Problem to see source address - port forward

SpringWaltz · July 14, 2021, 11:57am

Hello friends,

thanks in advance for help, Iam for first time doing port forward.

I set port forward like everything that comes from internet to port 80 go to my local server to port 80 where I have IIS with aplication, and this works fine.

My problem is i can’t get the source ip when someone is connecting to my server and it always return address of LAN intefrace, not the source IP.

On log in my IIS source ip is allways LAN port of Mikrotic 10.6.1.201, its looks like this:

2021-07-14 11:53:50 10.6.0.85 GET /images/categories/5.jpg - 80 - 10.6.1.201 Mozilla/5.0+(Linux;…etc.
Where first addres is address of server and second addres is address of Mikrotik LAN intefrace

Here’s my configuration for NAT:

add action=masquerade chain=srcnat src-address=192.168.100.0/24
add action=masquerade chain=srcnat src-address=10.6.0.0/21
add action=masquerade chain=srcnat
add action=dst-nat chain=dstnat dst-port=80 in-interface=ether1 l
protocol=tcp to-addresses=10.6.0.85 to-ports=80
add action=dst-nat chain=dstnat dst-port=3389 in-interface=ether1
to-addresses=192.168.100.253 to-ports=3389
add action=dst-nat chain=dstnat dst-port=8181 in-interface=ether1
to-addresses=192.168.100.253 to-ports=8181

Once again, thanks in advance for help.

rextended · July 14, 2021, 12:38pm

Is not possible, if are your RouterBOARD than NATranslate, you can see only the IP of the RouterBOARD.
For see also the IP, you must set one Public IP address on your server, and leave conect directly from out to your server.

Why this?
add action=masquerade chain=srcnat src-address=192.168.100.0/24
add action=masquerade chain=srcnat src-address=10.6.0.0/21
add action=masquerade chain=srcnat

The last rule “supersedes” the previous two

mkx · July 14, 2021, 1:37pm

You messed with src-nat royaly. Default src-nat rule is single one:

add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN

and does as much src-nat as needed (assuming your WAN interface, whichever that might be, is properly set as member of WAN interface list).

The only reason for messing with src-nat rules in usual SOHO environment would be the need for hairpin NAT.

anav · July 14, 2021, 3:51pm

Sourcenat is a funny being.
The typical source nat rule is
add action=masquerade chain=srcnat comment=“SCR_NAT FOR LAN USERS”
ipsec-policy=out,none out-interface-list=WAN

Which basically applies WANIP to all outgoing traffic from the LAN

I have two WAN interfaces and chose to handle each one separately for no good reason as the above rule would do the same thing.
add action=masquerade chain=srcnat comment=“SCR_NAT FOR LAN - FibreOP”
ipsec-policy=out,none out-interface=vlanbell
add action=masquerade chain=srcnat comment=“SCR_NAT for LAN - Cable”
ipsec-policy=out,none out-interface=Eastlink_eth7

The above situation describes the majority of situations, public IPs that are dynamic and applied to all internet outbound traffic.
IF ones public IP is static fixed, the above should work but more accurately is something like.

add action=src-nat chain=srcnat out-interface=fixed wan interface to-address=WANIP