DeamonMV
just joined
Topic Author
Posts: 18
Joined: Thu May 28, 2015 8:58 pm
Location: Ukraine Kharkov

If I use "src-nat" I cannot ping external (internet) resources

Fri May 10, 2019 4:57 pm

Hello.

I have a MikroTik router on which a few public IPs are assigned.
For that reason I'm using "src-nat" instead of masquerade, because I need to separate which users go out through which public IP.


My rules

/ip firewall nat
add action=src-nat chain=srcnat disabled=no \
    out-interface=ether1-gateway protocol=tcp to-addresses=3x.xx.xx.xx \
    to-ports=0-65535
add action=src-nat chain=srcnat disabled=no \
    out-interface=ether1-gateway protocol=udp to-addresses=3x.xx.xx.xx \
    to-ports=0-65535

protocol=icmp is not allowed.

How can I make ping to internet resources work in cases with src-nat?
 
pe1chl
Forum Guru
Posts: 5291
Joined: Mon Jun 08, 2015 12:09 pm

Re: If I use "src-nat" I cannot ping external (internet) resources

Fri May 10, 2019 5:17 pm

Ping uses the ICMP protocol, so when you do not allow ICMP you will not be able to ping.
 
DeamonMV
just joined
Topic Author
Posts: 18
Joined: Thu May 28, 2015 8:58 pm
Location: Ukraine Kharkov

Re: If I use "src-nat" I cannot ping external (internet) resources

Sat May 11, 2019 8:05 pm

I do not have any restriction for ICMP.
If I change src-nat to masquerade, pings start working.
 
Sob
Forum Guru
Posts: 4158
Joined: Mon Apr 20, 2009 9:11 pm

Re: If I use "src-nat" I cannot ping external (internet) resources

Sat May 11, 2019 8:49 pm

It doesn't make sense. If there's icmp ping, then neither of these two rules with protocol=tcp/udp will touch it, no matter what other options they have. There must be something else.
 
AminYounessi
Trainer
Posts: 51
Joined: Wed Nov 23, 2016 7:39 am

Re: If I use "src-nat" I cannot ping external (internet) resources

Tue May 14, 2019 9:35 am

> Hello.
>
> I have a MikroTik router on which a few public IPs are assigned.
> For that reason I'm using "src-nat" instead of masquerade, because I need to separate which users go out through which public IP.
>
> My rules
>
> /ip firewall nat
> add action=src-nat chain=srcnat disabled=no \
>     out-interface=ether1-gateway protocol=tcp to-addresses=3x.xx.xx.xx \
>     to-ports=0-65535
> add action=src-nat chain=srcnat disabled=no \
>     out-interface=ether1-gateway protocol=udp to-addresses=3x.xx.xx.xx \
>     to-ports=0-65535
>
> protocol=icmp is not allowed.
>
> How can I make ping to internet resources work in cases with src-nat?

Hi,

Of course you can open ping and maybe traceroute to addresses on the internet. If you specify the protocol (tcp or udp, for example) in the NAT rule, your ping traffic is discarded there, and it means you wrote some rules that do not include ICMP traffic. But you can add an extra rule to your firewall NAT table and let your router do the src-nat process for just ping and traceroute traffic. As you might know, ICMP is a protocol with many types (ping is one of the ICMP protocol types); if you google ICMP protocol types, you can find the types.
In the NAT table you need to add another rule and specify protocol:icmp in the General tab, then you need to go to the Advanced tab, choose the ICMP option and choose which ICMP type and code you want.
 
mkx
Forum Guru
Posts: 2309
Joined: Thu Mar 03, 2016 10:23 pm

Re: If I use "src-nat" I cannot ping external (internet) resources

Tue May 14, 2019 3:31 pm

> In the NAT table you need to add another rule and specify protocol:icmp in the General tab, then you need to go to the Advanced tab, choose the ICMP option and choose which ICMP type and code you want.

Or, if you don't have a good reason to only src-nat some particular protocols, create a src-nat rule without referring to the protocol type and ditch the rest.

/ip firewall nat
add action=src-nat chain=srcnat out-interface=ether1-gateway to-addresses=3x.xx.xx.xx/yy
BR,
Metod
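The two fixes proposed above (AminYounessi's extra protocol=icmp rule, mkx's single rule with no protocol match) both follow from how the srcnat chain is evaluated: rules are walked top-down, the first match translates the source, and a packet nothing matches leaves the WAN side with its private address and gets no reply. The following Python model, written for this thread and not RouterOS code or anything posted in it, runs the original tcp/udp rule set and both fixes over a constructed tcp, udp and ICMP echo-request packet to show which protocols stay untranslated. The public IP, LAN host, destination address and the `icmp_options` tuple are constructed stand-ins (the thread redacts the real address as 3x.xx.xx.xx); connection tracking of replies is not modelled.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample values: documentation-range addresses stand in for the
# thread's redacted public IP and for an arbitrary internet host.
PUBLIC_IP = "203.0.113.10"
LAN_HOST = "192.168.88.10"
INTERNET_HOST = "198.51.100.7"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str                      # "tcp", "udp" or "icmp"
    out_interface: str
    icmp_type: Optional[int] = None    # only meaningful for icmp (8 = echo request)
    icmp_code: Optional[int] = None


@dataclass(frozen=True)
class SrcNatRule:
    """One srcnat-chain rule; an unset matcher matches anything, as in RouterOS."""
    to_address: str
    out_interface: Optional[str] = None
    protocol: Optional[str] = None
    icmp_options: Optional[Tuple[int, int]] = None   # (type, code) restriction

    def matches(self, pkt: Packet) -> bool:
        if self.out_interface is not None and pkt.out_interface != self.out_interface:
            return False
        if self.protocol is not None and pkt.protocol != self.protocol:
            return False
        if self.icmp_options is not None and (pkt.icmp_type, pkt.icmp_code) != self.icmp_options:
            return False
        return True


def apply_srcnat(rules: List[SrcNatRule], pkt: Packet) -> str:
    """Walk the chain top-down; the first matching rule rewrites the source.
    A packet no rule matches keeps its original (private) source address."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.to_address
    return pkt.src


# Rule sets constructed to mirror the thread
ORIGINAL_RULES = [
    SrcNatRule(PUBLIC_IP, out_interface="ether1-gateway", protocol="tcp"),
    SrcNatRule(PUBLIC_IP, out_interface="ether1-gateway", protocol="udp"),
]
# Fix 1: an extra ICMP rule, here restricted to echo request (type 8, code 0)
WITH_ICMP_RULE = ORIGINAL_RULES + [
    SrcNatRule(PUBLIC_IP, out_interface="ether1-gateway", protocol="icmp", icmp_options=(8, 0)),
]
# Fix 2: a single rule that does not look at the protocol at all
PROTOCOL_AGNOSTIC = [SrcNatRule(PUBLIC_IP, out_interface="ether1-gateway")]

SAMPLE_PACKETS = [
    Packet(LAN_HOST, INTERNET_HOST, "tcp", "ether1-gateway"),
    Packet(LAN_HOST, INTERNET_HOST, "udp", "ether1-gateway"),
    Packet(LAN_HOST, INTERNET_HOST, "icmp", "ether1-gateway", icmp_type=8, icmp_code=0),
]


def untranslated(rules: List[SrcNatRule], packets: List[Packet]) -> List[str]:
    """Protocols that would leave the WAN interface with a private source."""
    return [p.protocol for p in packets if apply_srcnat(rules, p) == p.src]


if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL_RULES),
                        ("with icmp rule", WITH_ICMP_RULE),
                        ("protocol-agnostic", PROTOCOL_AGNOSTIC)):
        print(f"{name:18}: untranslated = {untranslated(rules, SAMPLE_PACKETS)}")
```

With the original two rules only the ICMP packet is left untranslated, which is exactly the symptom in the first post; either fix clears the list. The echo-request restriction in fix 1 illustrates AminYounessi's type/code suggestion, but note that an ICMP rule limited to type 8 would still leave other outbound ICMP (traceroute probes, for instance) untranslated, which is why mkx's protocol-agnostic rule is the simpler choice when there is no reason to treat protocols differently.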
 
anav
Forum Guru
Posts: 2734
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: If I use "src-nat" I cannot ping external (internet) resources

Tue May 14, 2019 5:17 pm

Exactly what I was going to suggest. See, great minds do think alike! ;-)
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
