Mail server dst-nat (masquerade issue)

Hi all.

I have a mail server (Zimbra) running on a local IP address.
The mail server's external address (1.1.1.1, for example) is configured in the MikroTik with these rules:

0 chain=dstnat action=dst-nat to-addresses=192.168.10.4 to-ports=25
protocol=tcp dst-address=1.1.1.1 dst-port=996

1 ;;; Mail server DST_NAT
chain=dstnat action=dst-nat to-addresses=192.168.10.4
dst-address=1.1.1.1

Rule 0 is used for an ISP that blocks port 25.
Rule 1 is to direct any kind of traffic from the external address to the local mail server IP.

I don't know why, but rule number 1 is also masquerading, and all requests that reach the mail server look as if they came from my MikroTik firewall 192.168.10.1 and not from the original IPs.

Can anyone help? What should I change so that whatever is coming to 1.1.1.1 will go to 192.168.10.4 with the original IP that it came from?

If you are asking why it is important, it's because of spam filtering lists.

There should be at least one srcnat also. Maybe that is the problem. Please post “/ip firewall nat”.

As requested by SurferTim, I'm publishing all of my NAT rules:

1.1.1.1 - is my external mail server address
1.1.1.2 - is my external address for browsing
2.2.2.2 - is a second external address (different ISP)

0 chain=dstnat action=dst-nat to-addresses=192.168.10.4 to-ports=25 protocol=tcp dst-address=1.1.1.1 dst-port=996

1 ;;; Mail server DST_NAT
chain=dstnat action=dst-nat to-addresses=192.168.10.4 dst-address=1.1.1.1

2 X chain=dstnat action=dst-nat to-addresses=8.8.8.8 to-ports=53 protocol=tcp src-address=192.168.10.8 dst-address=77.73.190.21 dst-port=53

3 chain=dstnat action=dst-nat to-addresses=192.168.10.2 to-ports=7022 protocol=tcp dst-address=1.1.1.2 dst-port=7022

4 chain=dstnat action=dst-nat to-addresses=192.168.10.2 to-ports=7443 protocol=tcp dst-address=1.1.1.2 dst-port=7443

5 chain=dstnat action=dst-nat to-addresses=192.168.16.9 to-ports=3389 protocol=tcp dst-address=1.1.1.2 dst-port=54444

6 chain=dstnat action=dst-nat to-addresses=192.168.10.5 to-ports=3389 protocol=tcp dst-address=1.1.1.2 dst-port=54322

7 chain=dstnat action=dst-nat to-addresses=192.168.16.9 to-ports=3389 protocol=tcp dst-address=2.2.2.2 dst-port=54321

8 chain=dstnat action=dst-nat to-addresses=192.168.10.5 to-ports=3389 protocol=tcp dst-address=2.2.2.2 dst-port=54322

9 X ;;; Mail server DST_NAT
chain=dstnat action=dst-nat to-addresses=111.111.111.111 src-address=222.217.38.33 dst-address=1.1.1.1

10 ;;; Mail server SNAT
chain=srcnat action=src-nat to-addresses=1.1.1.1 src-address=192.168.10.4 out-interface=ether7_skylinks

11 chain=srcnat action=masquerade

I think it is rule 11.

/ip firewall nat
set 11 out-interface=ether7_skylinks

If ether7_skylinks is not your WAN interface, change that to the appropriate interface.

But what if it is my WAN? I have 2 WAN ports.

And this one is the correct with the mail server address.

Rule 11 is the challenge. If you have two WAN interfaces, you should have a srcnat rule for each interface.

Hi SurferTim.

Can you please assist me in setting a rule that will say:

If it's coming from Eth1 to 1.1.1.1 (external mail server address), go to 192.168.10.4 without masquerading it.

Thanks.

That isn’t the right way to go about it. Tim has it exactly right: make two masquerade rules, one for each WAN interface, and specify them as out-interfaces. That is the correct way to implement source NAT, and solves your problem immediately.

Can you please give an example of such a rule?

Tim already told you.

Currently your rule is:

/ip firewall nat
add chain=srcnat action=masquerade

You need to add out-interface properties to that. Assuming one WAN interface is called ether7_skylinks and the other one is called ether8_something:

/ip firewall nat
add chain=srcnat action=masquerade out-interface=ether7_skylinks
add chain=srcnat action=masquerade out-interface=ether8_something

That way only traffic leaving through the WAN interfaces gets masqueraded, which in turn also means that hosts on the inside that have traffic destination NATted to them see the IP address of the source as it entered the router.
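To make the explanation above (and SurferTim's earlier advice to have one srcnat rule per WAN interface) concrete, here is a small Python model of how a RouterOS-style NAT chain evaluates a packet. It is an added example, not code from the thread or from MikroTik: it takes the poster's dstnat rules 0 and 1, the mail server SNAT rule, and either the bare masquerade rule or the two interface-bound masquerade rules, and shows the source address the mail server ends up seeing in each case. The LAN interface name `bridge_lan`, the per-interface addresses in `IFACE_ADDR`, the one-line routing table in `egress_interface`, and the Internet hosts 203.0.113.5 / 198.51.100.9 are constructed for the example.

```python
"""Model of RouterOS NAT chain evaluation (added example, not from the thread).

Shows why a bare ``chain=srcnat action=masquerade`` rule rewrites the source of
traffic that dstnat rule 1 has just forwarded to the mail server, and why
pinning masquerade to the WAN interfaces preserves the original sender address.
"""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

# constructed: the address each interface would use when masquerading
IFACE_ADDR = {
    "ether7_skylinks": "1.1.1.2",   # WAN 1 (1.1.1.1 is reserved for the mail server)
    "ether8_something": "2.2.2.2",  # WAN 2
    "bridge_lan": "192.168.10.1",   # LAN side: the router address the mail server saw
}
LAN_PREFIX = "192.168.10."


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    chain: str
    action: str
    to_addresses: Optional[str] = None
    to_ports: Optional[int] = None
    protocol: Optional[str] = None
    dst_address: Optional[str] = None
    dst_port: Optional[int] = None
    src_address: Optional[str] = None
    out_interface: Optional[str] = None


def egress_interface(dst: str) -> str:
    """Constructed routing table: LAN prefix via the bridge, everything else via WAN 1."""
    return "bridge_lan" if dst.startswith(LAN_PREFIX) else "ether7_skylinks"


def matches(rule: Rule, pkt: Packet, out_if: Optional[str]) -> bool:
    """An unset matcher (None) matches anything, like an omitted RouterOS property."""
    wanted = [
        (rule.protocol, pkt.proto),
        (rule.dst_address, pkt.dst),
        (rule.dst_port, pkt.dport),
        (rule.src_address, pkt.src),
        (rule.out_interface, out_if),
    ]
    return all(want is None or want == have for want, have in wanted)


def apply_chain(rules: List[Rule], chain: str, pkt: Packet, out_if: Optional[str]) -> Packet:
    """First matching rule in the chain wins, as in RouterOS."""
    for rule in rules:
        if rule.chain != chain or not matches(rule, pkt, out_if):
            continue
        if rule.action == "dst-nat":
            return replace(pkt, dst=rule.to_addresses, dport=rule.to_ports or pkt.dport)
        if rule.action == "src-nat":
            return replace(pkt, src=rule.to_addresses)
        if rule.action == "masquerade":
            return replace(pkt, src=IFACE_ADDR[out_if])
    return pkt


def route(rules: List[Rule], pkt: Packet) -> Tuple[Packet, str]:
    """dstnat runs before routing; routing picks the out-interface; then srcnat runs."""
    pkt = apply_chain(rules, "dstnat", pkt, None)
    out_if = egress_interface(pkt.dst)
    return apply_chain(rules, "srcnat", pkt, out_if), out_if


# the poster's rules 0, 1 and 10, transcribed from the thread
DSTNAT = [
    Rule("dstnat", "dst-nat", to_addresses="192.168.10.4", to_ports=25,
         protocol="tcp", dst_address="1.1.1.1", dst_port=996),
    Rule("dstnat", "dst-nat", to_addresses="192.168.10.4", dst_address="1.1.1.1"),
]
MAIL_SNAT = Rule("srcnat", "src-nat", to_addresses="1.1.1.1",
                 src_address="192.168.10.4", out_interface="ether7_skylinks")

# rule 11 as posted (no out-interface) versus the two interface-bound rules
BROKEN_RULES = DSTNAT + [MAIL_SNAT, Rule("srcnat", "masquerade")]
FIXED_RULES = DSTNAT + [
    MAIL_SNAT,
    Rule("srcnat", "masquerade", out_interface="ether7_skylinks"),
    Rule("srcnat", "masquerade", out_interface="ether8_something"),
]


def source_seen_by_mail_server(rules: List[Rule]) -> str:
    """Inbound SMTP from a constructed Internet host to the public mail address."""
    pkt, _ = route(rules, Packet(src="203.0.113.5", dst="1.1.1.1", dport=25))
    return pkt.src


if __name__ == "__main__":
    for name, rules in (("bare masquerade", BROKEN_RULES), ("per-WAN masquerade", FIXED_RULES)):
        print(f"{name:20s} mail server sees source {source_seen_by_mail_server(rules)}")
    out, iface = route(FIXED_RULES, Packet(src="192.168.10.4", dst="198.51.100.9", dport=25))
    print(f"outbound mail leaves {iface} as {out.src}")
```

With the bare rule the inbound connection is routed out the LAN bridge after dstnat, the masquerade rule still matches (it has no out-interface condition), and the source becomes the router's LAN address, which is exactly the symptom in the first post. With out-interface set, no srcnat rule matches LAN-bound traffic and the sender's real address reaches the mail server, while outbound mail still leaves through the WAN as 1.1.1.1 via the dedicated src-nat rule. On a real router, `/ip firewall connection print` after the change should show the inbound SMTP connections with their original public source addresses.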