tr00g33k
Frequent Visitor
Topic Author
Posts: 84
Joined: Sun Mar 29, 2015 3:58 pm

MikroTik "masquerade" public IP to LAN IP of router

Sun Aug 14, 2016 12:04 pm

Hello!

I have a question. I have two "routers" on the network, one MikroTik and one L7 firewall, for testing purposes. The LAN network has its default route (default gateway) set to the firewall. But the LAN network can have access through the MikroTik too, so the MikroTik and the L7 firewall both have a WAN IP.

Now the problem is that, because the default gateway is the L7 firewall, when I create NAT on the MikroTik to the LAN and a LAN PC gets a request from a WAN IP, it replies to the default gateway (L7 firewall) instead of to the MikroTik (which holds the NAT session). Is it possible to somehow masquerade the public IP to the LAN IP of the MikroTik so that the PC would reply back to the MikroTik instead of to the default gateway?

Example: a PC from WAN (3.3.3.3) => goes for NAT 3389 on MikroTik (WAN IP: 1.1.1.1, which is NATed => 192.168.1.10), but now the PC 192.168.1.10 replies to 192.168.1.2 (default gateway) instead of the MikroTik (192.168.1.1). Is it possible to achieve something like this:

When a PC from WAN (3.3.3.3) => goes for NAT 3389 on MikroTik (WAN IP: 1.1.1.1, MikroTik masquerades 3.3.3.3 to its local IP 192.168.1.1 and sends it forward to PC 192.168.1.10, and then the PC replies to 192.168.1.1, and MikroTik forwards the packet back to WAN PC 3.3.3.3).

Any help would be much appreciated.

 
Sob
Forum Guru
Posts: 4780
Joined: Mon Apr 20, 2009 9:11 pm

Re: MikroTik "masquerade" public IP to LAN IP of router

Sun Aug 14, 2016 3:35 pm

Of course it's possible, it's exactly the same as "outgoing" NAT on WAN. Just add one rule:
/ip firewall nat
add action=masquerade chain=srcnat out-interface=<LAN>
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
tr00g33k
Frequent Visitor
Topic Author
Posts: 84
Joined: Sun Mar 29, 2015 3:58 pm

Re: MikroTik "masquerade" public IP to LAN IP of router

Sun Aug 14, 2016 11:43 pm

Thank you for the tip. I knew that already, but I wanted to masquerade only one port. So today I was playing around and I found a way to do this, but I don't know if this is the way it should be done:

/ip firewall nat add action=dst-nat chain=dstnat dst-port=3389 in-interface="Eth1 - WAN" protocol=tcp to-addresses=192.168.1.10 to-ports=3389

/ip firewall nat add action=masquerade chain=srcnat dst-address=192.168.1.10 dst-port=3389 out-interface="LAN Bridge" protocol=tcp
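
A small Python model of the packet path discussed in this thread, added as an example and not part of any post: it shows why the reply bypasses the MikroTik with the dst-nat rule alone and returns through it once the srcnat masquerade rule is present. The addresses are the ones from the thread; the /24 LAN mask and all function names are assumptions.

```python
import ipaddress

# Addresses from the thread; the /24 mask is an assumption.
LAN = ipaddress.ip_network("192.168.1.0/24")
MIKROTIK_LAN = "192.168.1.1"
L7_FIREWALL = "192.168.1.2"  # default gateway of the LAN PC
SERVER = "192.168.1.10"
MIKROTIK_WAN = "1.1.1.1"
CLIENT = "3.3.3.3"


def mikrotik_forward(src, dst, dport, masquerade):
    """Model the dst-nat rule and, optionally, the srcnat masquerade rule."""
    if dst != MIKROTIK_WAN or dport != 3389:
        return None, None
    new_src = MIKROTIK_LAN if masquerade else src
    packet = {"src": new_src, "dst": SERVER, "dport": dport}
    # State held only by the MikroTik: LAN-side reply tuple -> WAN-side tuple.
    conntrack = {(SERVER, new_src): (MIKROTIK_WAN, src)}
    return packet, conntrack


def server_next_hop(reply_dst):
    """Routing on the PC: on-link destinations direct, the rest via the gateway."""
    if ipaddress.ip_address(reply_dst) in LAN:
        return reply_dst
    return L7_FIREWALL


def trace(masquerade):
    """Follow one RDP connection attempt and report where the reply goes."""
    packet, conntrack = mikrotik_forward(CLIENT, MIKROTIK_WAN, 3389, masquerade)
    reply = (packet["dst"], packet["src"])  # (source, destination) of the reply
    hop = server_next_hop(reply[1])
    result = {"server_sees": packet["src"], "next_hop": hop, "wan_reply": None}
    if hop == MIKROTIK_LAN and reply in conntrack:
        # The MikroTik reverses both translations from its conntrack entry.
        result["wan_reply"] = conntrack[reply]
    return result


if __name__ == "__main__":
    for flag in (False, True):
        print("masquerade" if flag else "dst-nat only", trace(flag))
```

The `server_sees` field shows the side effect of the masquerade rule: the RDP host logs every session as coming from 192.168.1.1, so the real client address is only recoverable from the MikroTik's own connection tracking or logs.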
 
Sob
Forum Guru
Posts: 4780
Joined: Mon Apr 20, 2009 9:11 pm

Re: MikroTik "masquerade" public IP to LAN IP of router

Mon Aug 15, 2016 2:57 am

If it works, it's correct. Well, not always, but with these simple things it usually is. :) So yes, it will do what you want, without any unwanted side effects I can think of.
 
jarda
Forum Guru
Posts: 7603
Joined: Mon Oct 22, 2012 4:46 pm

Re: MikroTik "masquerade" public IP to LAN IP of router

Mon Aug 15, 2016 7:46 am

Don't forget to allow dstnatted traffic in firewall filter. Otherwise it would be dropped.
