How to force NATed machines to communicate with each other using their WAN ip addresses?

zx128k · March 6, 2023, 9:35am

Guys, another pazzle…
Screenshot 2023-03-06 131654.png
I have services inside LAN acceptable using NAT, including mail servers. They work as normal from outside world, but the time has come when I need them to communicate with each other. Unfortunately it’s not enough to just use Mikrotik’s own DNS service to indicate their LAN ip address, there must be also MX records etc. So it is required that one mail server to access another mail server using WAN ip address instead. How to do this?

Right now, I’m differentiating traffic by incoming WAN ip address and interface, like:

add action=dst-nat chain=dstnat comment="Email service to Server 1" dst-address=10.10.10.10 \
    dst-port=25,110,993,995,143,587,465 in-interface=ether2 protocol=tcp \
    to-addresses=192.168.10.10

add action=dst-nat chain=dstnat comment="Email service to Server 2" dst-address=20.20.20.10 \
    dst-port=25,110,993,995,143,587,465 in-interface=ether2 protocol=tcp \
    to-addresses=192.168.20.10

How to tell Mikrotik to accept packets from one mail server to another like it was outside LAN?

besides mail services they also act as a web servers. So they also can’t reach each other through WAN ip addresses, I have to exclusively set LAN ip address in the DNS server for individual web site I want to access from either machine, for example 192.168.10.10 IN A websitedomain.com, etc…

Thanks!!

anav · March 6, 2023, 12:43pm

Put them both on a zerotier network

mkx · March 6, 2023, 1:04pm

The dst-nat rules you already have, are almost fine. With exception: the “in-interface=ether2” stands in the way. So you can omit the “in-interface” property (but might cause some other problem, depends on the rest of NAT rules you have), or simply add similar pair of rules, but use src-address property instead of in-interface (to limit the NAT rule to act only on connections between both servers). Performance-wise it probably doesn’t much if you use single pair of dst-nat rules, slightly overloaded, or if you use additional pair of dst-nat rules.

Next you’ll probably need also src-nat rules … I’m assuming your src-nat rule also limits NAT to packets sent through ether2 interface. And you probably want the connection party to think it was connected from the other mail server using its public IP address as well. So construct a src-nat rule pair, smilar to this one:

add chain=srcnat action=src-nat src-address=192.168.10.10 dst-address=20.20.20.10 protocol=tcp dst-port=25 to-addresses=10.10.10.10

(remember that src-nat is done as one of last steps in packet handling, way later than dst-nat (which is one of first steps) … so src-nat rule will see public IP address of destination)

zx128k · March 7, 2023, 5:42pm

I made a copy as you said, removing interface directive and adding source list LAN but it gaves this error:

dstnat: in:ether4 out:(unknown 0), src-mac, proto TCP (SYN), 192.168.10.10:51894->20.20.20.10:3389, len 52

mkx · March 7, 2023, 5:49pm

I guess you see this in log … is it verbose copy of whole log message? And what is now exact dst-nat rule?

zx128k · March 7, 2023, 7:32pm

yep…

chain=dstnat action=dst-nat to-addresses=192.168.20.10 protocol=tcp dst-address=20.20.20.10 src-address-list=LAN dst-port=25,110,993,995,143,587,465 log=no log-prefix=""

pretty much look like destination machine is sending response packets to the moon

zx128k · March 7, 2023, 8:27pm

omg,

it caused by my previous config from this thread:

http://forum.mikrotik.com/t/guys-please-help-setting-up-dual-wan-config/164594/1

/ip route rules print
0 src-address=192.168.100.0/24 routing-mark=WAN1_traffic action=lookup-only-in-table table=ISP1 
1 src-address=192.168.5.0/24 routing-mark=WAN2_traffic action=lookup-only-in-table table=ISP2 
 
/ip firewall mangle print

 0    chain=prerouting action=mark-connection new-connection-mark=WAN1 passthrough=yes connection-state=new connection-mark=no-mark in-interface=ether1 log=no log-prefix="" 
 1    chain=prerouting action=mark-connection new-connection-mark=WAN2 passthrough=yes connection-state=new connection-mark=no-mark in-interface=ether2 log=no log-prefix="" 
 2    chain=prerouting action=mark-connection new-connection-mark=WAN1 src-address-type="" dst-address-type="" dst-address-list=!LAN connection-mark=no-mark in-interface=ether3 log=no 
      log-prefix="" 
 3    chain=prerouting action=mark-connection new-connection-mark=WAN2 dst-address-list=!LAN connection-mark=no-mark in-interface=ether4 log=no log-prefix="" 
 4    chain=prerouting action=mark-routing new-routing-mark=WAN1_traffic connection-mark=WAN1 log=no log-prefix="" 
 5    chain=prerouting action=mark-routing new-routing-mark=WAN2_traffic connection-mark=WAN2 log=no log-prefix=""

I have excluded LAN traffic in these rules because otherwise they were losing conectivity. Now it is becoming really very interesting!!!