Public IP display problem

Hello everyone
I have a problem with the display of the public IP of people connected to my Synology server.
Before, when someone logged on to my server, I could see the public IP of the connected person.
Since I got my new CCR1009 router, I no longer see the public IP but the IP of the router, which is 192.168.1.1.
Do you know why?
Thanks in advance for your help
Claude

Sorry for the English translation

Hi,
It’s about NAT, send your router configuration please.

Hello,
Here are the rules that I set

add chain=dstnat dst-address-type=local dst-address=!192.168.0.0/16 action=jump jump-target=pinholes
add chain=pinholes protocol=tcp dst-port=80,443 action=dst-nat to-address=192.168.1.198
add chain=pinholes protocol=tcp dst-port=98,8443 action=dst-nat to-address=192.168.1.198

It seems you need this: http://wiki.mikrotik.com/wiki/Hairpin_NAT

I’d say you’re hiding something from us. :wink: What about srcnat rules?

The problem is that I know nothing about all this

No I have nothing to hide :smiley:
Here are my 2 other rules

add action=masquerade chain=srcnat out-interface=vlan832-orange
add action=masquerade chain=srcnat out-interface=all-ethernet

So, which one of those two rules do you think is the reason for your problem? You have two guesses.

Yes, it’s number two. Why? Because out-interface=all-ethernet means any ethernet interface. So when packet from internet goes to your LAN and your LAN is connected to router’s ethernet interface, …

Hello,
At first I was given this line: add action = masquerade chain = srcnat out-interface = vlan832 orange-to-addresses = 0.0.0.0
But to-addresses = 0.0.0.0 does not pass
Regarding the content add action=masquerade chain=srcnat out-interface=all-ethernet
What do I do?
A switch was set up on ports 1 to 4
Sorry, but I know nothing about all this

At first I was given this line: add action = masquerade chain = srcnat out-interface = vlan832 orange-to-addresses = 0.0.0.0
But to-addresses = 0.0.0.0 does not pass

what is orange-to-addresses = 0.0.0.0 ?


We don’t know how your Synology is connected to your network, or on which interface, but excluding that interface from NAT may solve the problem.

Sorry if my information is incomplete
The router interface: 192.168.1.1
The interface of the server 192.169.1.198
The server is connected to the port Ether3
I also try the little ether8 port ?
Access to the server from outside is via a domain name

Disable this: add action=masquerade chain=srcnat out-interface=all-ethernet
and check your Synology log to see what happens.

From the outside I reach the server; the log shows me the same IP, the router's
On the other hand, I do not have access to any site from my computer

When I get this line via winbox /ip firewall nat add chain=srcnat action=masquerade out-interface=Public
Here is the response from the router

Because you do not have any interface named “Public” :smiley:

Yeah, but how do I do this? :slight_smile:

For basic setup, you need only one srcnat rule:

/ip firewall nat
add action=masquerade chain=srcnat out-interface=<name of your WAN interface>

I thought your WAN interface was vlan832-orange, but perhaps it’s not. If you look in IP->Routes, what is the name of the interface with the default route (the one with destination address 0.0.0.0/0)?

Or you can just post complete export (/export hide-sensitive) and let us look.

Remove those 4 NAT rules:
add action=masquerade chain=srcnat out-interface=all-ethernet
add chain=dstnat dst-address-type=local dst-address=!192.168.0.0/16 action=jump jump-target=pinholes
add chain=pinholes protocol=tcp dst-port=80,443 action=dst-nat to-address=192.168.1.198
add chain=pinholes protocol=tcp dst-port=98,8443 action=dst-nat to-address=192.168.1.198


Then add these 2 rules:

add action=dst-nat chain=dstnat dst-address-type=local dst-port=80,98,443,8443 protocol=tcp to-addresses=192.168.1.198 comment="WAN pinhole to Synology"
add action=masquerade chain=srcnat dst-address=192.168.1.198 protocol=tcp src-address=192.168.0.0/16 comment="LAN to Synology"

You will see in Synology log external IP addresses of connected users from internet.
With this you can connect also from inside your LAN using your external IP or your domain name.
Only side effect is that all connections from your LAN will show as router address 192168.1.1 :laughing:
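
Why the all-ethernet masquerade rule hid the visitors' addresses, as an added example that is not part of the thread: a small Python model that evaluates the srcnat rules quoted above for a connection forwarded out of ether3 to the Synology. The client addresses 203.0.113.7 and 192.168.1.50 are constructed, the WAN name vlan832-orange is assumed, and matching is simplified to the four properties these rules use.

```python
import ipaddress
import shlex

ROUTER_LAN_IP = "192.168.1.1"   # router LAN address, from the thread
NAS_IP = "192.168.1.198"        # Synology address used in the NAT rules
LAN_PORT = "ether3"             # port the Synology is plugged into

# srcnat rules before and after the fix (WAN name vlan832-orange is assumed)
OLD_RULES = """
add action=masquerade chain=srcnat out-interface=vlan832-orange
add action=masquerade chain=srcnat out-interface=all-ethernet
"""
NEW_RULES = """
add action=masquerade chain=srcnat out-interface=vlan832-orange
add action=masquerade chain=srcnat dst-address=192.168.1.198 protocol=tcp src-address=192.168.0.0/16 comment="LAN to Synology"
"""

def parse_srcnat(text):
    """Turn 'add key=value ...' lines into dicts, keeping only chain=srcnat."""
    rules = [dict(tok.split("=", 1) for tok in shlex.split(line)[1:])
             for line in text.strip().splitlines()]
    return [r for r in rules if r.get("chain") == "srcnat"]

def iface_matches(pattern, iface):
    # Simplification: all-ethernet = every port still carrying its default etherN name.
    return iface.startswith("ether") if pattern == "all-ethernet" else pattern == iface

def addr_matches(pattern, addr):
    # A leading "!" negates the match, as in the original pinholes jump rule.
    net = ipaddress.ip_network(pattern.lstrip("!"), strict=False)
    return (ipaddress.ip_address(addr) in net) != pattern.startswith("!")

def source_seen_by_nas(rules, client_ip, out_iface=LAN_PORT, proto="tcp"):
    """Source address the Synology logs for a connection forwarded to NAS_IP."""
    for r in rules:
        if "out-interface" in r and not iface_matches(r["out-interface"], out_iface):
            continue
        if "protocol" in r and r["protocol"] != proto:
            continue
        if "src-address" in r and not addr_matches(r["src-address"], client_ip):
            continue
        if "dst-address" in r and not addr_matches(r["dst-address"], NAS_IP):
            continue
        if r["action"] == "masquerade":
            return ROUTER_LAN_IP   # masquerade rewrites the source to the router's address
    return client_ip               # no srcnat rule matched: original source survives

if __name__ == "__main__":
    for name, text in (("old", OLD_RULES), ("new", NEW_RULES)):
        for client in ("203.0.113.7", "192.168.1.50"):   # constructed WAN and LAN clients
            print(name, client, "->", source_seen_by_nas(parse_srcnat(text), client))
```

With the old rules every client is logged as the router; with the new ones only LAN clients are, which is the hairpin side effect mentioned above.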

As I suggested: http://wiki.mikrotik.com/wiki/Hairpin_NAT

But he’s using the internet too, so a NAT rule should be added for internet access.

Error message

The road