Port forwarding for entire subnet

Is it possible to set up a single destination NAT rule which would port forward as follows?

Assuming that my WAN is 123.123.123.0/24:

incoming requests to 123.123.123.0/24 on port 25 forwards to 192.168.1.0/24 on port 25

incoming requests to 123.123.123.0/24 on port 80 forwards to 192.168.2.0/24 on port 80

I know this can be done by setting up two dst-nat rules on each public IP, but that results in 500 dst-nat rules. Is it possible to set up two single rules which would apply the same translation to the entire 123.123.123.x subnet?

I think you can use ‘same’ instead of ‘dstnat’? Or maybe it's ‘netmap’; check the docs.

Sam

You can use netmap to do 1-to-1 address translation.

I tried to forward port 16000 on my MT 2.9.22 just to allow Trade Manager messenger, and it gave me an error saying “invalid value for argument min”:

add chain=dstnat dst-address=10.254.225.3 protocol=tcp dst-port=16000 action=dst-nat to-addresses=192.168.10.0/24 to-ports=16000

I would love to have a way out.

You cannot forward one port to the whole network behind the masquerading device, and it looks like you are trying to achieve this?!

You cannot map a whole class C network on one ip address and hope to get incoming connections on the same port 16000 through to EVERY device on the network.
Using dst-nat you can forward the external port 16000 to EXACTLY ONE device on your internal network, but not more or even all devices!

Best regards,
Christian Meis

In our case we are trying to provide two different 1-to-1 mappings based on the destination port:

If it comes into 123.123.123.10 on port 25 > forward it to 192.168.1.10 on port 25

If it comes into 123.123.123.10 on port 80 > forward it to 192.168.2.10 on port 80

I know we can accomplish this by making two destination NAT rules for each public IP address; we were just hoping to simplify our configuration by using 2 rules instead of 508 :slight_smile:

In any case, I’ll try both methods described (“same” and “netmap”) and will post the results here for future reference.

Netmap seems to work like a charm for this if you are performing multiple port forwards from a single public subnet to several private networks based on port.

We bound each public IP to the WAN card and set up netmap rules as follows in Winbox.

Rule #1
General tab
Chain: dstnat
Dst. Address: 123.123.123.0/24
Protocol: TCP
Dst. Port: 25

Action tab
Action: netmap
To Addresses: 192.168.1.0/24
To Ports: 25

Rule #2
General tab
Chain: dstnat
Dst. Address: 123.123.123.0/24
Protocol: TCP
Dst. Port: 80

Action tab
Action: netmap
To Addresses: 192.168.1.0/24
To Ports: 80

We handled incoming netmap exceptions (public IPs within the netmap range that are actually bound to external servers) by unbinding the public IP from the WAN port and adding an “accept” rule above our netmap rules.

General tab
Chain: dstnat
Dst. Address: 123.123.123.15

Action tab
Action: accept

We also used netmap to map outbound traffic from each private subnet back to a common public subnet.

Rule #1
General tab
Chain: srcnat
Src. Address: 192.168.1.0/24

Action tab
Action: netmap
To Addresses: 123.123.123.0/24
To Ports: 0-65535

Rule #2
General tab
Chain: srcnat
Src. Address: 192.168.2.0/24

Action tab
Action: netmap
To Addresses: 123.123.123.0/24
To Ports: 0-65535

We ran into an interesting behavior with outbound traffic if we netmapped an arbitrary range (123.123.123.10-123.123.123.20 > 192.168.1.10-192.168.1.20) instead of an entire subnet (123.123.123.0/24 > 192.168.1.0/24).
When using an arbitrary range, netmap did a round-robin mapping (the 1st outbound connection from 192.168.1.10-192.168.1.20 mapped to .10, the 2nd outbound connection mapped to .11, etc.).
When using a subnet-to-subnet mapping, netmap used a true one-to-one mapping (192.168.1.10 always mapped to 123.123.123.10, 192.168.1.11 always mapped to 123.123.123.11).



Thanks MikroTik!! Our 2.9.x configuration is several hundred lines shorter than our old 2.8.x configuration because of netmap :slight_smile:
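The Winbox rules described in the post above, written out as RouterOS CLI so the whole set can be pasted or compared against `/ip firewall nat export`. This is an added example, not the poster's own export: it follows the subnet layout from the original question (port 25 to 192.168.1.0/24, port 80 to 192.168.2.0/24), assumes the public addresses are bound to a WAN interface named `ether1` as the poster did, and uses `123.123.123.15` as the placeholder exception address from the post. Rule order matters: RouterOS walks the NAT chain top to bottom and stops at the first match, so the accept exception must sit above the netmap rules.

```routeros
# Added example (not from the original post). Assumptions: WAN interface is
# "ether1", 123.123.123.0/24 is bound to it, and 123.123.123.15 is the one
# public address that belongs to an external server and must not be netmapped.
/ip firewall nat

# Exception first: accept ends dstnat processing for this address, so the
# netmap rules below never see it.
add chain=dstnat dst-address=123.123.123.15 action=accept \
    comment="netmap exception: served by an external host"

# Inbound 1:1 mapping selected by destination port. netmap preserves the host
# part of the address, so 123.123.123.10:25 becomes 192.168.1.10:25 and
# 123.123.123.10:80 becomes 192.168.2.10:80. protocol=tcp is required for
# to-ports to be accepted.
add chain=dstnat dst-address=123.123.123.0/24 protocol=tcp dst-port=25 \
    action=netmap to-addresses=192.168.1.0/24 to-ports=25 \
    comment="SMTP: public /24 -> 192.168.1.0/24"
add chain=dstnat dst-address=123.123.123.0/24 protocol=tcp dst-port=80 \
    action=netmap to-addresses=192.168.2.0/24 to-ports=80 \
    comment="HTTP: public /24 -> 192.168.2.0/24"

# Outbound: map each private subnet back onto the public /24 so a host such as
# 192.168.1.10 always leaves as 123.123.123.10 (the subnet-to-subnet form the
# poster found gives a stable one-to-one mapping, unlike an arbitrary range).
add chain=srcnat src-address=192.168.1.0/24 out-interface=ether1 \
    action=netmap to-addresses=123.123.123.0/24 \
    comment="192.168.1.0/24 -> public /24"
add chain=srcnat src-address=192.168.2.0/24 out-interface=ether1 \
    action=netmap to-addresses=123.123.123.0/24 \
    comment="192.168.2.0/24 -> public /24"
```

Two practitioner checks after applying this: `/ip firewall nat print` confirms the accept exception is listed above the netmap rules, and `/ip firewall connection print` shows the translated address pairs once traffic flows, which is the quickest way to confirm that the mapping is one-to-one rather than round-robin. Note also that netmap only rewrites addresses; it does not by itself permit the traffic. Every host in 192.168.1.0/24 that listens on port 25 becomes reachable at its matching public address, so the `forward` chain of `/ip firewall filter` should still restrict inbound connections to the ports and hosts you actually intend to expose.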