srcnat

I have just replaced our firewall with a MT and have the following problem. I have both dstnat and srcnat from a public network /28 to a private network /16. Services dstnat’ed to my servers work fine when sitting on the public network, but from the private network I can not get to them using the public address. What do I need to add so that traffic from the private network to the public IP gets sent to the private server? So going to http://144.92.249.226 works fine from the outside but not from the inside. I get a page not found or the MT web server if that is enabled.

Try this:
/ip firewall nat add chain=dstnat action=dst-nat dst-address=144.92.249.226 to-addresses=192.168.0.2 in-interface=wlan1
Change in-interface to the local interface your requests come in on and the to-addresses to the correct IP for your local server.

The order in this list is important. Ensure it is the first dstnat rule. Use place-before when entering the command, or the “move” command if you find they are out of order.
This rule (without the in-interface) should be how you send the outside world there. Don’t see why it did not work… unless another rule intercepted the request before it got to that rule. Look for a port redirect from port 80 to port 8080. That would be a proxy redirect. Maybe put this dstnat rule before it?

ADD: Did you:

  1. have more than one IP assigned to that interface?
  2. on chain=srcnat, use “action=src-nat to-addresses=144.92.249.x” (not the IP above) instead of “action=masquerade out-interface=ether1”?

If yes to both, add this:
/ip firewall nat add chain=srcnat action=src-nat dst-address=144.92.249.226 to-addresses=144.92.249.226 place-before=0

I finally got back to this and can not get it to work. Looks like the rule:

/ip firewall nat add chain=dstnat action=dst-nat dst-address=144.92.249.226 to-addresses=192.168.0.2 in-interface=wlan1

Gets traffic, but nothing is returned to the internal IP browser (request times out). Seems there needs to be some src-nat rule to route the return traffic.

Do you have a masquerade?
/ip firewall nat add chain=srcnat action=masquerade out-interface=ether1
or
/ip firewall nat add chain=srcnat action=src-nat to-addresses=144.92.249.226

I have several src nats because I have the entire 144.92.249.225/255.25.255.240 mapped to ether1. The one that should hit first is:
chain=srcnat action=src-nat to-addresses=144.92.249.226 src-address=10.4.2.4

The first rule is:

chain=dstnat action=dst-nat to-addresses=10.4.2.4 to-ports=80 dst-address=144.92.249.226 in-interface=ether2 dst-port=80 protocol=tcp

Seems I am missing a basic concept here. Is there any good reading on IP chains and how they work?

You missed this part of my previous post then. Did you:

  1. have more than one IP assigned to that interface?
  2. on chain=srcnat, use “action=src-nat to-addresses=144.92.249.x” (not the IP above) instead of “action=masquerade out-interface=ether1”?

And you answered ‘yes’ to both just now, so add this:
/ip firewall nat add chain=srcnat action=src-nat dst-address=144.92.249.226 to-addresses=144.92.249.226 place-before=0

Make it first rule.
Or just remove the src-address from your first rule:
chain=srcnat action=src-nat to-addresses=144.92.249.226

OK, I think I have it. The rule you have above means that all my machines get nat’ed to 144.92.249.226, which I do not want. I need mail servers to NAT to specific IPs for reverse lookup and such. This will work, I think, at least for the one server, but I will need to have this work for other servers and would really like each one to map to a different external IP:

0 chain=dstnat action=dst-nat to-addresses=10.4.2.4 to-ports=80
dst-address=144.92.249.226 in-interface=ether2 dst-port=80 protocol=tcp

1 chain=srcnat action=src-nat to-addresses=144.92.249.226
dst-address=10.4.0.0/16

But why would this not work as well so each server goes out a different IP?

1 chain=srcnat action=src-nat to-addresses=144.92.249.226 src-address=10.4.2.4

Confused!

This only srcnats if the destination address is your IP (website):
/ip firewall nat add chain=srcnat action=src-nat dst-address=144.92.249.226 to-addresses=144.92.249.226 place-before=0

Place the rest of your srcnat rules after it. They will apply if the destination address is NOT 144.92.249.226.
Order in this list is important. If you had these rules IN THIS ORDER:
chain=srcnat action=src-nat dst-address=144.92.249.226 to-addresses=144.92.249.226
chain=srcnat action=src-nat to-addresses=144.92.249.225
then all would show as 144.92.249.226 to your server only. To all else, they would be 144.92.249.225.

ADD: I forgot to mention the “move” command. If the rules are not in the correct order, then
move 5 3
moves the rule in the #5 position to #3, and moves the other rules down.

Doesn’t work. Here are the first 2 rules from a print command in ip/firewall/nat and the last rule to nat all else.

0 chain=srcnat action=src-nat to-addresses=144.92.249.226
dst-address=144.92.249.226

1 chain=dstnat action=dst-nat to-addresses=10.4.2.4 to-ports=80
dst-address=144.92.249.226 in-interface=ether2 dst-port=80 protocol=tcp

43 ;;; NAT all src traffic
chain=srcnat action=src-nat to-addresses=144.92.249.238
dst-address=0.0.0.0/0 out-interface=ether1

No traffic hits rule 1 but traffic hits rule 2 when you request the web page. Browser shows time out.

It should work. Your localnet addresses (IP sets assigned to interfaces on this box) should hit the srcnat chain first according to my log tests. Are you certain the rest is set correctly? Like /ip route (gateways)? How are your localnet IPs setup? Is that IP range assigned to an interface on this box? Check your netmasks carefully.

Can you ping the server IP from your localnet? Traceroute may help.

I don’t know how you have your Apache set on your server either. Ensure your Apache server is listening on your localnet IP as well as your public IP if you are calling it from there.

0 chain=srcnat action=src-nat to-addresses=144.92.249.226
dst-address=144.92.249.226

The above isn’t right… why would you src-nat the same address to the same address? I think something is being overlooked. Please post the following:

/ip route print
/ip firewall nat export

What you’re asking for is nat-on-a-stick, I believe… if you and your server are on the same subnet, you have to srcnat and dstnat that traffic, and when the server sees it they will see the router IP, not yours. This may or may not be acceptable; do you care if your web server sees all your internal users as the router IP?

The best solution is to use a hostname that resolves to the internal IP when inside, and an external IP when outside.

Sam

Hi changeip,

I have this setup with the conditions I described above. Multiple IPs on one interface, and the localnet traffic must appear as a different IP to the outside world. If I tried it any way else, no go. This way works great with only the one entry.

If you know a better way to do it, let both of us in on it.

I think the poster was asking about traffic inside his firewall going to a server behind his firewall… not outside in.

Maybe I have it backwards, so that is what I want to see! :smiley:

ADD: But I think there is something else wrong. He is hitting the dstnat chain rules when he should be hitting the srcnat chain rules. That leads me to believe that the router does not know how to find the localnet IPs that he is using. Otherwise it would use the srcnat chain. That is why I asked about the IPs and the /ip route settings.

Let me try to clarify. All current NAT is working - both dst and src. All my services are available to the outside world. All my services are available to the private network BECAUSE I have an internal DNS server to resolve private IP addresses. BUT for testing simplicity (I can test from the private network) and in case my internal DNS fails, I want an internal client to be able to connect to a given internal service using the public IP number. Right now when I use the public IP number from the private IP space I get the MT router’s service, NOT the nat’ed private service. Sitting on the private network and going to http://PUB.LI.C.IP:80 I get the MT web page. I am setting up a simple test router with one client and I can post those nat rules so I don’t have to post my current setup with 20+ rules. This should be something that a LOT of people do and should also be more straightforward than it is. Even a simple Linksys home router and port forwarding does this correctly. All the above have not worked.

I know exactly what you are trying to accomplish. The posts up until I posted have been solving a different situation. No one knows what this is called, so it’s very hard to find in the forums, although it’s asked about once a month. “NAT ON A STICK” is what I’m going to call it because I think that’s what Cisco calls it.

Think about this. Your server is 192.168.1.100. Your router is 192.168.1.1, and it also has the public IP address on the WAN interface. You are 192.168.1.200.

If you dst-nat PU.BL.IC.IP → 192.168.1.100, it will send the traffic to your server. First step has been accomplished. Now, the server gets the request and sees the reply address is 192.168.1.200. Ah ha, the server sent the traffic back DIRECTLY to your browser (not thru the router) because you are on the same subnet. Oh, but your workstation says ‘I didn’t ask for anything from 192.168.1.100’ so it rejects it.

You need to add a src-nat rule also that masquerades the traffic coming in your private interface destined for port 80. Masquerade that traffic with your router’s IP address. Now the traffic going to the server will have the router’s source IP, and traffic will come back to the router. Now the router can use the connection table and send it back to the original workstation.

The only caveat is that every request to that web server will look like it’s coming from the router. If you are relying on internal DNS and this is only a failover, that’s probably acceptable.

PSSSST - Change the www service port on Mikrotik from 80 to 800 or 8080 or something else.

Sam

Sam, you hit the nail on the head. Thanks for the explanation! Can you reply in MT talk what NAT rules I need to accomplish this? I tried a few things that made sense to me. You can use the IP numbers in your example and I will translate to my situation. Thanks again!

Pete

OK, simple test setup.

  • One private client 192.168.1.254 running IIS on Ether2
  • MT on a “Public” network on Ether1
  • NO filter rules
  • Nat rules:
    0 chain=dstnat action=dst-nat to-addresses=192.168.1.254 to-ports=80 protocol=tcp dst-address=10.4.30.30 in-interface=ether2 dst-port=80
    1 chain=srcnat action=masquerade out-interface=ether1
    2 chain=dstnat action=dst-nat to-addresses=192.168.1.254 to-ports=80 protocol=tcp dst-address=10.4.30.30 in-interface=ether1 dst-port=80

Public access works. Private access to the world works. Private access to 10.4.30.30 times out. Rule number 0 shows it is processing packets. If I disable rule number 0 then I get the MT web page.

This is way too frustrating!

Add another src-nat with ‘dst-address=192.168.1.254’ and in-interface=ether2 (I think) and action=masquerade. Basically you’ve changed the destination address going to the server; now you need to change the source IP to be the router’s so it gets the reply packets.

Another way of doing this would be to put your servers on a different subnet from your workstations. This has its negatives and positives.

On the WAN rules you can remove ‘dst-address=10.4.30.30’ if you have just a single WAN IP and it changes. That way you don’t have to update the external IP in your rules if it changes.

I would set this up and give you the exact configs, but I’m not in a position that I have development routers that I can change that much. Sorry.

Sam
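The complete hairpin (“NAT on a stick”) rule set Pete asked for, written as an added example rather than anything posted in the thread. It assumes the test setup above: public IP 10.4.30.30 on ether1, LAN 192.168.1.0/24 on ether2, web server 192.168.1.254; the srcnat rule matches on src-address/dst-address/out-interface instead of in-interface, which the srcnat chain cannot match on.

```routeros
# Added example (not from the thread). Assumed addresses: public IP 10.4.30.30
# on ether1, LAN 192.168.1.0/24 on ether2, web server 192.168.1.254.

# Move the router's own web UI off port 80 so it can never answer in place
# of the server when the hairpin rules are disabled or out of order.
/ip service
set www port=8080

/ip firewall nat
# 1. Outside -> server: ordinary port forward on the WAN side.
add chain=dstnat in-interface=ether1 protocol=tcp dst-address=10.4.30.30 \
    dst-port=80 action=dst-nat to-addresses=192.168.1.254 to-ports=80 \
    comment="www from WAN"

# 2. Inside -> public IP: same destination rewrite for LAN clients
#    (this is Pete's rule 0; on its own it still times out).
add chain=dstnat in-interface=ether2 protocol=tcp dst-address=10.4.30.30 \
    dst-port=80 action=dst-nat to-addresses=192.168.1.254 to-ports=80 \
    comment="www hairpin dstnat"

# 3. The missing piece. After dst-nat the server would answer the client
#    directly on the shared subnet and the client drops the unsolicited
#    reply. Rewriting the source to the router's LAN address forces the
#    reply back through the router, whose connection table un-NATs it.
#    dst-address is matched after dst-nat, so it is the server's LAN IP.
#    Restricted to LAN->server port 80 so nothing else is masqueraded.
add chain=srcnat src-address=192.168.1.0/24 dst-address=192.168.1.254 \
    protocol=tcp dst-port=80 out-interface=ether2 action=masquerade \
    comment="www hairpin srcnat"

# 4. Normal outbound NAT for everything leaving the WAN.
add chain=srcnat out-interface=ether1 action=masquerade \
    comment="default masquerade"

# Check: after one request from a LAN client, both hairpin rules should
# show non-zero packet counters.
/ip firewall nat print stats where comment~"hairpin"
```

The server’s access log will show every hairpinned request as coming from the router’s LAN address, which is the trade-off Sam describes.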