Mikrotik router LAN IP 192.168.1.253
Mikrotik router WAN IP: 192.168.0.10
Non-Mikrotik modem: 192.168.0.1
Public IP: 212.5.*.
Server LAN IP: 192.168.1.7
Server: WAN IP: 192.168.0.3
Default gateway at Mikrotik Router: 192.168.0.1
Default gateway at Server: 192.168.0.1
Default gateway at DHCP clients at LAN: 192.168.1.253
We have a server providing some services within the LAN network plus other sites connected via VPN and some services published to the internet. At the non-Mikrotik modem, there is NAT for published services pointing to 192.168.0.3 and everything worked ok. One day, when we upgraded the internet connection, we had to replace the modem. After replacing it, services published to the internet stopped working from the LAN as the new modem drops packets from the LAN going to our own public IP instead of doing NAT. There is nearly nothing to configure, it’s a very simple device, so we tried to do the configuration at the Mikrotik router.
I tried to set up dstnat rule with action dst-nat to address 192.168.0.3 for Src. Address 192.168.1.0/24 and Dst. Address 212.5.*..
If I specify WAN in Out. Interface List, I get an error Couldn’t change NAT Rule <192.168.1.0/24->212.5.*.> - outgoing interface matching not possible in input and prerouting chains (6). If I don’t specify it, I can create the rule, but it doesn’t work as expected. When I tried not to specify Dst. Address, I couldn’t access the Mikrotik router anymore as it was pointing to 192.168.0.3. Then I had to use the MAC address to access it so it does obviously something, but IDK what I’m doing wrong.
I also tried to specify LAN in In. Interface List instead of providing Src. Address, but no change.
So you have the server connected directly to the ISP’s router (the same way as your router), NOT the server connected behind your router, right? Nothing special is needed for that, this should be enough:
The server is connected straight to the ISP router at one interface with IP 192.168.0.3 and also to the MikroTik router at another interface with IP 192.168.1.7.
I had tried adding the rule, even before I sent my first post here, but it’s still not working.
And that’s what breaks it. The packet from 192.168.1.x (the client) towards 212.5.a.b goes to the gateway 192.168.1.253 (the Mikrotik), which dst-nats it to 192.168.0.3, but the source address remains 192.168.1.x. So the server responds using the route to 192.168.1.0/24, which is direct, not via Mikrotik. The client receives the response packet, but since it comes from 192.168.1.7 rather than 212.5.a.b, it ignores it.
One possible solution is to add also a src-nat rule: chain=srcnat src-address=192.168.1.0/24 dst-address=192.168.0.3 action=src-nat to-addresses=192.168.0.10
This will rewrite the source address of the request from 192.168.1.x to the WAN IP of the Mikrotik, so the server will send the response to that address; the Mikrotik will first un-src-nat the response (i.e. rewrite the destination address with the source address of the request), route it, and then un-dst-nat it (i.e. rewrite the source address with the destination address of the request). So the client will be happy as the response will come from 212.5.a.b.
Another solution is to just disconnect the other interface of the server, but doing so would likely have some impact on your current workflow.
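To make the two reply paths described in the post above concrete, here is an added Python model of the flow. It is not RouterOS configuration and not code from anyone in this thread. It assumes a constructed LAN client at 192.168.1.50 and uses 212.5.0.1 as a stand-in for the public address written as 212.5.a.b; the dstnat rule follows the first post (src 192.168.1.0/24, dst public IP, to 192.168.0.3) and the srcnat rule is the one quoted above. It also models the first post's side effect of leaving dst-address off the dstnat rule, which captured management traffic to 192.168.1.253.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Addresses from the thread. CLIENT and PUBLIC_IP are constructed placeholders
# (the thread writes the public address as 212.5.a.b).
CLIENT = "192.168.1.50"
ROUTER_LAN = "192.168.1.253"
ROUTER_WAN = "192.168.0.10"
SERVER_LAN = "192.168.1.7"
SERVER_WAN = "192.168.0.3"
PUBLIC_IP = "212.5.0.1"
LAN = ip_network("192.168.1.0/24")
WAN_SEGMENT = ip_network("192.168.0.0/24")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


class MikrotikNAT:
    """Stateful NAT model: a dstnat rule (LAN -> public IP becomes LAN -> 192.168.0.3)
    and an optional srcnat rule (LAN -> 192.168.0.3 gets source 192.168.0.10).
    Replies are looked up in the connection table and translated back."""

    def __init__(self, hairpin_srcnat: bool, dstnat_matches_dst: bool = True):
        self.hairpin_srcnat = hairpin_srcnat
        # False models the rule from the first post that omitted dst-address.
        self.dstnat_matches_dst = dstnat_matches_dst
        self.conns: dict[tuple[str, str], Packet] = {}

    def forward(self, pkt: Packet) -> Packet:
        original = pkt
        from_lan = ip_address(pkt.src) in LAN
        # chain=dstnat src-address=192.168.1.0/24 dst-address=<public IP>
        #   action=dst-nat to-addresses=192.168.0.3
        if from_lan and (pkt.dst == PUBLIC_IP or not self.dstnat_matches_dst):
            pkt = replace(pkt, dst=SERVER_WAN)
        # chain=srcnat src-address=192.168.1.0/24 dst-address=192.168.0.3
        #   action=src-nat to-addresses=192.168.0.10
        if self.hairpin_srcnat and from_lan and pkt.dst == SERVER_WAN:
            pkt = replace(pkt, src=ROUTER_WAN)
        # Store the translated tuple in reply direction so the answer can be undone.
        self.conns[(pkt.dst, pkt.src)] = original
        return pkt

    def reply(self, pkt: Packet) -> Packet:
        original = self.conns.get((pkt.src, pkt.dst))
        if original is None:
            return pkt  # no connection entry: nothing to undo
        # un-src-nat (destination back to the client), then un-dst-nat
        # (source back to the public IP the client originally addressed)
        return Packet(src=original.dst, dst=original.src)


def server_route(dst: str) -> str:
    """The server has an interface in both subnets, so both are directly
    connected; everything else goes to its default gateway 192.168.0.1."""
    if ip_address(dst) in LAN:
        return "lan-direct"
    if ip_address(dst) in WAN_SEGMENT:
        return "wan-direct"
    return "default-gateway"


def simulate(hairpin_srcnat: bool) -> dict:
    """A LAN client connects to the published service on the public IP."""
    nat = MikrotikNAT(hairpin_srcnat)
    request = Packet(CLIENT, PUBLIC_IP)
    to_server = nat.forward(request)  # the client's gateway is the Mikrotik
    reply = Packet(src=to_server.dst, dst=to_server.src)  # server answers the request's source
    path = server_route(reply.dst)
    if path == "wan-direct" and reply.dst == ROUTER_WAN:
        reply = nat.reply(reply)  # only this path passes the Mikrotik again
    # The client accepts a reply only from the address it originally sent to.
    accepted = reply.dst == CLIENT and reply.src == request.dst
    return {"to_server": to_server, "server_path": path, "reply": reply, "accepted": accepted}


def router_still_reachable(dstnat_matches_dst: bool) -> bool:
    """Management traffic from the LAN to 192.168.1.253 also passes the dstnat chain."""
    nat = MikrotikNAT(hairpin_srcnat=False, dstnat_matches_dst=dstnat_matches_dst)
    return nat.forward(Packet(CLIENT, ROUTER_LAN)).dst == ROUTER_LAN


if __name__ == "__main__":
    for flag in (False, True):
        r = simulate(flag)
        print(f"srcnat={flag}: reply leaves server via {r['server_path']}, "
              f"client sees {r['reply']}, accepted={r['accepted']}")
    print("router reachable without dst-address match:", router_still_reachable(False))
```

With only the dstnat rule the server's reply is routed out of its 192.168.1.0/24 interface straight to the client and never returns through the Mikrotik, so it still carries a private source address and the client drops it; with the srcnat rule added the reply is addressed to 192.168.0.10, passes the Mikrotik, and is translated back to the public IP. The last check shows why the dstnat rule needs its dst-address match: without it, the client's own connection to 192.168.1.253 is redirected to the server.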
It depends. My assumption (possibly wrong) was that there’s masquerade on RB’s WAN, because that’s what people usually do, even when they could do it without. And if it’s there, it would cover this.