept

# allow all router access from admin hosts#
# NOTE(review): admin_hosts holds only private 10.10.x.x addresses (address-list
# section), which have no legitimate reason to arrive on WAN1. The WAN1 rule
# therefore either never matches or accepts a packet whose source is spoofed; a
# drop of private-source packets on the WAN interfaces is the safer default
# unless RFC1918 sources are expected on WAN1.
add chain=input in-interface=Local src-address-list=admin_hosts action=accept
add chain=input in-interface=WAN1 src-address-list=admin_hosts action=accept

# default deny#
add chain=input action=drop

# SMTP egress control (the original label "SNMP" appears to be a typo) #
# Outbound tcp/25 from anything other than the mail server is logged and dropped,
# so a compromised client cannot relay mail directly. These two rules sit before
# the established/related accepts, so every packet of such a session is logged,
# not only the first.
add action=log chain=forward comment="" disabled=no dst-port=25 log-prefix=smtp_ out-interface=!Local protocol=tcp src-address=!10.10.0.250
add action=drop chain=forward comment="" disabled=no dst-port=25 out-interface=!Local protocol=tcp src-address=!10.10.0.250


# statefully firewall traffic through the router#
add chain=forward connection-state=established action=accept
add chain=forward connection-state=related action=accept
add chain=forward connection-state=invalid action=drop

# allow all traffic from LAN to WAN#
# This accept matches every packet entering on Local, so the per-server rules
# below only ever see traffic arriving from the WAN side (after dst-nat).
add chain=forward in-interface=Local action=accept

# allow the forwarded service ports to each published server#
# No action= is given; the later "filter print" output shows these as
# action=accept (the default for a filter rule).
# NOTE(review): tcp/22 on 10.10.0.250 and tcp/3389 on 10.10.0.232 are reachable
# from the Internet via the dst-nat rules; restricting those two to a source
# address list would reduce brute-force exposure.
add chain=forward dst-address=10.10.0.250 protocol=tcp dst-port=21,22,25,80,110,143,443,8080
add chain=forward dst-address=10.10.0.232 protocol=tcp dst-port=3389
add chain=forward dst-address=10.10.0.245 protocol=tcp dst-port=80
add chain=forward dst-address=10.10.0.246 protocol=tcp dst-port=80
add chain=forward dst-address=10.10.0.247 protocol=tcp dst-port=80,8767,14534

# default deny#
add chain=forward action=drop

Ok I have found this article

http://wiki.mikrotik.com/wiki/Hairpin_NAT

And implemented like this

/ip firewall nat
# Hairpin source NAT for LAN clients reaching the mail/web server by its public name.
# NOTE(review): "8" in the port list looks like a typo for 80 (compare the
# 21,25,80,... lists used elsewhere), and the LAN interface in this config is
# named Local, not LAN (/interface section), so out-interface=LAN would not match.
add chain=srcnat src-address=10.10.0.0/24 dst-address=10.10.0.250 protocol=tcp dst-port=20,21,25,8,110,143,443 out-interface=LAN action=masquerade

Can I not just do this? That way everything destined for 10.10.0.250 will be masqueraded?

# Unrestricted variant: no src-address match, so WAN-originated connections to
# 10.10.0.250 are rewritten too and the server loses the real client address
# (the reply below makes the same point).
add chain=srcnat dst-address=10.10.0.250 out-interface=LAN action=masquerade

You can, but then all logs on 10.10.0.250 will show 10.10.0.1 as the client source address, always. Including for connections initiated from the WAN.

I only ask as we have around 20 subnets, which means I’ll need to add a rule for each subnet.

I can see the issue with the WAN, and it would be a real issue as the server has fail2ban installed, so if one person gets the auth wrong then everyone would be locked out.

what if I add - in-interface=LAN

/ip firewall nat
# Proposed: limit the hairpin masquerade to LAN-originated traffic by in-interface.
# NOTE(review): check whether RouterOS accepts in-interface in the srcnat chain
# (srcnat is evaluated after routing); the reply below uses a src-address list
# instead, which avoids the question. Interface name is Local, not LAN, in this config.
add chain=srcnat dst-address=10.10.0.250 in-interface=LAN out-interface=LAN action=masquerade

Will this work without affecting WAN traffic?

