I have an internal machine with no default gateway (for reasons).
Because of that I can’t dst-nat ports against that machine.
In Linux I can solve that, so the firewall just acts as a “proxy”, so
the internal machine sees the firewall internal address instead of the
real external source.
Sure, just masquerade on the inside interface the internal machine is behind. If the internal machine carries 192.168.1.100 and sits behind an interface named ‘LAN’, something like this should work:
Hmm, but in that example there is no match on the traffic from the outside.
Let's say like this:
External Client 88.100.100.37 connects to Mikrotik Outside 78.108.40.3 on port 5555.
Then Mikrotik Inside 192.168.1.1 should be seen on the internal machine 192.168.1.15 port 5555.
Yes, you need to do both destination and source NAT and I only described the one you didn’t know how to do. You destination NAT 78.108.40.3 to 192.168.1.15 so that traffic gets forwarded to the internal machine, and you source NAT 88.100.100.37 to 192.168.1.1 so that the internal machine believes the traffic was sourced by a machine on its broadcast domain that it can reach without a default gateway. NAT decisions are reversed to return traffic as per the state table.
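The two rules described above, written out as an added RouterOS example for the addresses in this thread (not configuration posted by either participant). It assumes the inside interface is named LAN, TCP as the protocol, and that the dst-nat rule is restricted to the one external client; widen src-address if any external source should be allowed.

```routeros
# Step 1: forward 78.108.40.3:5555 from the external client to the internal machine.
# log=yes keeps the real source (88.100.100.37) visible in the router log, because
# the src-nat in step 2 hides it from the internal host.
/ip firewall nat add chain=dstnat src-address=88.100.100.37 dst-address=78.108.40.3 \
    protocol=tcp dst-port=5555 action=dst-nat to-addresses=192.168.1.15 to-ports=5555 \
    log=yes log-prefix="dnat-5555" comment="forward 5555 to host without default gateway"

# Step 2: rewrite the source to the router's LAN address so replies from 192.168.1.15
# go to 192.168.1.1 (on its own broadcast domain) instead of needing a default route.
# Matching on the already-translated destination keeps this rule from touching other traffic.
/ip firewall nat add chain=srcnat out-interface=LAN dst-address=192.168.1.15 \
    protocol=tcp dst-port=5555 action=src-nat to-addresses=192.168.1.1 \
    comment="hide external source from host without default gateway"

# Verification while a connection is open: both translations should appear on one entry.
/ip firewall connection print where dst-address~"192.168.1.15:5555"
```

The connection entry should show 88.100.100.37 as the original source, 192.168.1.1 as the reply destination, and the forward and return paths are matched from that state table without any extra rules.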