Hi!
I’m switching my servers from a public addressing scheme to a private addressing scheme, but I’m having trouble with my proxy server.
My servers (the proxy in this example) now belong to the 192.168.37.0/24 network. This is how things are connected on my PPPoE server, which also acts as NAT and firewall:
ether1 -----> Switch -----> Internet Gateway 2, Proxy Server and other servers
ether2 -----> Internet Gateway 1
ether3 -----> Radio Network (bridges and other MikroTik machines)
ether1 has two addresses, one in the Gateway 2 subnet and one in the server subnet (192.168.37.1).
What’s my problem?
I need to be able to reach the proxy server through NAT (done via dst-nat), and I also need the proxy to fetch web pages from the Internet via Internet Gateway 1. This is what I’ve done so far:
# rule 1: masquerade the server subnet when it leaves towards Gateway 1
/ip firewall nat add chain=srcnat out-interface=ether2 src-address=192.168.37.0/24 \
action=masquerade disabled=no
# rule 2: forward SSH on the public address of Gateway 1 (port 49152) to the proxy
/ip firewall nat add chain=dstnat dst-address=PublicIP_onGW1 protocol=tcp dst-port=49152 \
action=dst-nat to-addresses=192.168.37.251 to-ports=22 disabled=no
# rule 3: give everything coming from the server subnet the Server_PVT routing mark
/ip firewall mangle add chain=prerouting src-address=192.168.37.0/24 action=mark-routing \
new-routing-mark=Server_PVT passthrough=no disabled=no
# rule 4: default route for the Server_PVT table via Gateway 1 (currently disabled)
/ip route add dst-address=0.0.0.0/0 gateway=Gateway1_IP distance=1 scope=255 \
target-scope=10 routing-mark=Server_PVT disabled=yes
If I enable the 4th rule, the proxy can get to the Internet without problems, but the NAT rule no longer works (I can’t SSH to the proxy). If the 4th rule is disabled, I can SSH to the proxy, but I have problems getting to the Internet.
One thing you should know is that my colleague is using a rule to send two packets through GW1 and one through GW2 (pretty crude balancing, I think):
# ECMP default route in the main table: GW1 listed twice, GW2 once
/ip route
add dst-address=0.0.0.0/0 gateway=GW1_IP,GW1_IP,GW2_IP \
distance=1 scope=255 target-scope=10 comment="" disabled=no
What could it be?
Thank you
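The following is an added configuration example, not the poster’s config and not a confirmed diagnosis of the problem above. It shows the connection-mark pattern commonly used on a two-gateway RouterOS box when a subnet is policy-routed through one gateway while dst-nat on that gateway also has to keep working: new connections arriving on the GW1 interface get a connection mark, replies that belong to such connections are routed back through GW1, and the subnet-wide mark-routing rule is restricted so that it does not catch traffic to other local networks (once the marked table has a default route, an unrestricted rule sends replies to the radio network or the GW2 subnet out of GW1 too). Interface names and the Gateway1_IP / Server_PVT names are taken from the post; conn_GW1 and the 192.168.0.0/16 summary of the local networks are assumptions.

```routeros
# Added example (assumed names: conn_GW1 connection mark, 192.168.0.0/16 as the
# summary of all locally attached networks). Interface layout as in the post:
# ether2 = Internet Gateway 1, ether1 = server subnet + Internet Gateway 2.

/ip firewall mangle
# 1. Connections that enter the router on the GW1 interface (for example the
#    dst-nat'ed SSH sessions to PublicIP_onGW1) are remembered with a
#    connection mark; passthrough=yes so the later rules still see the packet.
add chain=prerouting in-interface=ether2 connection-state=new \
    action=mark-connection new-connection-mark=conn_GW1 passthrough=yes

# 2. Replies from the server subnet that belong to a conn_GW1 connection
#    are forced back out through Gateway 1, whatever the main table says.
add chain=prerouting in-interface=ether1 connection-mark=conn_GW1 \
    action=mark-routing new-routing-mark=Server_PVT passthrough=no

# 3. Outbound traffic from the server subnet goes through Gateway 1 as well,
#    but only when the destination is not a local network; without the
#    dst-address exclusion the Server_PVT default route would also swallow
#    traffic to the radio network and the GW2 subnet.
add chain=prerouting src-address=192.168.37.0/24 dst-address=!192.168.0.0/16 \
    action=mark-routing new-routing-mark=Server_PVT passthrough=no

/ip route
# 4. The Server_PVT table only needs a default route via Gateway 1.
#    check-gateway=ping marks the route unusable if Gateway 1 stops answering.
add dst-address=0.0.0.0/0 gateway=Gateway1_IP routing-mark=Server_PVT \
    check-gateway=ping distance=1

/ip firewall nat
# 5. Source NAT stays as in the post: masquerade the subnet on the GW1 link.
add chain=srcnat out-interface=ether2 src-address=192.168.37.0/24 \
    action=masquerade
```

Useful checks after applying something like this: `/ip firewall connection print where connection-mark=conn_GW1` shows whether inbound SSH sessions pick up the mark, and `/ip route print where routing-mark=Server_PVT` confirms the marked table contains only the intended default route. Rule order matters: the connection-mark rule must come before the mark-routing rules, and rule 2 must come before rule 3 so that marked replies are not re-evaluated by the subnet-wide rule.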