Lan PC accessing Lan Server via Public IP RB433 V4.10

First, my setup details.

Ports:

 #     NAME                                                    TYPE             MTU   L2MTU
 0  R  ;;; Public Port
       ether1                                                             ether            1500  1526 
 1  R  ;;; Bridge 1 : Port 1
       ether2                                                             ether            1500  1522 
 2     ;;; Bridge 1 : Port 2
       ether3                                                             ether            1500  1522 
 3  R  ;;; Bridge 1 : Port 3
       wlan1                                                              wlan             1500  2290 
 4  R  ;;; Local Lan Bridge
       bridge1

IPs:

 #   ADDRESS            NETWORK         BROADCAST       INTERFACE                                                                                             
 0   192.168.2.1/24     192.168.2.0     192.168.2.255  bridge1                                                                                               
;;; Public IP (last octet obfuscated for privacy/security)
 1 D 98.213.18.XXX/20   98.213.16.0     98.213.31.255   ether1

NAT:

Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;; Aristotle RDP
     chain=dstnat action=dst-nat to-addresses=192.168.2.234 to-ports=3389 protocol=tcp in-interface=ether1 dst-port=3389 

 1   ;;; Aphrodite RDP
     chain=dstnat action=dst-nat to-addresses=192.168.2.12 to-ports=3389 protocol=tcp in-interface=ether1 dst-port=3390

 2   ;;; Default Masq
     chain=srcnat action=masquerade out-interface=ether1

Now, to explain the scenario. A PC from the internet accessing 3389 or 3390 is correctly passed to the destination servers. A local PC with an IP of 192.168.2.200 on the LAN can access the servers via 192.168.2.234 or 192.168.2.12. This is as it should be and is all working properly.

When the local PC with IP of 192.168.2.200 attempts to connect to 98.213.18.XXX on port 3389 or 3390, traffic is not passed to the servers.


Now to explain what I wish to work. I would like to be able to have a local PC with any IP from network 192.168.2.0/24 to be able to connect to 98.213.18.XXX on a designated port and have it connect to the proper server if a dst-nat rule exists for that port. I want this to happen without having to add a second rule for every dst-nat I configure.

For example, I would like it to allow 192.168.2.200 to connect to 98.213.18.XXX on port 3389 and be passed to 192.168.2.234 port 3389. Then later, if I add a rule for port 9090 to dst-nat to 192.168.2.12, I would like that to automatically allow 192.168.2.200 to connect to 98.213.18.XXX port 9090 and get passed to 192.168.2.12 port 9090 without having to add anything other than the dst-nat for port 9090.

Linksys and Netgear home routers do this without any configuration at all. I refuse to believe that the far more advanced MikroTik cannot do this.

Someone, anyone? If this can't be done on a MikroTik, I would at least appreciate some idea as to why, when it works on many, many residential-class personal routers.

http://wiki.mikrotik.com/wiki/Hairpin_NAT

Regards, Grzegorz.
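
A hairpin NAT configuration for the setup in the first post, as an added example that is not taken from the thread or from the linked wiki page. It assumes the public address on ether1 is DHCP-assigned (the "D" flag in the address list), so the dst-nat rules match on dst-address-type=local instead of a fixed address, and it excludes 192.168.2.1 so the router's own LAN address is not redirected.

```routeros
/ip firewall nat

# Before (rule 0 from the post): in-interface=ether1 matches only packets
# that arrive on the WAN port. A LAN client dialing the public address enters
# through bridge1, so the rule never fires and the connection goes nowhere.
#   chain=dstnat action=dst-nat to-addresses=192.168.2.234 to-ports=3389
#   protocol=tcp in-interface=ether1 dst-port=3389

# After: match on the destination being one of the router's own addresses
# rather than on the ingress port, so WAN and LAN clients hit the same rule.
add chain=dstnat action=dst-nat to-addresses=192.168.2.234 to-ports=3389 \
    protocol=tcp dst-address-type=local dst-address=!192.168.2.1 \
    dst-port=3389 comment="Aristotle RDP"
add chain=dstnat action=dst-nat to-addresses=192.168.2.12 to-ports=3389 \
    protocol=tcp dst-address-type=local dst-address=!192.168.2.1 \
    dst-port=3390 comment="Aphrodite RDP"

# One hairpin rule for the whole LAN. Without it the server sees the client's
# real address (192.168.2.200), replies to it directly over the bridge, and
# the client drops the reply because it expected an answer from the public IP.
# Masquerading LAN-to-LAN flows forces the reply back through the router,
# which reverses both translations.
add chain=srcnat action=masquerade src-address=192.168.2.0/24 \
    dst-address=192.168.2.0/24 out-interface=bridge1 comment="Hairpin NAT"

# Unchanged from the post: ordinary outbound masquerade.
add chain=srcnat action=masquerade out-interface=ether1 comment="Default Masq"
```

Any dst-nat rule added later in the same form works from the LAN with no companion rule. The side effect is that hairpinned sessions reach the servers with source address 192.168.2.1, so the servers' RDP logon logs no longer identify which LAN host connected; the router's connection tracking is where that mapping lives.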