Goozomba
just joined
Topic Author
Posts: 1
Joined: Mon Apr 16, 2018 5:26 pm

Double NAT port forwarding

Mon Apr 16, 2018 5:43 pm

Hello!

I'm trying to configure port forwarding for double NAT with no success. I can see incoming packets (WAN -> internal server), but no internal server -> WAN packets are received on the WAN side.

WAN device is a Mikrotik SXT LTE and it cannot be configured as a bridge (LTE->Ethernet, due to modem limitations), so it's used as a router with DMZ to my router, a Mikrotik RB3011 (the 3011 is used for some heavy CPU tasks: VPN, etc.).

I'm trying to get the following to work:
LTE WAN on SXT -> DMZ -> RB3011 -> Home web server

I have two rules on SXT (first NAT / router):

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=lte1
add action=dst-nat chain=dstnat dst-address-type="" in-interface=lte1 to-addresses=192.168.88.253

and two rules on RB3011 (second NAT / router):
/ip firewall nat
add action=masquerade chain=srcnat comment="WAN nat" out-interface=WAN
add action=dst-nat chain=dstnat comment="DMZ forward" dst-address-type="" to-addresses=192.168.1.101 to-ports=80

I've checked port 80 with Wireshark and can see packets incoming from WAN to my internal 192.168.1.101 IP, and that 192.168.1.101 responds correctly to the WAN packets, but the responses are not getting transmitted to the WAN client.

I expect something is wrong with srcnat inside Router 1 (SXT LTE) or Router 2 (RB3011).

Can you please help, or provide some information on what else can be checked?

Thank you.
 
anavds
newbie
Posts: 38
Joined: Wed Apr 04, 2018 2:47 pm

Re: Double NAT port forwarding

Thu Apr 26, 2018 8:44 pm

Double NAT as I know it is a case of where one has a router and cannot avoid having a secondary router between the internet and the server.
Double NAT also assumes you have the ability to program both routers.

Basically in the first router, you port forward the traffic such that the destination address is a LANIP on the network.
In this case the LANIP identified just so happens to be the LANIP of the secondary router (from the primary router perspective).

From the secondary Router perspective, this IP is its WANIP.
On the secondary router, one port forwards the traffic to the destination IP address on the different LAN behind the second router.

Easy to do on many routers, but I can sympathize that it is daunting when thinking about this on the Mikrotik side.....................
I would note it's nuts to have a home server on port 80. Does the application not let you choose which port?
Opening up port 80 on your external facing router is not usually recommended.
I hope your server has security protocols in place and that you can limit the users who can gain access on the port forwarding!!!

Assuming everything else is set up right,
it would appear you need a dstnat rule for each router.

Primary - chain = dstnat
/ip firewall nat
add action=dst-nat chain=dstnat in-interface=<WAN> dst-port=80 protocol=tcp to-addresses=192.168.88.253 src-address-list="Allowed_Users"

Secondary - chain = dstnat
/ip firewall nat
add action=dst-nat chain=dstnat in-interface=<WAN> dst-port=80 protocol=tcp to-addresses=192.168.1.101

Personally, if I didn't need to run port 80 on the server I would change it......
However, if you can't, I would get users to come in on a non-standard port, solely to be less confusing for both routers in terms of not being standard internet port use.

Just for fun........
Come in on 45000 first router and translate to 55000 ( so end users would use port 45000, such as dyndns name: "MYHOMESERVER":45000 )
Come in on 55000 on the second router and translate to 80.
 
neu
newbie
Posts: 36
Joined: Sat Apr 07, 2018 9:58 pm

Re: Double NAT port forwarding

Thu Apr 26, 2018 9:57 pm

add action=dst-nat chain=dstnat comment="DMZ forward" dst-address-type="" to-addresses=192.168.1.101 to-ports=80
In the above line of code you have specified neither in-interface nor WAN IP address.

My working NAT configuration is:
 /ip firewall nat add action=dst-nat chain=dstnat comment="web server" dst-address=24.84.x.x \
    dst-port=80 protocol=tcp to-addresses=192.168.1.3 to-ports=80 
Here 24.84.x.x is WAN side Public IP address.

Alternatively
 /ip firewall nat add action=dst-nat chain=dstnat comment="web server" in-interface=ether1 \
    dst-port=80 protocol=tcp to-addresses=192.168.1.3 to-ports=80 
Here ether1 is my WAN interface.
neuCRM (http://neucrm.com) is full featured ISP Billing CRM software package for Mikrotik RouterOS.
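As an added illustration of the double-NAT flow anavds describes above (first router dst-nats to the second router's WAN address, second router dst-nats on to the server, with the reply un-translated on the way back) and of neu's point that a dst-nat rule with no in-interface, dst-address or dst-port matcher matches every new connection, here is a small Python model of two chained RouterOS-style routers. It is not RouterOS code or anything from the thread; the interface names, the 100.64.0.5 LTE address and the 203.0.113.9 / 198.51.100.20 internet hosts are constructed, and rule matching is reduced to the few matchers the thread uses.

```python
"""Toy model of two chained NAT routers (dstnat before routing, srcnat after),
with connection tracking so replies are un-translated. Constructed example;
all addresses and interface names are made up."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def reverse(p: Packet) -> Packet:
    """The 5-tuple of the reply packet for p."""
    return Packet(p.proto, p.dst, p.dport, p.src, p.sport)


@dataclass
class NatRule:
    chain: str                          # "dstnat" or "srcnat"
    action: str                         # "dst-nat" or "masquerade"
    in_interface: Optional[str] = None
    out_interface: Optional[str] = None
    protocol: Optional[str] = None
    dst_port: Optional[int] = None
    to_address: Optional[str] = None
    to_port: Optional[int] = None

    def matches(self, p: Packet, in_if: str, out_if: str) -> bool:
        # An unset matcher matches everything: a rule with none set catches all flows
        return ((self.in_interface is None or self.in_interface == in_if)
                and (self.out_interface is None or self.out_interface == out_if)
                and (self.protocol is None or self.protocol == p.proto)
                and (self.dst_port is None or self.dst_port == p.dport))


class Router:
    def __init__(self, name, interfaces, rules):
        # interfaces: {name: (router's own address, subnet or None for the default/WAN side)}
        self.name, self.interfaces, self.rules = name, interfaces, rules
        self.conntrack: dict = {}

    def egress(self, dst: str) -> str:
        for name, (_, net) in self.interfaces.items():
            if net and ip_address(dst) in ip_network(net):
                return name
        return next(n for n, (_, net) in self.interfaces.items() if net is None)

    def forward(self, p: Packet, in_if: str):
        """Return (packet as emitted, egress interface)."""
        if p in self.conntrack:                      # established flow: replay the stored translation
            t = self.conntrack[p]
            return t, self.egress(t.dst)
        new = p
        for r in self.rules:                         # dstnat chain, before the routing decision
            if r.chain == "dstnat" and r.matches(new, in_if, ""):
                new = replace(new, dst=r.to_address, dport=r.to_port or new.dport)
                break
        out_if = self.egress(new.dst)
        for r in self.rules:                         # srcnat chain, after routing
            if r.chain == "srcnat" and r.matches(new, in_if, out_if):
                new = replace(new, src=self.interfaces[out_if][0])
                break
        self.conntrack[p] = new                      # forward direction
        self.conntrack[reverse(new)] = reverse(p)    # reply gets the original addresses back
        return new, out_if


def build_chain(restricted: bool):
    """Router 1 (LTE, like the SXT) in front of router 2 (like the RB3011).
    restricted=True adds in-interface/protocol/dst-port matchers to the dst-nat rules."""
    r1 = Router("router1", {"lte1": ("100.64.0.5", None), "lan": ("192.168.88.1", "192.168.88.0/24")}, [
        NatRule("dstnat", "dst-nat", in_interface="lte1", protocol="tcp", dst_port=80,
                to_address="192.168.88.253") if restricted else
        NatRule("dstnat", "dst-nat", to_address="192.168.88.253"),
        NatRule("srcnat", "masquerade", out_interface="lte1")])
    r2 = Router("router2", {"WAN": ("192.168.88.253", None), "lan": ("192.168.1.1", "192.168.1.0/24")}, [
        NatRule("dstnat", "dst-nat", in_interface="WAN", protocol="tcp", dst_port=80,
                to_address="192.168.1.101", to_port=80) if restricted else
        NatRule("dstnat", "dst-nat", to_address="192.168.1.101", to_port=80),
        NatRule("srcnat", "masquerade", out_interface="WAN")])
    return r1, r2


def inbound_and_reply(restricted: bool):
    """Internet client -> router1 -> router2 -> web server, then the server's reply back out.
    Returns (packet delivered to the server, reply as it leaves router1, its egress interface)."""
    r1, r2 = build_chain(restricted)
    client = Packet("tcp", "203.0.113.9", 40000, "100.64.0.5", 80)
    p1, _ = r1.forward(client, "lte1")
    p2, _ = r2.forward(p1, "WAN")
    b1, _ = r2.forward(reverse(p2), "lan")
    b2, out_if = r1.forward(b1, "lan")
    return p2, b2, out_if


def lan_host_browsing(restricted: bool):
    """A LAN host behind router2 opens an HTTPS connection to an internet host."""
    r1, r2 = build_chain(restricted)
    p = Packet("tcp", "192.168.1.50", 50000, "198.51.100.20", 443)
    p2, out_if = r2.forward(p, "lan")
    if out_if != "WAN":                              # hijacked by the catch-all dst-nat rule
        return p2.dst, p2.dport, "stays inside"
    p1, out_if = r1.forward(p2, "lan")
    return p1.dst, p1.dport, out_if


if __name__ == "__main__":
    print("inbound, restricted  :", inbound_and_reply(True))
    print("LAN browsing, tight  :", lan_host_browsing(True))
    print("LAN browsing, loose  :", lan_host_browsing(False))
```

Both variants deliver the inbound connection to 192.168.1.101:80 and return the reply with the LTE address as source, which is the double-NAT path anavds describes. The difference shows up on the LAN side: with the catch-all rule, a LAN host's outbound HTTPS connection is rewritten to 192.168.1.101:80 and never leaves router2, which is why the dst-nat rule should carry in-interface (or dst-address), protocol and dst-port matchers as in neu's working rules.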
 
anavds
newbie
Posts: 38
Joined: Wed Apr 04, 2018 2:47 pm

Re: Double NAT port forwarding

Thu Apr 26, 2018 10:03 pm

Hi neu, what is the difference in terms of naming your WAN IP in your first example, versus simply stating in-interface=ether1 as you did in the second rule?
Both are specific (not the generic in-interface list WAN).

The only reason I can think of is that it's a dynamically changing public IP address and thus the second rule is much better?
 
Spides
just joined
Posts: 1
Joined: Sat May 16, 2020 11:56 pm

Re: Double NAT port forwarding

Sun May 17, 2020 12:04 am

Hello,

I found this forum and was trying to apply what I saw in it without success.
I have a dual NAT happening with a MikroTik (v6.34) and an Asus RT-AC66U.

I am not as familiar with MikroTik. I'm looking to either disable the DHCP from the MikroTik
or place the Asus into a DMZ. I followed the NAT rules that were outlined in the forum,
replacing the IP addresses with the ones I have. It kept disabling my internet, so I disabled the rule.

I've included pictures below of what is happening and what I hope to achieve.
Thank you for any help in advance.
Artboard 1-100.jpg
Artboard 1.1-100.jpg
 
anav
Forum Guru
Posts: 5660
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Double NAT port forwarding

Sun May 17, 2020 4:15 pm

You are proposing a solution without explaining the use cases.
The use cases will logically determine the setup of the system.

For example, the modem and the two routers don't come into play yet.
What is it that you need the network for?
a. groups of users (home, guest, smart devices, servers etc.....)
b. needs of each group
c. limitations you want to put on each group
d. way of connectivity for groups, wired, wifi etc....
e. common access to devices (ie printer)??

Given the above information, any other equipment in the mix (access points, managed switches) is also handy to know.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
