NAT question

My current network setup:

My WAN IP: 85.0.0.2/30 (Net-Id 85.0.0.0, ISP-GW: 85.0.0.1, Broadcast: 85.0.0.3)
Extra 30 public IPs: Net-Id 85.0.0.64/27, Broadcast: 85.0.0.95
Host-Range: 85.0.0.65 - 85.0.0.94

Mikrotik setup:
Interface:
ether1 Wan
ether2 PubIPs

Address
add address=85.0.0.2/30 network=85.0.0.0 broadcast=85.0.0.3 interface="ether1 Wan" comment="WAN /30, broadcast is .3 as listed above" disabled=no
add address=85.0.0.94/27 network=85.0.0.64 broadcast=85.0.0.95 interface="ether2 PubIPs" comment="" disabled=no

Route
add dst-address=0.0.0.0/0 gateway=85.0.0.1 distance=1 scope=255 target-scope=10 comment="" disabled=no

Filter rules: applied to the HostRange using the forward chain, and to the router itself on the input chain.

Public IPs are used for web servers and other services that need static IPs.

I would like to use one of the static IPs to hide a local network behind NAT. I have used a separate Mikrotik router for this, which works fine.

Now I would like to drop the second Router and include the NAT function in my MainRouter.

  1. Is that possible?
     So far I have added interface "ether3 local":
     add address=192.168.1.1/24 network=192.168.1.0 broadcast=192.168.1.255 interface="ether3 local" comment="" disabled=no
     NAT:
     add chain=srcnat action=src-nat to-addresses=85.0.0.70 to-ports=0-65535 out-interface="ether2 PubIPs" src-address=192.168.1.0/24 comment="" disabled=no

The local network sits behind NAT with the public IP 85.0.0.70.
The local network has 192.168.1.1 as its gateway.

  2. From the local network I can ping other servers in my HostRange, but nothing outside. How do I route packets to the internet?

  3. How do I apply filter rules to the incoming and outgoing traffic of the NATed local network?

/Lars
Learning is a never ending story

I’m not sure what you are trying to do is possible with just one router. When you are doing the NAT for the 192.168.1.0/24 subnet you are sending the traffic out of ether2; that traffic has no way of getting back to the router for further routing, it just leaves the interface.

You can try something like what is described in this thread, but I don’t know if it will do what you want.
http://forum.mikrotik.com/t/loopback-interface/20725/1
I.e. place your /27 on a bridge with no interfaces assigned to it, NAT out of that interface and see what happens.

Unless I’m thinking about this wrong you should be able to just adjust the source NAT rule and set the out-interface to ether1. The NAT algorithm shouldn’t care that you’re translating to an address found behind ether2. Also remove the to-ports option as it is unnecessary.

If it does not work like that the loopback trick should work just fine. Assign the /32 to NAT to as the address of a bridge without any ports, source NAT the LAN to that IP for an out-interface of ether1.

Filtering works as usual - just refer to the packet flow diagram. For outbound traffic the forward chain comes before source NAT so you refer to real (private) IP addresses. For return traffic in established connections source NAT is undone in destination NAT before the forward chain, so again you refer to real IPs. For inbound traffic initiated from the WAN (requires port forwarding due to NAT) prerouting is before destination NAT and you use the public IP, everything afterwards is after destination NAT and you refer to the real IP.

Hi fewi

Adjusting the source NAT to out-interface ether1 worked. Thx :smiley:
(The to-ports option: remove?)

feklar: did not try the loopback trick.

Outbound traffic can be filtered in the forward chain by using In. Interface: "ether3 local" + Dst. Port.
Inbound traffic initiated from the WAN on the public IP 85.0.0.70 needs forwarding, only if needed. However, traffic like port scans etc. is handled in the input chain together with the router itself :slight_smile:
I now have a poster of the packet flow diagram :slight_smile: very good for a beginner like myself.

What else should I look into for securing my NAT network?

/Lars
Learning is a never ending story
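As an added example (not posted by anyone in this thread), here is the single-router configuration as fewi describes it and Lars confirms it: the srcnat rule moved to out-interface "ether1 Wan" with to-ports dropped, forward-chain rules that match the private addresses (because forward runs before srcnat on the way out and after dstnat on the way back), and a drop for WAN-initiated traffic that was not explicitly port-forwarded. Interface names and addresses are the ones from the thread; the web server 192.168.1.10, the port list allowed out of the LAN and the log prefixes are assumptions for illustration.

```routeros
# Source NAT: LAN hides behind 85.0.0.70, translated on the way out of the WAN port.
# No to-ports option (unnecessary, as fewi noted).
/ip firewall nat
add chain=srcnat src-address=192.168.1.0/24 out-interface="ether1 Wan" \
    action=src-nat to-addresses=85.0.0.70 comment="LAN behind 85.0.0.70"
# Hypothetical port forward: only needed if a LAN host must be reachable from the WAN.
add chain=dstnat in-interface="ether1 Wan" dst-address=85.0.0.70 protocol=tcp \
    dst-port=80 action=dst-nat to-addresses=192.168.1.10 to-ports=80 \
    comment="assumed web server on the LAN"

/ip firewall filter
# Return traffic of existing connections; srcnat is already undone here, so
# real (private) addresses are what the chain sees.
add chain=forward connection-state=established,related action=accept \
    comment="LAN NAT: return traffic"
add chain=forward connection-state=invalid action=drop \
    comment="LAN NAT: drop invalid"
# Outbound policy from the LAN, matched on in-interface + destination port
# (forward runs before srcnat, so src-address is still 192.168.1.x).
add chain=forward in-interface="ether3 local" src-address=192.168.1.0/24 \
    protocol=tcp dst-port=80,443 action=accept comment="LAN NAT: web out"
add chain=forward in-interface="ether3 local" src-address=192.168.1.0/24 \
    protocol=udp dst-port=53 action=accept comment="LAN NAT: DNS out"
add chain=forward in-interface="ether3 local" src-address=192.168.1.0/24 \
    protocol=icmp action=accept comment="LAN NAT: ping out"
add chain=forward in-interface="ether3 local" action=log log-prefix="lan-drop" \
    comment="LAN NAT: log what the LAN is blocked from doing"
add chain=forward in-interface="ether3 local" action=drop \
    comment="LAN NAT: drop everything else from the LAN"
# Inbound from the WAN: dstnat has already rewritten the destination to the
# private address, so the accept refers to 192.168.1.10, not 85.0.0.70.
add chain=forward in-interface="ether1 Wan" connection-nat-state=dstnat \
    dst-address=192.168.1.10 protocol=tcp dst-port=80 action=accept \
    comment="LAN NAT: port-forwarded web server"
add chain=forward in-interface="ether1 Wan" dst-address=192.168.1.0/24 \
    connection-state=new connection-nat-state=!dstnat action=drop \
    comment="LAN NAT: drop WAN-initiated traffic that was not dstnat'ed"
# Router itself (input chain): scans against 85.0.0.70 end up here, because
# without a dstnat rule the packet is addressed to the router.
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input in-interface="ether3 local" action=accept \
    comment="management from the LAN only"
add chain=input in-interface="ether1 Wan" action=drop \
    comment="nothing from the WAN to the router itself"
```

The existing forward and input rules for the 85.0.0.64/27 host range are untouched by these rules, since every rule above matches either the LAN interface or the 192.168.1.0/24 addresses.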