Need help with NAT with multiple external IPs

richie086a · March 17, 2020, 7:55pm

HI all

I have a pretty basic setup, but I am having issues with getting the NAT to work properly on a MikroTik Cloud Router. Here is my setup

Usable External IP Range 1.101.81.96-102
Network 1.181.81.96/29
Subnet 255.255.255.248
Gateway 1.181.81.97
Internal LAN 192.168.88.0/24
DHCP Range 192.168.88.101-240
Primary DNS 8.8.8.8
Secondary DNS 4.4.4.4

The mikrotik router is at 192.168.88.1 on the LAN. I want to be able to connect to the router remotely from my IP address so I can manage it from home. I have added an IP address list entry called RichardWAN (see config below) so I can reference it in a rule to allow me to do this.

As of right now, the LAN is able to get out to internet. I have a NAS at 192.168.88.102 set with a static lease so it always gets the same address from DHCP. I am trying to NAT 1.101.81.100 to 192.168.88.102 and allow traffic on port 8080 from specific other hosts on the internet.

Here is my config, it might have some errors considering NAT does not appear to be working right now;

# mar/17/2020 02:48:53 by RouterOS 6.44.5
# software id = GVYY-AEWD
#
# model = CRS112-8P-4S
# serial number = 9B210BB7FF0F
/interface bridge
add admin-mac=C4:AD:34:71:19:13 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
set [ find default-name=ether4 ] comment="Connection to NAS\
    \n" name=ether4-NAS
set [ find default-name=ether6 ] comment="To Richards MBP" name=ether6-MBP
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.88.100-192.168.88.254
/ip dhcp-server
add add-arp=yes address-pool=dhcp always-broadcast=yes bootp-support=dynamic \
    disabled=no interface=bridge name=dhcp1
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4-NAS
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6-MBP
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=sfp9
add bridge=bridge comment=defconf interface=sfp10
add bridge=bridge comment=defconf interface=sfp11
add bridge=bridge comment=defconf interface=sfp12
/interface list member
add interface=ether1-WAN list=WAN
add interface=bridge list=LAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=\
    192.168.88.0
add address=1.181.81.99/29 interface=ether1-WAN network=1.181.81.96
add address=1.181.81.100 interface=ether1-WAN network=1.181.81.96
add address=1.181.81.101 interface=ether1-WAN network=1.181.81.96
add address=1.181.81.102 interface=ether1-WAN network=1.181.81.96
/ip dhcp-client
add dhcp-options=hostname,clientid interface=ether1-WAN
/ip dhcp-server lease
add address=192.168.88.102 client-id=1:24:5e:be:35:76:ad mac-address=\
    24:5E:BE:35:76:AD server=dhcp1
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=8.8.8.8 gateway=192.168.88.1 netmask=\
    24
/ip dns
set allow-remote-requests=no servers=8.8.8.8,4.4.4.4
/ip firewall address-list
add address=174.50.183.227 list=SteveExternal
add address=66.60.144.62 list=RichardWAN
add address=1.181.81.96/29 list=Public
add address=192.168.88.102 list=NAS
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes \
    protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    estmagablished,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=forward disabled=yes dst-address-list=Public log=yes \
    protocol=icmp
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN

Here is my attempt at dstnat’ing the 1.181.81.100 to 192.168.88.102 for port 8080.

add action=dst-nat chain=dstnat dst-address=1.181.81.100 log=yes protocol=\
    tcp src-address=73.235.116.199 src-port=8080 to-addresses=192.168.88.102 \
    to-ports=8080
add action=netmap chain=dstnat dst-address=1.181.81.100 log=yes protocol=\
    tcp src-address=73.235.116.199 src-port=8080 to-addresses=192.168.88.102 \
    to-ports=8080
/ip route
add distance=1 gateway=1.181.81.97
/system clock
set time-zone-name=America/Los_Angeles

Could someone please tell me how to get the NAT working properly?

Thanks

anav · March 18, 2020, 4:35pm

First comment. If you are managing the router from an external site, use a VPN do to so, any other way is a security risk (well I suppose port knocking can be effective).

Okay PF needs

A single firewall rule to allow destination packets to reach server
A single source nat rule to keep track of outgoing packets assigned the router WANIP outbound (sourcenat if a fixed IP, masquerate action if a dynamic wanip)
If you wish to access the server from the same subnet the server is on, simply use the LANIP of the server.
If you wish to access the server by using the WANIP of the router (as if you were external) but from the same subnet as the server that is called HAIRPIN NAT and you will need
an xtra source nat rule and will need to modify potentially the destination nat rule.
For each server you will need a single destination nat rule
If you can limite the external wanips requireing access the the server use source-address-list in the destination nat rule.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

(1) Lets have a look at your destination nat rules… I have no experience with netmap so not looking at that one..
add action=dst-nat chain=dstnat dst-address=1.181.81.100 log=yes protocol=
tcp src-address=73.235.116.199 src-port=8080 to-addresses=192.168.88.102
to-ports=8080
add action=netmap chain=dstnat dst-address=1.181.81.100 log=yes protocol=
tcp src-address=73.235.116.199 src-port=8080 to-addresses=192.168.88.102
to-ports=8080

Corrected: Good on source address if it was more than one then a list. Change src-port to dst-port. Dont need to-port if same as dest port.
add action=dst-nat chain=dstnat dst-address=1.181.81.100 log=yes protocol=
tcp src-address=73.235.116.199 dst-port=8080 to-addresses=192.168.88.102

(2) Lets look at source nat rules - no issues
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN

(3) Looking at firewall rules… Seems your covered!
add action=drop chain=forward comment=
“defconf: drop all from WAN not DSTNATed” connection-nat-state=!dstnat
connection-state=new in-interface-list=WAN