Port forward keeping client IP

Hello,

I have a server that is running some services on the UDP protocol.

For some reason I want to hide the server IP, so I rented a MikroTik RouterOS somewhere and I port forwarded using dstnat + masquerade, and it's OK.

The problem is that the IP of the clients that are connected to the server is the MikroTik IP, which is a problem.

How exactly am I supposed to keep the clients' original IP?

Here is the scenario of my situation:

MikroTik has only 1 interface with a public IP:

I used dstnat on port 555 UDP, action dst-nat to “server ip” “port”

and srcnat UDP out-interface: “my only interface”, action masquerade.

Instead of forwarding port from one public address to another, use tunnel/VPN between router and server. Configure server to use router as default gateway through tunnel and then you can use it as standard internal network, i.e. just dstnat packets to server, without the need to use masquerade.

A single dstnat to the server is not working and there is no connection.
When I add srcnat it will work.
What else am I missing?

Current setup: Publicly visible forwarder has 1.1.1.1. Hidden server has 2.2.2.2 with default gateway 2.2.2.1. You have dstnat rule forwarding traffic from 1.1.1.1 to 2.2.2.2. And you also need srcnat rule that makes all traffic look like it comes from 1.1.1.1. Otherwise server would try to reply directly to client and it would not work, because client wanted to talk to 1.1.1.1 and does not know anything about 2.2.2.2.

If you want to see real client addresses, create a tunnel/VPN between 1.1.1.1 and 2.2.2.2. It will have e.g. 192.168.1.1 on router side and 192.168.1.2 on server side. Remove original default route from server. Add only route to 1.1.1.1 via 2.2.2.1 to allow tunnel connection. Then add new default route via 192.168.1.1. And instead of forwarding traffic from 1.1.1.1 to 2.2.2.2, forward it from 1.1.1.1 to 192.168.1.2.

It will basically simulate simple internal network. You won’t need srcnat anymore, because server will have only one (and therefore always correct) way to send replies to clients. It will completely hide server’s real address 2.2.2.2, any connection from server to outside world will look like it comes from 1.1.1.1.

The second server itself has its own connections on other services.
If I do this, all the traffic should pass through the MikroTik I think, and the server will lose its own connections.

Any method you have in mind so I can make it work?

Well, you could use the same basic idea and only route reply traffic back to tunnel. But it gets a little tricky, because it won’t “just work” with any server.
If the server had RouterOS, you’d add another routing table with default route, mark incoming connections from tunnel and then use the second routing table for replies, which would send them via tunnel. It’s the same mechanism as used for multiple WANs.
But your server does not run on RouterOS. I’m sure the same thing is possible with Linux and similar systems, but I can’t give you exact config.
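The Linux-side configuration that the two replies above describe but do not spell out, as an added example that is not part of this thread: variant A is the earlier reply's "route everything through the tunnel" setup, variant B is the last reply's "only replies to tunnel-originated connections go back through the tunnel" setup, done with a connection mark and a second routing table (the Linux equivalent of the RouterOS multi-WAN mechanism). Addresses reuse the thread's examples (router 1.1.1.1, server 2.2.2.2 with gateway 2.2.2.1, tunnel 192.168.1.1/192.168.1.2); the tunnel interface name `tun0`, routing table 100 and mark `0x1` are assumptions. The script has a dry-run mode so the generated commands can be reviewed before running them as root.

```shell
#!/bin/sh
# Added example, not from the thread. Addresses follow the thread's examples;
# TUN_IF, TABLE and MARK are assumed values, change them to match your tunnel.
ROUTER_PUB=1.1.1.1      # public address of the MikroTik forwarder
SERVER_GW=2.2.2.1       # server's existing default gateway on its uplink
TUN_IF=tun0             # server end of the router<->server tunnel
TUN_GW=192.168.1.1      # router's address inside the tunnel
TABLE=100               # extra routing table used only for tunnel replies
MARK=0x1                # conntrack/packet mark for tunnel-originated flows

# With DRY_RUN=1 every command is printed instead of executed, so the result
# can be checked without root and without a live tunnel.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Variant A (earlier reply): ALL server traffic leaves through the tunnel.
# Keep only a host route to the router's public address on the real uplink
# (needed to carry the tunnel itself), then replace the default route.
# The server's own outbound connections will then appear to come from 1.1.1.1.
full_tunnel_routing() {
  run ip route add "$ROUTER_PUB"/32 via "$SERVER_GW"
  run ip route del default
  run ip route add default via "$TUN_GW" dev "$TUN_IF"
}

# Variant B (last reply): the server keeps its own default route; only
# replies to connections that ARRIVED over the tunnel are sent back that way.
reply_only_routing() {
  # second table whose only route points into the tunnel
  run ip route add default via "$TUN_GW" dev "$TUN_IF" table "$TABLE"
  # packets carrying the mark are routed with that table instead of main
  run ip rule add fwmark "$MARK" lookup "$TABLE"
  # remember in conntrack which connections came in through the tunnel
  run iptables -t mangle -A PREROUTING -i "$TUN_IF" -m conntrack --ctstate NEW \
      -j CONNMARK --set-mark "$MARK"
  # copy that connection mark onto the server's locally generated replies
  run iptables -t mangle -A OUTPUT -m connmark --mark "$MARK" -j CONNMARK --restore-mark
  # client source addresses arrive on tun0 although the main table would route
  # them via the uplink; strict reverse-path filtering would silently drop them,
  # so use loose mode on the tunnel interface
  run sysctl -w net.ipv4.conf."$TUN_IF".rp_filter=2
}

# usage: DRY_RUN=1 sh setup.sh reply   (review)   |   sh setup.sh reply   (apply)
case "${1:-}" in
  full)  full_tunnel_routing ;;
  reply) reply_only_routing ;;
esac
```

On the router side both variants need the same change the replies describe: the dst-nat rule's to-address becomes the server's tunnel address 192.168.1.2, and the masquerade rule for this port is removed, otherwise the server still sees 1.1.1.1 as the client. Variant A removes the default route, so apply it from a console session rather than an SSH session over 2.2.2.2, and note that a UDP "connection" in conntrack only exists for the flow's timeout, which is what makes the mark-based reply routing work for a UDP service.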

Well, thanks for your time and your help.