Greetings.
I am using an RB450G v5.22 router.
I set up NAT from an external IP (1.1.1.1) to an internal IP (192.168.1.2), on which the server is.
In my server log I see that all connections are from my internal gateway (192.168.1.1), but I would prefer to see the external IP address (X.X.X.X) from which the connection was made.
My firewall settings for the server are:
add action=dst-nat chain=dstnat comment="SERVER" disabled=no dst-address=1.1.1.1 to-addresses=192.168.1.2
add action=src-nat chain=srcnat disabled=no src-address=192.168.1.2 to-addresses=1.1.1.1
I also tried to use netmap, but that did not help either.
How must I deal with that?
Do you have any other entries in the “/ip firewall nat” section? Maybe one like this?
add chain=srcnat action=masquerade
edit: If you have not figured out how to fix it, it should have been entered like this:
add chain=srcnat action=masquerade out-interface=ether1
If ether1 is not your WAN interface, change that. Otherwise, it masquerades out every interface, including your localnet interface.
Yes, I have, but it is the last in order.
The full firewall export is:
add action=accept chain=srcnat disabled=no dst-address=192.168.0.0/16 src-address=192.168.1.0/24
add action=masquerade chain=srcnat disabled=no dst-address=192.168.1.2 src-address=192.168.1.0/24
add action=dst-nat chain=dstnat comment="WESERVER" disabled=no dst-address=1.1.1.1 to-addresses=192.168.1.2
add action=src-nat chain=srcnat disabled=no src-address=192.168.1.2 to-addresses=1.1.1.1
add action=dst-nat chain=dstnat comment=CONTROL disabled=no dst-address=1.1.1.2 to-addresses=192.168.1.254
add action=dst-nat chain=dstnat disabled=no dst-address=1.1.1.3 to-addresses=192.168.1.200
add action=masquerade chain=srcnat disabled=no
The first line is for IPSec.
I have a masquerade section, but it is located at the end of the configuration.
My full NAT section is:
add action=accept chain=srcnat comment="IPSec" disabled=no dst-address=192.168.0.0/16 src-address=192.168.1.0/24
add action=dst-nat chain=dstnat comment="SERVER" disabled=no dst-address=1.1.1.1 to-addresses=192.168.1.2
add action=src-nat chain=srcnat disabled=no src-address=192.168.1.2 to-addresses=1.1.1.1
add action=dst-nat chain=dstnat disabled=no dst-address=1.1.1.2 to-addresses=192.168.1.254
add action=netmap chain=dstnat disabled=no dst-address=1.1.1.3 to-addresses=192.168.1.200
add action=netmap chain=srcnat disabled=no src-address=192.168.1.200 to-addresses=1.1.1.3
add action=dst-nat chain=dstnat disabled=no dst-address=1.1.1.4 to-addresses=192.168.101.3
add action=src-nat chain=srcnat disabled=no src-address=192.168.101.3 to-addresses=1.1.1.4
add action=masquerade chain=srcnat disabled=no
That is it. The public IP as the source does not qualify for any of the srcnat rules above it, so when the router sends the packets to the private IP, it will masquerade those as the IP on that interface.
192.168.1.1
Is it possible to achieve what I want, so that the server sees the public IP?
It is very hard to examine the log files.
Yes! 
/ip firewall nat
add chain=srcnat action=masquerade out-interface=ether1
Then remove the rule without the out-interface.
SurferTim, thank you kindly and very much.
It is working like a charm.
When you come to Latvia some day, I will treat you to the best Latvian beer I know.
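
The behaviour discussed in this thread, as an added example that is not part of any post: a simplified Python model of first-match srcnat evaluation, run over a subset of the NAT rules quoted above, showing why the unscoped masquerade rule hid the client address in the server log and why `out-interface=ether1` restores it. The LAN interface name `ether2`, the client address 203.0.113.7 and the other sample addresses are constructed assumptions.

```python
import ipaddress
import shlex

# Assumed for illustration: ether1 = WAN (1.1.1.1), ether2 = LAN (192.168.1.1).
IFACE_ADDR = {"ether1": "1.1.1.1", "ether2": "192.168.1.1"}

COMMON = '''
add action=accept chain=srcnat comment="IPSec" disabled=no dst-address=192.168.0.0/16 src-address=192.168.1.0/24
add action=dst-nat chain=dstnat comment="SERVER" disabled=no dst-address=1.1.1.1 to-addresses=192.168.1.2
add action=src-nat chain=srcnat disabled=no src-address=192.168.1.2 to-addresses=1.1.1.1
'''
BEFORE = COMMON + "add action=masquerade chain=srcnat disabled=no\n"
FIXED = COMMON + "add chain=srcnat action=masquerade out-interface=ether1\n"

def parse(export):
    """Turn 'add key=value ...' export lines into a list of dicts."""
    return [dict(t.split("=", 1) for t in shlex.split(l)[1:])
            for l in export.splitlines() if l.strip()]

def _in(addr, spec):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def source_after_srcnat(export, src, dst, out):
    """Source address a forwarded packet carries after srcnat (first match wins)."""
    for r in parse(export):
        if r["chain"] != "srcnat" or r.get("disabled") == "yes":
            continue
        if "src-address" in r and not _in(src, r["src-address"]):
            continue
        if "dst-address" in r and not _in(dst, r["dst-address"]):
            continue
        if r.get("out-interface", out) != out:
            continue
        if r["action"] == "masquerade":
            return IFACE_ADDR[out]      # address of the outgoing interface
        if r["action"] == "src-nat":
            return r["to-addresses"]
        return src                      # accept: the only other action in this rule set
    return src

if __name__ == "__main__":
    client = "203.0.113.7"  # constructed external client (documentation range)
    # Inbound connection after dst-nat: it leaves the router on the LAN side.
    print("before:", source_after_srcnat(BEFORE, client, "192.168.1.2", "ether2"))
    print("fixed: ", source_after_srcnat(FIXED, client, "192.168.1.2", "ether2"))
    # Outbound traffic from another LAN host is still masqueraded on the WAN side.
    print("lan out:", source_after_srcnat(FIXED, "192.168.1.50", "198.51.100.9", "ether1"))
```

With the unscoped rule every inbound connection is logged as 192.168.1.1, so per-client log review, rate limiting and blocking on the server all see a single source; scoping masquerade to the WAN interface keeps the real client address visible.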
