Port Forward - Translate to local IP

Hi, I have the following problem: I have a port forward for which I would like to translate the source address to a specific local network (192.168.10.0/24). I don't know how to do it! Can you point me in the direction of what to read so I can achieve that?

Thanks

Port forwarding is a dst-nat operation, which is performed before the packet enters the routing process. Source address change (a src-nat operation) takes place after the packet has been routed. Hence you need a separate action=src-nat rule in chain=srcnat of /ip firewall nat.

Maybe you need the action=src-nat rule to selectively treat only connections previously handled by that particular action=dst-nat rule, but while passing through the srcnat chain, the initial packets of these connections cannot be distinguished any more from those that have not been redirected by that action=dst-nat rule. If this is the case, you have to assign a connection-mark using a rule in chain=prerouting of /ip firewall mangle with the same set of match conditions you used in the action=dst-nat rule, and let the action=dst-nat and action=src-nat rules match on that connection-mark value. In the prerouting chain, mangle is placed even before dstnat.

Thanks for your useful information! I will try, and if I fail I will come back with an example.

Hi, here is my example:
/ip firewall nat
add chain=dstnat action=dst-nat to-addresses=192.168.50.48 to-ports=50003 protocol=tcp dst-address=1.2.3.4 connection-mark=PortFowardMark dst-port=50003 log=yes log-prefix=""
# src-nat: only the source address is rewritten; to-ports is left out so each client keeps its own source port
add chain=srcnat action=src-nat to-addresses=192.168.10.0/24 protocol=tcp dst-address=192.168.50.48 connection-mark=PortFowardMark dst-port=50003 log=yes log-prefix=""
/ip firewall mangle
# marks the connection on the first packet, before dstnat, so both NAT rules can match on the mark
add chain=prerouting action=mark-connection new-connection-mark=PortFowardMark passthrough=yes protocol=tcp dst-address=1.2.3.4 dst-port=50003 log=no log-prefix=""

  • 1.2.3.4 is my WAN IP
  • 192.168.50.48 → is the target machine I would like to make the port forward
  • 192.168.10.0/24 → is the network whose addresses must be used as the source IP to get access to 192.168.50.0/24; otherwise the request is rejected.

OK, and what do you expect from me now? To me this example seems to work; does it fail? It could also be simplified to reduce the CPU load.
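A simplified ruleset along the lines of the first reply (mark in mangle prerouting, match the mark in both NAT rules) and the last reply's remark that the example can be trimmed. This is an added example, not a configuration posted in the thread. It keeps the thread's addresses and port (1.2.3.4, 192.168.50.48, 192.168.10.0/24, TCP 50003); the mark name PortForwardMark and the WAN interface name ether1-wan are assumptions, and the restriction that only 192.168.10.0/24 may reach 192.168.50.0/24 is assumed to be enforced elsewhere (the thread does not show that rule).

```routeros
# Added example, not the thread's configuration. Addresses and port come from
# the thread; the mark name and the WAN interface name (ether1-wan) are assumed.
/ip firewall mangle
# Mangle prerouting runs before dstnat, so the match is on the ORIGINAL
# destination (the WAN address). Marking only the first packet is enough:
# the mark lives in the connection entry and every later packet inherits it.
add chain=prerouting action=mark-connection new-connection-mark=PortForwardMark \
    passthrough=yes connection-state=new in-interface=ether1-wan \
    protocol=tcp dst-address=1.2.3.4 dst-port=50003

/ip firewall nat
# NAT rules are consulted only for the first packet of a connection, and that
# packet already carries the mark, so the mark alone selects the traffic and
# the protocol/address/port matches need not be repeated. The port is not
# changed, so to-ports is omitted.
add chain=dstnat action=dst-nat connection-mark=PortForwardMark \
    to-addresses=192.168.50.48
# srcnat runs after routing, when the destination is already 192.168.50.48.
# The source is replaced with an address from the range (written as a range
# rather than a prefix). No to-ports, so each client keeps its own source port
# and concurrent connections do not compete for a single port.
add chain=srcnat action=src-nat connection-mark=PortForwardMark \
    to-addresses=192.168.10.0-192.168.10.255

# Check that forwarded connections carry the mark and the translated addresses:
# /ip firewall connection print where connection-mark=PortForwardMark
```

Two things to check before relying on this: 192.168.50.48 must have a route back to 192.168.10.0/24 via this router, or its replies will go elsewhere; and because the target now sees a 192.168.10.x source instead of the real client, the NAT rules' log=yes (or the connection table above) is the only place the original client address is still visible. If .0 or .255 are unusable as source addresses on that network, narrow the range to 192.168.10.1-192.168.10.254.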