local to local masquerade

Hi,
I'm wrestling with MikroTik NAT policies.
I have a local network with a few computers behind a MikroTik router (v3.0rc9). On the external interface there are multiple external IPs NATted through to internal computers. If I access the external IPs from outside the network everything is okay, but I cannot access them from inside using the external IP.
I have read some threads on this forum, but nothing from them works for me.

1. chain=srcnat action=src-nat to-addresses=62.209.xxx.xxx to-ports=0-65535 src-address=192.168.5.138
2. chain=dstnat action=dst-nat to-addresses=192.168.5.138 to-ports=0-65535 dst-address=62.209.xxx.xxx
3. chain=srcnat action=masquerade src-address=192.168.5.0/24

http://forum.mikrotik.com/t/port-forwarding-problems/30728/16

In this thread I read that I need:

So at the end you get three nat rules:

  1. Masquerade internal to external (you already have it)
  2. Port forwarding (you already have it)
  3. Masquerade local to local (rule I wrote above)

I think that I'm doing something wrong with the last point.

How exactly does the packet go through the rules?
Please help me to make it work.

Are you using the proxy or a hotspot on the local net?
Is all else on the local net OK? Can you access the internet?

The NAT rules are applied in order. The port forward srcnat/dstnat rules should be first, then the local to local.

It might help if you could show us
/ip firewall nat print all

All else on the local net is OK. The internet is working, everything seems to be fine.
The rules are in the order I posted them. I don't think it's a good idea to post all the rules; there are about 140 of them.

I get the internet to the network by:

1. chain=srcnat action=src-nat to-addresses=193.179.xxx.xxx to-ports=0-65535 src-address-list=private_networks out-interface=ether1

What you are looking for is hairpin NAT.
This is possible, but the NAT rule might look a bit strange at first:

For example, to forward HTTP to a server at 10.26.4.15 you would need this rule (10.26.4.254 is the router IP).

chain=dstnat action=dst-nat to-addresses=10.26.4.15 protocol=tcp dst-address=!10.26.4.254 dst-address-type=local dst-port=80

The logic behind this is: you want to dst-nat all traffic that comes in on one of the router's IPs (dst-address-type=local), just not on the LAN interface (dst-address=!10.26.4.254).

If your router is multihomed you need to use address lists.

Best regards

Max
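The original poster asked how exactly a packet walks through the rules, and Max's reply explains the hairpin case in words. The following Python simulation, added here as an illustration and not code from anyone in the thread or from RouterOS, models the two chains (dstnat before routing, srcnat after routing, first match wins per chain) and traces a LAN client connecting to the public IP. It shows why the port forward alone fails from inside (the server's reply goes straight back across the LAN with the server's private address as its source, bypassing the router) and why the extra local-to-local masquerade fixes it (the reply is forced back through the router, which reverses both translations). All addresses, the router's LAN IP 192.168.5.1, the interface names ether1/ether2 and the public IP 62.209.0.10 are constructed placeholders; Max's `dst-address-type=local dst-address=!router-ip` form is modelled as well.

```python
"""Simulate a LAN client's packet walking RouterOS-style NAT chains.
Added example; every address and interface name is a constructed placeholder."""
import ipaddress

LAN = ipaddress.ip_network("192.168.5.0/24")
ROUTER_LAN_IP = "192.168.5.1"   # assumed LAN address of the router
PUBLIC_IP = "62.209.0.10"       # placeholder for the thread's 62.209.xxx.xxx
SERVER = "192.168.5.138"        # internal host behind the port forward
ROUTER_IPS = {ROUTER_LAN_IP, PUBLIC_IP}


def route(dst):
    """Pick the egress interface: LAN subnet -> ether2, everything else -> ether1."""
    return "ether2" if ipaddress.ip_address(dst) in LAN else "ether1"


def matches(rule, pkt, out_iface=None):
    """True when every match field present in the rule fits the packet."""
    src = ipaddress.ip_address(pkt["src"])
    dst = ipaddress.ip_address(pkt["dst"])
    if "src_address" in rule and src not in ipaddress.ip_network(rule["src_address"]):
        return False
    if "dst_address" in rule and dst not in ipaddress.ip_network(rule["dst_address"]):
        return False
    # dst-address=!x in RouterOS syntax: match everything except x
    if "dst_address_not" in rule and dst == ipaddress.ip_address(rule["dst_address_not"]):
        return False
    if rule.get("dst_address_type") == "local" and pkt["dst"] not in ROUTER_IPS:
        return False
    if "out_interface" in rule and rule["out_interface"] != out_iface:
        return False
    return True


def walk(rules, pkt):
    """Apply dstnat (pre-routing), route, then srcnat (post-routing).
    Within a chain the first matching rule wins."""
    pkt = dict(pkt)
    for r in rules:
        if r["chain"] == "dstnat" and matches(r, pkt):
            pkt["dst"] = r["to"]
            break
    out = route(pkt["dst"])
    for r in rules:
        if r["chain"] == "srcnat" and matches(r, pkt, out):
            if r["action"] == "masquerade":
                # masquerade uses the address of the egress interface
                pkt["src"] = ROUTER_LAN_IP if out == "ether2" else PUBLIC_IP
            else:  # src-nat with an explicit to-addresses
                pkt["src"] = r["to"]
            break
    return pkt, out


def hairpin_works(rules, client="192.168.5.10"):
    """True when the client's connection to PUBLIC_IP gets its reply from PUBLIC_IP."""
    original = {"src": client, "dst": PUBLIC_IP}
    translated, _ = walk(rules, original)
    if translated["dst"] != SERVER:
        return False          # the port forward itself did not match
    if translated["src"] in ROUTER_IPS:
        # The server answers the router; the router reverses both translations
        # from its connection-tracking entry, so the client sees PUBLIC_IP.
        return True
    # Server and client share a subnet: the reply goes directly to the client
    # with source SERVER, never touching the router.  The client expected a
    # reply from PUBLIC_IP and discards it.
    return False


# The thread's setup: port forward plus outbound masquerade only.
PORT_FORWARD = [
    {"chain": "dstnat", "action": "dst-nat", "dst_address": PUBLIC_IP, "to": SERVER},
    {"chain": "srcnat", "action": "masquerade", "src_address": str(LAN), "out_interface": "ether1"},
]

# Same, plus the local-to-local (hairpin) masquerade the thread is missing.
HAIRPIN = PORT_FORWARD + [
    {"chain": "srcnat", "action": "masquerade", "src_address": str(LAN), "dst_address": str(LAN)},
]

# Max's dstnat form: any router-owned address except the LAN gateway address.
MAX_DSTNAT = [
    {"chain": "dstnat", "action": "dst-nat", "dst_address_type": "local",
     "dst_address_not": ROUTER_LAN_IP, "to": SERVER},
]

if __name__ == "__main__":
    print("port forward only:", hairpin_works(PORT_FORWARD))   # False
    print("with hairpin masquerade:", hairpin_works(HAIRPIN))  # True
```

The model deliberately ignores ports and connection tracking details; its point is the order of operations and the asymmetric return path, which is what makes the third rule necessary.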