static NAT problem

Hello everybody,
I set up a hotspot gateway with MikroTik ver 4.11 and it works fine with masquerade for local IPs.
I want to NAT one server and see it through the internet.
Here is my configuration:

   chain=unused-hs-chain action=passthrough 

 1   chain=srcnat action=masquerade src-address=10.6.10.0/24 
     out-interface=external 

 2   chain=dstnat action=dst-nat to-addresses=192.168.2.2   
     dst-address=x.x.x.30 in-interface=external 

 3   chain=srcnat action=src-nat to-addresses=x.x.x.30 
     src-address=192.168.2.2 out-interface=external

The server (192.168.2.2) cannot see public IPs like 8.8.8.8 and NAT does not work.
I cannot ping x.x.x.30 from outside.
Can anyone help me?

Those rules look OK, though just to check: you have a DMZ/third network for 192.168.2.2? Your LAN is otherwise referred to as 10.6.10.0. Also, is .30 an IP address implemented on a router interface?
If you can please post a network diagram.

But given that the IPs are correct those rules are correct. That you can’t ping could be due to any number of reasons, in order of likelihood the most common ones are: a host firewall on 192.168.2.2 blocks ICMP (recent Windows versions introduce the concept of zones, where the local network can ping the host, but remote networks cannot), you have firewall rules on the router that block ICMP (post the output of to get help troubleshooting that), and your ISP is dropping ICMP and there’s nothing you can do about it (can be disproven by pinging the router WAN interface).

Thank you for the reply.
This is the network diagram:

Windows firewall is off. I cannot ping the Cisco 2821 from server 192.168.2.2, but it pings from the MikroTik.

Your initial post mentions x.x.x.30, your diagram shows x.x.x.89. Any IP address that you NAT to must be implemented on a router interface - otherwise the directly connected router trying to forward traffic tries to ARP for that IP, doesn’t get a response from your router, and discards the packet since it doesn’t know where to send it. Do you have x.x.x.30 on an interface on the Mikrotik router? An alternative is proxy ARP, which is a fairly ugly solution and would only work if you own the ENTIRE subnet connected on the WAN router interface, with the only exception being the ISP router’s IP address.

If you need further help, please post the output of “/ip address print detail”, “/ip route print detail”, “/interface print”, and “/ip firewall export”.

x.x.x.30 is not an interface address.
This is what I want to do:
10.6.10.0/24…masquerade…>x.x.x.89
192.168.2.2…one to one NAT…>x.x.x.30
/ip address print

    address=192.168.88.1/24 network=192.168.88.0 broadcast=192.168.88.255 interface=ether1 actual-interface=ether1 

 1   address=10.6.10.233/24 network=10.6.10.0 broadcast=10.6.10.255 interface=internal actual-interface=internal 

 2   address=192.168.1.233/24 network=192.168.1.0 broadcast=192.168.1.255 interface=servers actual-interface=servers 

 3   address=x.x.x.89/24 network=x.x.x.0 broadcast=x.x.x.255 interface=external actual-interface=external 

 4   address=192.168.2.1/24 network=192.168.2.0 broadcast=192.168.2.255 interface=server2 actual-interface=server2

/ip route print

0 A S  dst-address=0.0.0.0/0 gateway=x.x.x.1 gateway-status=x.x.x.1 reachable external distance=1 scope=30 target-scope=10 

 1 ADC  dst-address=10.6.10.0/24 pref-src=10.6.10.233 gateway=internal gateway-status=internal reachable distance=0 scope=10 

 2 ADC  dst-address=x.x.x.0/24 pref-src=x.x.x.89 gateway=external gateway-status=external reachable distance=0 scope=10 

 3 A S  dst-address=172.17.1.0/24 gateway=192.168.1.8 gateway-status=192.168.1.8 reachable servers distance=1 scope=30 target-scope=10 

 4 A S  dst-address=172.17.2.0/24 gateway=192.168.1.8 gateway-status=192.168.1.8 reachable servers distance=1 scope=30 target-scope=10 

 5 A S  dst-address=172.17.10.0/24 gateway=192.168.1.8 gateway-status=192.168.1.8 reachable servers distance=1 scope=30 target-scope=10 

 6 ADC  dst-address=192.168.1.0/24 pref-src=192.168.1.233 gateway=servers gateway-status=servers reachable distance=0 scope=10 

 7 ADC  dst-address=192.168.2.0/24 pref-src=192.168.2.1 gateway=server2 gateway-status=server2 reachable distance=0 scope=10

/interface print

 #     NAME      TYPE   MTU   L2MTU
 0     ether1    ether  1500  1526
 1  R  internal  ether  1500  1522
 2  R  servers   ether  1500  1522
 3  R  external  ether  1500  1522
 4     ether5    ether  1500  1522
 5     ether6    ether  1500  1522
 6     ether7    ether  1500  1522
 7     ether8    ether  1500  1522
 8  R  server2   ether  1500  1522

/ip firewall export

# apr/05/2011 10:53:50 by RouterOS 4.11
# software id = S469-VITZ
#
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=10s tcp-established-timeout=1d tcp-fin-wait-timeout=10s \
    tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=10s udp-stream-timeout=3m \
    udp-timeout=10s
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=drop chain=input comment="" disabled=no dst-address=x.x.x.89 dst-port=80 in-interface=external protocol=tcp
add action=drop chain=input comment="" disabled=no dst-address=x.x.x.89 dst-port=21 in-interface=external protocol=tcp
add action=drop chain=input comment="" disabled=no dst-address=x.x.x.89 dst-port=23 in-interface=external protocol=tcp
add action=drop chain=input comment="" disabled=no dst-address=x.x.x.89 dst-port=22 in-interface=external protocol=tcp
add action=drop chain=input comment="" disabled=no dst-address=x.x.x.89 dst-port=135-139 in-interface=external protocol=tcp
add action=drop chain=input comment="" disabled=no dst-address=x.x.x.89 dst-port=445 in-interface=external protocol=tcp
/ip firewall mangle
add action=mark-packet chain=forward comment="" disabled=no dst-address=192.168.1.0/24 in-interface=internal new-packet-mark=ToserverPacket out-interface=\
    servers passthrough=yes src-address=10.6.10.0/24
add action=mark-packet chain=input comment="" disabled=no dst-address=!192.168.1.0/24 in-interface=internal new-packet-mark=ToWebPacket passthrough=no \
    src-address=10.6.10.0/24
add action=mark-connection chain=forward comment="" disabled=no new-connection-mark=user-con passthrough=yes src-address=172.17.2.0/24
add action=mark-packet chain=forward comment="" connection-mark=user-con disabled=no new-packet-mark=VPNuser-pac passthrough=yes
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat comment="" disabled=no out-interface=external packet-mark=!ToserverPacket src-address=10.6.10.0/24
add action=masquerade chain=srcnat comment="" disabled=no src-address=172.17.2.0/24
add action=masquerade chain=srcnat comment="" disabled=no src-address=172.17.1.0/24
add action=masquerade chain=srcnat comment="" disabled=no src-address=172.17.10.0/24
add action=dst-nat chain=dstnat comment="" disabled=no dst-address=x.x.x.30 in-interface=external to-addresses=192.168.2.2
add action=src-nat chain=srcnat comment="" disabled=no out-interface=external src-address=192.168.2.2 to-addresses=x.x.x.30
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no

192.168.1.0/24 is used for the RADIUS server and has no problem.

I am still waiting :(

Read my post - you need to add .30 as an additional IP to your WAN interface.

When traffic goes to .30 on the ISP router it needs to know where to send it. It’s a multiaccess Ethernet interface so it’s going to ARP for that IP. Unless your router responds to the ARP request for .30 the ISP router will not be able to resolve to a MAC address, and will not send the packet. In your situation the only way to get your router to answer ARP requests for .30 is to implement that IP on your WAN interface.

It would also be best practice to move the specific destination and source NAT rules for 192.168.2.2 above any other source NAT and destination NAT rules. You don’t have any that interfere right now, but might in the future. NAT rules are evaluated in order, so you should list the most specific first.

Thanks.
I assigned x.x.x.30 to an interface and it did work,
but is it the only way? I do not want to use another interface.

You can assign two IP addresses to the same interface. Assign both .89 and .30 to the interface named ‘external’.
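
The check that resolved this thread (a NAT address inside the WAN subnet must be implemented on a router interface, or the upstream router's ARP for it goes unanswered) can be run against saved router output. The following is an added example, not part of any poster's reply and not MikroTik tooling. The function names are hypothetical, the sample text is constructed, and 203.0.113.0/24 stands in for the redacted x.x.x.0/24.

```python
import ipaddress
import re

# Constructed sample modelled on the thread's "/ip address print" and
# "/ip firewall export" output; 203.0.113.x replaces the redacted x.x.x.x.
ADDRESSES = """\
 1   address=10.6.10.233/24 interface=internal
 3   address=203.0.113.89/24 interface=external
 4   address=192.168.2.1/24 interface=server2
"""
NAT_EXPORT = """\
add action=masquerade chain=srcnat out-interface=external src-address=10.6.10.0/24
add action=dst-nat chain=dstnat dst-address=203.0.113.30 in-interface=external to-addresses=192.168.2.2
add action=src-nat chain=srcnat out-interface=external src-address=192.168.2.2 to-addresses=203.0.113.30
"""

# Which field holds the public (outside) address for each NAT action.
PUBLIC_FIELD = {"dst-nat": "dst-address", "src-nat": "to-addresses"}

def fields(line):
    """Split one RouterOS key=value line into a dict."""
    return dict(re.findall(r"([\w-]+)=(\S+)", line))

def unanswered_nat_addresses(address_text, nat_text):
    """Return NAT public IPs that sit in a connected subnet but are not
    assigned to any interface, so nothing answers ARP for them."""
    ifaces = [ipaddress.ip_interface(fields(l)["address"])
              for l in address_text.splitlines() if "address" in fields(l)]
    owned = {i.ip for i in ifaces}
    findings = []
    for line in nat_text.splitlines():
        f = fields(line)
        key = PUBLIC_FIELD.get(f.get("action"))
        if not key or key not in f:
            continue  # masquerade and passthrough rules carry no fixed public IP
        try:
            ip = ipaddress.ip_address(f[key])
        except ValueError:
            continue  # ranges, prefixes and negations are out of scope here
        on_link = any(ip in i.network for i in ifaces)
        if on_link and ip not in owned and str(ip) not in findings:
            findings.append(str(ip))
    return findings

if __name__ == "__main__":
    print(unanswered_nat_addresses(ADDRESSES, NAT_EXPORT))
```

Appending a second address line for 203.0.113.30/24 on `external`, as the last reply suggests, makes the function return an empty list.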