How can I assign an external IP address to one of the local ones?

Greetings to all. Please tell an inexperienced person how to make sure that packets originating from a specific local network exit through a designated external IP address?

I have three external IP addresses: 1.1.1.156, 1.1.1.157, and 1.1.1.158, as well as local ones: 10.0.10.0/24, 10.0.20.0/24, and 10.0.30.0/24. How can I use NAT or Route or something else to make Internet traffic from, for example, 10.0.30.0/24 go out under 1.1.1.158?

http://forum.mikrotik.com/t/route-multiple-lans-to-multiple-wans/96759/1

So I should do this?

/ ip address
add address=10.0.10.0/24 network=10.0.10.0 interface=bridge-main
add address=10.0.20.0/24 network=10.0.20.0 interface=vlan157
add address=10.0.30.0/24 network=10.0.30.0 interface=vlan158
add address=1.1.1.156/23 network=1.1.1.0 interface=ether1-wan
add address=1.1.1.157/23 network=1.1.1.0 interface=ether2-wan
add address=1.1.1.158/23 network=1.1.1.0 interface=ether3-wan
P.S.: now I have such settings, because vlan157 and vlan158 go through the 5th port to the switch, where I already spread VLANs on the port

/ ip route
add dst-address=0.0.0.0/0 gateway=1.1.1.156,1.1.1.157,1.1.1.158 check-gateway=ping

/ ip firewall nat
add chain=srcnat out-interface=ether1-wan action=masquerade
add chain=srcnat out-interface=ether2-wan action=masquerade
add chain=srcnat out-interface=ether3-wan action=masquerade

/ ip firewall mangle
add chain=input in-interface=ether1-wan action=mark-connection new-connection-mark=156
add chain=input in-interface=ether2-wan action=mark-connection new-connection-mark=157
add chain=input in-interface=ether3-wan action=mark-connection new-connection-mark=158
add chain=output connection-mark=156 action=mark-routing new-routing-mark=main-ip
add chain=output connection-mark=157 action=mark-routing new-routing-mark=second-ip
add chain=output connection-mark=158 action=mark-routing new-routing-mark=third-ip

/ ip route
add dst-address=10.0.10.0/24 gateway=1.1.1.156 routing-mark=main-ip
add dst-address=10.0.20.0/24 gateway=1.1.1.157 routing-mark=second-ip
add dst-address=10.0.30.0/24 gateway=1.1.1.158 routing-mark=third-ip

Do you have three WANs (that’s what the other thread is about) or is it one connection from one ISP with three addresses?

The latter would be simple srcnat:

/ip firewall nat
add chain=srcnat src-address=10.0.10.0/24 out-interface=<WAN> action=src-nat to-addresses=1.1.1.156
add chain=srcnat src-address=10.0.20.0/24 out-interface=<WAN> action=src-nat to-addresses=1.1.1.157
add chain=srcnat src-address=10.0.30.0/24 out-interface=<WAN> action=src-nat to-addresses=1.1.1.158

This is one connection from one ISP with three addresses. The Internet cable from the ISP is plugged into the switch, from which there are three cables to the router: the first (156), the second (157) and the third (158).

And how do you get those addresses? Is it DHCP? Or static addresses, but locked to specific MAC address? In other words, you can’t just put them all on one interface?

I get three white (static) IP addresses over the fiber with a binding to the MAC address

In that case, you need to treat it as multi-WAN. The only difference is that you most likely have the same gateway for all addresses, so when creating other routing tables, you need to include interface (1.1.1.X is gateway address):

/ip route
add dst-address=0.0.0.0/0 gateway=1.1.1.X%ether1-wan routing-mark=main-ip
add dst-address=0.0.0.0/0 gateway=1.1.1.X%ether2-wan routing-mark=second-ip
add dst-address=0.0.0.0/0 gateway=1.1.1.X%ether3-wan routing-mark=third-ip

Depending on how strictly you want to link LANs to WANs, you may either use the approach with mangle rules, marking connections and routing for them, or you can have routing rules.

For mangle rules, you also need to mark connections from LANs. Check PCC example for some ideas. The article is mainly about load balancing, which is done by two rules with per-connection-classifier option, so just ignore that and focus on understanding the rest, because it applies to any multi-WAN config.

With routing rules you can have all-static mapping without mangle rules:

/ip route rule
add src-address=1.1.1.156 action=lookup table=main-ip
add src-address=1.1.1.157 action=lookup table=second-ip
add src-address=1.1.1.158 action=lookup table=third-ip
add src-address=10.0.10.0/24 action=lookup table=main-ip
add src-address=10.0.20.0/24 action=lookup table=second-ip
add src-address=10.0.30.0/24 action=lookup table=third-ip

Thank you! I’ll check it out and sign it off tonight. I don’t forget!

I’ve tried everything, it still doesn’t work , even though I’m 10.0.10.0/24, 10.0.20.0 /24 or even 10.0.30.0/24, I still send requests/responses via 1.1.1.156. Checked on two computers! Here are screenshots: https://imgur.com/a/I4i3vgT

You have wrong gateways. See my previous post, the routes there with 1.1.1.X, it should be 1.1.1.1 for all three (1.1.1.1%ether1-wan, 1.1.1.1%ether2-wan, 1.1.1.1%ether3-wan).

And better than screenshots is to do:

/export hide-sensitive file=myconfig

and then post content of resulting myconfig.rsc in code tags (you can mask addresses if you want, but in some consistent and understandable way).
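An offline check for the two gateway mistakes discussed in this thread, added here as an example (it is not part of any post and not MikroTik tooling). It reads RouterOS export text and flags marked routes whose gateway is one of the router's own addresses, marked tables without a default route, and unpinned gateways reachable through several interfaces. The sample input is constructed from the addresses and routes quoted above; the function and finding names are hypothetical.

```python
import ipaddress
import re
# Constructed input modelled on the thread (not a real export).
ADDRS = """/ip address
add address=1.1.1.156/23 interface=ether1-wan
add address=1.1.1.157/23 interface=ether2-wan
add address=1.1.1.158/23 interface=ether3-wan
/ip route
"""
BROKEN = ADDRS + """add dst-address=10.0.10.0/24 gateway=1.1.1.156 routing-mark=main-ip
add dst-address=10.0.20.0/24 gateway=1.1.1.157 routing-mark=second-ip
add dst-address=10.0.30.0/24 gateway=1.1.1.158 routing-mark=third-ip"""
FIXED = ADDRS + """add dst-address=0.0.0.0/0 gateway=1.1.1.1%ether1-wan routing-mark=main-ip
add dst-address=0.0.0.0/0 gateway=1.1.1.1%ether2-wan routing-mark=second-ip
add dst-address=0.0.0.0/0 gateway=1.1.1.1%ether3-wan routing-mark=third-ip"""

def parse(export):
    """Group the key=value pairs of each 'add' line under its '/section' header."""
    section, out = None, {}
    for line in map(str.strip, export.splitlines()):
        if line.startswith("/"):
            section = " ".join(line[1:].split())  # "/ ip route" and "/ip route" match
        elif line.startswith("add ") and section:
            out.setdefault(section, []).append(dict(re.findall(r"([\w-]+)=(\S+)", line)))
    return out

def lint_routes(export):
    """Return sorted (table, problem) pairs for routes that carry a routing-mark."""
    cfg = parse(export)
    ifaces = [ipaddress.ip_interface(a["address"]) for a in cfg.get("ip address", [])]
    own = {i.ip for i in ifaces}
    marked = [r for r in cfg.get("ip route", []) if "routing-mark" in r]  # main table skipped
    findings = {(r["routing-mark"], "no-default-route") for r in marked}
    for r in marked:
        table = r["routing-mark"]
        if r.get("dst-address", "0.0.0.0/0") == "0.0.0.0/0":
            findings.discard((table, "no-default-route"))
        for gw in filter(None, r.get("gateway", "").split(",")):
            addr, _, pinned = gw.partition("%")
            if not re.fullmatch(r"[\d.]+", addr):
                continue  # gateway given as an interface name, nothing to compare
            ip = ipaddress.ip_address(addr)
            if ip in own:  # the router's own WAN address is not a next hop
                findings.add((table, "gateway-is-own-address"))
            elif not pinned and sum(ip in i.network for i in ifaces) > 1:
                findings.add((table, "gateway-needs-%interface"))
    return sorted(findings)

print(lint_routes(BROKEN), lint_routes(FIXED))
```

To check a real router, pass the text of the file produced by the export command above to `lint_routes`.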

Omg… Thank you very much! Thanks to the foreign community, everything is perfectly searched for and works. Love you. MikroTik is the best.

Sob, hello! I have problems… again. Can you help me?

Not if you don’t post it.

I can't understand why I can't open port 27016 for the SE game server. When I check the port status via 2ip, packets arrive to it, that is, the counter increases, but the port usually does not respond to the source. The same thing happens with port 53. I have a web server at home on ISPmanager from ISPsystem. Before the server, of course, there is MikroTik, in it I open everything. The port seems to be open, and when I enter it:

root@rd-web:~# dig roffdaniel.com @193...157/158

; <<>> DiG 9.11.5-P4-5.1-Debian <<>> roffdaniel.com @193...157/158
;; global options: +cmd
;; connection timed out; no servers could be reached

Gives an error, I don't understand

Tell me please…

My NAT config

Flags: X - disabled, I - invalid, D - dynamic 
 0    chain=srcnat action=masquerade out-interface-list=WAN log=no log-prefix="" 

 1    chain=srcnat action=masquerade out-interface=ether1-wan log=no 
      log-prefix="" 

 2    chain=srcnat action=masquerade out-interface=ether2-wan log=no 
      log-prefix="" 

 3    chain=srcnat action=masquerade out-interface=ether3-wan log=no 
      log-prefix="" 

 4 X  chain=srcnat action=src-nat to-addresses=193.***.***.156 
      src-address=10.0.10.0/24 out-interface=ether1-wan log=no log-prefix="" 

 5 X  chain=srcnat action=src-nat to-addresses=193.***.***.157 
      src-address=10.0.20.0/24 out-interface=ether2-wan log=no log-prefix="" 

 6 X  chain=srcnat action=src-nat to-addresses=193.***.***.158 
      src-address=10.0.30.0/24 out-interface=ether3-wan log=no log-prefix="" 

 7 X  chain=srcnat action=src-nat to-addresses=193.***.***.156 
      src-address=192.168.0.0/24 out-interface=ether1-wan log=no log-prefix="" 

 8 X  chain=srcnat action=src-nat to-addresses=193.***.***.156 
      src-address=192.168.10.0/24 out-interface=ether1-wan log=no log-prefix="" 

 9    chain=dstnat action=netmap to-addresses=10.0.20.25 to-ports=8080 
      protocol=tcp dst-address=193.***.***.157 dst-port=8080 log=no 
      log-prefix="" 

10    chain=dstnat action=netmap to-addresses=10.0.20.25 to-ports=80 protocol=tc>
      dst-address=193.***.***.157 dst-port=80 log=no log-prefix="" 

11    chain=dstnat action=netmap to-addresses=10.0.20.25 to-ports=443 
      protocol=tcp dst-address=193.***.***.157 dst-port=443 log=no log-prefix="" 

12    chain=dstnat action=netmap to-addresses=10.0.20.25 to-ports=25 protocol=tc>
      dst-address=193.***.***.157 dst-port=25 log=no log-prefix="" 

13    chain=dstnat action=netmap to-addresses=10.0.20.25 to-ports=587 
      protocol=tcp dst-address=193.***.***.157 dst-port=587 log=no log-prefix="" 

14    chain=dstnat action=netmap to-addresses=10.0.20.25 to-ports=465 
      protocol=tcp dst-address=193.***.***.157 dst-port=465 log=no log-prefix="" 

15    chain=dstnat action=netmap to-addresses=10.0.20.25 to-ports=110 
      protocol=tcp dst-address=193.***.***.157 dst-port=110 log=no log-prefix="" 

16    chain=dstnat action=netmap to-addresses=10.0.20.25 to-ports=995 
      protocol=tcp dst-address=193.***.***.157 dst-port=995 log=no log-prefix="" 

17    chain=dstnat action=netmap to-addresses=10.0.20.25 to-ports=993 
      protocol=tcp dst-address=193.***.***.157 dst-port=993 log=no log-prefix="" 

18    chain=dstnat action=netmap to-addresses=10.0.20.25 to-ports=53 protocol=tc>
      dst-address=193.***.***.157 dst-port=53 log=no log-prefix="" 

19    chain=dstnat action=netmap to-addresses=10.0.20.25 to-ports=53 protocol=ud>
      dst-address=193.***.***.157 dst-port=53 log=no log-prefix="" 

20    chain=dstnat action=netmap to-addresses=10.0.20.25 to-ports=3306 
      protocol=tcp dst-address=193.***.***.157 dst-port=3306 log=no 
      log-prefix="" 

21    chain=dstnat action=netmap to-addresses=10.0.20.25 to-ports=21 protocol=tc>
      dst-address=193.***.***.157 dst-port=21 log=no log-prefix="" 

22    chain=dstnat action=netmap to-addresses=10.0.30.35 to-ports=8080 
      protocol=tcp dst-address=193.***.***.158 dst-port=8080 log=no 
      log-prefix="" 

23    chain=dstnat action=netmap to-addresses=10.0.30.35 to-ports=80 protocol=tc>
      dst-address=193.***.***.158 dst-port=80 log=no log-prefix="" 

24    chain=dstnat action=netmap to-addresses=10.0.30.35 to-ports=443 
      protocol=tcp dst-address=193.***.***.158 dst-port=443 log=no log-prefix="" 

25    chain=dstnat action=netmap to-addresses=10.0.30.35 to-ports=25 protocol=tc>
      dst-address=193.***.***.158 dst-port=25 log=no log-prefix="" 

26    chain=dstnat action=netmap to-addresses=10.0.30.35 to-ports=587 
      protocol=tcp dst-address=193.***.***.158 dst-port=587 log=no log-prefix="" 

27    chain=dstnat action=netmap to-addresses=10.0.30.35 to-ports=465 
      protocol=tcp dst-address=193.***.***.158 dst-port=465 log=no log-prefix="" 

28    chain=dstnat action=netmap to-addresses=10.0.30.35 to-ports=110 
      protocol=tcp dst-address=193.***.***.158 dst-port=110 log=no log-prefix="" 

29    chain=dstnat action=netmap to-addresses=10.0.30.35 to-ports=995 
      protocol=tcp dst-address=193.***.***.158 dst-port=995 log=no log-prefix="" 

30    chain=dstnat action=netmap to-addresses=10.0.30.35 to-ports=993 
      protocol=tcp dst-address=193.***.***.158 dst-port=993 log=no log-prefix="" 

31    chain=dstnat action=netmap to-addresses=10.0.30.35 to-ports=53 protocol=tc>
      dst-address=193.***.***.158 dst-port=53 log=no log-prefix="" 

32    chain=dstnat action=netmap to-addresses=10.0.30.35 to-ports=53 protocol=ud>
      dst-address=193.***.***.158 dst-port=53 log=no log-prefix="" 

33    chain=dstnat action=netmap to-addresses=10.0.30.35 to-ports=3306 
      protocol=tcp dst-address=193.***.***.158 dst-port=3306 log=no 
      log-prefix="" 

34    chain=dstnat action=netmap to-addresses=10.0.30.35 to-ports=21 protocol=tc>
      dst-address=193.***.***.158 dst-port=21 log=no log-prefix="" 

35    chain=dstnat action=netmap to-addresses=10.0.30.35 to-ports=1500 
      protocol=tcp dst-address=193.***.***.158 dst-port=1500 log=no 
      log-prefix="" 

36    chain=dstnat action=netmap to-addresses=10.0.30.30 to-ports=8006 
      protocol=tcp dst-address=193.***.***.158 dst-port=8006 log=no 
      log-prefix="" 

37    chain=dstnat action=netmap to-addresses=10.0.30.30 to-ports=22 protocol=tc>
      dst-address=193.***.***.158 dst-port=86 log=no log-prefix="" 

38    chain=dstnat action=netmap to-addresses=10.0.30.35 to-ports=22 protocol=tc>
      dst-address=193.***.***.158 dst-port=22 log=no log-prefix=""

You have several dstnat rules forwarding ports to same server. So if all those ports work, there’s no reason why just one wouldn’t. The only difference is that 53 is udp and others are tcp (I don’t know about 27016). So make sure that you don’t block udp in firewall filter. You can go step by step and verify what exactly happens. If counter for dstnat increases, it means that packet arrived to router, but it doesn’t guarantee that it was sent to server (that’s why you need to check firewall filter). You can also verify on internal interface that it really went there, using either Tools->Torch or logging rule in postrouting. Next step is that server must send something back, use the same way to check it.

I still don't understand how it works, sorry…
Here I cleaned the NAT a bit of unnecessary IP addresses; the 158th acts as a service, the 157th acts as access to the sites themselves. Watch this video please: https://youtu.be/RDqX123Sodw
P.S.: at the end of the video, I did not correctly open port 27016, there is no problem with it anymore

I open the ports as I know, check on all the ones I need: 21 (FTP/TCP), 22 (SSH/TCP), 25 (SMTP/TCP), 53 (DNS/UDP), 143 (IMAP/TCP), 995 (IMAPS/TCP), 465 (SMTPS/TCP), 3306 (MySQL/TCP).

21 and 22 work, and the rest cannot respond to packets or do not accept them at all…

I don't want to waste your time just because I’m new, I’m studying, and I have to pay for my education. Please help me and I will pay for the time you spend

I’ll be honest, I didn’t watch the video closely, it’s rather long and quite boring. :wink: But I skimmed through it, tried to check the ports from my side, and it doesn’t work at all, there’s no response from any of them. But now I realize that you never posted whole config, so that would be great next step, do:

/export hide-sensitive file=myconfig

And post content of resulting myconfig.rsc here in code tags.

Yes, I am sorry, keep it
rd-config.rsc (11.6 KB)