Why does masquerade send router's IP address to source

Hi there, at the moment I am using a rb750g to relay DNS requests from 172.16.3.0/24 and 172.16.4.0/24.

One of the static relays is set to a samba server, the IP is 172.16.1.5.
I also had to add masquerade to the rb750g and I am able to connect and ping the samba router.

But I have set the samba firewall to only allow 172.16.3.4.

I did some tests and found that when the samba firewall is active I am unable to connect to it, but when I add 172.16.1.0/24 to the allow list then it works. The rb750g has an IP address of 172.16.1.200 and I think that this IP is forwarded and not 172.16.3.4.

Is it possible to set up MikroTik to redirect source IP to dst-ip?

Here is what I would like to accomplish…

All requests are sent to the rb750g and then it redirects the incoming IP address (172.16.3.4) to dst source without changing the IP address.

I suppose you need to use DST-NAT.
Add rule to /ip firewall nat
Set src-address, action=dst-nat and to-addresses (local IP address, where traffic should be redirected to).

Thank you. I tried this.

ip firewall nat add chain=dstnat src-address=172.16.3.0/24 action=dst-nat to-addresses=172.16.1.0/24


But it does not work.

When I putty to the samba server then it says last login was from 172.16.1.200 (rb750g ether1 address)

that’s because you’re using masquerading. remove that srcnat rule =)

p.s. for me, “Why does masquerade send router's IP address to source?” sounds like “Why does Sun shine?..”
masquerade DOES replace packet src-address with router’s address - that is what it was introduced for =)

Hi, I did some tests, and I am unable to fix this.

What I would like to know is..

  1. Under action → dst-nat, must the IP address be the address of a DNS server? I tried to put the target server address there but that does not work.

As others said: If your problem is that the source IP address is translated, stop source NAT’ing that traffic. That has nothing to do with destination NAT.

Edit: Generally speaking without seeing your configuration and what you’re trying to do (network diagram) you probably want to add an ‘out-interface=WAN-port’ to any NAT rules with an action of ‘masquerade’ in your configuration.

Edit 2: Add “Edit:” to above since there’s been a post since.

it should work. post your NAT config

Hi Chupaka! :smiley:

Ok, here is what I currently have.

[admin@MikroTik] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=srcnat action=masquerade src-address=172.23.128.0/24

 1   chain=dstnat action=dst-nat to-addresses=172.16.1.0-172.16.1.255
     src-address=172.16.3.0/28
[admin@MikroTik] /ip firewall nat>

PS: 172.23.128.0/24 is my WAN IP address; I am also using the rb750g as time server and radius server

if you want to redirect DNS requests, you should use something like

chain=dstnat src-address=172.16.3.0/24 protocol=udp dst-port=53 action=dst-nat to-addresses=172.16.1.5

So that means that all requests from 172.16.3.0/24 will be forwarded to 172.16.1.5?

or

when I putty to 172.16.1.5 then I will connect to the server with the IP address of the computer that I am using?

that means that all DNS requests from 172.16.3.0/24 will be forwarded to 172.16.1.5

Thank you. So all I need to do is to set up a DNS server on the 172.16.1.0/24 side.

thank you
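
Added example (not part of the thread, and not RouterOS code): a small Python model of the NAT order discussed above, showing why an unscoped masquerade makes the Samba host log 172.16.1.200, and how the out-interface advice and the DNS dst-nat rule change that. The interface name "wan", the WAN address 172.23.128.2 and the unscoped masquerade rule are assumptions constructed for the illustration.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    out_if: str = ""  # set by the routing decision

@dataclass(frozen=True)
class Rule:
    chain: str   # "dstnat" or "srcnat"
    action: str  # "dst-nat" or "masquerade"
    src_address: Optional[str] = None
    protocol: Optional[str] = None
    dst_port: Optional[int] = None
    out_interface: Optional[str] = None
    to_addresses: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        return ((self.src_address is None or ip_address(p.src) in ip_network(self.src_address))
                and self.protocol in (None, p.proto)
                and self.dst_port in (None, p.dport)
                and self.out_interface in (None, p.out_if))

# network -> (interface, router address); ether1/172.16.1.200 is from the thread, "wan" is assumed
ROUTES = [("172.16.1.0/24", "ether1", "172.16.1.200")]
DEFAULT = ("wan", "172.23.128.2")

def translate(rules, p: Packet) -> Packet:
    pick = lambda chain: next((r for r in rules if r.chain == chain and r.matches(p)), None)
    rule = pick("dstnat")  # dstnat is evaluated before routing
    if rule:
        p = replace(p, dst=rule.to_addresses)
    out_if, addr = next(((i, a) for n, i, a in ROUTES if ip_address(p.dst) in ip_network(n)), DEFAULT)
    p = replace(p, out_if=out_if)
    rule = pick("srcnat")  # srcnat is evaluated after routing
    if rule and rule.action == "masquerade":
        p = replace(p, src=addr)  # source becomes the outgoing interface's address
    return p

UNSCOPED = [Rule("srcnat", "masquerade")]  # constructed: no out-interface, matches all traffic
SCOPED = [
    Rule("dstnat", "dst-nat", src_address="172.16.3.0/24", protocol="udp", dst_port=53, to_addresses="172.16.1.5"),
    Rule("srcnat", "masquerade", out_interface="wan"),
]
SSH = Packet("172.16.3.4", "172.16.1.5", "tcp", 22)  # constructed: the putty login from the thread
```

translate(UNSCOPED, SSH) returns a packet whose source is the router's ether1 address, which a firewall allowing only 172.16.3.4 rejects; with SCOPED the source stays 172.16.3.4 and only traffic leaving via "wan" is masqueraded.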