Hello. There is a port forward from the Internet to the internal server address 172.16.100.100 via dstnat (netmap). How can I make sure that the Internet address is substituted with the internal address of the router, 172.16.100.1? That is to say, reverse NAT, so that the requests would appear to come from a local PC.
Look up hairpin nat, lots of examples on the forums.
Alternatively simply put the server on its own subnet or vlan and all users not on the same subnet will be able to access the server by WANIP.
Everyone gets access, but due to the complex network, I already have a default gateway on another network. This server has 2 network cards 192.168.100.100 and 172.16.100.100. And the main work goes with the entire network, including the Internet through 192.168.100.1. We connected another channel with the Internet through 172.16.100.1. If you disconnect the second card and configure the gateway, then everything works. I would like the traffic that comes through 172.16.100.1 to be as if from a local PC so as not to complicate the configuration of routes on the server itself, otherwise all Internet traffic that came to 172.16.100.100 leaves through 192.168.100.1 since this is the default gateway.
It’s called Hairpin NAT. Here is the example:
/ip firewall nat add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=172.18.17.0/24 src-address=172.18.17.0/24
/ip firewall nat add action=masquerade chain=srcnat comment="Main NAT" out-interface=ether1
/ip firewall nat add action=dst-nat chain=dstnat comment="Port forward - service X" dst-address-list=WAN dst-port=1234 protocol=udp to-addresses=172.18.17.123 to-ports=1234
/ip firewall nat add action=dst-nat chain=dstnat comment="Port forward - service Y" dst-address-list=WAN dst-port=4321 protocol=tcp to-addresses=172.18.17.123 to-ports=4321
The LAN network is 172.18.17.0/24
You will need to create address-list called “WAN” and put your router’s public IP address there. If it’s dynamic, then instead of IP just put DDNS record (find it in “/ip cloud”) which always points to your always-changing public IP.
Ether1 is my WAN interface.
P.S. If anyone knows a better way - let me know.
I think it’s a simple src-nat on the router with IP address 172.16.100.1. If that router is a MikroTik, then simply:
/ip firewall nat
add chain=srcnat action=src-nat dst-address=172.16.100.100 to-addresses=172.16.100.1
So whatever is passing that router on the way towards router will get NATed.
I usually add the local interface as the output interface.
Sure thing, sometimes one has to narrow down the NAT rule to only part of traffic … but that largely depends on use case. E.g. if you have router with a WAN interface and single LAN subnet, then limiting SRC NAT to out-interface=WAN doesn’t make any change most of the time (and in case when one wants hair-pin NAT it’s actually counter productive). But if you have router with several LAN subnets and one only wants to perform SRC-NAT for traffic egressing towards internet, then setting out-interface=WAN is necessary.
It’s hard to tell which is OP’s case as he didn’t provide a good description (chart) of his LAN layout, but assuming this router is a gateway between two LAN subnets, then it’s the first case: the router will mostly (if not only) be used for traffic passing between both interfaces and setting out-interface on DST-NAT doesn’t make any change.
I think the condition for local interface as output interface was for hairpin srcnat rule. Which is usually not necessary, because such traffic won’t go anywhere else anyway. Except when you’d have some overlapping subnets, e.g. for VPN clients who would use addresses from LAN subnet, then this condition would prevent unnecessary srcnat for connections from LAN to VPN clients. It would still happen for connection from VPN clients to LAN, you’d have to stop that using other means (accept rule in srcnat for traffic from VPN subnet).
Something does not work. I have a rule
chain=dstnat action=netmap to-addresses=172.16.100.100 to-ports=80 protocol=tcp in-interface=pppoe dst-port=80
on the MikroTik for forwarding TCP port 80 to the server, but the traffic arrives at the internal server with an external IP, and since the server has a default gateway on another network card, the answer goes through it, but I want the external address to be replaced with the internal one.

Then just add some srcnat rule, for example:
/ip firewall nat
add chain=srcnat dst-address=172.16.100.100 protocol=tcp dst-port=80 action=masquerade
Damn pretzel nat is what this is…
Srcnat is a quick and dirty solution. And as long as you don’t care about real source addresses, it’s ok. A better one would be to tell the server to send responses back where the requests came from. It’s definitely doable if the server runs Linux, probably other systems too, but AFAIK not on Windows.
Thank you all, everything worked out. Mikrotik is truly a very powerful device.
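Added example (not code from any poster in this thread): a small Python model of the server's routing decision, showing why the reply to a dst-nat'ed request leaves through 192.168.100.1, and what the src-nat rule and the source-based routing alternative each change, including which source address ends up in the server's logs. The client address 203.0.113.10 and the second routing table are constructed for illustration.

```python
import ipaddress

# Addresses from the thread; the client address is a constructed sample.
SERVER_IP = "172.16.100.100"
NAT_ROUTER = "172.16.100.1"
CLIENT_IP = "203.0.113.10"  # constructed (documentation range)

# Server's main routing table as described in the thread: (prefix, next hop).
MAIN_TABLE = [
    ("192.168.100.0/24", "direct"),
    ("172.16.100.0/24", "direct"),
    ("0.0.0.0/0", "192.168.100.1"),
]
# Hypothetical extra table used for source-based routing on the server.
POLICY_TABLE = [("172.16.100.0/24", "direct"), ("0.0.0.0/0", NAT_ROUTER)]


def lookup(table, dst):
    """Longest-prefix match; returns the next hop ('direct' = on-link)."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), hop) for p, hop in table
               if addr in ipaddress.ip_network(p)]
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def forward(src_nat=False, policy_routing=False):
    """Model one forwarded request to SERVER_IP and the server's reply.

    Returns (source address the server logs, first hop of the reply,
    whether the reply goes back through the router that did the dst-nat).
    """
    seen_src = NAT_ROUTER if src_nat else CLIENT_IP
    # Policy rule modelled here: replies sourced from SERVER_IP use POLICY_TABLE.
    table = POLICY_TABLE if policy_routing else MAIN_TABLE
    hop = lookup(table, seen_src)
    first_hop = seen_src if hop == "direct" else hop
    return seen_src, first_hop, first_hop == NAT_ROUTER


if __name__ == "__main__":
    for name, kw in [("dst-nat only", {}),
                     ("dst-nat + src-nat", {"src_nat": True}),
                     ("dst-nat + source-based routing", {"policy_routing": True})]:
        print(name, forward(**kw))
```

Only the third case both returns the reply through 172.16.100.1 and keeps the real client address visible to the server, which matters if access logs or address-based controls on the server are relied on.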