Also with my other routing question :

If I have a host, say 10.10.0.10, and its only default gateway is 10.10.0.1 “RB750 with RIP”, this host can’t ping 10.10.4.1, which is through gateway 10.10.0.3 “RB443”.

How do I get the RB750 to forward all traffic to the internal subnets if it knows of the addresses via RIP?

I would do it via address lists.

/ip firewall address-list
# Placeholder internal ranges — the reply says to replace them with the real subnets.
add list=Internal address=192.168.0.0/16
add list=Internal address=10.0.0.0/8
/ip firewall nat
# NOTE(review): "src-address=list=Internal" is a typo for "src-address-list=Internal"
# (the later export shows the correct form), and the LAN interface is named Local
# in this config rather than LAN.
add chain=srcnat dst-address=10.10.0.250 src-address=list=Internal out-interface=LAN action=masquerade

Replace the values on the list with your real internal subnets.

Routing: it should do that automatically. As long as the RouterBOARD has 10.10.0.3 as a next hop for 10.10.4.0/24 it should send the packet there if it receives one with a destination address in that subnet.

Cool got it for the FQDN,

I am still having trouble with the routing though.

here is the network layout.

I have an internet router “RB750” @ 10.10.0.1
Various servers ftp,mail,http @ 10.10.0.0/24
We have another router “RB433”, and from there out to various high sites and towers, and then CPEs connected to those; these CPEs’ subnets are 10.10.x.0/24.

To test, I have manually added a route on 10.10.0.1 “RB750” for 10.10.2.1 with a gateway of 10.10.0.3.
The router at 10.10.0.1 can ping this host (“high site”), but all the hosts on 10.10.0.0/24 can’t.
If I run a tracert to the IP 10.10.2.1 I can see it hits the router 10.10.0.1, but the next hop is the ISP and not 10.10.0.3.

Ok something is not right in my config. Just to add I currently only have WAN3 connected WAN1 and WAN2 are not plugged in till I get this working.

/ip route
# Same routing set as in the first post: host routes to the probe addresses via
# each upstream's gateway, recursive virtual next hops with check-gateway=ping,
# and per-routing-mark default routes.
add comment="MWeb" dst-address=196.2.63.110/32 gateway=41.x.x.113 scope=10
add comment="Yahoo" dst-address=67.195.160.76/32 gateway=41.x.x.113 scope=10
add comment="VodaCom" dst-address=41.1.224.101/32 gateway=41.x.x.1 scope=10
add comment="Google" dst-address=74.125.230.146/32 gateway=41.x.x.1 scope=10
add comment="MyADSL" dst-address=41.203.21.137/32 gateway=192.168.10.1 scope=10
add comment="News24" dst-address=152.111.193.28/32 gateway=192.168.10.1 scope=10


add dst-address=10.1.1.1 gateway=196.2.63.110 scope=10 target-scope=10 check-gateway=ping
add dst-address=10.1.1.1 gateway=67.195.160.76 scope=10 target-scope=10 check-gateway=ping
add dst-address=10.2.2.2 gateway=41.1.224.101 scope=10 target-scope=10 check-gateway=ping
add dst-address=10.2.2.2 gateway=74.125.230.146 scope=10 target-scope=10 check-gateway=ping
add dst-address=10.3.3.3 gateway=41.203.21.137 scope=10 target-scope=10 check-gateway=ping
add dst-address=10.3.3.3 gateway=152.111.193.28 scope=10 target-scope=10 check-gateway=ping

# NOTE(review): each marked table contains a default route, so a packet that
# carries a routing mark but is destined for 10.10.x.0/24 takes that default
# towards a WAN rather than the main table's route via 10.10.0.3. The failure
# described below is therefore explained by marks being applied to internal
# destinations, not by the distances of these routes (see the reply that follows).
add distance=1 gateway=10.1.1.1 routing-mark=to_WAN1
add distance=2 gateway=10.2.2.2 routing-mark=to_WAN1
add distance=1 gateway=10.2.2.2 routing-mark=to_WAN2
add distance=2 gateway=10.3.3.3 routing-mark=to_WAN2
add distance=1 gateway=10.3.3.3 routing-mark=to_WAN3
add distance=2 gateway=10.1.1.1 routing-mark=to_WAN3

With the above, if I ping any of the IPs in 10.10.x.0/24 and PCC marks it with to_WAN2 or to_WAN3, it fails to respond; however, if it gets marked to_WAN1 then it works.

