ADSL modem/router working in bridge mode, connected to the phone line.
I have an RB951Ui-2HnD (5 Ethernet ports and a wireless chip).
The routerboard is connected to the modem using the first port on the routerboard (ether1-gateway).
The second port on the routerboard (ether2-master-local) is connected to a small SOHO switch.
Currently the wireless on the routerboard is enabled.
NAT is enabled.
I have one public static IP (xxx.xxx.238.162).
Also, my ISP assigns me a public static IP when I connect using PPPoE (xxx.xxx.239.75).
My local network is 192.168.1.0.
I have a web server with the address 192.168.1.15.
Now, what I'm trying to do:
I want to link the public static IP xxx.xxx.238.162 to the local address 192.168.1.15, so everyone can access the web server using its public static IP xxx.xxx.238.162.
I also want the web server to use its public static IP (xxx.xxx.238.162) when it accesses the internet (in other words, to work bidirectionally).
Now, what I have done:
1- Added the public static IP xxx.xxx.238.162 to Addresses (on the pppoe-out1 interface).
2- Added two NAT rules above the default configuration.
First one:
[screenshot: 1.png]
[screenshot: 2.png]
Second one:
[screenshot: 3.png]
The problem:
Everything works fine except when I try to access the web server from within the local network using its public static IP xxx.xxx.238.162: I can't access it, ping it, or anything (right now I'm trying to do that using a laptop connected to the routerboard's Wi-Fi).
I think there is another NAT rule I should add, or at least I should modify one of the two I have already created.
Add a rule in the srcnat chain as follows:
/ip firewall nat add chain=srcnat src-address=192.168.1.0/24 dst-address=192.168.1.15 action=masquerade
This is a hairpin NAT rule. It's necessary because without it, the server will see the private IP of the other computer and will send its replies directly to that host. The other host is expecting replies from the public IP, so when it sees these unexpected packets from 192.168.1.15, it discards them.
When the MikroTik masquerades the source to itself, the server thinks it's the MikroTik asking for the service, and will send its replies to the MikroTik.
The MikroTik will then replace the reply's source IP, 192.168.1.15 → xxx.xxx.238.162, which is what the client host is expecting to see replies coming from.
Order is important, but in this case the rules' logic doesn't interfere. The outbound masquerade rule and the srcnat rule for the server's 1:1 NAT both apply only to traffic going out the WAN interface, so a hairpin connection doesn't match those rules and continues down to match the hairpin rule.
If the hairpin rule came first, outbound connections wouldn't match it, so the flow would continue on to hit the other rules.
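The complete NAT table the thread describes, written out as an added example (this is not configuration posted by either participant). It assumes the WAN interface is pppoe-out1, the LAN is 192.168.1.0/24 behind ether2-master-local and the wireless interface, and it uses 203.0.113.162 (RFC 5737 documentation range) as a stand-in for the poster's masked public IP xxx.xxx.238.162; the server is 192.168.1.15 as in the question. Rule comments explain why the order works.

```routeros
# Added example, not the original poster's or the answerer's config.
# Assumptions: WAN = pppoe-out1, LAN = 192.168.1.0/24, web server = 192.168.1.15,
# 203.0.113.162 stands in for the masked public IP xxx.xxx.238.162.

/ip address
add address=203.0.113.162/32 interface=pppoe-out1 comment="second public IP (1:1 for the web server)"

/ip firewall nat
# 1. Inbound half of the 1:1 NAT. dstnat runs before routing and has no
#    in-interface filter, so it also rewrites LAN clients that connect to
#    the public IP (the hairpin case): after this rule their destination
#    is 192.168.1.15. Ping is covered too, since no protocol is given.
add chain=dstnat dst-address=203.0.113.162 \
    action=dst-nat to-addresses=192.168.1.15 comment="1:1 inbound"

# 2. Outbound half of the 1:1 NAT: traffic the server itself originates
#    leaves with its public IP. out-interface=pppoe-out1 keeps hairpin
#    traffic (which leaves via the LAN) from matching here.
add chain=srcnat src-address=192.168.1.15 out-interface=pppoe-out1 \
    action=src-nat to-addresses=203.0.113.162 comment="1:1 outbound"

# 3. The usual masquerade for the rest of the LAN, also WAN-only.
add chain=srcnat out-interface=pppoe-out1 \
    action=masquerade comment="default masquerade"

# 4. Hairpin rule from the answer above. Rules 2 and 3 have already been
#    skipped for LAN->LAN traffic, so a LAN client talking to the public IP
#    lands here: its source becomes the router's LAN address, the server
#    replies to the router, and the router un-NATs the reply back to
#    203.0.113.162 -> client, which is what the client expects.
add chain=srcnat src-address=192.168.1.0/24 dst-address=192.168.1.15 \
    action=masquerade comment="hairpin NAT"
```

To confirm the hairpin path is taken, open the public IP from a LAN host and watch the packet counters with `/ip firewall nat print stats`; the "1:1 inbound" and "hairpin NAT" rules should both increment, and `/ip firewall connection print` will show the connection with the router's LAN address as the translated source. One side effect worth knowing: because the hairpin rule masquerades, the web server's logs record the router's LAN IP for internal visitors rather than the real client address.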