NAT and preserve public IP for a port

I am not very good at NAT, so I need some help if it's possible.

I have a router with a public IP on interface ether1.
On the inside I have two servers.
Server 1: Linux server (172.16.1.10), which only needs web port 22 through NAT. Simple dst-nat.
Server 2: Web server (172.16.1.20). I need port 443 from the public IP to the server without NAT.
This way server 2 would see the public IP.

Base NAT setup:

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=dst-nat chain=dstnat dst-port=22 protocol=tcp to-addresses=172.16.1.10

You need src-nat and dst-nat rules…
The first one is used so that the server is src-nated using the public IP you want, and the latter to dst-nat all the incoming traffic to that public IP to the server…

/ip firewall nat add chain=srcnat src-address=x.y.z.w action=src-nat to-addresses=public_IP
/ip firewall nat add chain=dstnat dst-address=public_IP dst-port=443 protocol=tcp action=dst-nat to-addresses=x.y.z.w

But the problem is you don’t want to use any NAT rules…
And the question is, why do you not want any NAT?

Jotne, you want to forward public port 443 packets to 172.16.1.20, which is a private IP address, without NAT. Sorry, not possible - you can't have your cake and eat it too :wink: The main reason is that the return source addr 172.16.1.20 will be dropped upstream.

I want the above rule to work, so inside-to-outside NAT and NAT to server1.
Since server2 is a web server, I would like the web server to see the public source IP, so that the logging of usage would be correct.

@Larsa
That's why I added "if it's possible".

NAT rules in post #2 are what you are asking for…

@Zacharias

/ip firewall nat add src-address=172.16.1.20 action=src-nat to-addresses=92.x.x.x

This asks for a chain.

Same with this:

/ip firewall nat add dst-address=92.x.x.x dst-port=443 protocol=tcp  action=dst-nat to-addresses=172.16.1.20

Sorry, my bad, I didn't manage to complete my answer, but the main reason this won't work is that the return source address 172.16.1.20 will be dropped upstream since it belongs to a private address range.

@Jotne I missed it, edited my previous post…

Also, in your case, the src-nat rule is not actually needed because you have a general masquerade rule… if you add it though, just place it before the masquerade one so that you can see it works (packet counting)…

Seems to work on a test router.
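Putting the rules from this thread together, here is an added example of the complete NAT section as I would write it; it is not taken from any post above, and 92.x.x.x stands in for the public address the way the thread already uses it. The dst-nat rules are pinned to in-interface=ether1 and the public address so they only match traffic arriving from the Internet (an unrestricted dst-port=22 rule would also redirect port-22 connections that LAN hosts open towards the Internet), the optional src-nat rule sits ahead of masquerade as suggested above, and because dst-nat rewrites only the destination, server2 still logs the real client source address.

```routeros
/ip firewall nat
# Optional: give server2's own outbound traffic the public address explicitly.
# Placed before masquerade so its packet counter shows that it is matching.
add chain=srcnat src-address=172.16.1.20 out-interface=ether1 action=src-nat to-addresses=92.x.x.x comment="server2 -> Internet"

# Everything else leaving ether1 is masqueraded with the interface address.
add chain=srcnat out-interface=ether1 action=masquerade comment="LAN -> Internet"

# SSH from the Internet to server1. Only packets that arrive on ether1 for the
# public address are redirected; LAN-originated port-22 traffic is untouched.
add chain=dstnat in-interface=ether1 dst-address=92.x.x.x protocol=tcp dst-port=22 action=dst-nat to-addresses=172.16.1.10 to-ports=22 comment="SSH -> server1"

# HTTPS from the Internet to server2. Destination only is rewritten, so the
# client's real source address reaches server2 and appears in its logs.
add chain=dstnat in-interface=ether1 dst-address=92.x.x.x protocol=tcp dst-port=443 action=dst-nat to-addresses=172.16.1.20 to-ports=443 comment="HTTPS -> server2"

# Verify: the packet/byte counters of each rule should increase as traffic flows.
/ip firewall nat print stats
```

If the srcnat counter for server2 stays at zero while the masquerade counter grows, the rule order is wrong; reorder so the specific rule precedes the general one.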