Port forwarding on non-interface IP

Hi All!

I have a problem.

My ISP gave me a block of IP addresses, 185.x.x.80/29. I attempted to translate an internal server IP to one of these external IPs, but with no success.

I made this rule:

chain=dstnat action=dst-nat to-addresses=10.3.2.12 to-ports=80 protocol=tcp dst-address=185.x.x.86 dst-port=80 log=yes log-prefix=""

The WAN IP of the MikroTik is 185.x.x.82, and NAT on the interface IP works fine.
I also made a filter rule:

chain=input action=accept dst-address=185.x.x.86 log=yes log-prefix=""

but telnet to 185.x.x.86 80 says "No route to host". Ping doesn't work either. As far as I can see, the MikroTik does not announce its own WAN MAC for 185.x.x.86 (ARP) on the 185.x.x.80/29 subnet, so the ISP can't work out where 185.x.x.86 is and drops the incoming packets.

I ran Torch and see no packets from the Internet to 185.x.x.86. The log is also empty.

Where am I going wrong?

Thank you

Edit your post; you are exposing your public IPs.

Add 185.x.x.86 to your MikroTik WAN interface; you can have multiple IPs on one interface.

As CZFan suggested, you can have multiple IPs assigned to the same interface, so you could give 185.x.x.80/29 to your WAN interface.

For port forwarding to work, you need dst-nat, which you already have.
You also need hairpin NAT, so traffic from the web server can travel back along the route it came from.
This is a good demo:
https://www.youtube.com/watch?v=_kw_bQyX-3U
But you could have:

add chain=srcnat action=src-nat src-address=<LAN IP of web server> to-addresses=<WAN IP you wish to associate with the web server>

PS: you don't need the accept rule in the input chain for port 80 if there is already a dst-nat rule.
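Putting the two suggestions together, here is an added example of a complete RouterOS configuration for the scenario in this thread (it is not the original poster's export or any reply's own rules). It assumes the WAN interface is ether1, that ether1 already carries the primary 185.x.x.82/29 with the ISP gateway as default route, that the web server is 10.3.2.12 on a LAN subnet of 10.3.2.0/24, and that a generic masquerade rule for the LAN already exists; the interface name, LAN subnet and comment strings are assumptions.

```routeros
# Added example: 1:1 mapping of public 185.x.x.86 to internal 10.3.2.12.
# Assumed (not from the thread): WAN interface = ether1, LAN = 10.3.2.0/24,
# an existing "masquerade" srcnat rule for the LAN.

# 1. The router must own the public address. Without it, the router never
#    answers the ISP's ARP request for 185.x.x.86, so the packets never
#    arrive and dst-nat never gets a chance to run (Torch stays empty).
#    A second address on the same interface is enough; /29 keeps it in the
#    same on-link subnet as the primary 185.x.x.82/29.
/ip address
add address=185.x.x.86/29 interface=ether1 comment="web server public IP"

# 2. Inbound: map the public address to the internal server. Only port 80
#    is published here; drop protocol/dst-port to map every port instead.
/ip firewall nat
add chain=dstnat dst-address=185.x.x.86 protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=10.3.2.12 to-ports=80 \
    comment="185.x.x.86:80 -> 10.3.2.12:80"

# 3. Outbound: make the server's own traffic leave as 185.x.x.86 rather
#    than the router's primary 185.x.x.82. NAT rules are matched top-down
#    and the first match wins, so place-before=0 keeps this above the
#    generic masquerade rule.
add chain=srcnat src-address=10.3.2.12 out-interface=ether1 \
    action=src-nat to-addresses=185.x.x.86 place-before=0 \
    comment="10.3.2.12 -> 185.x.x.86"

# 4. Hairpin NAT: a LAN client connecting to 185.x.x.86 is dst-natted by
#    rule 2 as well (it has no in-interface restriction). The server would
#    then reply directly on the LAN from 10.3.2.12, the client expects a
#    reply from 185.x.x.86 and resets the connection. Masquerading only that
#    LAN-to-server natted traffic forces the reply back through the router.
add chain=srcnat src-address=10.3.2.0/24 dst-address=10.3.2.12 \
    protocol=tcp dst-port=80 action=masquerade comment="hairpin NAT"

# 5. Forward-chain filter: accept only what was actually dst-natted and only
#    on the published port, then drop any other dst-natted traffic so a
#    later, broader dst-nat rule cannot silently expose more of the host.
/ip firewall filter
add chain=forward connection-nat-state=dstnat dst-address=10.3.2.12 \
    protocol=tcp dst-port=80 action=accept comment="published web server"
add chain=forward connection-nat-state=dstnat action=drop \
    comment="drop other dst-natted traffic"

# Checks after applying:
/ip address print where interface=ether1    # both .82 and .86 must be listed
/ip firewall nat print stats                # dst-nat packet counter rises on a hit
/tool torch ether1 dst-address=185.x.x.86 ip-protocol=tcp port=80
```

Step 1 is the part the thread actually turned on: with 185.x.x.86 absent from `/ip address`, the ISP's ARP for that address goes unanswered and no amount of dst-nat or input-chain accept rules will help, which is exactly why Torch showed nothing. The input-chain accept rule from the original post is not needed, because dst-natted traffic is handled in the forward chain, not input.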

I am confused by past experience.
Typically, one takes the first, or one, of the block of IPs and assigns it to the router.
Practically speaking, this is for the purpose of establishing a clear WAN-to-LAN relationship when one has one or more LANs one would like to keep private.
The other IPs in the block can be used for individual servers etc., where external access is very likely.

Thus, for all the services on the main WAN IP (for example, a private user on the LAN wants to run an FTP server), one does need port forwarding.
For what is normally called one-to-one mapping (versus the many-to-one above), there is no port forwarding, but firewall rules are very much required.

Thus I differ from the above, to help delineate what is going on and make it understandable. I would use one interface for my main LAN, one interface for my other LAN(s), and other interfaces for my one-to-one mappings (one public IP to one private IP). The only instance where I would be lost is if I had fewer ports (interfaces) on the router than public IPs to deal with.
In that case, I agree one would have to learn how to combine more than one public IP on a single interface. I would buy a router with more ports; much easier to think about, less stress :)

Great thanks to all!

Indeed, after adding a secondary IP to the WAN interface, everything works fine!

Thank you and have nice day!