NAT forwarding when not default gateway

I never seem to be able to get the following to work. If the Mtik is the device’s default gateway,
it works fine. But when it isn’t, it doesn’t. Any ideas appreciated.

Public IP → Mtik → Device → Default Gateway on another network

Public IP of Mtik: 1.1.1.1
Private IP of Mtik: 10.0.0.254
Private Device IP: 10.0.0.2
Private Device GW: 10.0.0.1

/ip address
add address=1.1.1.1/24 interface=Public network=1.1.1.0
add address=10.0.0.254/24 interface=Private network=10.0.0.0
/ip firewall nat
add action=dst-nat chain=dstnat disabled=no dst-address=1.1.1.1 dst-port=\
    443 protocol=tcp to-addresses=10.0.0.2 to-ports=443

Looking at the packet sniffer, nothing is responding from 10.0.0.2 but I can telnet to port 443
just fine from the Mtik.

Any ideas?

The default gateway is used to send packets where the destination address is not in the subnet of the interface.

In your example a request packet comes in from outside, let's say 212.212.212.212, and gets sent to 10.0.0.2.

It replies to 212.212.212.212 using the only route it has for that address, its default gateway, so the return packet gets sent to 10.0.0.1 which I guess does some NAT, and you end up with the return packet with a different src IP and so somewhere it gets dropped.

When you telnet from the MikroTik, you are within the subnet, e.g. 10.0.0.254 going to 10.0.0.2, so the reply comes straight back and it works.

There are a few ways you can fix this. Either add a route for the original request which goes via the MikroTik:

/ip route add dst-address=212.212.212.0/24 gateway=10.0.0.254

or you could src-nat the inbound traffic so that it appears as if it is coming from the MikroTik,
something like this - you need to choose how to match and translate the traffic, e.g.

/ip firewall nat add chain=srcnat protocol=tcp dst-port=443 out-interface=laninterface action=masquerade

or you could make the device have a default route of the mikrotik and then make the mikrotik route via the old default gateway (10.0.0.1) for most traffic and by its own default gateway for returning packets for those port 443 connections (hint use mangle rules to mark connections)

Hope that helps

Nick.
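Added example (not from either poster): a small Python model of the reply-path decision Nick describes above, using the thread's addresses (client 212.212.212.212, MikroTik 10.0.0.254, old gateway 10.0.0.1). It assumes the device does a normal longest-prefix-match route lookup for its reply, and models srcnat as the device seeing the MikroTik's LAN address as the request's source.

```python
import ipaddress

CLIENT = "212.212.212.212"   # outside host from the explanation above
MTIK_LAN = "10.0.0.254"      # MikroTik's private address
OLD_GW = "10.0.0.1"          # the device's existing default gateway (another network)


def next_hop(routes, dst):
    """Longest-prefix-match over (prefix, gateway) pairs, as a host routing table does.
    Gateway "direct" means the destination is on a connected subnet."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None


def reply_returns_via_mikrotik(device_routes, srcnat=False):
    """Model one TCP/443 connection that the MikroTik dst-nats to the device.
    Without srcnat the device replies to CLIENT; with srcnat it replies to MTIK_LAN.
    Returns True only if the reply lands on the MikroTik, where the connection
    tracking entry lives; otherwise the path is asymmetric and the reply is dropped."""
    reply_dst = MTIK_LAN if srcnat else CLIENT
    hop = next_hop(device_routes, reply_dst)
    if hop == "direct":
        return reply_dst == MTIK_LAN   # delivered on the LAN straight to the MikroTik
    return hop == MTIK_LAN            # forwarded through the MikroTik as next hop


# Constructed device routing tables: the original one, and the one with Nick's
# 212.212.212.0/24 route pointing at the MikroTik (fix 1).
BASE_ROUTES = [("10.0.0.0/24", "direct"), ("0.0.0.0/0", OLD_GW)]
ROUTED = BASE_ROUTES + [("212.212.212.0/24", MTIK_LAN)]

if __name__ == "__main__":
    print("dst-nat only:      ", reply_returns_via_mikrotik(BASE_ROUTES))        # False
    print("added route:       ", reply_returns_via_mikrotik(ROUTED))             # True
    print("srcnat/masquerade: ", reply_returns_via_mikrotik(BASE_ROUTES, True))  # True
```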

The srcnat rule worked like a charm. Thanks.