If I add the following to allow two WANs to fail:

# Third-level fallback so each routing mark has all three virtual next hops
# (distance 1, 2 and 3). These do not address the internal-routing symptom,
# which comes from routing marks being applied to internal destinations.
add distance=3 gateway=10.2.2.2 routing-mark=to_WAN3
add distance=3 gateway=10.3.3.3 routing-mark=to_WAN1
add distance=3 gateway=10.1.1.1 routing-mark=to_WAN2

Then nothing works. If I disable all failover, i.e. disable all distance 2 and 3 routes, then only traffic marked to_WAN3 fails, and this is the link with the active connection to the ISP.

Routing marks override everything else.

In your mangle set add rules higher up than the rules that apply route marks that have an action of ‘accept’ for the internal IP spaces (you can re-use your address list). That way traffic to internal destinations does not get routing marks applied since the rule matches, and an action of ‘accept’ does nothing. Then the normal routing table takes over and the packet gets routed accordingly.

Jeeez China,

I hope the people who employ you are paying you well… skillz dude, the internal part is working now thanks.


Still one issue,
the Hairpin NAT is still not working for me.

Where do I put this in the list?

# NOTE(review): "src-address=list=Internal" is a typo for "src-address-list=Internal";
# the export further down shows the rule as actually entered with the correct matcher.
add chain=srcnat dst-address=10.10.0.250 src-address=list=Internal out-interface=LAN action=masquerade

Just to make sure, can you post the output of “/ip firewall address-list export” and “/ip firewall nat export” as it is right now? Generally speaking the rules should come before any other source NAT rules that would match the same packets, so it kind of depends on what you have going right now. Rather than keep track of what has been edited since the original post it would be easiest to see a snapshot of how it is configured right now.

thanks fewi

/ip firewall address-list
# Current admin_hosts: two single hosts only (the 10.10.0.2/24 entry from the
# first post is gone, so the LAN as a whole no longer matches the admin list).
add address=10.10.0.232 disabled=no list=admin_hosts
add address=10.10.2.10 disabled=no list=admin_hosts
# Internal: the real internal /24s, used by the hairpin srcnat rule and the
# mangle bypass.
add address=10.10.0.0/24 disabled=no list=Internal
add address=10.10.1.0/24 disabled=no list=Internal
add address=10.10.2.0/24 disabled=no list=Internal
add address=10.10.3.0/24 disabled=no list=Internal
add address=10.10.4.0/24 disabled=no list=Internal
add address=10.10.5.0/24 disabled=no list=Internal
add address=10.10.6.0/24 disabled=no list=Internal
add address=10.10.7.0/24 disabled=no list=Internal
add address=10.10.8.0/24 disabled=no list=Internal
add address=10.10.9.0/24 disabled=no list=Internal
add address=10.10.10.0/24 disabled=no list=Internal



