I have this situation. An old Cisco router died recently with this NAT configuration (check the attached image):
Original Address: 10.240.xx.0-10.240.xx.63
Translated Address: 10.xx.xx.251
Rule Type: Dynamic

Original Address: 10.240.xx.21 (8080)
Translated Address: 10.xx.xx.242 (8080)
Rule Type: Static
I want to implement these to a Mikrotik router which is gonna substitute the old one.
The Mikrotik router has 1 LAN interface and 2 WAN interfaces (WAN1 & WAN2), routing traffic for a specific IP address through WAN1 and all other traffic through WAN2.
The above rules must use the WAN1 interface.
How can I accomplish that?
I already have this rule in NAT:
chain=srcnat action=masquerade src-address=10.240.xx.0/26
I need this: if someone hits this (external) address, 10.xx.xx.242:8080, the router forwards the request to the internal (LAN) address 10.240.xx.21:8080, through the WAN1 interface.
Should I use src-nat or dst-nat?
Can you be more analytical, because I’m not very familiar with RouterOS…
In this case you should use destination NAT, because of the direction: your external IP address is the destination address for someone, which is why you should use destination NAT.
ip firewall nat
add action=dst-nat chain=dstnat src-address=0.0.0.0/0 src-port=8080 dst-address=10.xx.xx.242:8080 to-addresses=10.240.xx.21 to-ports=8080 in-interface=WAN1
P.S.: you do not have to set src-address=0.0.0.0/0, because an empty value means everyone.
P.P.S.: are you sure that src-port has to be 8080 from outside?
Actually, it appears that your src-nat rule is missing the out interface??
Amnurak provides the required destination nat rule for what is essentially port forwarding.
I don't like it, and offer the one below.
Best if you can limit those accessing your server (by address list via source address list if you can).
ip firewall nat
add action=dst-nat chain=dstnat dst-port=8080 protocol=tcp in-interface=WAN1 to-addresses=10.240.xx.21
(I don't think you need to enter “to-ports” if there is no change from the destination port, but I'm not sure.)
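
The two Cisco rules from the question written as RouterOS NAT rules, with the port forward limited to a source address list as suggested above. This is an added example, not a configuration posted by anyone in the thread; the list name wan1-8080-allowed and the 192.0.2.0/24 range are constructed placeholders, and the xx octets are left elided as in the question.

```routeros
# Constructed placeholder: the only sources allowed to reach the forwarded port.
/ip firewall address-list
add list=wan1-8080-allowed address=192.0.2.0/24 comment="placeholder range, replace with real clients"

/ip firewall nat
# Static rule: 10.xx.xx.242:8080 arriving on WAN1 -> 10.240.xx.21:8080 on the LAN.
# The match is on the DESTINATION port; the client's source port is random.
# protocol=tcp is required whenever dst-port is used.
# to-ports is written out for clarity; when omitted the port is left unchanged.
add chain=dstnat action=dst-nat protocol=tcp in-interface=WAN1 \
    dst-address=10.xx.xx.242 dst-port=8080 \
    src-address-list=wan1-8080-allowed \
    to-addresses=10.240.xx.21 to-ports=8080 \
    comment="static: 10.xx.xx.242:8080 -> 10.240.xx.21:8080"

# Dynamic rule: 10.240.xx.0-10.240.xx.63 (a /26) leaves WAN1 as 10.xx.xx.251.
# action=src-nat with to-addresses pins the translated address, which
# masquerade does not do (it uses whatever address the interface has).
# out-interface keeps the rule from touching traffic that leaves via WAN2.
add chain=srcnat action=src-nat out-interface=WAN1 \
    src-address=10.240.xx.0/26 to-addresses=10.xx.xx.251 \
    comment="dynamic: LAN /26 -> 10.xx.xx.251 on WAN1"
```

The out-interface matcher only applies to packets that the routing decision already sends out WAN1, so the existing routing setup still decides which traffic reaches the srcnat rule.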