dw5304
March 25, 2015, 7:56pm
1
I seem to be having an issue with a CCR1009 sending the router's IP address instead of the customer's WAN address for a dst-nat.
I have an RB1100AHx2 that is making use of the same dst-nat on version 6.9, and it's sending the customer's WAN address to the server.
Is there a known issue, or something I can look at on the CCR1009 to give me the same functionality?
ccr1009
mar/25/2015 19:49:37 by RouterOS 6.27
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=wanip dst-port=80 protocol=tcp to-addresses=serverip to-ports=80
add action=dst-nat chain=dstnat dst-address=wanip dst-port=443 protocol=tcp to-addresses=serverip to-ports=443
add action=masquerade chain=srcnat
RB1100AHx2
mar/26/2015 03:33:57 by RouterOS 6.9
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=WANIP dst-address-type="" dst-port=80 protocol=tcp to-addresses=LANIP to-ports=80
add action=dst-nat chain=dstnat dst-address=WANIP dst-address-type="" dst-port=443 protocol=tcp to-addresses=LANIP to-ports=443
add action=masquerade chain=srcnat out-interface=ether11
Any help would be appreciated.
dw5304:
ccr1009
mar/25/2015 19:49:37 by RouterOS 6.27
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=wanip dst-port=80 protocol=tcp to-addresses=serverip to-ports=80
add action=dst-nat chain=dstnat dst-address=wanip dst-port=443 protocol=tcp to-addresses=serverip to-ports=443
add action=masquerade chain=srcnat <----- this rule is the problem
RB1100AHx2
mar/26/2015 03:33:57 by RouterOS 6.9
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=WANIP dst-address-type="" dst-port=80 protocol=tcp to-addresses=LANIP to-ports=80
add action=dst-nat chain=dstnat dst-address=WANIP dst-address-type="" dst-port=443 protocol=tcp to-addresses=LANIP to-ports=443
add action=masquerade chain=srcnat out-interface=ether11
Any help would be appreciated.
The masquerade rule on the CCR will masquerade both inbound and outbound.
The 1100AHx2 has a condition that limits this rule to packets going out ether11 (assuming that's the WAN interface).
dw5304
March 25, 2015, 8:28pm
3
Thank you.
Not sure how I missed that.
NP - you may also want to include a masquerade rule on the inside that catches hairpin requests,
e.g. action=masquerade src-address=192.168.10.0/24 out-interface=LAN
This way, if they don't have "inside DNS" that gives the private IP, their server will still work.
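The two fixes discussed in this thread (restricting the CCR's masquerade rule to the WAN interface, and adding a hairpin rule for LAN clients) put together as one export. This is an added example, not a configuration posted by anyone in the thread; the interface names (ether1 as WAN, bridge-lan as LAN) and the addresses 203.0.113.10 (public IP) and 192.168.10.20 (the server) are assumptions chosen for illustration.

```routeros
# Added example (not from the thread). Assumed names: ether1 = WAN,
# bridge-lan = LAN, 203.0.113.10 = public WAN IP, 192.168.10.0/24 = LAN,
# 192.168.10.20 = the server behind the port forward.
/ip firewall nat
# Port forwards, same shape as the rules posted above
add chain=dstnat action=dst-nat dst-address=203.0.113.10 protocol=tcp dst-port=80 \
    to-addresses=192.168.10.20 to-ports=80 comment="http to server"
add chain=dstnat action=dst-nat dst-address=203.0.113.10 protocol=tcp dst-port=443 \
    to-addresses=192.168.10.20 to-ports=443 comment="https to server"
# Problem rule from the CCR export: it matches every packet leaving the router
# on any interface, so a forwarded inbound connection is also source-NATed on
# its way out to the LAN and the server sees the router's address, not the
# client's. Left here commented out so the difference is visible.
#add chain=srcnat action=masquerade
# Fix: only masquerade traffic that actually leaves via the WAN interface.
add chain=srcnat action=masquerade out-interface=ether1 comment="internet access"
# Hairpin: LAN clients that reach the server through the public IP. The srcnat
# chain sees the packet after dst-nat, so the destination to match on is the
# server itself. Without this rule the server would answer the LAN client
# directly (not via the router) and the connection would fail.
add chain=srcnat action=masquerade src-address=192.168.10.0/24 \
    dst-address=192.168.10.20 protocol=tcp dst-port=80,443 \
    out-interface=bridge-lan comment="hairpin NAT"
```

Rule order matters: srcnat rules are evaluated top to bottom, and the WAN-only masquerade never matches hairpin traffic, so the two rules do not interfere. Note that the hairpin rule necessarily hides the client's real address for LAN-originated connections (the server logs the router's LAN IP for those); connections arriving from the Internet keep their real source address, which is what the original question was about. The `/ip firewall connection print` output on the router shows both the original and the translated addresses of each connection if you need to confirm the behaviour.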