/ip firewall nat
# dst-nat rules unchanged from the first post: all are limited to a WAN
# in-interface, so LAN-originated connections to the public addresses are still
# not translated — a srcnat rule alone cannot make the hairpin work; the dst-nat
# also has to match traffic coming in on Local.
add action=dst-nat chain=dstnat disabled=no dst-address=41.x.x.114 dst-port=21,25,80,110,143,443,8080 in-interface=WAN1 protocol=tcp to-addresses=10.10.0.250
add action=dst-nat chain=dstnat disabled=no dst-address=41.x.x.2 dst-port=21,25,80,110,143,443,8080 in-interface=WAN2 protocol=tcp to-addresses=10.10.0.250
add action=dst-nat chain=dstnat disabled=no dst-address=41.x.x.115 dst-port=443 in-interface=WAN1 protocol=tcp to-addresses=10.10.0.232 to-ports=3389
add action=dst-nat chain=dstnat disabled=no dst-address=41.x.x.118 dst-port=80,8767,14534 in-interface=WAN1 protocol=tcp to-addresses=10.10.0.247
# NOTE(review): 41.x.x.3 and 41.x.x.4 belong to the WAN2 /29 (/ip address in the
# first post) but these three rules match in-interface=WAN1.
add action=dst-nat chain=dstnat disabled=no dst-address=41.x.x.3 dst-port=80 in-interface=WAN1 protocol=tcp to-addresses=10.10.0.246
add action=dst-nat chain=dstnat disabled=no dst-address=41.x.x.3 dst-port=443 in-interface=WAN1 protocol=tcp to-addresses=10.10.0.250 to-ports=22
add action=dst-nat chain=dstnat disabled=no dst-address=41.x.x.4 dst-port=80 in-interface=WAN1 protocol=tcp to-addresses=10.10.0.245
add action=masquerade chain=srcnat disabled=no out-interface=WAN1
add action=masquerade chain=srcnat disabled=no out-interface=WAN2
add action=masquerade chain=srcnat disabled=no out-interface=WAN3
# Hairpin srcnat as suggested above (correct src-address-list matcher, interface
# name Local). Its position after the WAN masquerades is fine because the
# out-interface differs.
add action=masquerade chain=srcnat disabled=no dst-address=10.10.0.250 out-interface=Local src-address-list=Internal

You also need to bypass this traffic from PCC exactly like you did for internal traffic. I spaced on that earlier and should have mentioned it before, but never clicked on how to combine these. Since this is in prerouting you’re going to have to refer to the public IPs as prerouting is before destination NAT, so traffic hasn’t been translated back to the inside address yet.

Something like this:

/ip firewall address-list
# Public addresses the LAN may reach by name; listed individually here
# ("[...]" stands for the remaining entries).
add list=my-public-ips address=41.x.x.114
add list=my-public-ips address=41.x.x.2
add list=my-public-ips address=41.x.x.115
[...]
/ip firewall mangle
# PCC bypass for hairpin traffic, matched on the public (pre-dst-nat) address.
# NOTE(review): "src-address=Internal" should be "src-address-list=Internal";
# the mangle print further down shows the rule as actually entered.
add chain=prerouting src-address=Internal dst-address-list=my-public-ips action=accept

And then position that rule near the override ones for the internal routes.

After that it should work for all the traffic forwarded to 10.10.0.250 already - everything looks perfectly fine, and unless the firewall filters have changed from your original post, those wouldn’t be blocking traffic either.

You’re also forwarding traffic to 10.10.0.232, 10.10.0.246, 10.10.0.247, and 10.10.0.245. You can either duplicate that rule, or make another address list:

/ip firewall address-list 
# All published internal servers, so one hairpin srcnat rule covers them.
add list=hairpin-hosts address=10.10.0.232
add list=hairpin-hosts address=10.10.0.250
add list=hairpin-hosts address=10.10.0.245
add list=hairpin-hosts address=10.10.0.246
add list=hairpin-hosts address=10.10.0.247
/ip firewall nat
# Because the destination list holds LAN hosts and the source list holds internal
# subnets, WAN-originated connections are not rewritten. LAN clients, however,
# will appear to these servers as 10.10.0.1, which matters for per-client
# logging and for fail2ban on the mail server (raised earlier in the thread).
add chain=srcnat disabled=no dst-address-list=hairpin-hosts out-interface=Local src-address-list=Internal action=masquerade

Positioning that rule where the current one for 10.10.0.250 is should work just fine.

Hope that works.

Sweet thanks fewi,

I’ll test it out tomorrow and let you know… thanks again.

Almost there, just a few issues though: the hairpin NAT is still not working correctly. I have had to add rules 0-3 at the top of NAT to ensure that all internal mail/web traffic goes to the servers.

