Mikrotik used at home. I want to configure it so that when computers from home network try to access xx.xx.xx.xx/24 (outside of the home network, out there) the connection is actually redirected to yy.yy.yy.yy (also outside home network, out there). How do I achieve that? Thank you in advance!
Use NAT … either dst-nat or netmap, depending on how in particular you want to redirect connections.
Here is an example I use for DNS traffic on a Bar’s Guest Network…
Guest DHCP server hands out OPENDNS Family DNS servers to DHCP-Clients.
If the people on that network try to get creative and put in their own DNS servers to bypass that filter… they get caught by these.
/ip firewall nat
add action=dst-nat chain=dstnat comment="Redirect Guest DNS" dst-address=!208.67.220.123 \
dst-port=53 protocol=udp src-address-list=Guest to-addresses=208.67.220.123
add action=dst-nat chain=dstnat comment="Redirect Guest DNS" dst-address=!208.67.220.123 \
dst-port=53 protocol=tcp src-address-list=Guest to-addresses=208.67.220.123
If they use a VPN service… I have other traps that prevent those connections.
So use that as a starting point.
Thank you very much, but I thought that dstnat chain is used for incoming connections (that is from internet to the natted network), is this incorrect?
I tried to add a srcnat rule (chain=srcnat action=netmap to-addresses=yy.yy.yy.yy dst-address=xx.xx.xx.0/24 out-interface-list=WAN), but that does not seem to work because I have chain=srcnat action=masquerade out-interface-list=WAN in front of it, and it seems that masquerade stops the rule processing and sends the packet on its way.
Use what I gave you and change the IPs to match your needs.
Hey!
Forget about the “Internet” interface. You should operate with inbound and outbound links only.
Yep, thanks a lot, I’ll try that!
I thought that dstnat chain is used for incoming connections (that is from internet to the natted network), is this incorrect? Here on the wiki https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/NAT it says:
There are two types of NAT:
- source NAT or srcnat. This type of NAT is performed on packets that are originated from a natted network. A NAT router replaces the private source address of an IP packet with a new public IP address as it travels through the router. A reverse operation is applied to the reply packets travelling in the other direction.
- destination NAT or dstnat. This type of NAT is performed on packets that are destined to the natted network. It is most commonly used to make hosts on a private network accessible from the Internet. A NAT router performing dstnat replaces the destination IP address of an IP packet as it travels through the router towards a private network.
So in my case the packet originates from a natted network, so it seems to fall into the first category, which is “source NAT or srcnat”. I might have misunderstood this somehow, could you please explain how this works? Thank you in advance!
No, neither NAT action is about where the connection came from or where it flows, it’s about which address gets overwritten.
IP packet contains sets of two addresses:
- src-address which is IP address of original[*] packet sender
- dst-address which is IP address of packet’s final[**] target host
For TCP and UDP packets, there are two port numbers as well (src-port and dst-port), corresponding to src-address and dst-address.
[*] and [**] This is true as long as there isn’t some NAT-performing router in between, but that’s not the main point here.
So when MT performs src-nat, it actually does the following:
- if it’s a new connection, allocates an entry in the connection-tracking/NAT table and allocates a new src-address (and src-port in case of TCP or UDP)
- if the packet contains the “original” src-address (and src-port), it rewrites the value(s) with the translated value from the connection-tracking/NAT table
- if the packet contains the “rewritten” dst-address (and dst-port) - which makes this packet a reply -, it rewrites the dst-value(s) with the original value(s)
And dst-nat is similar, only it acts on the reverse address fields (on dst-address for “originating” packets and on src-address for “return” packets).
The notion of packet direction (WAN->LAN or the opposite) actually comes from other (selection) criteria. Default src-nat (or rather srcnat masquerade, which is a sort of a shortcut) looks like this:
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
and works for connections in direction LAN->WAN. The highlighted part, out-interface-list=WAN, is the selection criterion which makes src-nat trigger only on packets which are egressing the router through a WAN interface. If one changed that to e.g. “in-interface-list=WAN”, then the rule would work on connections WAN->LAN (not really useful, but it works to illustrate the case).
So one can use src-nat and dst-nat regardless of the direction of packet flow (WAN → LAN or the opposite), it only depends on what one wants to achieve using NAT. In your case you want to rewrite the dst-address of packets.
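Putting the explanation above together for the original question, here is an added example (not posted by anyone in this thread) of the dstnat rule that rewrites the destination of LAN-originated traffic, followed by two standard RouterOS commands to check that it is doing something. The addresses are constructed placeholders: 192.0.2.0/24 stands in for xx.xx.xx.xx/24 and 198.51.100.10 for yy.yy.yy.yy; “LAN” is the interface list from the RouterOS default configuration and is assumed to exist.

```routeros
# Added example, not from the thread. Addresses are constructed placeholders:
#   192.0.2.0/24  stands for the original destination xx.xx.xx.xx/24
#   198.51.100.10 stands for the replacement target yy.yy.yy.yy
# "LAN" is the interface list created by the RouterOS default configuration.

/ip firewall nat
# The dstnat chain is processed before the routing decision, so by the time
# the srcnat chain (and the default masquerade rule) sees this packet it is
# already addressed to 198.51.100.10; masquerade then rewrites src-address
# as usual and the reply is translated back on the way in.
add chain=dstnat action=dst-nat in-interface-list=LAN \
    dst-address=192.0.2.0/24 to-addresses=198.51.100.10 \
    comment="Redirect 192.0.2.0/24 to 198.51.100.10"

# Alternative if the goal is a 1:1 mapping of the whole subnet onto another
# subnet (192.0.2.37 -> 198.51.100.37) rather than a single target host:
# add chain=dstnat action=netmap in-interface-list=LAN \
#     dst-address=192.0.2.0/24 to-addresses=198.51.100.0/24 \
#     comment="Map 192.0.2.0/24 onto 198.51.100.0/24"

# Checks: the rule's packet/byte counters should grow while a LAN host talks
# to 192.0.2.x, and the connection table should show the rewritten destination.
/ip firewall nat print stats where comment~"Redirect"
/ip firewall connection print where dst-address~"198.51.100.10"
```

This also shows why the srcnat attempt from earlier in the thread could not work even with the masquerade rule removed: actions in the srcnat chain (src-nat, netmap, masquerade) rewrite the source address of outgoing packets, so no rule placed there changes where a packet is going; only the dstnat chain rewrites dst-address.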
mkx, thank you, great explanation!
gotsprings, thank you, your example worked for me!
@mkx, could you please briefly explain (or point me where to read about it) what’s the difference between srcnat chain and src-nat action? I think that your explanation above mostly refers to src-nat and dst-nat actions. How do the srcnat and dstnat chains factor into this explanation? What is a chain? What’s the difference between srcnat and dstnat chains? Thank you in advance!
Chain is where it happens and action is what happens. You can check the images in this post (in an otherwise unrelated thread) and you should get some idea how the whole thing works.