public ip conf on srcnat

Hi,

I want to check if I can put, for example:

/ip firewall nat> add chain=srcnat out-interface=ether1-wan action=src-nat to-addresses=199.10.1.224/22

instead of: 199.10.1.225 as a public IP.

Would MK take all usage of public IPs in 199.10.1.224/22???


Thanks.

Hello ,
First of all, I hope your public IP isn't a real IP; it's not recommended to share your IP on the forums.
What kind of network do you have? If you can, explain it more! For what use would you src-nat your traffic?




Sent from iPhone with Tapatalk

Instead of asking for some bizarre solution, why not tell us up front what the functional requirement is…

For example, if I have a block of public IPs, how do I ensure srcnat will work for all outgoing traffic for all users/servers, etc.?
In other words, why are you trying to mash a list of public IPs into one rule vice simply using in-interface-list WAN, for example?

There are probably lots of ways to solve a puzzle, but if you give us the pieces to play with instead of the picture of the finished puzzle, it's much harder.
Need context!!!



Sent from iPhone with Tapatalk

I don't want to distribute my public IPs. I just want to use srcnat instead of masquerade, based on recommendations by the MikroTik guys. :slight_smile:

Guys,

The goal of my question is this: if I use CIDR notation, will MikroTik take the whole range and srcnat the inside users' IPs in a round-robin way?

Or do I have to use just one public IP and lose the others within the range?

Thanks

So use this :
chain=srcnat out-interface=WAN src-address=192.168.1.0/24 (private net)
action=src-nat to-addresses=xx.xx.xx.xx (Public IP ) to-ports=0-65535



Sent from iPhone with Tapatalk

By the way, where are you from? A lot of people in my country have your name :wink:


Sent from iPhone with Tapatalk

Thanks. But this is not what i am asking about.

@Discmandj


I am from Lebanon. And you?

Welcome, eben El 3am, me too. So you want to use src-nat instead of masquerade, right?


Sent from iPhone with Tapatalk

If your public IPs do not change, then I think it's okay to use srcnat vice masquerade.
However, I have a dual WAN IP and dynamic public IPs, and by using masquerade and out-interface-list=WAN, I am covered!

Also, I believe if one wants to use hairpin NAT, it's necessary to identify the public IPs??

The src-nat rule will let you translate the source address of the outgoing packet to just any address, even one completely unrelated to any subnet used on your router, and remember that as a reply-dst-address in the connection context:

[me@MyTik] > ip firewall connection print detail where src-address~":59891"
Flags: E - expected, S - seen-reply, A - assured, C - confirmed, D - dying, F - fasttrack, s - srcnat, d - dstnat
 0  SAC Fs  protocol=tcp
            src-address=192.168.99.242:59891 dst-address=104.40.240.50:443
            reply-src-address=104.40.240.50:443 reply-dst-address=192.168.10.88:59891
            tcp-state=established timeout=23h58m17s orig-packets=12 orig-bytes=2 390
            orig-fasttrack-packets=0 orig-fasttrack-bytes=0 repl-packets=13 repl-bytes=12 175 repl-fasttrack-packets=9
            repl-fasttrack-bytes=10 592 orig-rate=0bps repl-rate=0bps

The only thing you have to ensure is that your ISP sends packets for all these addresses to your device, and that depends on how the connection between you and the ISP looks. If your router is not a gateway to the subnet you've made up in the example but is a member of that subnet, you need to make sure that it responds to ARP requests for all the IP addresses you use as src-nat to-addresses, even those not attached to any interface. This does not happen automatically by default:

[me@MyTik] > ip firewall nat print where dst-address="193.108.106.40"
Flags: X - disabled, I - invalid, D - dynamic
 0    chain=srcnat action=src-nat to-addresses=192.168.10.122 dst-address=193.108.106.40 out-interface=ether1

[me@MyTik] > ip firewall connection print detail where dst-address~"193.108.106.40"
Flags: E - expected, S - seen-reply, A - assured, C - confirmed, D - dying, F - fasttrack, s - srcnat, d - dstnat
 0    C  s  protocol=tcp
            src-address=192.168.99.242:59937 dst-address=193.108.106.40:80
            reply-src-address=193.108.106.40:80 reply-dst-address=192.168.10.122:59937
            tcp-state=syn-sent timeout=1s orig-packets=2 orig-bytes=104
            orig-fasttrack-packets=0 orig-fasttrack-bytes=0 repl-packets=0 repl-bytes=0 repl-fasttrack-packets=0
            repl-fasttrack-bytes=0 orig-rate=0bps repl-rate=0bps

To do the trick, you need to change the ARP mode of the WAN interface from the default enabled to local-proxy-arp:

[me@MyTik] > /interface ethernet set ether1 arp=local-proxy-arp

Bro, I am a pro... but... I am getting old... hahahahah
Check https://www.youtube.com/watch?v=XkKj9rj4quQ&t=21s by Janis Megis and his presentation at: https://mum.mikrotik.com/presentations/EU18/presentation_5143_1523360368.pdf

I know all of what you said... please check starting at page 23...

Best Regards...

eben El 3am!!! Ummmmmmmmmm...
Call me at my number... you can find it out. :slight_smile:

Best Regards.

SNAG- 2018-04-29 01 18 58.png

When you configure an IP address on an interface, 192.168.254.9/22 is a valid notation which actually expresses "single address 192.168.254.9 in network 192.168.252.0/22".

When you configure to-addresses in a NAT rule, the above is not a valid notation and you must enter either

  • a single address, e.g. 192.168.254.9
  • an interval, e.g. 192.168.254.9-192.168.254.11 or 192.168.254.0-192.168.254.15
  • a subnet with zero bits in the address wherever there are zero bits in the mask, e.g. 192.168.254.0/28, which is another way to express the same interval as the second one above.

Choose the variant depending on what your actual intention was.
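As an added example (not from the thread and not RouterOS code), here is a small Python checker that applies the three to-addresses notations from the post above to an arbitrary string, reports the inclusive range a src-nat rule with that value would cover and how many public addresses that is, and, for an address-in-network value like the 199.10.1.224/22 from the opening question, lists the two unambiguous forms to choose between. The function names are my own and the sample inputs are constructed from the thread; the code only checks notation and never talks to a router.

```python
"""Check a RouterOS src-nat 'to-addresses' value against the three notations
accepted for that field (single address, interval, zero-host-bit subnet).
Added example, not RouterOS code; function names are the author's own."""
from __future__ import annotations

import ipaddress

IPv4 = ipaddress.IPv4Address


def parse_to_addresses(value: str) -> tuple[IPv4, IPv4]:
    """Return the inclusive (first, last) range a to-addresses value covers.

    Accepted forms:
      "a.b.c.d"            single address
      "a.b.c.d-e.f.g.h"    interval, low address first
      "a.b.c.d/n"          subnet whose host bits are all zero
    Anything else (e.g. 199.10.1.224/22, host bits set) raises ValueError.
    """
    value = value.strip()
    if "-" in value:
        low_s, high_s = value.split("-", 1)
        low, high = IPv4(low_s), IPv4(high_s)
        if high < low:
            raise ValueError(f"{value}: interval end precedes start")
        return low, high
    if "/" in value:
        # strict=True is exactly the rule from the post: the address part must
        # have zero bits wherever the mask has zero bits.
        try:
            net = ipaddress.IPv4Network(value, strict=True)
        except ValueError as exc:
            raise ValueError(
                f"{value}: not a valid to-addresses subnet (host bits set)"
            ) from exc
        return net.network_address, net.broadcast_address
    single = IPv4(value)
    return single, single


def is_valid_to_addresses(value: str) -> bool:
    """True if the value is one of the three accepted notations."""
    try:
        parse_to_addresses(value)
    except ValueError:
        return False
    return True


def range_str(value: str) -> str:
    """Render the covered range as an explicit interval."""
    low, high = parse_to_addresses(value)
    return f"{low}-{high}"


def pool_size(value: str) -> int:
    """Number of distinct source addresses the rule could translate to."""
    low, high = parse_to_addresses(value)
    return int(high) - int(low) + 1


def suggest(value: str) -> dict[str, str]:
    """For an interface-style 'address/prefix' value (assumed to be in that
    form) that is NOT valid as to-addresses, list what the author might
    have meant: the single host, or the whole network it sits in."""
    iface = ipaddress.IPv4Interface(value)
    net = iface.network
    return {
        "single": str(iface.ip),
        "whole_network": f"{net.network_address}-{net.broadcast_address}",
        "whole_network_cidr": str(net),
    }


if __name__ == "__main__":
    # Constructed inputs: the value from the opening post plus the three
    # notations from the last reply.
    for v in ("199.10.1.224/22", "192.168.254.9",
              "192.168.254.9-192.168.254.11", "192.168.254.0/28"):
        if is_valid_to_addresses(v):
            print(f"{v:32} ok  covers {range_str(v)} ({pool_size(v)} addresses)")
        else:
            s = suggest(v)
            print(f"{v:32} INVALID as to-addresses; did you mean "
                  f"{s['single']} or {s['whole_network_cidr']} "
                  f"({s['whole_network']})?")
```

Running it shows why the opening question cannot be answered as asked: 199.10.1.224/22 is rejected outright, and the two candidate replacements cover one address versus 1024, which is the difference between "use one public IP" and "use the whole block" that the thread was circling around.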