/ip firewall address-list
add address=10.10.0.232 disabled=no list=admin_hosts
add address=10.10.2.10 disabled=no list=admin_hosts
# NOTE(review): my-public-ips is now both whole /29s, which also contain the
# upstream gateway addresses (41.x.x.113 and 41.x.x.1 per /ip route). Any rule
# keyed on this list — in particular NAT rule 3 below, which has no dst-port —
# therefore also catches internal TCP connections aimed at the ISP gateways.
add address=41.x.x.112/29 disabled=no list=my-public-ips
add address=41.x.x.0/29 disabled=no list=my-public-ips
add address=10.10.0.0/24 disabled=no list=Internal
add address=10.10.1.0/24 disabled=no list=Internal
add address=10.10.2.0/24 disabled=no list=Internal
add address=10.10.3.0/24 disabled=no list=Internal
add address=10.10.4.0/24 disabled=no list=Internal
add address=10.10.5.0/24 disabled=no list=Internal
add address=10.10.6.0/24 disabled=no list=Internal
add address=10.10.7.0/24 disabled=no list=Internal
add address=10.10.8.0/24 disabled=no list=Internal
add address=10.10.9.0/24 disabled=no list=Internal
add address=10.10.10.0/24 disabled=no list=Internal
# List name is capitalised here ("Hairpin-hosts"); the NAT print below uses the
# same spelling, so the reference is consistent.
add address=10.10.0.232 disabled=no list=Hairpin-hosts
add address=10.10.0.245 disabled=no list=Hairpin-hosts
add address=10.10.0.246 disabled=no list=Hairpin-hosts
add address=10.10.0.247 disabled=no list=Hairpin-hosts
add address=10.10.0.250 disabled=no list=Hairpin-hosts



/ip firewall mangle print      
Flags: X - disabled, I - invalid, D - dynamic 
# Rules 0 and 1 are the bypasses from the replies: hairpin traffic (LAN to the
# router's own public addresses) and LAN-to-internal-subnet traffic are accepted
# here before any connection or routing mark is applied, so they use the main
# routing table.
 0   chain=prerouting action=accept src-address-list=Internal dst-address-list=my-public-ips in-interface=Local 

 1   chain=prerouting action=accept dst-address-list=Internal in-interface=Local 

 2   chain=input action=mark-connection new-connection-mark=WAN1_conn passthrough=yes in-interface=WAN1 

 3   chain=input action=mark-connection new-connection-mark=WAN2_conn passthrough=yes in-interface=WAN2 

 4   chain=input action=mark-connection new-connection-mark=WAN3_conn passthrough=yes in-interface=WAN3 

 5   chain=output action=mark-routing new-routing-mark=to_WAN1 passthrough=yes connection-mark=WAN1_conn 

 6   chain=output action=mark-routing new-routing-mark=to_WAN2 passthrough=yes connection-mark=WAN2_conn 

 7   chain=output action=mark-routing new-routing-mark=to_WAN3 passthrough=yes connection-mark=WAN3_conn 

# Rule 8 is the template leftover for 192.168.1.0/24; it is harmless but not one of
# this router's networks.
 8   chain=prerouting action=accept dst-address=192.168.1.0/24 in-interface=Local 

 9   chain=prerouting action=mark-connection new-connection-mark=WAN1_conn passthrough=yes connection-state=new protocol=tcp dst-address=41.134.46.114 in-interface=WAN1 dst-port=21,25,80,110,143,443,8080 

10   chain=prerouting action=mark-connection new-connection-mark=WAN1_conn passthrough=yes connection-state=new protocol=tcp dst-address=41.134.46.115 in-interface=WAN1 dst-port=443 

11   chain=prerouting action=mark-connection new-connection-mark=WAN1_conn passthrough=yes connection-state=new protocol=tcp dst-address=41.134.46.118 in-interface=WAN1 dst-port=80,8767,14534 

12   chain=prerouting action=mark-connection new-connection-mark=WAN2_conn passthrough=yes connection-state=new protocol=tcp dst-address=41.0.40.2 in-interface=WAN2 dst-port=21,25,80,110,143,443,8080 

13   chain=prerouting action=mark-connection new-connection-mark=WAN2_conn passthrough=yes connection-state=new protocol=tcp dst-address=41.0.40.3 in-interface=WAN2 dst-port=80,443 

