How to change source IP to destination network

Hello! I need to create a NAT rule (or rules) so that if I request an IP on the private network 172.21.0.0, my source IP becomes 172.21.2.33.

Logic:
If dst = 172.21.x.x
then src = 172.21.2.33

The router has a public IP and a private IP on port Etha0.
I have this address (172.21.2.33) added to port Eth0.

How can I write this rule in RouterOS?

This is what I tried:

/ip firewall nat
add action=src-nat chain=srcnat dst-address=172.21.0.0/24 to-addresses=172.21.2.33

But this does not seem to work. Is this the right way to accomplish this? How do I test this?

If 172.21.x.x means that the target network includes all addresses with any last two numbers, then the correct mask is /16. Other than that, the rule does exactly what you described it should do. If it doesn’t work, there may be something else missing. Try to describe in more detail how the whole thing should work, what’s connecting where, exact source and destination, where everything is, etc.

So here is the network. The office router is sitting in a rack that our service network, the 172.21.x.x/16 network, is attached to. The devices are Ubiquiti radios that are connected to a MikroTik router, and there is a fiber backhaul to our data room at our main office. What I am doing is segregating out the office network to the new MikroTik router and setting up VPN and DHCP for the office.
Right now the DHCP clients can connect to any server that is on the network in the same rack with the private network of 172.21.x.x/16.

The goal is for anyone that is on the office network to be able to access any Ubiquiti device on the service network.

—EDITED—
Try to put the srcnat rule before other srcnat/masquerade rules and do a traceroute to see what happens.

Anyone who has 2 public IPs can do:

  • /ip firewall nat add action=src-nat chain=srcnat dst-address=208.67.222.222 to-addresses=172.21.2.33 place-before=0 disabled=no
  • /put [resolve server=208.67.222.222 domain-name=myip.opendns.com]

And now we can easily check which public IP OpenDNS (now Cisco) sees.
This rule is a little similar to hairpin NAT when we speak about the same /24 CIDR subnet, but of course your example is on the internet.

Also, specify the outbound interface to understand what you are doing.
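
The corrected rule from the replies above, together with checks that show whether it is matching, as an added example that is not part of the original posts. The interface name ether1 is an assumption (use the interface that holds 172.21.2.33), and the rule is placed with place-before=0 as in the reply above.

```routeros
# Added example, not from the original thread.
# Assumption: 172.21.2.33 is configured on interface "ether1".

/ip firewall nat

# Original attempt, kept for comparison. The /24 mask only matches
# destinations 172.21.0.0 - 172.21.0.255, so a request to e.g. 172.21.5.10
# never hits this rule:
#   add action=src-nat chain=srcnat dst-address=172.21.0.0/24 to-addresses=172.21.2.33

# Corrected rule: /16 covers every 172.21.x.x destination.
# out-interface limits it to traffic leaving toward the service network.
# place-before=0 inserts it ahead of the existing first NAT rule, so a
# general masquerade rule cannot match first.
add action=src-nat chain=srcnat dst-address=172.21.0.0/16 \
    out-interface=ether1 to-addresses=172.21.2.33 place-before=0 \
    comment="office to service network"

# 1. Confirm the rule is listed above any other srcnat/masquerade rule.
print

# 2. From an office client, ping or traceroute a device on 172.21.x.x,
#    then check that the packet/byte counters on the new rule increase.
print stats

# 3. Inspect connection tracking for those flows. With the rule applied,
#    reply-dst-address shows 172.21.2.33 instead of the client's own address.
/ip firewall connection print detail where dst-address~"^172.21."
```

If the counters in step 2 stay at zero while the client is sending traffic, an earlier srcnat rule is matching first or the traffic is not leaving through the interface named in out-interface.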

I have the same problem. My MikroTik configuration is as follows:
MikroTik LAN IP is 10.10.10.10
WAN interface IP is 10.10.9.2
Then the traffic is routed from the WAN to the FortiGate (there is no masquerade rule on the MikroTik).
The NAT is done on the FortiGate router.
I need to change the source IP of subnet 10.10.4.0/24 to 10.100.20.0/24 when the destination network is 10.12.0.0/24 (tunnel),
because the VPN tunnel on the FG allows only subnet 10.100.20.0/24 to pass through.
So when I need to access any device with destination 10.12.0.0/24, I must do it from devices that have an IP in subnet 10.100.20.0/24.
What is the solution for subnet 10.10.4.0/24?

Please first read Getting the most out of this forum.
This is not the same situation and you should create a new post.
What is “10.10.4.0/24”? You say your LAN is 10.10.10.10. Please read your post in Preview before submitting it.

About your case.
A MikroTik that sits behind another router such as a FortiGate must have a directly connected network with it. I understand that “Wan interface ip 10.10.9.2” is on the MikroTik and 10.10.9.1 is on the FortiGate.
When you do not use a SNAT/masquerade NAT rule, you are using plain routing; this means your LAN 10.10.10.10 and/or 10.10.4.0/24 goes out to the FG with its original address.

The FortiGate must have a SNAT rule to hide your 10.10.10.10 and/or 10.10.4.0/24 as 10.100.20.0/24, because 10.100.20.0/24 is an internal network inside the FortiGate; it is not a MikroTik network.
You cannot do SNAT (hide the source address) to a network that is not yours. SNAT can change an incoming network that is not yours into one of your networks. That means you can hide 10.10.10.10 and/or 10.10.4.0/24 as 10.10.9.2. When you do that, the FG must still do SNAT to hide your 10.10.9.2 as 10.100.20.0/24.

If I did not answer you properly, that means you described the problem wrongly and did not use a diagram. Please first read Getting the most out of this forum.

Hello, I have got a simple situation. There is a MikroTik on X.X.X.X, and I have a dst_nat rule that is NATing the traffic to 10.9.8.106 on all ports. Then, based on documentation from MikroTik, I have a src_nat masquerade.

But in the logs on postfix, which is in the LAN, I see all incoming traffic from 10.9.8.106, which is the IP the traffic is being redirected to.

Here goes the config:
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=X.X.X.X in-interface=ether1 to-addresses=10.9.8.106
add action=masquerade chain=srcnat out-interface=ether1

I know that this was asked many times, but I am going crazy on that … why does postfix show this in the logs:
Jun 8 22:51:29 obserwatoriumbrd postfix/smtpd[26652]: disconnect from domain.tec [10.9.8.106]
Jun 8 22:51:30 obserwatoriumbrd postfix/smtpd[26548]: connect from domain.tec [10.9.8.106]

The srcnat rule doesn’t affect traffic towards 10.9.8.106 unless that host is connected to the ether1 interface.

Regarding SMTP: are the postfix logs from the host with IP 10.9.8.106? It doesn’t sound logical that the source IP addresses shown were as shown due to dstnat … because in this case the SMTP host couldn’t return traffic (it would seem traffic is coming from a local IP address). The only logical explanation is that postfix, which produced the logs you posted, is on another LAN host with a different IP address and 10.9.8.106 is acting as an SMTP relay. In this case the postfix host will definitely see the relay host as the originator of all connections.