Portforward with preserved source ip

madmucho · August 14, 2014, 1:40pm

Dear Forum members,
need help with one scenario on routeros 6 regarding port forwarding.
Outside wan have multiple ip/interfaces. Current portforwarding state is is SRC NAT /DST NAT, outside wan ip and wanted ports to inside lan ip same wanted ports, that basicaly working ok.

Problem is that inside is mailserver, dns server and all connection from outside ips at service logs seems to came from mikrotik lan ip address, so i want preserve original requester ip address that servers inside can check, filter using blacklist etc…

How can i set t mikrotik preserve source ip?
Servers inside know by its routing tables in which way they need to answer.

Trying to find similar thread on forum but with not success.

I will be happy to any reply.

CyberTod · August 19, 2014, 10:29am

You are doing something wrong. Post your rules maybe.
But with dst-nat you preserve the src address.

docmarius · August 19, 2014, 1:23pm

Use dst-nat WITHOUT src-nat on the internal interface.

madmucho · August 19, 2014, 7:23pm

Dear CyberTod
here is snippet of my nat rules only for one concrete ip.

dstnat

add action=dst-nat chain=dstnat comment="bla in" dst-address=$wanip dst-port=25 protocol=tcp to-addresses=192.168.100.14 to-ports=25

mangle

add action=mark-routing chain=prerouting comment="bla mark" new-routing-mark=hl-srv-13_out passthrough=no src-address=192.168.100.14

srcnat

add action=src-nat chain=srcnat comment="bla out" routing-mark=hl-srv-13_out src-address=192.168.100.14 to-addresses=$wanip

and result in postfix log at target server, from unknown is router inside ip this expample is spam, cannot catch by fail2ban

 hl-srv-13 postfix/smtpd[11660]: NOQUEUE: reject: RCPT from unknown[192.168.100.125]: 554 5.7.1 <karelskiyve@samng.ru>: Relay access denied; from=<terloograg-denie@formula1-shop.ru> to=<karelskiyve@samng.ru> proto=SMTP hel
o=<Unknown>

Is there mistake ?

operez · May 26, 2016, 4:56pm

Hi.
I have the same problem.
And you fixed it?
Who?

Thank you,

OMAR PEREZ

tomwagner · February 8, 2017, 11:04pm

Finally found the solution which worked for me. You will have to setup masquarade output interface (default not set for me). When its not set, the source ip in dstnat is changed to ip of mikrotik gw. Hope it helps.

celetron · August 9, 2017, 6:50am

Can you provide some example?

you will have to setup masquarade output interface (default not set for me).

Thank you,
celetron

strods · August 11, 2017, 1:05pm

You should always specify interface on NAT rules:
https://wiki.mikrotik.com/wiki/Tips_and_Tricks_for_Beginners_and_Experienced_Users_of_RouterOS#Specify_corresponding_interface_for_firewall_NAT_rules