14   chain=prerouting action=mark-connection new-connection-mark=WAN2_conn passthrough=yes connection-state=new protocol=tcp dst-address=41.0.40.4 in-interface=WAN2 dst-port=80 

15   chain=prerouting action=mark-connection new-connection-mark=WAN1_conn passthrough=yes protocol=tcp dst-address=196.2.16.216 in-interface=Local dst-port=25 

16   chain=prerouting action=mark-connection new-connection-mark=WAN1_conn passthrough=yes protocol=tcp src-address=10.10.0.247 in-interface=Local dst-port=80 

17   chain=prerouting action=mark-connection new-connection-mark=WAN2_conn passthrough=yes protocol=tcp dst-address=41.0.7.123 in-interface=Local dst-port=25 

18   chain=prerouting action=mark-connection new-connection-mark=WAN2_conn passthrough=yes protocol=tcp src-address=10.10.0.247 in-interface=Local dst-port=443 

19   chain=prerouting action=mark-connection new-connection-mark=WAN3_conn passthrough=yes protocol=tcp src-address=10.10.0.247 in-interface=Local dst-port=81 

20   chain=prerouting action=mark-connection new-connection-mark=WAN1_conn passthrough=yes dst-address-type=!local in-interface=Local connection-mark=no-mark per-connection-classifier=both-addresses:3/0 

21   chain=prerouting action=mark-connection new-connection-mark=WAN2_conn passthrough=yes dst-address-type=!local in-interface=Local connection-mark=no-mark per-connection-classifier=both-addresses:3/1 

22   chain=prerouting action=mark-connection new-connection-mark=WAN3_conn passthrough=yes dst-address-type=!local in-interface=Local connection-mark=no-mark per-connection-classifier=both-addresses:3/2 

23   chain=prerouting action=mark-routing new-routing-mark=to_WAN1 passthrough=yes in-interface=Local connection-mark=WAN1_conn 

24   chain=prerouting action=mark-routing new-routing-mark=to_WAN2 passthrough=yes in-interface=Local connection-mark=WAN2_conn 

25   chain=prerouting action=mark-routing new-routing-mark=to_WAN3 passthrough=yes in-interface=Local connection-mark=WAN3_conn



 /ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic 
 0   chain=input action=accept connection-state=established 

 1   chain=input action=accept connection-state=related 

 2   chain=input action=drop connection-state=invalid 

 3   chain=input action=accept protocol=udp in-interface=Local dst-port=53,123 

 4   chain=input action=accept protocol=tcp in-interface=Local dst-port=53 

 5   chain=input action=accept src-address-list=admin_hosts in-interface=Local 

# NOTE(review): admin_hosts contains only private 10.10.x.x hosts, which should
# not legitimately arrive on WAN1; rule 6 is either dead or accepts a spoofed source.
 6   chain=input action=accept src-address-list=admin_hosts in-interface=WAN1 

# NOTE(review): rule 7 is in the filter table, where "prerouting" is not a built-in
# chain; nothing jumps to it, so it is a no-op. The PCC bypass it was meant to be
# already exists as mangle rule 1, so this one can be removed.
 7   chain=prerouting action=accept src-address-list=Internal in-interface=Local 

# NOTE(review): no rule above accepts ICMP, so echo requests to the WAN addresses
# end here (the ICMP question at the end of the thread). An
# `add chain=input protocol=icmp action=accept` placed before this drop — ideally
# with a `limit=` matcher — would answer pings.
 8   chain=input action=drop 

 9   chain=forward action=log protocol=tcp src-address=!10.10.0.250 out-interface=!Local dst-port=25 log-prefix="smtp_" 

10   chain=forward action=drop protocol=tcp src-address=!10.10.0.250 out-interface=!Local dst-port=25 

11   chain=forward action=accept connection-state=established 

12   chain=forward action=accept connection-state=related 

13   chain=forward action=drop connection-state=invalid 

14   chain=forward action=accept in-interface=Local 

15   chain=forward action=accept protocol=tcp dst-address=10.10.0.250 dst-port=21,22,25,80,110,143,443,8080 

