NAT - Source and Destination NAT on same router

mickdoev · October 30, 2023, 12:37am

I have a situation where I require both source and destination NAT on the same router.
The destination NAT rule redirects inbound requests on TCP port 50010 to TCP port 1880 on a host on the LAN side of the Mirktotik.
The source NAT rule is the default rule allowing LAN hosts to access the Internet (required).

/ip firewall nat
add action=dst-nat chain=dstnat dst-address=10.1.1.5 dst-port=50010 in-interface=ether1 protocol=tcp to-addresses=192.168.1.10 to-ports=1880
add action=masquerade chain=srcnat out-interface-list=WAN

The rules are currently working as desired. My concern is what may happen if/when the source NAT rule also happens to use TCP port 50010 ???
Is there a way to exclude that port from the source NAT?

rplant · October 30, 2023, 3:20am

I don’t think it matters.
The 4 parts of the connection need to match.

So a new outbound connection might be Natted to 50010 from the router, but it would not be to the same IP and port that has
an inbound connection into 50010, so it would be seen and handled different.

And the return traffic to this outbound connection would be seen as part of the outbound connection, not a new inbound connection.

mickdoev · October 30, 2023, 4:32am

I performed a test on this by modifying the source NAT rule so it was limited to only using TCP port 50100 for masquerade. I also enabled logging on the destination NAT rule.

add action=dst-nat chain=dstnat dst-address=10.1.1.5 dst-port=50010 in-interface=ether1 protocol=tcp to-addresses=192.168.1.10 to-ports=1880 log=yes log-prefix="DST NAT OCCURED - "
add action=masquerade chain=srcnat out-interface-list=WAN protocol=tcp to-ports=50100

As you advised, the source NAT return traffic (back to TCP port 50100) did not trigger the destination NAT rule
Thanks.