Incoming IPs are the same

I am still fairly new to the scripting side, but so far I’ve managed to configure a basic setup.
This setup includes some basic firewall rules (included below), but I’ve also made some smaller changes all over the place.

It’s working (almost) perfectly right now.
However, somewhere along the line, I messed something up…
I now have 2 issues I can’t seem to figure out:

1. All incoming IPs seem to be rerouted through my default gateway.
E.g. My default gateway is 192.168.10.250. Incoming connections from 80.0.0.1 are converted to 192.168.10.250:portnumber.

2. All external connections also seem to get my default gateway as IP.
E.g. My internal IP is 192.168.10.80 and my default gateway is 192.168.10.250. When I connect to my server and check its logs, it logged connections from 192.168.10.250.


I made this post as a last resort, since I really can’t seem to find anything related to these issues.
The stupid thing is, I’m pretty sure I made these changes myself but am now unable to revert them.
If somebody could help me out here, or even point me in the right direction… I would be forever grateful!


My firewall filters:

[Zwooosh@MikroTik] /ip firewall> filter print
Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;; Drop all incoming packets (udp & tcp) on port 53 not originating from th>
ocal area network. - This prevent outside sources to use your DNS server.
     chain=input action=drop protocol=tcp src-address-list=!support dst-port=53 

 1   chain=input action=drop protocol=udp src-address-list=!support src-port="" 
     dst-port=53 port="" 

 2   ;;; drop all forward packets that are outbound on the PPPoE interface and wh>
 src ip is not from the local LAN. - This prevents compromised PC on your LAN from
 running bots that DDoS other servers with spoofed addresses.
     chain=forward action=drop in-interface=!bridge-local out-interface=pppoe 

 3   chain=input action=accept protocol=icmp in-interface=pppoe 

 4   chain=input action=accept connection-state=related 

 5   chain=input action=accept connection-state=established 

 6   ;;; Add Syn Flood IP to the list
     chain=input action=add-src-to-address-list tcp-flags=syn protocol=tcp 
     address-list=Syn_Flooder address-list-timeout=30m connection-limit=30,32 

 7   ;;; Drop to syn flood list
     chain=input action=drop src-address-list=Syn_Flooder

My firewall nat rules:

[Zwooosh@MikroTik] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic 
 0 X chain=srcnat action=masquerade to-addresses=0.0.0.0 
     src-address=192.168.0.0/16 out-interface=pppoe 

 1 X chain=dstnat action=dst-nat to-addresses=192.168.10.80 to-ports=8080 
     protocol=tcp dst-address=10.0.0.1 dst-port=8080 

 2   chain=srcnat action=masquerade out-interface=bridge-local 

 3   chain=srcnat action=masquerade out-interface=pppoe 

 4   ;;; PlexMachine - TCP
     chain=dstnat action=dst-nat to-addresses=192.168.10.80 protocol=tcp 
     dst-address=10.0.0.1 
     dst-port=80,443,22,8000,32400,9987,30033,10011,58846 

 5   ;;; PlexMachine - UDP
     chain=dstnat action=dst-nat to-addresses=192.168.10.80 protocol=udp 
     dst-address=10.0.0.1 dst-port=80,443,22,8000,32400,9987,10011,58846

I’m not even sure it’s related to my firewall, since the only other possible cause I could think of was my IP route configuration:

[Zwooosh@MikroTik] > ip route print       
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          195.190.243.20            1
 1 ADC  192.168.10.0/24    192.168.10.250  bridge-local              0
 2 ADC  195.190.243.20/32  10.0.0.1   pppoe                     0

1. All incoming IPs seem to be rerouted through my default gateway.
E.g. My default gateway is 192.168.10.250. Incoming connections from 80.0.0.1 are converted to 192.168.10.250:portnumber.

2. All external connections also seem to get my default gateway as IP.
E.g. My internal IP is 192.168.10.80 and my default gateway is 192.168.10.250. When I connect to my server and check its logs, it logged connections from 192.168.10.250.

It’s how the NAT masquerade works, what do you expect?

Yeah, sorry I’ve read up some more on masquerading, so I get why point 2 is happening now.
However I still don’t really understand why incoming connections are also affected.

To explain my situation a bit more: I run a Teamspeak (voicechat) server behind this router, and all connecting clients need to be port-forwarded.
But all the clients now share the same IP (my gateway), albeit with different port numbers. So banning a specific client is kind of a hassle right now. I would prefer to just receive their original IPs, while they’re still being port-forwarded to my server.

What would be a better NAT-rule for this scenario?
I’m still new to all this network-configuration and was just experimenting with some stuff.
I noticed these two masquerading rules worked so I kept using them.

Sorry, but this way I cannot help you; some other forum members can help you, I hope.

Because of this rule

2 chain=srcnat action=masquerade out-interface=bridge-local

every connection going out through your bridge interface will get the interface address as its source address.
This is what your rule instructs the router to do. And since it is applied in postrouting (as any src-nat rule is), it affects all outgoing/forwarded packets, no matter their origin.

Disable/delete NAT rule number 2 and it will work as you want.
But of course, incoming connections will not appear local anymore, so take care of your firewall settings on your intranet machines, if needed.

For more details check the second picture (routing):
http://forum.mikrotik.com/t/new-packet-flow-diagram/66252/1

Thanks a lot!
Your post pointed me in the right direction and I was able to change the faulty rule (following: Hairpin NAT).
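As an added example (not the poster's actual change, nor code from the thread), this is the usual hairpin NAT form of the fix discussed above: the blanket masquerade on bridge-local is replaced by one that only matches LAN clients reaching the LAN server, so Internet clients keep their real source address in the server's logs. It uses the addresses and ports shown in the thread (LAN 192.168.10.0/24, server 192.168.10.80, WAN address 10.0.0.1 on pppoe) and assumes the dst-nat rules stay as they are.

```routeros
# Added example, not from the thread. Run in the RouterOS terminal.
/ip firewall nat

# Remove the problem rule (thread's rule 2). Run this before adding the
# hairpin rule below, which also matches out-interface=bridge-local.
# It rewrote the source of every packet leaving bridge-local, including
# dst-nat'ed connections from the Internet, so the server only ever saw
# 192.168.10.250 and could not ban individual clients.
remove [find chain=srcnat action=masquerade out-interface=bridge-local]

# Outbound masquerade for LAN hosts reaching the Internet (as in the thread).
add chain=srcnat action=masquerade out-interface=pppoe \
    comment="LAN to Internet"

# Port forwards for the server, matching the router's WAN address
# (same port lists as the thread's rules 4 and 5).
add chain=dstnat action=dst-nat to-addresses=192.168.10.80 protocol=tcp \
    dst-address=10.0.0.1 \
    dst-port=80,443,22,8000,32400,9987,30033,10011,58846 \
    comment="PlexMachine - TCP"
add chain=dstnat action=dst-nat to-addresses=192.168.10.80 protocol=udp \
    dst-address=10.0.0.1 \
    dst-port=80,443,22,8000,32400,9987,10011,58846 \
    comment="PlexMachine - UDP"

# Hairpin NAT: only a LAN client that reaches the server via the public
# address needs its source rewritten, so the server's reply goes back
# through the router instead of directly host-to-host (where the client
# would drop it as an unknown connection). Internet clients do not match
# src-address=192.168.10.0/24, so their real IPs reach the server.
add chain=srcnat action=masquerade src-address=192.168.10.0/24 \
    dst-address=192.168.10.80 out-interface=bridge-local \
    comment="Hairpin NAT"

# Verify: the srcnat chain should now contain only the pppoe masquerade
# and the restricted hairpin rule.
print where chain=srcnat
```

After applying this, check the server's logs from an outside client: connections should now be logged with the client's public address rather than 192.168.10.250, while a LAN client connecting via 10.0.0.1 still works and is logged as 192.168.10.250.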