Two gateways NAT problem

Edoras · February 27, 2018, 10:52pm

I have LAN and 2 internet gateways - Mikrotiks CCR.
One of the computers in LAN I want to make NAT 1:1 to public IP . The public IP is routed to IGW2, so all trafic from internet to the computer public IP comes through IGW2. But trafic FROM the computer can be sent by both IGWs.
Everything works fine, when packet is sent by IGW2, there it is NATted to public IP, then answer comes back to IGW and it is NATted back to local IP. It works fine.
But problem is, when packet is sent by IGW1, there it is NATted, answer will come to IGW2. Then IGW2 sent the packet back to the internet, it will make no NAT. The packet is not going to the IP FIREWALL NAT.

What I want:

What happends:

On both IGW are same rules:

add action=jump chain=srcnat  jump-target=nattopublic src-address=10.0.0.0/8
add action=jump chain=dstnat  dst-address=94.124.109.0/24 jump-target=natfrompublic
add action=src-nat chain=nattopublic src-address=10.140.4.2 to-addresses=94.124.109.71
add action=dst-nat chain=natfrompublic dst-address=94.124.109.71 to-addresses=10.140.4.2

When I ping from the computer to 178.217.148.40, in log on IGW2 I can see, packet are received from 178.217.148.40, but they are sent back to internet interface without any NAT.
When I added log rule on the 1st place to the NAT table, I can see, packets are not going to the NAT table anyway.

22:31:06 firewall,info forward: in:vlan503-Inet out:vlan503-Inet, src-mac 44:f4:77:9e:5f:f8, proto ICMP (type 0, code 0), 178.217.148.40->94.124.109.71, len 56
22:31:07 firewall,info forward: in:vlan503-Inet out:vlan503-Inet, src-mac 44:f4:77:9e:5f:f8, proto ICMP (type 0, code 0), 178.217.148.40->94.124.109.71, len 56

WHY???

Petri · February 28, 2018, 10:00am

The way NAT works is that the router keeps a database of open sessions. That’s how it can route the return packets to correct destinations. Now the session is in IGW1 and when IGW2 receives a return packet it has no idea what to do with it. AFAIK there is no way to sync this information between the routers.

Why do you want to source the packets from IGW1 with the IP address of IGW2? The solution is to let IGW1 have its own public IP address. It can be dynamic, it doesn’t matter. That way all traffic going through IGW1 will use the same return path. Only traffic originating from the internet, destined to the static public IP address, will go through IGW2.

Edoras · March 1, 2018, 9:08pm

Yes, that’s what I supposed … but is there any way, how to switch off this behaviour? I just want NAT 1:1 … change source or destination IP of packets exactly 1:1 and not check, if the session is opened or not.

sebastia · March 1, 2018, 10:12pm

pe1chl · March 2, 2018, 10:04am

I think you have a routing problem in IGW2, the route for 94.124.109.71 is pointing back to internet.
Setup an interface where this IP address or its subnet is local to the router. Could be a bridge without any ports.
(often termed a Loopback in other routers)

Petri · March 2, 2018, 2:49pm

I was wrong and @pe1chl is right (he often is). My mind was preoccupied with masquerading. 1-to-1 NAT is just address rewriting, no bookkeeping.

sebastia · March 2, 2018, 3:11pm

Wouldn’t the dst-nat rule be applied before routing is performed?

add action=dst-nat chain=natfrompublic dst-address=94.124.109.71 to-addresses=10.140.4.2

Then then dst address should already be rewritten?

pe1chl · March 2, 2018, 3:23pm

Probably yes. Anyway, with such 1:1 mapping you should use action netmap, not dst-nat.