NAT.

Hello,
I have a MikroTik RouterOS with 3 interfaces:
- INTERNET - internet provider
- WAN - data communication with other cities
- LAN - internal LAN

I have several NAT rules that allow an application to access our SQL server on port 1433 from INTERNET and WAN, like:
connection coming from INTERNET-IP to port 1433 goes to localIP port 1433
connection coming from WAN-IP to port 1433 goes to localIP port 1433

NOW I want to configure another application that uses another port, like 807, and to map it
to an internet IP address (PUBLIC IP, another server) on port 1433.

How can this be done?

/ip firewall nat add chain=dstnat dst-address=0.0.0.0/0 protocol=tcp dst-port=807 action=dst-nat to-addresses=PUBLICIP to-ports=1433

That should do it!

I tried :
/ip firewall nat add chain=dstnat dst-address=0.0.0.0/0 protocol=tcp dst-port=807 action=dst-nat to-addresses=PUBLICIP to-ports=1433

not forwarding packets to the PUBLICIP. Application not accessing the SQL Server.

Maybe I didn't mention that the PUBLICIP is not on my local network. It is somewhere on the internet.


Before your reply I tried to do this in two rules:
/ip firewall nat add chain=dstnat dst-address=WANIP protocol=tcp dst-port=807 action=dst-nat to-addresses=PUBLICIP to-ports=1433

/ip firewall nat add chain=dstnat dst-address=INTERNETIP protocol=tcp dst-port=807 action=dst-nat to-addresses=PUBLICIP to-ports=1433

If you do a traceroute to that PUBLIC IP, does the trace actually go via the router you are doing the routing on? And if you do a trace to the IP of the internal server, does the traffic also go via the router you are doing the routing on?

It sounds like all your traffic might not go via that router, which could be your problem. The DSTNAT rule I posted has to work if your traffic really goes via it.

Do a couple of tests. Look at that rule to see if there's any traffic passing through it (go to the counters and look carefully).
Try accessing the server on both the public address and the local address:807 from a device directly connected to that router. (If you can access the public IP on the default port, the local ip:807 should work unless some other NAT rule is at play.)

Please post your results. G

From my computer on local LAN :
tracert PUBLICIP

Tracing route to PUBLICIP over a maximum of 30 hops

1 <1 ms <1 ms <1 ms 192.168.0.1 (Microtik)
2 <1 ms <1 ms <1 ms PUBLICIP
Trace complete.

From the MikroTik router:
[admin@MikroTik] tool> traceroute PublicIP
ADDRESS STATUS
1 PublicIP 1ms 1ms 1ms
[admin@MikroTik] tool>

Those are my NAT rules:

0 chain=dstnat in-interface=INTERNET dst-address=MyPublicIP protocol=tcp
dst-port=25 action=dst-nat to-addresses=LocalMailServer to-ports=25

1 chain=dstnat in-interface=ASA dst-address=WANIP protocol=tcp
dst-port=25 action=dst-nat to-addresses=LocalMailServer to-ports=25

2 chain=dstnat dst-address=MyPublicIP protocol=tcp dst-port=3000
action=dst-nat to-addresses=LocalMailServer to-ports=3000

3 chain=dstnat dst-address=WANIP protocol=tcp dst-port=3000
action=dst-nat to-addresses=LocalMailServer to-ports=3000

4 chain=dstnat in-interface=ASA dst-address=WANIP protocol=tcp
dst-port=110 action=dst-nat to-addresses=LocalMailServer to-ports=110

5 chain=dstnat in-interface=INTERNET dst-address=MyPublicIP protocol=tcp
dst-port=1433 action=dst-nat to-addresses=LocalSQLServer to-ports=1433

6 chain=dstnat in-interface=ASA dst-address=WANIP protocol=tcp
dst-port=1433 action=dst-nat to-addresses=192.168.0.50 to-ports=1433

7 chain=srcnat out-interface=ASA src-address=192.168.0.0/24
action=masquerade

8 chain=srcnat out-interface=INTERNET src-address=192.168.0.0/24
action=masquerade

9 chain=dstnat in-interface=INTERNET dst-address=MyPublicIP protocol=tcp
dst-port=80 action=dst-nat to-addresses=192.168.0.205 to-ports=80

10 chain=dstnat in-interface=ASA dst-address=WANIP protocol=tcp
dst-port=80 action=dst-nat to-addresses=192.168.0.205 to-ports=80

11 chain=dstnat in-interface=INTERNET dst-address=MyPublicIP protocol=tcp
dst-port=11111 action=dst-nat to-addresses=192.168.0.50 to-ports=11111

12 chain=dstnat in-interface=ASA dst-address=WANIP protocol=tcp
dst-port=11111 action=dst-nat to-addresses=192.168.0.50 to-ports=11111

13 chain=dstnat in-interface=INTERNET dst-address=MyPublicIP protocol=tcp
dst-port=110 action=dst-nat to-addresses=192.168.0.69 to-ports=110

15 chain=dstnat dst-address=0.0.0.0/0 protocol=tcp dst-port=97 action=dst-nat
to-addresses=PUBLICIP to-ports=1433
The last one is the rule I added based on your suggestions.

Is it at all possible to disable your masquerading rules for 10 min and test your DST NAT rule then? I am not sure what your interfaces are called and do, so I can't say for sure if it would help.

What I would suggest, if possible, is to disable all NAT rules and only enable the rule you are trying to get to work, just to eliminate the possibility that other rules could interfere. The only two rules that could really interfere are the MASQ rules.

You didn't answer my previous question about the counters for the rule we are trying to get to work. When attempting to access the server on port 907, do the counters run or not? If they do, it at least shows you that it is picking up your traffic.

Another question. While your rule is active and you attempt to access the SQL server on port 907, does it connect to the LOCALIP, or doesn’t it connect to any server at all? I was just thinking that perhaps you need more than one port to access SQL. I don’t know much about SQL, does anyone know if SQL uses more than one port to connect?
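To make the counter and masquerade questions above concrete, here is an added example (not from the thread or from RouterOS itself) that walks a packet through the posted rule table in RouterOS order: dstnat on entry, routing decision, srcnat on exit. All addresses and the routing table are constructed stand-ins for the placeholders in the thread, and only the four rules that matter for this test are modelled.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed addresses standing in for the thread's placeholders (assumptions).
WANIP, MYPUBLICIP, PUBLICIP = "10.200.0.1", "198.51.100.10", "203.0.113.25"
LOCALSQL = "192.168.0.50"

@dataclass
class Rule:
    chain: str                              # dstnat or srcnat
    action: str                             # dst-nat or masquerade
    match: dict = field(default_factory=dict)
    to_addr: str = ""
    to_port: int = 0
    hits: int = 0                           # what the rule counters would show

RULES = [  # subset of the posted rule list (rules 5, 7, 8 and 15), same order
    Rule("dstnat", "dst-nat", {"in-interface": "INTERNET", "dst-address": MYPUBLICIP,
                               "protocol": "tcp", "dst-port": 1433}, LOCALSQL, 1433),
    Rule("srcnat", "masquerade", {"out-interface": "ASA", "src-address": "192.168.0.0/24"}),
    Rule("srcnat", "masquerade", {"out-interface": "INTERNET", "src-address": "192.168.0.0/24"}),
    Rule("dstnat", "dst-nat", {"dst-address": "0.0.0.0/0", "protocol": "tcp", "dst-port": 807},
         PUBLICIP, 1433),
]

def matches(rule, pkt):
    m = rule.match
    for key, fld in (("in-interface", "in_if"), ("out-interface", "out_if"),
                     ("protocol", "proto"), ("dst-port", "dport")):
        if key in m and m[key] != pkt[fld]:
            return False
    for key, fld in (("dst-address", "dst"), ("src-address", "src")):
        if key in m and ipaddress.ip_address(pkt[fld]) not in ipaddress.ip_network(m[key], strict=False):
            return False
    return True

def route(dst):  # assumed routing table: LAN 192.168.0.0/24, WAN side 10.200.0.0/16, rest via INTERNET
    ip = ipaddress.ip_address(dst)
    if ip in ipaddress.ip_network("192.168.0.0/24"): return "LAN"
    if ip in ipaddress.ip_network("10.200.0.0/16"): return "ASA"
    return "INTERNET"

def forward(pkt, rules=RULES):
    """First matching rule per chain wins, as in RouterOS; returns the rewritten packet."""
    pkt = dict(pkt, out_if=None)
    for r in rules:                                   # 1. dstnat before routing
        if r.chain == "dstnat" and matches(r, pkt):
            r.hits += 1; pkt["dst"], pkt["dport"] = r.to_addr, r.to_port; break
    pkt["out_if"] = route(pkt["dst"])                 # 2. routing decision on the NATed destination
    for r in rules:                                   # 3. srcnat on the chosen out-interface
        if r.chain == "srcnat" and matches(r, pkt):
            r.hits += 1; pkt["src"] = MYPUBLICIP if pkt["out_if"] == "INTERNET" else WANIP; break
    return pkt
```

A LAN client hitting WANIP:807 is rewritten to PUBLICIP:1433, routed out INTERNET and masqueraded by rule 8, so disabling that masquerade rule would break the return path for exactly this flow; the hit counters show which rules the packet actually touched.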

I opted for another solution. I changed the routing tables on the routers of the branches and main office to allow the IP to be visible.
Thank you anyway for your replies.

Best Regards,
Luan