Hello!
I'm trying to configure port forwarding for double NAT with no success. I can see incoming packets (WAN -> internal server), but no internal server -> WAN are received by WAN.
WAN device is Mikrotik SXT LTE and it cannot be configured as bridge (LTE->Ethernet due to modem limitations), so it's using as router with DMZ to my router Mikrotik RB3011 (3011 is used for some heavy CPU tasks: VPN, etc).
I'm trying to achieve following to work:
LTE WAN on SXT -> DMZ -> RB3011 -> Home web server
I have two rules on SXT (first NAT / router):
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=lte1
add action=dst-nat chain=dstnat dst-address-type="" in-interface=lte1 to-addresses=192.168.88.253
and two rules on RB3011 (second NAT / router):
/ip firewall nat
add action=masquerade chain=srcnat comment="WAN nat" out-interface=WAN
add action=dst-nat chain=dstnat comment="DMZ forward" dst-address-type="" to-addresses=192.168.1.101 to-ports=80
I've checked to port 80 with Wireshark and can see packets incoming from WAN to my internal 192.168.1.101 IP and that my 192.168.1.101 responds correctly to WAN packets, but they are not getting transmitted to WAN client.
I'm expecting something is wrong with srcnat inside Router 1 (SXT LTE) or Router 2 (RB3011).
Can you, please, help or provide some information what can be also checked?
Thank you.
Re: Double NAT port forwarding
Double NAT as I know it is a case of where one has a router and cannot avoid having a secondary router between the internet and the server.
Double NAT also assumes you have the ability to program both routers.
Basically in the first router, you port forward the traffic such that the destination address is a LANIP on the network.
In this case the LANIP identified just so happens to be the LANIP of the secondary router (from the primary router perspective).
From the secondary Router perspective, this IP is its WANIP.
On the secondary router, one port forwards the traffic to the destination IP address on the different LAN behind the second router.
Easy to do on many routers, but I can sympathize daunting when thinking about this on the Mikrotik side.....................
I would note its nuts to have a home server on port 80. Does the application not let you choose which port?
Opening up port 80 on your external facing router is not usually recommended.
I hope your server has security protocols in place and that you can limit the users who can gain access on the port forwarding!!!
Assuming everything else is setup right
It would appear you need a dsntnat rule for each router.
Primary - chain = dstnat
/ip firewall nat
1-add action=dst-nat chain=dstnat in-interface=<WAN> To-port=80 protocol=tcp To-192.168.88.253 src-address-list="Allowed_Users"
Secondary - chain = dstnat
/ip firewall nat
1-add action=dst-nat chain=dstnat in-interface=<WAN> To-port=80 protocol=tcp To-192.168.1.101
Personally, If didnt need to run port 80 on the server i would change it......
However if you cant, I would get users to come in on a non-standard port solely to be less confusing for both routers in terms of not being standard internet port use.
Just for fun........
Come in on 45000 first router and translate to 55000 ( so end users would use port 45000, such as dyndns name: "MYHOMESERVER":45000 )
Come in on 55,000 on second translate to 80.
Double NAT also assumes you have the ability to program both routers.
Basically in the first router, you port forward the traffic such that the destination address is a LANIP on the network.
In this case the LANIP identified just so happens to be the LANIP of the secondary router (from the primary router perspective).
From the secondary Router perspective, this IP is its WANIP.
On the secondary router, one port forwards the traffic to the destination IP address on the different LAN behind the second router.
Easy to do on many routers, but I can sympathize daunting when thinking about this on the Mikrotik side.....................
I would note its nuts to have a home server on port 80. Does the application not let you choose which port?
Opening up port 80 on your external facing router is not usually recommended.
I hope your server has security protocols in place and that you can limit the users who can gain access on the port forwarding!!!
Assuming everything else is setup right
It would appear you need a dsntnat rule for each router.
Primary - chain = dstnat
/ip firewall nat
1-add action=dst-nat chain=dstnat in-interface=<WAN> To-port=80 protocol=tcp To-192.168.88.253 src-address-list="Allowed_Users"
Secondary - chain = dstnat
/ip firewall nat
1-add action=dst-nat chain=dstnat in-interface=<WAN> To-port=80 protocol=tcp To-192.168.1.101
Personally, If didnt need to run port 80 on the server i would change it......
However if you cant, I would get users to come in on a non-standard port solely to be less confusing for both routers in terms of not being standard internet port use.
Just for fun........
Come in on 45000 first router and translate to 55000 ( so end users would use port 45000, such as dyndns name: "MYHOMESERVER":45000 )
Come in on 55,000 on second translate to 80.
Re: Double NAT port forwarding
Hi neu what is the difference in terms of naming your WANIP in your first example, vice simply stating as you did in the second rule in-interface ether1?
Both are specific (not the generic in-interface list WAN).
The only reason I can think of is that its a dynamically changing public IP address and thus the second rule is much better?
Both are specific (not the generic in-interface list WAN).
The only reason I can think of is that its a dynamically changing public IP address and thus the second rule is much better?
Re: Double NAT port forwarding
Hello,
I found this forum and was trying to apply what I saw in it without success.
I have a dual Nat happening with a Mikro Tik V6-34 and a Asus RT-AC66U.
I am not as familiar with Mikro Tik. I'm looking to either disable the DHCP from the Mikro Tik
or place the Asus into a DMZ. I followed the Nat rules that were outlined in the forum,
replacing the IP addresses that I have. I kept disabling my internet so i disabled the rule.
I've included pictures below of what is happening and what I hope to achieve.
thank you for any help in advance
I found this forum and was trying to apply what I saw in it without success.
I have a dual Nat happening with a Mikro Tik V6-34 and a Asus RT-AC66U.
I am not as familiar with Mikro Tik. I'm looking to either disable the DHCP from the Mikro Tik
or place the Asus into a DMZ. I followed the Nat rules that were outlined in the forum,
replacing the IP addresses that I have. I kept disabling my internet so i disabled the rule.
I've included pictures below of what is happening and what I hope to achieve.
thank you for any help in advance
You do not have the required permissions to view the files attached to this post.
Re: Double NAT port forwarding
You are supposing solution without explaining the use cases.
The use cases will logically determine the setup of the system.
For example the modem and the two routers dont come into play yet.
What is that you need the network for.
a. groups of users (home, guest, smart devices, servers etc.....)
b. needs of each group
c. limitations you want to put on each group
d. way of connectivity for groups, wired, wifi etc....
e. common access to devices (ie printer)??
Given the above information and any other equipment in the mix ----- access points, managed switches also handy to know.
The use cases will logically determine the setup of the system.
For example the modem and the two routers dont come into play yet.
What is that you need the network for.
a. groups of users (home, guest, smart devices, servers etc.....)
b. needs of each group
c. limitations you want to put on each group
d. way of connectivity for groups, wired, wifi etc....
e. common access to devices (ie printer)??
Given the above information and any other equipment in the mix ----- access points, managed switches also handy to know.