I'm now trying to set up port forwarding for my SFTP and it works. But the problem is I can't get the source IP when someone is connecting to my SFTP; it always returns 198.172.1.1, not the source IP.
Here's my configuration for NAT.
Note: I don't have any mangle set.
/ip firewall nat
add action=dst-nat chain=dstnat comment=ABC dst-address=1xx.1xx.1xx.1xx dst-port=22 protocol=tcp to-addresses=192.168.1.23 to-ports=22
add action=src-nat chain=srcnat disabled=yes dst-address=192.168.1.23 protocol=tcp to-addresses=1xx.1xx.1xx to-ports=22
add action=masquerade chain=srcnat dst-address=192.168.1.23
The last rule with action=masquerade is the reason; that rule is only necessary for hairpin NAT, where you would like devices in the same subnet as 192.168.1.23 to be able to connect to the public address. So without that rule, the addresses of the clients in the internet will make it down to 192.168.1.23, but devices in the same subnet as 192.168.1.23 will not understand the response of 192.168.1.23 because it will be coming from its real address; to prevent this, the response needs to be forced to the Mikrotik, which “un-dst-nats” it, which inevitably means that 192.168.1.23 gets the Mikrotik’s IP in 192.168.1.x as the source of the request.
You can configure that rule to act only when necessary by adding src-address=192.168.1.0/the-correct-mask to it.
You have provided the address of the internal server - 192.168.1.23, but not the rest of your configuration. That address fits into many subnets of different size, starting from 192.168.1.16/28 up to 192.168.0.0/16 (if we stay in the domain of private subnets of course). So look at the network and mask you use on Mikrotik’s own IP address in that subnet and use the same one in the rule. So if the mask is /24 as I guess, the network would be 192.168.1.0, and you would use the following code in the terminal window:
/ip firewall nat set [find action=masquerade dst-address=192.168.1.23] src-address=192.168.1.0/24
I already used this code on my MikroTik but I still get 192.168.1.1 in my log.
Here's an example of the output I want to have:
client IP 2xx.2xx.2xx.2xx wants to connect to my SFTP via public IP 1xx.1xx.1xx.1xx
The output I want is to display my client IP, not my local IP.
The NAT that I use is this, and I still get 192.168.1.1 as my output in Bitvise SSH.
Wow. It looks all wrong to me. You’re making sure that connections to most ports forwarded from the public address will have their source set to the same public address. You want nothing of the sort if you want to see the original source addresses. On top of that, you have not one, but three identical rules guaranteeing that anything to 192.168.1.23 (except to port 22, covered by the previous rule) will get the source masqueraded.
Interestingly, I don’t see the only srcnat rule you should have, the main NAT to access internet. So unless this is some special config with more routers, the only two srcnat rules you should ever need are:
Yes, but it also applies to other srcnat rules. What I’m saying is that your current srcnat rules make no sense to me and you shouldn’t need any of them. I mean, is this a regular router, does it have the public 1xx.1xx.1xx.1xx assigned to some WAN interface, LAN 192.168.1.x/24 to another, etc.? Or is it part of some larger and strangely complex network?
The part that confuses me, if it’s a regular router, is how the internet can work when you don’t have any srcnat for outgoing traffic. All your srcnat rules have dst-address=192.168.1.x, so they apply to traffic to the LAN but not from the LAN. Did you omit some rules from what you posted?
It takes those connections (and not only them, any tcp connection to 192.168.1.21 to any port) and makes them look as if they came from 1xx.1xx.1xx.1xx:8443. But why? What’s the idea behind that?
Hairpin NAT rule, if you want to connect to services on 1xx.1xx.1xx.1xx from same LAN 192.168.1.0/24 (optional, you can skip this rule, if you don’t need to do this):
> I mean, is this regular router, does it have the public 1xx.1xx.1xx.1xx assigned to some WAN interface, LAN 192.168.1.x/24 to another, etc? Or is it part of some larger and strangely complex network?
Yes, I’m using this as a router to connect from a public Internet provider to my office LAN PC, and I’m also using it as a medium to port forward some of our local websites to be accessed from an outside IP. I’m also using it as a port forwarding medium for some of our clients to connect to our local SFTP.
> It takes those connections (and not only them, any tcp connection to 192.168.1.21 to any port) and makes them look as if they came from 1xx.1xx.1xx.1xx:8443. But why? What’s the idea behind that?
I’m using this because this is what I learned from YouTube; it said that to have a local website accessible from an outside IP, the setting should be like this.
And also, thanks for the reply and sorry to bother you this much.
Just try it, it’s safe (*): disable all your srcnat rules (don’t delete them yet, keep them as backup for now) and add mine instead. If it works, great. If not, you can put everything back in a few clicks.
(*) As I wrote, I still don’t understand, how internet access could have worked before, so there might be something missing.
Whether it will work or not, it might be a good idea to post your whole config (scroll a little back and read sindy’s signature for instructions), because pe1chl is mostly right: if you picked what you have from YouTube, there might be also other “interesting” things in your config.
So post the export of the current configuration. It is enough to e.g. forget to restrict the action=masquerade rule in ip firewall nat to act only on the WAN interface to get the result you describe.
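As an added example (not posted by anyone in this thread), here is the NAT rule set the replies above describe written out in full: the dst-nat for the SFTP forward, a single masquerade restricted to the WAN interface for internet access (the restriction sindy refers to), and the hairpin rule limited to LAN sources as suggested, shown next to the unrestricted hairpin rule it replaces. The interface name ether1-WAN, the /24 LAN mask and the placeholder public address 1xx.1xx.1xx.1xx are assumptions.

```routeros
# Added example. Assumptions: the WAN interface is named ether1-WAN, the LAN
# is 192.168.1.0/24 and the public address is the placeholder 1xx.1xx.1xx.1xx.
/ip firewall nat

# Port forward: public TCP/22 -> internal SFTP server. The source address is
# left untouched, so the server logs the real client IP.
add chain=dstnat action=dst-nat protocol=tcp dst-address=1xx.1xx.1xx.1xx dst-port=22 \
    to-addresses=192.168.1.23 to-ports=22 comment="SFTP forward"

# Main srcnat for internet access. Matching only the WAN interface means it
# never rewrites the source of connections that are forwarded into the LAN.
add chain=srcnat action=masquerade out-interface=ether1-WAN comment="internet access"

# The problem rule from the thread (kept here disabled for comparison): every
# connection to 192.168.1.23 gets the router's LAN address as its source, so
# the SFTP server only ever sees 192.168.1.1.
add chain=srcnat action=masquerade dst-address=192.168.1.23 disabled=yes \
    comment="unrestricted hairpin - hides client IPs"

# Hairpin NAT restricted to LAN sources. Internet clients no longer match it,
# so their real addresses reach the server; LAN clients connecting through
# the public address still get replies routed back via the router.
add chain=srcnat action=masquerade src-address=192.168.1.0/24 dst-address=192.168.1.23 \
    comment="hairpin NAT for LAN clients only"
```

To verify, connect from outside and compare the src-address shown by /ip firewall connection print for the TCP/22 entry with the address the SFTP server logs; with the rules above they should match.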