Port forwarding with (reverse?) NAT

Hello.
I have a rather unique situation. I have to forward a port from WAN to LAN, but I have to ensure the LAN host gets the connection from a LAN IP. The reason behind this is complicated and boils down to this: the target host uses a different route back to the original internet IP. Please don't elaborate on why it's like that, or try to change this scenario; it'll just cause a lot of unnecessary explaining. I have reasons.

I tried to src-nat as I understand it should do what I want, but I can't produce a rule that matches incoming packets. Here's a sample that I tried:
/ip firewall nat
add action=src-nat chain=srcnat comment="qnap SNMP backup" dst-address=INTERNET_SRC_IP protocol=udp dst-port=16158 to-addresses=LAN_IP to-ports=xxx
It does not match (moved to position 0).

What are your opinions?

Srcnat happens in postrouting, so your dst-address should be the LAN IP of the QNAP device, as the dstnat has already changed the dst-address.

Also, you can just use action=masquerade and omit to-addresses=LAN_IP, unless you explicitly want to specify the source port number range.

Thanks for the reply. So two rules would be needed? Dst-nat and src-nat after that?

Yes, you still have to use a dstnat rule to forward the connection to the QNAP (alter the dst address).

/ip firewall nat
add action=dst-nat chain=dstnat comment="qnap SNMP backup" dst-address=WAN_IP dst-port=16158 protocol=udp to-addresses=QNAP_IP
add action=masquerade chain=srcnat comment="qnap SNMP backup" dst-address=QNAP_IP dst-port=16158 protocol=udp

As local traffic (on the same segment) is not routed, this will not affect local traffic.

I think it replaces the src IP with the WAN IP of the router.
Here's an excerpt from the log. I logged both rules and added forward logging in filter based on dst address TARGET_IP.
It could be out of order due to the way MikroTik logs things. I bolded a line from the forward filter, where you have WAN_IP->TARGET_IP. Does that mean that the router replaces SOURCE_IP with WAN_IP? I would want RTR_LAN_IP instead.

12:49:31 firewall,info DSTNAT dstnat: in:ether1E-WAN out:(none), src-mac f8:8e:85:6a:fd:81, proto UDP, SOURCE_IP:47160->WAN_IP:16158, len 75
12:49:31 firewall,info FWD forward: in:ether1E-WAN out:bridge-DS, src-mac f8:8e:85:6a:fd:81, proto UDP, SOURCE_IP:47160->TARGET_IP:161, NAT SOURCE_IP:47160->(WAN_IP:16158->TARGET_IP:161), len 75
12:49:31 firewall,info FWD forward: in:ether1E-WAN out:bridge-DS, src-mac f8:8e:85:6a:fd:81, proto UDP, SOURCE_IP:47160->TARGET_IP:161, NAT SOURCE_IP:47160->(WAN_IP:16158->TARGET_IP:161), len 75
12:49:31 firewall,info SRCNAT srcnat: in:(none) out:bridge-DS, src-mac f8:8e:85:6a:fd:81, proto UDP, SOURCE_IP:47160->TARGET_IP:161, NAT SOURCE_IP:47160->(WAN_IP:16158->TARGET_IP:161), len 75
12:49:33 firewall,info FWD forward: in:ether1E-WAN out:bridge-DS, src-mac f8:8e:85:6a:fd:81, proto UDP, SOURCE_IP:47160->TARGET_IP:161, NAT (SOURCE_IP:47160->RTR_LAN_IP:161)->(WAN_IP:16158->TARGET_IP:161), len 75

No, it looks right. Look at the very next entry after the one you highlighted.

12:49:33 firewall,info FWD forward: in:ether1E-WAN out:bridge-DS, src-mac f8:8e:85:6a:fd:81, proto UDP, SOURCE_IP:47160->TARGET_IP:161, NAT (SOURCE_IP:47160->RTR_LAN_IP:161)->(WAN_IP:16158->TARGET_IP:161), len 75

The blue portion is the actual connection being tracked, using the actual source and the actual destination.
The text after NAT explains what the nat state of this connection is.
The red text in the NAT portion refers to the source NATing which is taking place and the green text shows the destination NATing which is taking place. Each is correct.

That is what you want.

You can confirm with a packet sniffer on the physical interface that the packets leave the Mikrotik heading for the target box. Capture to a file in the Mikrotik, send some test packets, and then stop the capture and download it and open it in Wireshark. You should see the TARGET IP as the destination address, and the LAN_IP as the source.
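The same reading of the log can be automated. This is an added example, not code from the thread or from MikroTik: it splits a RouterOS firewall log line into the tracked connection (the "blue" part), the source translation ("red") and the destination translation ("green"), and reports which host the LAN target will see as the source, so the RTR_LAN_IP-versus-WAN_IP question can be answered from the log alone. The sample line is the thread's own entry with the src-mac field dropped; the field layout assumed is exactly what the thread's log shows.

```python
import re
from dataclasses import dataclass
from typing import Optional

# A NAT side is a bare endpoint (not translated) or "(before->after)". Hosts
# may be placeholders such as SOURCE_IP, exactly as in the thread's logs.
_SIDE = r"(\([^)]*\)|[^()\s,]+?)"
_NAT_RE = re.compile(rf"\bNAT {_SIDE}->{_SIDE}(?:,|$)")
_CONN_RE = re.compile(r"proto (\w+), ([^\s,]+?)->([^\s,]+),")
Translation = tuple[str, str]  # (before, after), each "host:port"

@dataclass
class NatState:
    proto: str
    conn_src: str                # tracked connection ("blue" in the thread)
    conn_dst: str
    snat: Optional[Translation]  # source translation ("red"), if any
    dnat: Optional[Translation]  # destination translation ("green"), if any

def _side(text: str) -> Optional[Translation]:
    if text.startswith("("):
        before, after = text.strip("()").split("->")
        return before, after
    return None  # bare endpoint: this side was not rewritten

def parse_nat_log(line: str) -> NatState:
    """Split one RouterOS firewall log line into connection and NAT state."""
    conn = _CONN_RE.search(line)
    if not conn:
        raise ValueError(f"no connection tuple in: {line!r}")
    proto, src, dst = conn.groups()
    snat = dnat = None
    nat = _NAT_RE.search(line)
    if nat:  # entries logged before any NAT decision carry no NAT field
        snat, dnat = _side(nat.group(1)), _side(nat.group(2))
    return NatState(proto, src, dst, snat, dnat)

def source_seen_by_target(line: str) -> str:
    """Source host the LAN target sees once both NAT stages have applied."""
    state = parse_nat_log(line)
    endpoint = state.snat[1] if state.snat else state.conn_src
    return endpoint.rsplit(":", 1)[0]

# Sample: the thread's forward-chain entry after both rules matched (src-mac dropped).
SAMPLE = ("12:49:33 firewall,info FWD forward: in:ether1E-WAN out:bridge-DS, "
          "proto UDP, SOURCE_IP:47160->TARGET_IP:161, "
          "NAT (SOURCE_IP:47160->RTR_LAN_IP:161)->(WAN_IP:16158->TARGET_IP:161), len 75")

if __name__ == "__main__":
    print(source_seen_by_target(SAMPLE))  # RTR_LAN_IP, not WAN_IP
```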

Thanks for the explanation. Those sections were always quite a puzzle for me.
I'll drop a line when I'm able to sniff out what's going on.

Well,

it took some time. I’ve skipped the first case but lately I was faced with the same problem elsewhere. I am gladly reporting that those rules do what they are supposed to.
Thanks again for all of your help.

I do the suggested routes, but in the log it registers that it takes the WAN IP address of the MikroTik router. How do I define which of the local interfaces I want to use?