Port forward problem

Hello,

I have two Synology NAS systems. One in the datacenter (directly with fixed IP) and one at home (using NAT with DHCP, WAN has fixed IP using xDSL). Synology uses port 5000 (or 5001) to access the NAS.

This is the situation:

  • I can use the NAS at home correctly using the internal IP 10.0.0.110
  • I can use the NAS at home from other networks
  • From outside I can connect to the NAS in the datacenter and the NAS at home
  • But since I’ve created the port forward at home (to make my NAS reachable from outside), I can’t connect to the NAS in the datacenter anymore.
  • When I disable the NAT rule, I can access the NAS in the datacenter

So … The NAT rule I’ve created will be bad :)

In IP > Firewall > NAT, I’ve created this input:
Tab “General”
Chain : dstnat
Protocol : 6 (tcp) (unchecked)
Dst. Port : 5000 (unchecked)

Tab “Action”
Action : dst-nat
To Addresses : 10.0.0.110
To Ports : 5000

Does somebody see a mistake?
I want to :

  • Connect to the NAS in the datacenter using external.ip.address:5000
  • Connect to the NAS at home, using my.xDSL.ip:5000 (doing NAT to 10.0.0.110:5000)
  • Connect to the NAS at home when I am at home, using 10.0.0.110:5000
  • Connect to the NAS in the datacenter when I am at home, using fixed.ip.address:5000

“Does somebody see a mistake?”

Yeah… You are asking your unit to send ALL traffic to port 5000 to the internal NAS.

Think about that a moment… ALL traffic to port 5000. REGARDLESS of destination address and REGARDLESS of source address will be processed by your rule.

So, the rule does exactly what you have told it to do.

You want to use either SRC-address, or In-interface as a part of your rule. Personally I would probably be lazy and slap a !10.0.0.0/24 as a source qualifier. Or less lazy and define an address list for your internal networks, and use a !addresslist as qualifier.

Or specify in-interface for that dst-nat.
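
The qualifiers suggested in the reply above, written out as RouterOS commands (an added example, not part of the original thread). The WAN interface name `ether1` and the list name `lan-nets` are assumptions, and 10.0.0.0/24 is the LAN range the reply assumes; only one of the three options is needed.

```routeros
# Rule as posted (kept commented out): it matches on protocol and port only,
# so a connection from the LAN to ANY host on tcp/5000, including the
# datacenter NAS, is rewritten to 10.0.0.110.
# /ip firewall nat add chain=dstnat protocol=tcp dst-port=5000 \
#     action=dst-nat to-addresses=10.0.0.110 to-ports=5000

# Option 1: match only packets that arrive on the WAN interface.
# "ether1" is an assumed interface name.
/ip firewall nat add chain=dstnat in-interface=ether1 protocol=tcp dst-port=5000 \
    action=dst-nat to-addresses=10.0.0.110 to-ports=5000 \
    comment="NAS forward, WAN side only"

# Option 2 (the "lazy" variant): exclude the LAN as a source.
# /ip firewall nat add chain=dstnat src-address=!10.0.0.0/24 protocol=tcp dst-port=5000 \
#     action=dst-nat to-addresses=10.0.0.110 to-ports=5000

# Option 3: keep internal networks in an address list and negate the list.
# "lan-nets" is an assumed list name.
# /ip firewall address-list add list=lan-nets address=10.0.0.0/24
# /ip firewall nat add chain=dstnat src-address-list=!lan-nets protocol=tcp dst-port=5000 \
#     action=dst-nat to-addresses=10.0.0.110 to-ports=5000

# Confirm that exactly one dst-nat rule for port 5000 remains and that the
# original unqualified rule has been removed or disabled.
/ip firewall nat print
```

With any of these in place, LAN clients reach the home NAS at 10.0.0.110:5000 directly, and their connections to the datacenter NAS on port 5000 pass through without being rewritten.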