Remote access and weird PING TIMEOUTS

Hi, I want to get the ability to remotely log on to my platforms that are inside a NAT’ed network.

WAN router is RB2011UAS-2HnD-IN
WAN port is eth10 with static IP address: xxx.xxx.47.18
There are only two subnets inside the NAT’ed network:
xxx.xxx.10.0/24 on bridge1 that comprises ports eth1 to eth5 and wlan1
xxx.xxx.5.0/30 on eth10 (WAN ethernet), I use this to get access to two UBIQUITI NanoBridges

I make masquerade with out-interface eth10

I make some dst-nat rules that give me remote access to the UBIQUITI from the Internet
I also make another dst-nat rule to get access to the router boards that are inside the NAT’ed network xxx.xxx.10.0/24

and at this moment something is going wrong… :confused:

when I try to connect via winbox to a router board from the Internet I use the WAN IP address and the port that I set up in the NAT rule
I see one or two packets that appear on this rule and that’s it


when I ping xxx.xxx.10.2 (one of the RB IP addresses connected to the RB2011) from the RB2011 it works
when I add the WAN IP as src. address in the advanced tab of the ping tool then I GET TIMEOUTS
when I ping xxx.xxx.5.2 (one of the UBIQUITI IP addresses connected to the RB2011) from the RB2011 it works
when I add the WAN IP as src. address in the advanced tab of the ping tool PING STILL WORKS

The UBIQUITI network and the WAN IP are on the same interface eth10

any suggestions why I can’t ping xxx.xxx.10.2 from WAN IP xxx.xxx.47.18 ???

Your description is a bit vague. I suspect it is the masquerade, but I can’t tell from here. Is bridge1 assigned a public ip?

You should post “/ip address”, “/ip route”, “/ip firewall filter”, and “/ip firewall nat” to start.

THX for such a fast reply

/ip address
#   ADDRESS            NETWORK         INTERFACE                   
 0   xxx.xxx.47.18/30   xxx.xxx.47.16   ether10 WAN1                    
 1   10.10.10.1/24      10.10.10.0      bridge1                         
 2   10.13.5.1/24       10.13.5.0       ether10 WAN1      

/ip routes
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          xxx.xxx.47.17             1
 1 ADC  10.10.10.0/24      10.10.10.1      bridge1                   0
 2 ADC  10.13.5.0/24       10.13.5.1       ether10 WAN1              0
 3 ADC  xxx.xxx.47.16/30   xxx.xxx.47.18   ether10 WAN1              0

/ip firewall nat
Flags: X - disabled, I - invalid, D - dynamic 
 0   chain=srcnat action=masquerade out-interface=ether10 WAN1 

 1   chain=dstnat action=dst-nat to-addresses=10.13.5.2 to-ports=8083 
     protocol=tcp dst-address=xxx.xxx.47.18 dst-port=8083 

 2   chain=dstnat action=dst-nat to-addresses=10.13.5.3 to-ports=8084 
     protocol=tcp dst-address=xxx.xxx.47.18 dst-port=8084 

 3   chain=dstnat action=dst-nat to-addresses=10.13.5.2 to-ports=4433 
     protocol=tcp dst-address=xxx.xxx.47.18 dst-port=4433 

 4   chain=dstnat action=dst-nat to-addresses=10.13.5.3 to-ports=4434 
     protocol=tcp dst-address=xxx.xxx.47.18 dst-port=4434 

 5   chain=dstnat action=dst-nat to-addresses=10.10.10.2 to-ports=8291 
     protocol=tcp dst-address=xxx.xxx.47.18 dst-port=8292 

 6   chain=dstnat action=dst-nat to-addresses=10.10.10.3 to-ports=8291 
     protocol=tcp dst-address=xxx.xxx.47.18 dst-port=8293

Firewall rules are empty

/ip address
#   ADDRESS            NETWORK         INTERFACE
 0   109.196.47.18/30   109.196.47.16   ether10 WAN1
 1   10.10.10.1/24      10.10.10.0      bridge1
 2   10.13.5.1/24       10.13.5.0       ether10 WAN1

Which ip assigned to ether10 is used for the masquerade?

/ip firewall nat
Flags: X - disabled, I - invalid, D - dynamic 
 0   chain=srcnat action=masquerade out-interface=ether10 WAN1

You might want to put that other ip/subnet on a vlan.

I do not use any IP to masquerade, I use only out-interface eth10

…and which of the two ips is the router using for that masquerade? If it uses the ip you used for the ping, then you should get a response. If it uses the other ip, you won’t.

masquerade is probably using IP xxx.xxx.47.18 - it is my static public IP address (I think so, now I’m a little confused)

most tutorials I read say that masquerade with only an out-interface is the simplest way :confused:

It is if there is only one ip assigned to that interface. However, you have two.

THX again, I will get back to this when I am home (I don’t want to make more of a mess)
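An added configuration example for the point raised in the replies (two addresses on one out-interface); it is not the poster's config and not from the thread. It pins outbound NAT to one public address with src-nat instead of masquerade, limits the Winbox dst-nat to a management address list, and ends with a connection-tracking check for the ping that times out. The list name mgmt-src and the address 203.0.113.10 are assumptions; xxx.xxx.47.18 is the placeholder used in the thread.

```routeros
# Added example, not the original poster's configuration.
# Assumption: 203.0.113.10 is a constructed "admin at home" public address.
/ip firewall address-list
add list=mgmt-src address=203.0.113.10 comment="constructed management source"

/ip firewall nat
# ether10 carries two addresses (xxx.xxx.47.18/30 and 10.13.5.1/24), so say
# explicitly which one outbound traffic is translated to instead of letting
# masquerade choose.
add chain=srcnat out-interface="ether10 WAN1" action=src-nat \
    to-addresses=xxx.xxx.47.18 comment="explicit public source address"

# Winbox forward to 10.10.10.2: the rule only matches when the connection
# comes from the management list, so the service is not open to every host
# that scans xxx.xxx.47.18.
add chain=dstnat protocol=tcp dst-address=xxx.xxx.47.18 dst-port=8292 \
    src-address-list=mgmt-src action=dst-nat \
    to-addresses=10.10.10.2 to-ports=8291 comment="winbox to RB 10.10.10.2"

/ip firewall filter
# The thread's router has no filter rules; with dst-nat exposing management
# ports, at least gate forwarded, dst-natted connections by source.
add chain=forward connection-state=established,related action=accept
add chain=forward connection-nat-state=dstnat src-address-list=mgmt-src \
    action=accept comment="allow forwarded connections from management list"
add chain=forward connection-nat-state=dstnat action=drop log=yes \
    log-prefix="dstnat-denied" comment="log and drop everything else"

# Check for the failing ping: run the ping with src-address=xxx.xxx.47.18 and
# look at the tracked connection. If reply packets/bytes stay at zero, the
# target (10.10.10.2) is not sending the reply back through this router.
/ip firewall connection print detail where dst-address~"10.10.10.2"
```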