How to setup NAT in this case

Hi,

I’ve got a situation with NAT not working.

I’ve got an ESXi host containing Mikrotik CHR router and multiple VMs. Some of them are on private IPs, some of them are on public IPs.

Mikrotik is connected to some DC gateway. It has an IP, e.g. 1.2.3.1.

It has two bridges:

  • “Bridge-PUBLIC” which contains VMs that get public IP addresses (ex. 1.2.3.4, 1.2.3.5…).
  • “Bridge-PRIVATE” which contains VMs that get private IP addresses (ex. 192.168.1.10…)

dst-nat has been created (ex. 1.2.3.1:8080 > 192.168.1.10:80) for VMs in the Bridge-PRIVATE, and if I try to access them from any public IP address that is not in Bridge-PUBLIC, the NAT works.

ip/firewall/nat/add action=dst-nat chain=dstnat dst-address=1.2.3.1 dst-port=8080 protocol=tcp to-addresses=192.168.1.10 to-ports=80

If I try to access from any IP from the Bridge-PUBLIC, it doesn’t work.

I guess Hairpin NAT will not solve the issue since I am not doing NAT from private range?

What am I doing wrong?

Why do you guys always write in such a confusing way… :smiley:

Like 8.8.8.8 to 1.2.3.1:8080 > 192.168.1.10:80 works?
But 1.2.3.10 to 1.2.3.1:8080 > 192.168.1.10:80 doesn’t work?

Firewall rule allowing this DNAT action?
Does 192.168.1.10 have a route to 1.2.3.0/??, so it won’t go back via the router?

Sorry :slight_smile:

But you got the idea what is going on correctly.

And I think you are on point, I can’t ping 1.2.3.10 from 192.168.1.10.

I (idiot) was looking at the wrong thing all the time, I thought 1.2.3.10 can’t access 192.168.1.10, not the other way around.

Why the hell doesn’t it want to ping 1.2.3.10? I’ve got the source NAT configured: it can ping 8.8.8.8, but it can’t ping 1.2.3.10

/ip/firewall/nat add action=masquerade chain=srcnat comment="private range NAT" src-address=192.168.1.0/24

Try not to perform NAT for any destination within a directly connected host, so you would change your NAT rule to this:

set x out-interface=[wan port]
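Putting the two NAT rules from the thread together with the change suggested in the last reply, as an added RouterOS example (not a post from this thread and not the original poster's config): the unrestricted masquerade rule is kept disabled next to an interface-bound one, the dst-nat rule is unchanged, and a forward filter rule covers the "firewall rule allowing this DNAT" question. The uplink interface name `ether1` is an assumption; replace it with the interface that faces the DC gateway.

```routeros
# Added example, not from the thread. Interface name assumption:
#   ether1 = uplink toward the DC gateway (the 1.2.3.1 side)
# Bridge-PUBLIC / Bridge-PRIVATE keep the names used in the thread.
/ip firewall nat
# Rule as posted in the thread: masquerades 192.168.1.0/24 toward every
# destination, including hosts on Bridge-PUBLIC. Kept disabled so the two
# forms can be compared side by side in 'print'.
add chain=srcnat action=masquerade src-address=192.168.1.0/24 \
    comment="private range NAT (all destinations)" disabled=yes
# Interface-bound form: only translate traffic that actually leaves via
# the uplink; traffic from Bridge-PRIVATE to Bridge-PUBLIC is routed as-is.
add chain=srcnat action=masquerade src-address=192.168.1.0/24 \
    out-interface=ether1 comment="private range NAT (uplink only)"
# Port forward exactly as in the thread.
add chain=dstnat action=dst-nat protocol=tcp dst-address=1.2.3.1 \
    dst-port=8080 to-addresses=192.168.1.10 to-ports=80 \
    comment="1.2.3.1:8080 -> 192.168.1.10:80"
/ip firewall filter
# Forward chain: stateful by default, plus an explicit accept for new
# connections that the dstnat chain has already translated.
add chain=forward action=accept connection-state=established,related
add chain=forward action=accept connection-state=new \
    connection-nat-state=dstnat comment="allow dst-nat'd connections"
# Checks while testing from a Bridge-PUBLIC host: rule hit counters and
# the connection table entry for the forwarded port.
/ip firewall nat print stats
/ip firewall connection print where dst-address="1.2.3.1:8080"
```

If the connection entry appears but the reply never reaches the client, check the default route on 192.168.1.10 as the second reply suggests; the router can only reverse the dst-nat if the return packet passes through it.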