NAT question

I’m having problems figuring out how to set up a Mikrotik router to NAT in this situation. Take the following situation:


192.168.0.1/24
     LAN1
       |                                              gateway: 172.16.0.1
   ROUTER A - 172.16.0.1/29 --eth-- 172.16.0.2/29 - PTP RADIO A
                                                        |
                                                      802.11
                                                        |
   ROUTER B - 172.16.0.4/29 --eth-- 172.16.0.3/29 - PTP RADIO B
       |                                              gateway: 172.16.0.1
     LAN2
192.168.1.1/24

These are two routers, each with management on an Ethernet interface connected to a LAN, and with another port connected to a /29 linking the two routers. In that /29 are also the management interfaces of a pair of devices. However, these devices only support setting a single default route each, which is set to router A's IP in that subnet. When the link is up, management can be reached on both devices from either side of the network. If the link goes down, however, 172.16.0.3 cannot be reached from LAN2, as it is trying to gateway through the router on the other side of the link.

While I could set each device to use the near router as its gateway, this becomes a problem in other situations (for example, from LAN A, router B going offline is indistinguishable from radio B going offline, as either will cause radio B to stop routing out of the network).

What I'd like to do instead is set the routers up to relay connections to the devices' management IPs. Assume there are redundant, unshown paths between router A and router B. I'd like to set up NAT on router B so that I can hit 192.168.1.1:8080 and have it relay the socket to 172.16.0.3:80, effectively proxying the connection.

I can't simply do a port forward (/ip firewall nat add chain=dstnat dst-address=192.168.1.1 dst-port=8080 action=dst-nat protocol=tcp to-addresses=172.16.0.3 to-ports=80), as that still leaves the source address outside the 172.16.0.3 network, which leaves the radio trying to route the reply through the potentially unreachable 172.16.0.1 default route.

What I need to have the router do is:

  • Rewrite the src-address to 172.16.0.4
  • Rewrite the dst-address/port to 172.16.0.3:80
  • Send the packet out
  • On replies from the device, rewrite the dst-address/port back to the original source address/port.

How would I go about doing this?
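One way to do the four steps above on router B, as an added example that is not part of the original post: a dstnat rule for the redirect plus a srcnat rule that rewrites the source to router B's /29 address, so the radio's reply never consults its default route. Connection tracking reverses both translations on the return path. Interface names "ether1-lan2" and "ether2-ptp" are assumptions; the srcnat match is kept narrow (one destination, one port, one out-interface) so ordinary traffic is not rewritten.

```routeros
# Added example, not the poster's configuration. Assumed interface names:
#   ether1-lan2 = router B's LAN2 port, ether2-ptp = router B's 172.16.0.4/29 port.

/ip firewall nat
# Step 2: rewrite dst 192.168.1.1:8080 -> 172.16.0.3:80. Restricting in-interface
# means only LAN2 hosts can use the relay; it is not reachable from the /29 side.
add chain=dstnat in-interface=ether1-lan2 dst-address=192.168.1.1 protocol=tcp dst-port=8080 action=dst-nat to-addresses=172.16.0.3 to-ports=80 comment="relay LAN2 -> radio B mgmt"

# Step 1: srcnat runs after dstnat, so it sees the already-rewritten destination.
# Rewriting src to 172.16.0.4 keeps replies inside the /29 regardless of the radio's
# default route. An explicit to-addresses is used rather than masquerade so the
# translation does not change if the interface address changes.
add chain=srcnat out-interface=ether2-ptp dst-address=172.16.0.3 protocol=tcp dst-port=80 action=src-nat to-addresses=172.16.0.4 comment="force radio B replies back via router B"

# Step 4 needs no rule: connection tracking un-NATs replies to the original LAN2 source.
# Verify while a client is connected (the original client address is visible here even
# though the radio's own logs will only ever show 172.16.0.4):
/ip firewall connection print where dst-address~"172.16.0.3:80"
```

Because the radio only sees 172.16.0.4, its access logs cannot attribute management sessions to individual LAN2 hosts; keep the router's own connection or logging rules as the record of who used the relay.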