koko
just joined
Topic Author
Posts: 2
Joined: Wed Feb 22, 2017 7:29 pm

Mikrotik Multi-NAT problem

Wed Feb 22, 2017 9:00 pm

Hello,

I'm new to Mikrotik, and have been trying to set up my router to do the following:

My ISP gave me 4 usable IP addresses, that I want to map to NAT addresses as follows:
72.xxx.xxx.120
72.xxx.xxx.121 - 192.168.1.5 (Web Server)
72.xxx.xxx.122 - 192.168.1.4 (Mail Server)
72.xxx.xxx.123 - 192.168.1.3 (Web Server)

I want traffic to go inbound from the public IP addresses to these NAT servers, and I want outgoing traffic from the servers to go to the mapped public IP.
All other traffic should go out on 72.xxx.xxx.120.

I have an old Netgear router doing this now.

Using examples I found on this forum, I came up with the following config, which seems to do what I wanted.
But then intermittently I lose the connection to one or more IP addresses, and can't even ping it, or access the web server.
Then I'm able to again for a while until it drops again.
Sometimes I lose the connection and can't ping one IP address, but can ping another.

Anyone see any obvious errors in my config that could cause this?

Thanks

/interface bridge
add admin-mac=xx:xx:xx:xx:xx:xx auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] name=WAN
set [ find default-name=ether2 ] name=ether2-master
set [ find default-name=ether3 ] master-port=ether2-master
set [ find default-name=ether4 ] master-port=ether2-master
set [ find default-name=ether5 ] master-port=ether2-master
set [ find default-name=ether6 ] name=ether6-master
set [ find default-name=ether7 ] master-port=ether6-master
set [ find default-name=ether8 ] master-port=ether6-master
set [ find default-name=ether9 ] master-port=ether6-master
set [ find default-name=ether10 ] master-port=ether6-master
/ip neighbor discovery
set WAN discover=no
/ip pool
add name=dhcp ranges=192.168.1.10-192.168.1.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge lease-time=1w1d name=\
defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-master
add bridge=bridge comment=defconf interface=ether6-master
/ip address
add address=192.168.1.1/24 comment=defconf interface=ether2-master network=\
192.168.1.0
add address=72.xxx.xxx.120/24 interface=WAN network=72.xxx.xxx.0
add address=72.xxx.xxx.121/24 interface=WAN network=72.xxx.xxx.0
add address=72.xxx.xxx.122/24 interface=WAN network=72.xxx.xxx.0
add address=72.xxx.xxx.123/24 interface=WAN network=72.xxx.xxx.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=WAN
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=167.206.112.138,167.206.7.4
/ip dns static
add address=192.168.1.1 name=router
/ip firewall filter
add action=accept chain=input dst-address=72.xxx.xxx.121 in-interface=WAN \
protocol=icmp
add action=accept chain=input dst-address=72.xxx.xxx.122 in-interface=WAN \
protocol=icmp
add action=accept chain=input dst-address=72.xxx.xxx.123 in-interface=WAN \
protocol=icmp
add action=accept chain=input comment=RDP dst-address=72.xxx.xxx.121 \
dst-port=80,443 in-interface=WAN protocol=tcp
add action=accept chain=input comment=server2 dst-address=72.xxx.xxx.122 \
dst-port=25,110,143,53,80,443 in-interface=WAN \
protocol=tcp
add action=accept chain=input comment="server2 UDP" dst-address=\
72.xxx.xxx.122 dst-port=53 in-interface=WAN protocol=udp
add action=accept chain=input dst-address=72.xxx.xxx.123 dst-port=53 \
in-interface=WAN protocol=udp
add action=accept chain=input comment=server1 dst-address=\
72.xxx.xxx.123 dst-port=53,80,443 in-interface=WAN protocol=tcp
add action=accept chain=input comment="defconf: accept established,related" \
connection-state=established,related
add action=drop chain=input comment="defconf: drop all from WAN" \
in-interface=WAN
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" \
connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface=WAN
/ip firewall nat
add action=dst-nat chain=dstnat disabled=yes dst-address=72.xxx.xxx.121 \
dst-port=3389 protocol=tcp to-addresses=192.168.1.254 to-ports=3389
add action=src-nat chain=srcnat comment="Route traffic via 72.xxx.xxx.120" \
src-address=192.168.1.153 to-addresses=72.xxx.xxx.120
add action=src-nat chain=srcnat out-interface=WAN src-address=192.168.1.154 \
to-addresses=72.xxx.xxx.121
add action=src-nat chain=srcnat out-interface=WAN src-address=192.168.1.5 \
to-addresses=72.xxx.xxx.121
add action=src-nat chain=srcnat comment=server1 out-interface=WAN \
src-address=192.168.1.3 to-addresses=72.xxx.xxx.123
add action=src-nat chain=srcnat comment=server2 out-interface=WAN \
src-address=192.168.1.4 to-addresses=72.xxx.xxx.122
add action=src-nat chain=srcnat comment="Route traffic via 72.xxx.xxx.121" \
disabled=yes src-address=192.168.1.154 to-addresses=72.xxx.xxx.122
add action=src-nat chain=srcnat disabled=yes protocol=tcp src-address=\
192.168.1.254 to-addresses=72.xxx.xxx.121
add action=dst-nat chain=dstnat dst-address=72.xxx.xxx.122 dst-port=443 \
in-interface=WAN protocol=tcp to-addresses=192.168.1.4 to-ports=443
add action=dst-nat chain=dstnat dst-address=72.xxx.xxx.122 dst-port=80 \
in-interface=WAN protocol=tcp to-addresses=192.168.1.4 to-ports=80
add action=dst-nat chain=dstnat dst-address=72.xxx.xxx.122 dst-port=53 \
in-interface=WAN protocol=tcp to-addresses=192.168.1.4 to-ports=53
add action=dst-nat chain=dstnat dst-address=72.xxx.xxx.122 dst-port=143 \
in-interface=WAN protocol=tcp to-addresses=192.168.1.4 to-ports=143
add action=dst-nat chain=dstnat dst-address=72.xxx.xxx.122 dst-port=110 \
in-interface=WAN protocol=tcp to-addresses=192.168.1.4 to-ports=110
add action=dst-nat chain=dstnat dst-address=72.xxx.xxx.122 dst-port=25 \
in-interface=WAN protocol=tcp to-addresses=192.168.1.4 to-ports=25
add action=dst-nat chain=dstnat dst-address=72.xxx.xxx.123 dst-port=80 \
in-interface=WAN protocol=tcp to-addresses=192.168.1.3 to-ports=80
add action=dst-nat chain=dstnat dst-address=72.xxx.xxx.123 dst-port=443 \
in-interface=WAN protocol=tcp to-addresses=192.168.1.3 to-ports=443
add action=dst-nat chain=dstnat dst-address=72.xxx.xxx.123 dst-port=53 \
in-interface=WAN protocol=tcp to-addresses=192.168.1.3 to-ports=53
add action=dst-nat chain=dstnat dst-address=72.xxx.xxx.121 dst-port=80 \
in-interface=WAN protocol=tcp to-addresses=192.168.1.5 to-ports=80
add action=dst-nat chain=dstnat dst-address=72.xxx.xxx.121 dst-port=443 \
in-interface=WAN protocol=tcp to-addresses=192.168.1.5 to-ports=443
add action=masquerade chain=srcnat comment="defconf: masquerade" \
out-interface=WAN
/ip route
add distance=1 gateway=72.xxx.xxx.119
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=bridge
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=bridge
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Mikrotik Multi-NAT problem

Fri Feb 24, 2017 4:56 pm

I don't see any such error in your config.

Only these rules are useless when you dstnat the same ports to internal servers:
/ip firewall filter
add action=accept chain=input comment=RDP dst-address=72.xxx.xxx.121 dst-port=80,443 in-interface=WAN protocol=tcp
add action=accept chain=input comment=server2 dst-address=72.xxx.xxx.122 dst-port=25,110,143,53,80,443 in-interface=WAN protocol=tcp
add action=accept chain=input comment="server2 UDP" dst-address=72.xxx.xxx.122 dst-port=53 in-interface=WAN protocol=udp
add action=accept chain=input dst-address=72.xxx.xxx.123 dst-port=53 in-interface=WAN protocol=udp
add action=accept chain=input comment=server1 dst-address=72.xxx.xxx.123 dst-port=53,80,443 in-interface=WAN protocol=tcp
But they can't hurt anything, except taking up space.
 
koko
just joined
Topic Author
Posts: 2
Joined: Wed Feb 22, 2017 7:29 pm

Re: Mikrotik Multi-NAT problem

Sun Mar 05, 2017 7:58 am

Still can't figure it out. Tried downgrading firmware, but that had no effect.
Everything seems to work as it should, but intermittently I can't ping or access web servers on my network from the Internet.
 
dgnevans
Member
Posts: 469
Joined: Fri Mar 08, 2013 11:24 am
Location: Zimbabwe

Re: Mikrotik Multi-NAT problem

Sun Mar 05, 2017 6:20 pm

If I look at your NAT, this is how I would do it.
/ip firewall nat
add action=src-nat chain=srcnat comment=Web_Server1 out-interface=WAN src-address=192.168.1.5 to-addresses=72.xxx.xxx.121
add action=src-nat chain=srcnat comment=Mail_Server out-interface=WAN src-address=192.168.1.4 to-addresses=72.xxx.xxx.122
add action=src-nat chain=srcnat comment=Web_Server2 out-interface=WAN src-address=192.168.1.3 to-addresses=72.xxx.xxx.123
add action=masquerade chain=srcnat src-address=172.17.0.0/16 dst-address=0.0.0.0/0 comment="defconf: masquerade" out-interface=WAN
add action=dst-nat chain=dstnat dst-address=72.xxx.xxx.121 in-interface=WAN to-addresses=192.168.1.5
add action=dst-nat chain=dstnat dst-address=72.xxx.xxx.122 in-interface=WAN to-addresses=192.168.1.4
add action=dst-nat chain=dstnat dst-address=72.xxx.xxx.123 in-interface=WAN to-addresses=192.168.1.3
add action=dst-nat chain=dstnat dst-address=72.xxx.xxx.120 dst-port=3389 protocol=tcp to-addresses=192.168.1.254 to-ports=3389
Now, obviously, not knowing exactly how it is working on the Netgear, there may be some changes. This is also very simple; you can stipulate each port to each end device if you prefer.
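Sob's point above (the per-port accept rules in chain=input are dead, because a connection that has been dst-nat'ed is handled in chain=forward, never in input) and dgnevans' one-dst-nat-rule-per-public-IP layout fit together as follows. This is an added example, not configuration posted by either of them or shipped with RouterOS: a full 1:1 mapping for the three servers, with the set of reachable ports enforced in the forward chain so that a blanket dst-nat does not expose every port a server happens to be listening on (RDP, SSH, a database, and so on). It reuses the public and private addresses and the port lists from the original post; the address-list names, comments and log prefix are assumptions, and the catch-all masquerade is written for the LAN actually used in the thread, 192.168.1.0/24.

```routeros
# Added example (not from the thread). Public IPs and LAN hosts are the ones
# koko posted; list names, comments and the log prefix are assumed.
/ip firewall address-list
add list=srv-web1 address=192.168.1.5
add list=srv-mail address=192.168.1.4
add list=srv-web2 address=192.168.1.3

/ip firewall nat
# Outbound: each server leaves on its own public IP. srcnat is first-match,
# so these three must sit above the catch-all masquerade.
add chain=srcnat out-interface=WAN src-address=192.168.1.5 action=src-nat \
    to-addresses=72.xxx.xxx.121 comment="web1 out via .121"
add chain=srcnat out-interface=WAN src-address=192.168.1.4 action=src-nat \
    to-addresses=72.xxx.xxx.122 comment="mail out via .122"
add chain=srcnat out-interface=WAN src-address=192.168.1.3 action=src-nat \
    to-addresses=72.xxx.xxx.123 comment="web2 out via .123"
add chain=srcnat out-interface=WAN src-address=192.168.1.0/24 \
    action=masquerade comment="everything else out via .120 (primary WAN address)"
# Inbound: one rule per public IP, no protocol/port, i.e. dgnevans' shape.
# Every packet to .121/.122/.123 (ICMP included) is now forwarded to the server.
add chain=dstnat in-interface=WAN dst-address=72.xxx.xxx.121 action=dst-nat \
    to-addresses=192.168.1.5 comment="web1 in"
add chain=dstnat in-interface=WAN dst-address=72.xxx.xxx.122 action=dst-nat \
    to-addresses=192.168.1.4 comment="mail in"
add chain=dstnat in-interface=WAN dst-address=72.xxx.xxx.123 action=dst-nat \
    to-addresses=192.168.1.3 comment="web2 in"

/ip firewall filter
# Complete forward chain, in order. The defconf rules are kept; the per-server
# accepts go between "drop invalid" and the final drop. dst-nat happened in
# prerouting, so dst-address-list matches the *internal* address here.
add chain=forward action=fasttrack-connection connection-state=established,related \
    comment="defconf: fasttrack"
add chain=forward action=accept connection-state=established,related \
    comment="defconf: accept established,related"
add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=forward action=accept in-interface=WAN connection-state=new \
    connection-nat-state=dstnat dst-address-list=srv-web1 protocol=tcp dst-port=80,443 \
    comment="web1: http/https only"
add chain=forward action=accept in-interface=WAN connection-state=new \
    connection-nat-state=dstnat dst-address-list=srv-mail protocol=tcp dst-port=25,110,143,53,80,443 \
    comment="mail: smtp/pop3/imap/dns/http"
add chain=forward action=accept in-interface=WAN connection-state=new \
    connection-nat-state=dstnat dst-address-list=srv-mail protocol=udp dst-port=53 \
    comment="mail: dns udp"
add chain=forward action=accept in-interface=WAN connection-state=new \
    connection-nat-state=dstnat dst-address-list=srv-web2 protocol=tcp dst-port=53,80,443 \
    comment="web2: dns/http/https"
add chain=forward action=accept in-interface=WAN connection-state=new \
    connection-nat-state=dstnat dst-address-list=srv-web2 protocol=udp dst-port=53 \
    comment="web2: dns udp"
# Ping to .121-.123 is dst-nat'ed as well, so it is the server that answers.
add chain=forward action=accept in-interface=WAN connection-nat-state=dstnat \
    protocol=icmp comment="allow ping to the mapped IPs"
# Anything else arriving from WAN: log what was dst-nat'ed but not on a list,
# then drop all new WAN connections (this subsumes "drop all from WAN not DSTNATed").
add chain=forward action=log in-interface=WAN connection-state=new \
    connection-nat-state=dstnat log-prefix="dstnat-denied: "
add chain=forward action=drop in-interface=WAN connection-state=new \
    comment="drop every other new connection from WAN"

# Checks from the router terminal:
#   /ip firewall filter print stats where chain=forward    (which rules match)
#   /log print where message~"dstnat-denied"               (ports refused per server)
```

Order matters in both chains: srcnat and filter are first-match, so the three src-nat rules must precede the masquerade, and the per-server accepts must precede the final drop. The logged rule is the practical difference from the bare one-rule-per-IP version: without the forward-chain allowlist, the "drop all from WAN not DSTNATed" rule lets every port of a mapped server through, since all of that traffic is dst-nat'ed.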
 
tonyxing
just joined
Posts: 9
Joined: Mon Mar 06, 2017 4:33 am

Re: Mikrotik Multi-NAT problem

Mon Mar 06, 2017 4:35 am

Try using mangle first.
 
dgnevans
Member
Posts: 469
Joined: Fri Mar 08, 2013 11:24 am
Location: Zimbabwe

Re: Mikrotik Multi-NAT problem

Mon Mar 06, 2017 12:39 pm

I wouldn't use mangle unless there are specific requirements. As this is a very simple forwarding of 1 external IP to 1 internal server, there should be no need for mangle, and that would use resources that are not required. Rather keep it simple.
