NAT doesn't work when IP ranges are specified

I have a couple of devices or so which I connect to the MT router; it's always only one device at a time, via Ethernet. I sometimes need to connect to them from the outside, and I have the following rules:

[admin@MikroTik] > /ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
 0    ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface=ether1

 1    chain=dstnat action=netmap to-addresses=192.168.88.238 to-ports=22 protocol=tcp in-interface=ether1 dst-port=22 log=no

 2    chain=dstnat action=dst-nat to-addresses=192.168.88.238 to-ports=80 protocol=tcp dst-address=1.1.1.1 dst-port=80 log=no

 3    chain=dstnat action=dst-nat to-addresses=192.168.88.238 to-ports=443 protocol=tcp dst-address=1.1.1.1 dst-port=443 log=no
[admin@MikroTik] >

Those work all right as they are; however, if I specify “to-addresses” as

chain=dstnat action=netmap to-addresses=192.168.88.0/24 to-ports=22 protocol=tcp in-interface=ether1 dst-port=22 log=no

or

chain=dstnat action=netmap to-addresses=192.168.88.238-192.168.88.250 to-ports=22 protocol=tcp in-interface=ether1 dst-port=22 log=no

it doesn't work: the connections time out, and I can't figure out why.

Product code RB951Ui-2nD
Version: 6.37.2
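For comparison with the rules above, here is how a ranged “to-addresses” is normally used with action=netmap. This is an added example, not configuration from the original post: netmap is a static 1:1 mapping of one address set onto another (the same semantics as the Linux NETMAP target), so a range on the “to-addresses” side is paired with an equally sized range on the “dst-address” side, with each public address mapped to exactly one private address. The single-address rule 1 above is the degenerate case of that mapping. The public block 203.0.113.16/28 and private block 192.168.88.16/28 below are assumptions for illustration; the public block has to be routed to the router for this to do anything.

```routeros
# Added example: 1:1 mapping of a public /28 onto a private /28 (both blocks are assumed).
# 203.0.113.17 -> 192.168.88.17, 203.0.113.18 -> 192.168.88.18, and so on; the host part is kept.
/ip firewall nat
add chain=dstnat dst-address=203.0.113.16/28 action=netmap to-addresses=192.168.88.16/28 \
    comment="1:1 map inbound public block to private block"
# Reverse direction, so that traffic originating from the mapped hosts leaves with its own public address
add chain=srcnat src-address=192.168.88.16/28 out-interface=ether1 action=netmap to-addresses=203.0.113.16/28 \
    comment="1:1 map outbound private block back to public block"
```

Because the mapping is address-to-address, a rule with one public address (or a match on in-interface only) and a whole /24 in “to-addresses” does not select “whichever host is currently plugged in”; it still resolves to a single, fixed private address. The forward filter must also accept the mapped connections, as it already does for the rules in the post.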

Very interesting question :slight_smile: Let support answer.

I was always under the impression you can only forward the packets through NAT to one host. This seems to be backed up by it not allowing you to put in a range or subnet. Can't you give your individual devices different IPs and then assign varying port numbers so you can access all of them?

I thought the same. Is there an example where we can use an IP range in the “to-addresses” field, or is it valid for one address only?

Steve, it does allow me to put in a range or subnet; it doesn't reject it as a misconfiguration. I'm not entirely sure how to achieve assigning individual IPs; I'd assume it's from IP > DHCP Server > Leases.

You are doing port forwarding, correct? You can only forward the port to one device, not to multiple devices or a range. To put this into a “real world” response: if you “could” forward the port to the range, then when you SSH'd and the router forwarded this to multiple devices, you'd have multiple devices trying to respond to you simultaneously. See how that doesn't work?

OP, how many devices do you have that need to be forwarded to?

Because of this illogicality, the devs had to disallow setting up such a rule in the filter.

Randomly just tried this and, yeah, it did accept it with no fuss; it took a /24 with no problems. OK, so yeah, I'm not really understanding why it is doing that. I wouldn't have thought there would ever be a need for that.

Actually, I do not agree. There is no logic in this request if we are talking about unicast. In anycast it would make sense. As @Steveocee explained, in common scenarios it is useless to have such an option, but a lot of routers are used in more complex environments, and still we all have the same feature set, right?

Yeah, I understand why it doesn't look logical, but in my case I only connect one device at a time, and I have to go through the minor inconvenience of changing the rules for the different IPs that they're assigned. I have only 2 or 3, between which I swap the cable every now and then.

Illogical?
Forwarding the VoIP traffic to a group of phones: how do you do that?

If you are only connecting one device at a time, then you can leave it forwarding to one IP; each device uses the same IP when it connects, and you only have one device connected. No problems.

Why would you do that?
VoIP phones register and make their own connection; they do not need unneeded VoIP traffic sent to them.

Whoa, I was asking myself this same question, but actually you wrote it. I thought a bit about this, but pretty much couldn't get to any common scenario.
Also, just thinking out loud, how would the connection tracker record multiple NAT translations using the same port?

I can't seem to make it work. I mean, I set two different static IPs for two devices, 192.168.88.235 and 192.168.88.236, then I set up two NAT rules from the Firewall menu, but unless I disable one of the rules it doesn't work.

In other words, what I'm wondering is: is it possible to make the router give the same IP address to different MAC addresses!? Again, we're talking about a situation where only one device is plugged in at a time.

On its own segregated network, with short lease times and a very restricted number of available IPs (i.e. one in this case), yes, you can do that.
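The setup described in the reply above (a segregated segment, a one-address pool, a short lease) as an added example; this is not configuration from the thread or from MikroTik. It assumes a spare port ether5 taken out of the default LAN bridge, an unused subnet 192.168.89.0/24, and 192.168.89.2 as the one address handed out; adjust all three to your own layout before pasting. Whichever device is plugged into ether5 receives .2 by DHCP, so a single dst-nat rule covers all of them.

```routeros
# Added example: dedicated segment on ether5 (assumed spare port) whose DHCP pool holds exactly one address.
/interface bridge port remove [find interface=ether5]
/ip address add address=192.168.89.1/24 interface=ether5 comment="segment for the single swapped device"

# Pool of one address: only one device can ever hold a lease here
/ip pool add name=single-host ranges=192.168.89.2

# Short lease, so the address is freed soon after a device is unplugged
/ip dhcp-server add name=dhcp-single interface=ether5 address-pool=single-host lease-time=2m disabled=no
/ip dhcp-server network add address=192.168.89.0/24 gateway=192.168.89.1 dns-server=192.168.89.1

# One forwarding rule per service, always to the single pool address
/ip firewall nat
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=22 action=dst-nat to-addresses=192.168.89.2 to-ports=22 \
    comment="ssh to whichever device currently holds .2"
```

After swapping the cable, the new device cannot obtain .2 until the previous lease expires (or is removed under /ip dhcp-server lease), so expect up to lease-time of downtime, or shorten it further. The default-config forward filter only accepts WAN connections that were dst-nat'ed, which this rule satisfies, and the defconf masquerade rule already covers the new subnet because it matches on out-interface only. Note that from the outside all of these devices now present as the same IP:port, so an SSH client will see a different host key each time the device changes; add each device to known_hosts under its own HostKeyAlias rather than accepting a changed key blindly.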

One option may be to put in both addresses as separate rules and then use “nth=2,1” on the first one of the series.

At most it would take two attempts to connect to the ‘up’ server.
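The two-rule alternation suggested above, written out as an added example (not configuration from the thread), using the two static addresses the OP mentioned, 192.168.88.235 and 192.168.88.236, and assuming ether1 is the WAN port as in the OP's NAT table. The dstnat chain only sees the first packet of each connection, so the nth counter effectively counts new inbound connections: odd ones go to .235, even ones fall through to .236.

```routeros
# Added example: alternate new SSH connections between two hosts; only one of them is plugged in at a time.
/ip firewall nat
# nth=2,1 matches every 2nd packet starting with the 1st; in dstnat that is every 2nd new connection
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=22 nth=2,1 \
    action=dst-nat to-addresses=192.168.88.235 to-ports=22 comment="odd new connections -> .235"
# Everything that did not match the nth rule lands here
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=22 \
    action=dst-nat to-addresses=192.168.88.236 to-ports=22 comment="even new connections -> .236"
```

A connection sent to the host that is currently unplugged simply times out (the router gets no ARP reply for it), so the client has to retry; the second attempt hits the other rule. As with any scheme that puts different hosts behind the same public IP:port, the two devices present different SSH host keys, so the client will warn about a changed key when it lands on the other host; keep separate known_hosts entries (for example via HostKeyAlias in ssh_config) instead of disabling host-key checking. If that is a nuisance, the alternative from earlier in the thread, one distinct external port per device, avoids both the retry and the key warning.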