Trouble accessing dst-nat'ted IPs from src-nat'ted system.

Hi,

I have two systems, both on the same private subnet.
Both are connected to a WAN (actually a wifi user group). As the one machine is a server, I’ve got it 1:1 natted so that external users can fully access it. The rules I’ve used for this are:

 0   chain=srcnat action=src-nat to-addresses=172.21.3.90 src-address=192.168.0.170 
 1   chain=dstnat action=dst-nat to-addresses=192.168.0.170 dst-address=172.21.3.90

This works fine, users on the external network can access the system just fine.

My personal system makes use of src-nat to go via the external IP of my wifi interface:

10  chain=srcnat action=src-nat to-addresses=172.21.254.17 dst-address=172.16.0.0/12

This also works as expected; the problem however is that I cannot access my server via its external IP - at least not fully - I can ping it, but cannot access any services on it, such as the http server.
Obviously I don’t really need to, as I can access it via the local IP, but for testing purposes it would be nice to be able to access the external IP.

I imagine I need to use mangle rules or something to accomplish this, but I don’t really know where to start.

Any ideas?
Thanks. :slight_smile:

Last time I checked with mrz, you would need a masquerade rule for local-to-local. I will use the 192.168.0.0/24 net for this example:

/ip firewall nat
add chain=srcnat action=masquerade src-address=192.168.0.0/24
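
As an added illustration (not part of this thread, and not anything MikroTik ships), here is a small Python model of how the srcnat and dstnat chains are walked for a LAN client connecting to the server's public address. It uses the three rules posted above plus the masquerade rule from this reply. The client address 192.168.0.50 and the router's LAN-side address 192.168.0.1 are constructed for the example; the thread does not give them. The model shows why the original rule 10 never helps here: dstnat runs before routing, so by the time srcnat is evaluated the destination is already 192.168.0.170 and the 172.16.0.0/12 matcher does not fire. The server then answers the client directly on the LAN, and the client receives a reply from a private address it never connected to.

```python
# Added example: model of RouterOS-style NAT chain evaluation for the hairpin case.
# Client 192.168.0.50 and router LAN address 192.168.0.1 are constructed values.
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass(frozen=True)
class Rule:
    chain: str                          # "srcnat" or "dstnat"
    action: str                         # "src-nat", "dst-nat" or "masquerade"
    src_address: Optional[str] = None   # host or CIDR, like the RouterOS matcher
    dst_address: Optional[str] = None
    to_addresses: Optional[str] = None


def _matches(matcher: Optional[str], addr: str) -> bool:
    """An unset matcher matches everything; otherwise test address membership."""
    return matcher is None or ip_address(addr) in ip_network(matcher, strict=False)


def apply_chain(rules: List[Rule], chain: str, pkt: Packet, egress_ip: str) -> Packet:
    """First matching rule in the chain wins, as in a RouterOS NAT chain."""
    for r in rules:
        if r.chain != chain:
            continue
        if not (_matches(r.src_address, pkt.src) and _matches(r.dst_address, pkt.dst)):
            continue
        if r.action == "dst-nat":
            return replace(pkt, dst=r.to_addresses)
        if r.action == "src-nat":
            return replace(pkt, src=r.to_addresses)
        if r.action == "masquerade":
            # masquerade rewrites the source to the address of the egress interface
            return replace(pkt, src=egress_ip)
    return pkt


def hairpin(rules: List[Rule], client_ip: str, public_ip: str,
            lan_net: str, router_lan_ip: str) -> Tuple[str, bool]:
    """LAN client connects to the server's public address.

    Returns the source address the client sees on the reply and whether it is
    the address the client connected to (only then can a TCP session proceed).
    """
    fwd = Packet(client_ip, public_ip)
    # dstnat runs before routing; srcnat runs after it and therefore already
    # sees the translated LAN destination, so a dst-address=172.16.0.0/12
    # src-nat rule cannot match this flow.
    fwd = apply_chain(rules, "dstnat", fwd, router_lan_ip)
    fwd = apply_chain(rules, "srcnat", fwd, router_lan_ip)  # egress is the LAN interface

    # The server answers whatever source address it saw.
    reply = Packet(src=fwd.dst, dst=fwd.src)
    direct_to_client = (ip_address(reply.dst) in ip_network(lan_net)
                        and reply.dst != router_lan_ip)
    if direct_to_client:
        # Reply crosses the LAN switch straight to the client; the router never
        # sees it, so nothing reverses the dst-nat and the private address leaks.
        seen_src = reply.src
    else:
        # Reply goes back through the router, whose connection tracking undoes
        # both translations; the client sees the public address it expects.
        seen_src = public_ip
    return seen_src, seen_src == public_ip


# Rules 0, 1 and 10 from the question, then rule 10 replaced by the masquerade.
SERVER_LAN, SERVER_PUBLIC = "192.168.0.170", "172.21.3.90"
ORIGINAL_RULES = [
    Rule("srcnat", "src-nat", src_address=SERVER_LAN, to_addresses=SERVER_PUBLIC),
    Rule("dstnat", "dst-nat", dst_address=SERVER_PUBLIC, to_addresses=SERVER_LAN),
    Rule("srcnat", "src-nat", dst_address="172.16.0.0/12", to_addresses="172.21.254.17"),
]
FIXED_RULES = ORIGINAL_RULES[:2] + [
    Rule("srcnat", "masquerade", src_address="192.168.0.0/24"),
]


def demo() -> Tuple[Tuple[str, bool], Tuple[str, bool]]:
    """Run both rule sets for the constructed client; return (before, after)."""
    client, lan, router = "192.168.0.50", "192.168.0.0/24", "192.168.0.1"  # constructed
    before = hairpin(ORIGINAL_RULES, client, SERVER_PUBLIC, lan, router)
    after = hairpin(FIXED_RULES, client, SERVER_PUBLIC, lan, router)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("original rules:  reply from", before[0], "->", "works" if before[1] else "broken")
    print("with masquerade: reply from", after[0], "->", "works" if after[1] else "broken")
```

Run it and the original rule set reports the reply arriving from 192.168.0.170, while the masquerade version reports it from 172.21.3.90. The masquerade rule works because the server now sees the router's LAN address as the client, so its reply is forced back through the router where connection tracking can reverse both translations.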

You appear to be correct! :smiley:
I replaced my src-nat rule with yours and now it’s working fine!

Thanks very much! :slight_smile:

You are welcome! :smiley:

Myth: You can’t “double back” to a localnet address by using the public address.
Result: BUSTED!!

Actually, the myth is: You can’t “double back” to a localnet address by using the public address and not hiding your address by the router’s one.

You busted the wrong myth =)

I don’t remember that as part of the ground rules. I (edit: mrz actually) busted right myth!

Then use search: it was busted a long time ago =)