ehbowen
Frequent Visitor
Topic Author
Posts: 78
Joined: Tue Sep 05, 2017 6:13 am
Location: Houston, Texas

Need to get outgoing IP addresses to match

Thu Apr 26, 2018 6:50 am

I have to admit, I'm still new at this. I've had an email server set up at home for a few years now, but I've always had difficulty getting it to send email and have it delivered unless I use a third-party service such as No-IP. I now have business class service, I've got port 25 unblocked, and I have a block of 5 static IPs for my two servers. However, my main base address is still dynamically allocated by AT&T U-Verse. In my most recent email test two of the emails did go through to Yahoo and Gmail, but upon reading the headers I noticed that the "sent-from" address was my dynamic base address and not the static IP addresses which have a reverse DNS record pointing back to my servers' FQDNs. So what it looks like I need is a rule which will tell my router (an hAP-AC) to make sure that all outgoing traffic (especially from port 25) on these two servers originates from the corresponding static IP of the server and not the dynamic IP of the base address. I'm sure it's extremely simple and if I only knew what search terms to use I could find it in five seconds. As it is...I'm asking for help!
 
solar77
Long time Member
Posts: 586
Joined: Thu Feb 04, 2016 11:42 am
Location: Scotland

Re: Need to get outgoing IP addresses to match  [SOLVED]

Thu Apr 26, 2018 11:48 am

You need src NAT:
/ip firewall nat
add chain=srcnat action=src-nat to-addresses=currect_Public_IP src-address=IP_of_email_server
Place this above your masquerade rule in NAT.
 
ehbowen
Frequent Visitor
Topic Author
Posts: 78
Joined: Tue Sep 05, 2017 6:13 am
Location: Houston, Texas

Re: Need to get outgoing IP addresses to match

Thu Apr 26, 2018 4:02 pm

Thanks; that was just what I needed!
 
anavds
newbie
Posts: 36
Joined: Wed Apr 04, 2018 2:47 pm

Re: Need to get outgoing IP addresses to match

Thu Apr 26, 2018 4:15 pm

> You need src NAT:
> /ip firewall nat
> add chain=srcnat action=src-nat to-addresses=currect_Public_IP src-address=IP_of_email_server
> Place this above your masquerade rule in NAT.

Hi Solar, I am still reading the other post, but I see a similar item that is nagging me and specifically the use of to-addresses:

I am not in front of a hex at the moment and thus trying to imagine making the rule.
I understand source and destination and Interfaces in out, but where the heck is TO??????? (purpose, use and differentiation from the other typical directional items)?
 
solar77
Long time Member
Posts: 586
Joined: Thu Feb 04, 2016 11:42 am
Location: Scotland

Re: Need to get outgoing IP addresses to match

Thu Apr 26, 2018 4:57 pm

> > You need src NAT:
> > /ip firewall nat
> > add chain=srcnat action=src-nat to-addresses=currect_Public_IP src-address=IP_of_email_server
> > Place this above your masquerade rule in NAT.
>
> Hi Solar, I am still reading the other post, but I see a similar item that is nagging me and specifically the use of to-addresses:
>
> I am not in front of a hex at the moment and thus trying to imagine making the rule.
> I understand source and destination and Interfaces in out, but where the heck is TO??????? (purpose, use and differentiation from the other typical directional items)?

My simple, non-technical understanding is that the action src-nat changes the source IP address; you can specify exactly what the IP is by using to-address.
If you use action=masquerade, it means change the source IP to the IP assigned to the out-interface, which is what you normally need to NAT your internet access through the WAN interface in a standard single-WAN network.

Dst-nat is to change the destination IP address; again, you specify what you want to change it to by using to-address. A typical use of this is port forwarding, so traffic heading to your WAN IP address is then changed to your LAN IP so it knows where to go.

Hope this helps.
 
anavds
newbie
Posts: 36
Joined: Wed Apr 04, 2018 2:47 pm

Re: Need to get outgoing IP addresses to match

Thu Apr 26, 2018 5:14 pm

Hi Solar,
Hmmmmmmmmm
SourceNAT ensuring LAN traffic is tagged when leaving the WAN so it's recognized and allowed back in through same WAN and to the source LAN
DestinationNAT ensured unsolicited traffic with pre-identified ports and a private LANIP destination (both identified in rule) and even better, an allowable external IP, gets to the server etc....

Thus, masquerade selection is a default type of rule that has limitations?
If one has two WANs, why does the masquerade rule not track which WAN was used on the way out and thus can come back on?
Why the need to identify the specific public IP?
Routing rules determine which WAN is used for the initial going external to the internet anyway!
What am I missing???

(What I meant about the TO is I don't recall seeing that as a selection in the webgui. I recall seeing address source/destination (or address lists) and interface in-out, but not TO.)
Where is the FROM: located (haha bad joke).

Okay seeing you post this elsewhere..............
add chain=srcnat action=masquerade out-interface=ether2

Why did you not say
add chain=srcnat action=srcnat to-publicIPofether2

I think you're mixed up LOL. srcnat is for identifying complexity on the LAN side not the WAN side. Routing is to be used for complexity on the WAN side!!!
 
solar77
Long time Member
Posts: 586
Joined: Thu Feb 04, 2016 11:42 am
Location: Scotland

Re: Need to get outgoing IP addresses to match

Thu Apr 26, 2018 10:04 pm

Hi anavds,

About action src-nat and masquerade, these two rules do the same thing for me:
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes out-interface=ether1
add action=src-nat chain=srcnat comment="alternative" to-addresses=192.168.1.30
My ether1 has IP address 192.168.1.30 assigned to it by DHCP client.
The first rule is standard usage; I get Internet access.
If I disable the first rule and enable the 2nd rule, I get Internet access.

Action masquerade is basically action src-nat, but masquerade has its "to-address" set to the address assigned to that out-interface. This is useful when this address could change, as in the case of a dynamic public IP address on home broadband.
https://wiki.mikrotik.com/wiki/Manual:I ... squerade_2
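
An added example, not part of the thread and not MikroTik code: a small Python model of first-match evaluation in the srcnat chain, showing why the mail server's src-nat rule has to sit above the masquerade rule and that masquerade behaves like src-nat to the out-interface's current address. All addresses are constructed documentation-range values, and `NatRule`, `translate` and `audit` are hypothetical names.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed sample addresses (documentation ranges), not values from the thread.
WAN_IFACE = "ether1"
IFACE_ADDR = {WAN_IFACE: "198.51.100.23"}  # dynamic base address on the WAN port
MAIL_LAN = "192.168.88.10"                 # mail server's private address
MAIL_PUBLIC = "203.0.113.10"               # static IP that carries the PTR record


@dataclass
class NatRule:
    action: str                          # "src-nat" or "masquerade"
    src_address: Optional[str] = None    # matcher; None matches any source
    out_interface: Optional[str] = None  # matcher; None matches any interface
    to_addresses: Optional[str] = None   # only used by src-nat

    def matches(self, src: str, out_iface: str) -> bool:
        if self.src_address and ip_address(src) not in ip_network(self.src_address):
            return False
        return self.out_interface in (None, out_iface)


def translate(rules, src, out_iface):
    """Return the source address a new connection leaves with (first match wins)."""
    for rule in rules:
        if not rule.matches(src, out_iface):
            continue
        if rule.action == "masquerade":
            return IFACE_ADDR[out_iface]  # whatever is on the out-interface now
        if rule.action == "src-nat":
            return rule.to_addresses      # the explicitly configured address
    return src                            # no rule matched: left untranslated


masq = NatRule("masquerade", out_interface=WAN_IFACE)
mail = NatRule("src-nat", src_address=MAIL_LAN, to_addresses=MAIL_PUBLIC)


def audit(rules):
    """Map each sample host to the public source address it would send from."""
    hosts = {"mail": MAIL_LAN, "laptop": "192.168.88.50"}
    return {name: translate(rules, ip, WAN_IFACE) for name, ip in hosts.items()}


if __name__ == "__main__":
    print("mail rule above masquerade:", audit([mail, masq]))
    print("mail rule below masquerade:", audit([masq, mail]))
```

With the mail rule below masquerade, the mail server leaves from the dynamic address, which is the header mismatch described in the first post.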
 
anavds
newbie
Posts: 36
Joined: Wed Apr 04, 2018 2:47 pm

Re: Need to get outgoing IP addresses to match

Thu Apr 26, 2018 10:33 pm

Okay it's sinking in LOL.
But this does not absolve the admin from ensuring proper routing out of the router. (tells the packets where to go when forwarded by the user).
The srcnat rules simply ensure return traffic is allowed in and will go back to the originator. (tells the packets that they will be given a specific IP address upon exiting the router and that the packets will be tracked such that return packets will be recognized and get back to the originator - it does NOT route the packets out of the router)
