Which dstnat rules?

Hi,

If I want a packet from the internet to reach my LAN server 192.168.88.3 on port 1234,
I can use any of the four following NAT rules. They all work. Apart from the possibilities offered by each of them, from a purely safety point of view, is there one better than the others?


/ip firewall nat add action=dst-nat chain=dstnat in-interface-list=WAN dst-port=1234 protocol=tcp to-addresses=192.168.88.3
/ip firewall nat add action=dst-nat chain=dstnat in-interface-list=all dst-port=1234 protocol=tcp to-addresses=192.168.88.3
/ip firewall nat add action=dst-nat chain=dstnat dst-address-list=my_public_ip_list dst-port=1234 protocol=tcp to-addresses=192.168.88.3
/ip firewall nat add action=dst-nat chain=dstnat  dst-address-type=local dst-address=!192.168.88.1 protocol=tcp dst-port=1234 to-addresses=192.168.88.3

Thx

The first is best, being straightforward, yet flexible.

If the second succeeds, it is only by the accident that there is no service at port 1234 on the router itself. It would not work for port-forwarding external HTTP conns to your public IP while still allowing WebFig access from the LAN, for example.

The third is brittle unless you have a static IP assignment, requiring you to update the list each time DHCP/SLAAC assigns you a new IP.

The fourth is excessively clever. Any virtues it possesses are swamped by the simplicity of the first alternative you give.

Thank you very much for these precise answers, which are exactly what I was looking for.

The answer provided was incomplete and missed the mark.
Note: The to-port entry IS required if the incoming port will be different from the port hitting the server (port translation by the router).

There are two main categories to consider in DST NAT RULES

a. Static IP ( your IP address is static/fixed ).
The correct format is
add action=dst-nat chain=dstnat dst-address=myWAN-IP dst-port=1234 protocol=tcp to-addresses=192.168.88.3

b. DYNAMIC WANIP ( your IP address can change )
The correct format is as your first iteration:
add action=dst-nat chain=dstnat in-interface-list=WAN dst-port=1234 protocol=tcp to-addresses=192.168.88.3

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

The above works very well for external users.
The next consideration is what happens when you have internal users…
We need to look at our two categories above and ensure they meet the requirements.
There are two cases to consider…

Are internal users using direct LANIP of the server? Yes, no change is required.

Are internal users using a DYNDNS URL (same as external users) to reach the server? YES, then we need to modify the rules above and ensure an applicable FW rule.

a. Fixed Static IP - no change
b. Dynamic IP - There are several options here; the most commonly used is creating a firewall address list entry for your IP address using the dyndns URL or mynetname from IP cloud etc.
The more elegant solution is DNS based for example.

Thus recommend:
/ip firewall address-list
add address=mynetname.net list=MyWAN
/ip firewall nat add action=dst-nat chain=dstnat dst-address-list=MyWAN dst-port=1234 protocol=tcp to-addresses=192.168.88.3

This solution mimics the fixed IP address scenario.

In addition to modifying the DSTNAT Rule, this is the right time to modify the forward chain rule allowing port forwarding.
Remove the default rule which discusses only WAN incoming DSTNAT to a more inclusive rule.
add chain=forward action=accept connection-nat-state=dstnat comment="enable port forwarding"

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Finally, we get to the final consideration of Local Users using a DYNDNS-type URL to reach local servers.
THIS APPLIES regardless if WANIP is static or dynamic.

Are the Users in the same subnet as the Server itself? NO, then no further action required.
Are the Users in the same subnet as the Server itself? YES, we have a problem called the hairpin NAT problem or loopback problem.
The solution to this is the following sourcenat rule.
add chain=srcnat action=masquerade src-address=192.168.88.0/24 dst-address=192.168.88.0/24 ( or whatever the applicable subnet both users and server are located in ).
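As an added illustration (not from this thread or from MikroTik), a small Python model of the four candidate matchers from the question, run over constructed packets: an internet client, a LAN client talking to a service on the router itself, a LAN client using the public address (the DynDNS case from the second answer), and the same internet client after a WAN address change (the brittleness the first answer describes). The interface names, the 203.0.113.x public addresses and the 198.51.100.5 client are assumptions for the lab.

```python
import ipaddress

# Constructed lab state: RFC 5737 documentation addresses stand in for real ones.
PUBLIC_IP = "203.0.113.10"          # address DHCP currently gave ether1
LAN_GATEWAY = "192.168.88.1"        # router's own LAN address
SERVER = "192.168.88.3"
INTERFACE_LISTS = {"WAN": {"ether1"}, "all": {"ether1", "bridge"}}
ADDRESS_LISTS = {"my_public_ip_list": {PUBLIC_IP}}  # typed in by hand, never refreshed

def packet(in_iface, src, dst, dport=1234, proto="tcp"):
    """A minimal packet header as the NAT matchers see it."""
    return {"in_iface": in_iface, "src": src, "dst": dst, "dport": dport, "proto": proto}

def matching_rules(pkt, wan_ip=PUBLIC_IP):
    """Labels of the question's four dst-nat rules whose matchers would fire on pkt.
    wan_ip is the address ether1 holds right now; the address list keeps the value
    that was entered by hand, so the two drift apart after a DHCP renewal."""
    if pkt["proto"] != "tcp" or pkt["dport"] != 1234:
        return []
    router_owned = {wan_ip, LAN_GATEWAY}  # what dst-address-type=local means
    checks = {
        "1 in-interface-list=WAN": pkt["in_iface"] in INTERFACE_LISTS["WAN"],
        "2 in-interface-list=all": pkt["in_iface"] in INTERFACE_LISTS["all"],
        "3 dst-address-list=my_public_ip_list":
            pkt["dst"] in ADDRESS_LISTS["my_public_ip_list"],
        "4 dst-address-type=local dst-address=!192.168.88.1":
            pkt["dst"] in router_owned and pkt["dst"] != LAN_GATEWAY,
    }
    return [label for label, hit in checks.items() if hit]

def needs_hairpin_masquerade(pkt, subnet="192.168.88.0/24"):
    """True when the client sits in the server's own subnet: after dst-nat the server
    would answer the client directly with its real address as source, the client
    would not recognise that reply, so the router must also masquerade the client."""
    net = ipaddress.ip_network(subnet)
    return ipaddress.ip_address(pkt["src"]) in net and ipaddress.ip_address(SERVER) in net

if __name__ == "__main__":
    cases = {
        "internet client -> public IP": packet("ether1", "198.51.100.5", PUBLIC_IP),
        "LAN client -> router's own port 1234": packet("bridge", "192.168.88.50", LAN_GATEWAY),
        "LAN client -> public IP via DynDNS": packet("bridge", "192.168.88.50", PUBLIC_IP),
    }
    for name, pkt in cases.items():
        print(f"{name}: {matching_rules(pkt)} hairpin={needs_hairpin_masquerade(pkt)}")
    renewed = packet("ether1", "198.51.100.5", "203.0.113.77")
    print("after WAN renewal:", matching_rules(renewed, wan_ip="203.0.113.77"))
```

Rule 2 is the only one that also captures a LAN client aimed at the router's own port, rule 1 is the only one that never fires for a LAN client using the public address, and rule 3 silently stops matching once the WAN address changes.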