16   chain=forward action=accept protocol=tcp dst-address=10.10.0.232 dst-port=3389 

17   chain=forward action=accept protocol=tcp dst-address=10.10.0.245 dst-port=80 

18   chain=forward action=accept protocol=tcp dst-address=10.10.0.246 dst-port=80 

19   chain=forward action=accept protocol=tcp dst-address=10.10.0.247 dst-port=80,8767,14534 

20   chain=forward action=drop



/ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic 
# Rules 0-3 are the LAN-side (hairpin) dst-nat rules added by the poster; they
# are keyed on src-address-list=Internal instead of a WAN in-interface.
 0   chain=dstnat action=dst-nat to-addresses=10.10.0.245 protocol=tcp dst-address=41.0.40.4 src-address-list=Internal dst-port=80 

 1   chain=dstnat action=dst-nat to-addresses=10.10.0.246 protocol=tcp dst-address=41.0.40.3 src-address-list=Internal dst-port=80 

 2   chain=dstnat action=dst-nat to-addresses=10.10.0.247 protocol=tcp dst-address=41.134.46.118 src-address-list=Internal dst-port=80,8767,14534 

# NOTE(review): rule 3 has no dst-port and matches every address in my-public-ips
# (both whole /29s, gateways included), so any internal TCP connection to a public
# address not caught by rules 0-2 lands on 10.10.0.250 — including 41.x.x.115:443
# (meant for 10.10.0.232:3389) and 41.x.x.3:443 (meant for 10.10.0.250:22), and
# connections to the ISP gateway addresses. This precedes rules 7-11 and is the
# likely cause of "not dstnat to the respective hosts" reported below. Giving
# rule 3 the explicit dst-address / dst-port pairs (or dropping the in-interface
# restriction from rules 5-11 so they match both origins) would fix that.
 3   chain=dstnat action=dst-nat to-addresses=10.10.0.250 protocol=tcp src-address=!10.10.0.250 src-address-list=Internal dst-address-list=my-public-ips 

 4   chain=srcnat action=masquerade src-address-list=Internal dst-address-list=Hairpin-hosts 

 5   chain=dstnat action=dst-nat to-addresses=10.10.0.250 protocol=tcp dst-address=41.134.46.114 in-interface=WAN1 dst-port=21,25,80,110,143,443,8080 

 6   chain=dstnat action=dst-nat to-addresses=10.10.0.250 protocol=tcp dst-address=41.0.40.2 in-interface=WAN2 dst-port=21,25,80,110,143,443,8080 

 7   chain=dstnat action=dst-nat to-addresses=10.10.0.232 to-ports=3389 protocol=tcp dst-address=41.134.46.115 in-interface=WAN1 dst-port=443 

 8   chain=dstnat action=dst-nat to-addresses=10.10.0.247 protocol=tcp dst-address=41.134.46.118 in-interface=WAN1 dst-port=80,8767,14534 

# NOTE(review): rules 9-11 match in-interface=WAN1 for addresses in the WAN2 /29;
# traffic from the Internet for those addresses arrives on WAN2 and will not hit them.
 9   chain=dstnat action=dst-nat to-addresses=10.10.0.246 protocol=tcp dst-address=41.0.40.3 in-interface=WAN1 dst-port=80 

10   chain=dstnat action=dst-nat to-addresses=10.10.0.250 to-ports=22 protocol=tcp dst-address=41.0.40.3 in-interface=WAN1 dst-port=443 

11   chain=dstnat action=dst-nat to-addresses=10.10.0.245 protocol=tcp dst-address=41.0.40.4 in-interface=WAN1 dst-port=80 

12   chain=srcnat action=masquerade out-interface=WAN1 

13   chain=srcnat action=masquerade out-interface=WAN2 

14   chain=srcnat action=masquerade out-interface=WAN3

All help appreciated

More issue,

Hitting the web pages on 41.x.x.2, which points to 10.10.0.250, works fine,
but hitting 41.x.x.3 or 41.x.x.2 is not dst-natted to the respective hosts.

Also, how do I enable ICMP on the external interfaces?