Hi to all,
I would like to have 1:1 NAT in my network.
I configured on my RouterOS 5.8 a public interface with 10 IP addresses and I would like to redirect traffic to hosts in my LAN.
I added all 10 IP addresses on the public interface of the router and used this NAT configuration:
ip firewall nat add chain=srcnat src-address=192.168.0.1 action=src-nat to-addresses="IP PUBLIC 1"
ip firewall nat add chain=dstnat dst-address="IP PUBLIC 1" action=dst-nat to-addresses=192.168.0.1
ip firewall nat add chain=srcnat src-address=192.168.0.2 action=src-nat to-addresses="IP PUBLIC 2"
ip firewall nat add chain=dstnat dst-address="IP PUBLIC 2" action=dst-nat to-addresses=192.168.0.2
etc …
In this way I configured 1:1 NAT between each public IP address and a local LAN IP address...
The question is: when RouterOS itself tries to communicate with the Internet, which IP address will it use?
ip firewall nat add chain=srcnat src-address=127.0.0.1 action=src-nat to-addresses="IP PUBLIC PREFERRED"
ip firewall nat add chain=dstnat dst-address="IP PUBLIC PREFERRED" action=dst-nat to-addresses=127.0.0.1
Hmm... I need destination NAT only if I want to redirect my preferred public address to the router itself, right?
In particular:
If I only want RouterOS itself to communicate with the Internet, I use only source NAT.
But if I want to connect via WinBox through the Internet, then I must enable destination NAT too... right?
You use whichever IP address isn’t destination NATed to an inside host. The router can listen on ALL IP addresses configured on its interfaces, but will sometimes - when you configure destination NAT - send that traffic to somewhere else rather than listen to it. So your problem isn’t what destination NAT rule to apply, but your problem is NOT to apply destination NAT at all for traffic that is destined to the router directly. It’s already going to the router because the destination IP address is one configured on a router interface, after all.
I always want to do 1:1 NAT, but I also want to provide a firewall, so I use this configuration:
ip firewall nat add chain=srcnat src-address=192.168.0.1 action=src-nat to-addresses="IP PUBLIC 1"
ip firewall nat add chain=dstnat dst-address="IP PUBLIC 1" action=dst-nat to-addresses=192.168.0.1
I did another test.
I put a packet sniffer between the remote server and the MikroTik RouterOS, and:
When I run "telnet remote_server" on 192.168.0.1 the remote server replies correctly. I see packets with source port 23 and the IP address of the remote host, destined to IP PUBLIC 1.
On the public interface of RouterOS, with the torch tool, I see the remote host sending packets with source port 23 to my IP PUBLIC 1.
I think the problem is that these packets are not forwarded to 192.168.0.1... Why?
I attach a layout of the network.
Please consider 172.16.0.0/24 as the public IP addresses.
I disabled the firewall on RouterOS and now I have only this configuration:
ip firewall nat add chain=srcnat src-address=192.168.0.1 action=src-nat to-addresses="172.16.0.1"
ip firewall nat add chain=dstnat dst-address="172.16.0.1" action=dst-nat to-addresses=192.168.0.1
ip firewall nat add chain=srcnat src-address=192.168.0.2 action=src-nat to-addresses="172.16.0.5"
ip firewall nat add chain=dstnat dst-address="172.16.0.5" action=dst-nat to-addresses=192.168.0.2
etc …
Then I inserted a packet sniffer between the RouterOS public interface and the ISP router, and:
when I run "telnet to remote host" on 192.168.0.1 I see on the sniffer:
172.16.0.1 → remote host
and
remote host → 172.16.0.1
on the public interface of RouterOS I see:
remote host → 172.16.0.1
So I think that the source NAT runs correctly, because 192.168.0.1 always goes to the Internet as 172.16.0.1 and the remote host receives the packets correctly, but when it replies these packets arrive at the public interface of RouterOS and not at 192.168.0.1... THIS IS THE PROBLEM... on 192.168.0.1 there isn't any firewall... Consider that before the MikroTik router I used Linux Debian with iptables without problems:
I did other tests... I think the problem is a RouterOS BUG.
Let me explain...
I solved the problem simply by activating one IP address on the public interface... and this isn't normal.
For example:
If I activate ONLY 172.16.0.1/24, the source NAT and destination NAT run correctly...
If I activate ONLY 172.16.0.5/24, the source NAT and destination NAT run correctly...
It is exceedingly unlikely you found a bug in the Linux NAT implementation. It’s far more likely your router is subtly misconfigured.
Go back to the configuration you want to run. Then post it - so far you’ve only been showing snippets. That would include the output of “/ip address print detail”, “/ip route print detail”, “/interface print detail”, “/ip firewall export”, and a network diagram.
This is the configuration. The firewall is disabled... I only posted the NAT table...
The networks in ip route are unreachable because I detached the router... and another thing... I replaced my public IPs with 172.16.0.0/24...
I would like to remind you that if I activate only one IP address, for example 172.16.0.5, the NAT, source and destination, runs correctly... I have the problem if I add another IP to the same interface...
Nope - it certainly doesn’t hurt, but it’s not necessary as such.
I don’t see anything wrong with what you pasted. It should work. That it doesn’t mean that you either left something out, or edited it in such a way that it hides the problem.
Again, it is close to impossible you found a bug in how Linux handles NAT. You’re not doing anything special, and if there was a related bug it would have already been reported by hundreds of thousands of people.
Try resetting the router to scratch and setting up two simple NAT rules and see if it works.
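A from-scratch configuration of the kind suggested above, as an added example that is not from any poster in this thread. It follows the earlier point that traffic for the router's own address must never be destination-NATed, uses the thread's 172.16.0.0/24 stand-in for the public block, and assumes ether1 is the public interface, ether2 the LAN, 172.16.0.254 the ISP gateway and 203.0.113.10 an admin host (all assumptions; the admin address is documentation space).

```routeros
# Addresses: the public block (thread's 172.16.0.0/24 stand-in) on ether1, LAN on ether2.
# 172.16.0.15 is reserved for the router itself and is never destination-NATed.
/ip address
add address=172.16.0.15/24 interface=ether1 comment="router's own address"
add address=172.16.0.1/24 interface=ether1 comment="1:1 for 192.168.0.1"
add address=172.16.0.5/24 interface=ether1 comment="1:1 for 192.168.0.2"
add address=192.168.0.254/24 interface=ether2 comment="LAN gateway"

# Router-originated traffic leaves from the reserved address (pref-src), not from
# whichever public address happens to be first on the interface.
/ip route
add dst-address=0.0.0.0/0 gateway=172.16.0.254 pref-src=172.16.0.15

# 1:1 NAT: one srcnat and one dstnat rule per published host. Both are pinned to
# ether1 so LAN-to-router and LAN-to-LAN traffic is never rewritten. There is
# deliberately no dstnat rule for 172.16.0.15, so packets for it stay on the router.
/ip firewall nat
add chain=srcnat out-interface=ether1 src-address=192.168.0.1 action=src-nat to-addresses=172.16.0.1
add chain=dstnat in-interface=ether1 dst-address=172.16.0.1 action=dst-nat to-addresses=192.168.0.1
add chain=srcnat out-interface=ether1 src-address=192.168.0.2 action=src-nat to-addresses=172.16.0.5
add chain=dstnat in-interface=ether1 dst-address=172.16.0.5 action=dst-nat to-addresses=192.168.0.2

# Filter: a 1:1 mapping exposes every port of the inside host, so only the published
# service is accepted from the Internet; management stays on the reserved address.
/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input in-interface=ether1 dst-address=172.16.0.15 protocol=tcp dst-port=8291 src-address=203.0.113.10 action=accept comment="WinBox from the admin host only (assumed address)"
add chain=input in-interface=ether1 action=drop
add chain=forward connection-state=established,related action=accept
add chain=forward in-interface=ether1 connection-state=new dst-address=192.168.0.1 protocol=tcp dst-port=23 action=accept comment="published service; dst-address is already translated here"
add chain=forward in-interface=ether1 action=drop

# Verify: the reply seen in the thread (remote:23 -> 172.16.0.1) must show up as one
# tracked connection belonging to 192.168.0.1, and the dstnat rule's counters must move.
/ip firewall connection print
/ip firewall nat print stats
```

If the connection is tracked but the dstnat counter stays at zero, the reply is being matched by something earlier in the chain or is arriving on an interface other than ether1.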
Hi fewi and hi to all,
this morning I reset the router and I only added this:
I added IP addresses to the interfaces...
I implemented source and destination NAT without a firewall
I added the default route...
It's the same! It's incredible...
In particular only some private IPs can communicate with the Internet. For example:
192.168.0.1 and 192.168.0.2 run telnet correctly but 192.168.0.3 does not. If I disable all the public addresses and enable only the public IP 172.16.0.15, then 192.168.0.3 can communicate correctly... if I also add 172.16.0.10, then 192.168.0.3 continues to communicate, and 192.168.0.2 too, while 192.168.0.1 is down... It's strange!!!
I'm thinking... Is there some problem in the MTU configuration? I configured it to 1500 because the router is connected to Ethernet interfaces only. Can the NIC of the server be incompatible with the MikroTik interface? I'm using all Dell servers, in particular Dell 1750, 2950...
In the past I had this problem:
I implemented a mesh network with OSPF; each RouterOS was connected to another via WiFi and had its own private local network. The local network of each router hosted some devices, but there was always one device type that it was impossible to communicate with... I solved this problem simply by configuring the local interface with proxy-arp...
Hi fewi,
I tried to use the torch command.
If I run "telnet public_ip" on 192.168.0.1 I see in the torch tool on the public interface an entry with:
public_ip:23 → 172.16.0.5:random_port
It's clear. The packet from 192.168.0.1 arrives at public_ip and it responds correctly. The SYN,ACK packet from public_ip to 172.16.0.5 enters the router, but the router doesn't redirect it to 192.168.0.1.
I want to remind you that it happens only if I have different IP addresses on the router's public interface.
If I have only the IP 172.16.0.5 on the RouterOS public interface, without changing any configuration, the source NAT and destination NAT run correctly...
This is very strange!