resotat
Frequent Visitor
Topic Author
Posts: 79
Joined: Mon May 18, 2009 8:33 pm

Nating a global IP to a local IP

Wed Jun 09, 2010 11:17 pm

Hi

I have a 497AH
I have 6 static IPs from the telco.......152-157
I have ethernet 2 set as the Wan port with all addresses 152-157 listed on that port

I added 157 as the first IP entry on Ethernet 2 and it showed up in the route list as follows

Destination = x.x.x.157/29 ....gateway=blank ...gateway interface= blank...Interface=Ether2 distance=0....Routing Mark=blank...........Pref Source=x.x.x.157

None of the other IPs added to Ether2 showed up in the Route list.

I have Ethernet 1 set up with 10.100.123.21/19
All traffic from my network hits ethernet 1 and uses 10.100.123.21 as its gateway.

I am trying to pass one of my global IPs to a specific IP IE: 10.100.121.48

So I set dstnat and srcnat as instructed here

Destination NAT

If you want to link Public IP 10.5.8.200 address to Local one 192.168.0.109, you should use destination address translation feature of the MikroTik router. Also, if you want to allow the Local server to talk with the outside with the given Public IP, you should use source address translation, too.

Add Public IP to Public interface:

/ip address add address=10.5.8.200/32 interface=Public

Add rule allowing access to the internal server from external networks:

/ip firewall nat add chain=dstnat dst-address=10.5.8.200 action=dst-nat \
to-addresses=192.168.0.109

Add rule allowing the internal server to talk to the outer networks having its source address translated to 10.5.8.200:

/ip firewall nat add chain=srcnat src-address=192.168.0.109 action=src-nat \
to-addresses=10.5.8.200


ok so I did

step 1
/ip address add address=x.x.x.154/29 interface=Public

Step 2
/ip firewall nat add chain=dstnat dst-address=x.x.x.154 action=dst-nat \
to-addresses=10.100.121.48

Step 3
/ip firewall nat add chain=srcnat src-address=10.100.121.48 action=src-nat \
to-addresses=x.x.x.154


So what happens is when you are remoting into the host at 10.100.121.48 using the global of x.x.x.154 it goes in on that global address and hits the host, so the dstnat rule is working.

However, when the host does an IP check they do not get x.x.x.154, they get x.x.x.157, which as I stated above was the first IP I added to that interface and the only IP that showed up in the route list.

Why does it not show the IP as the 154 address? Why is the srcnat not working? I am lost.

Any help would be great

Thanks for your time and input in advance

Stephen
Last edited by resotat on Wed Jun 09, 2010 11:22 pm, edited 1 time in total.
 
Feklar
Forum Guru
Posts: 1724
Joined: Tue Dec 01, 2009 11:46 pm

Re: Nating a global IP to a local IP

Wed Jun 09, 2010 11:20 pm

The order of firewall rules is very important. Check to see if the server on the private side is getting caught by a NAT rule that is higher up on the list and adjust accordingly.
 
resotat
Frequent Visitor
Topic Author
Posts: 79
Joined: Mon May 18, 2009 8:33 pm

Re: Nating a global IP to a local IP

Wed Jun 09, 2010 11:43 pm

I have found a rule at the top of the NAT list. Under the General tab it says srcnat, and on the Action page it is set to masquerade, but neither page has IPs. That is all there is set in that rule. If I disable it I lose connectivity with the internet; if I place my rule above it in the list, that host loses internet access but not other hosts.
 
Feklar
Forum Guru
Posts: 1724
Joined: Tue Dec 01, 2009 11:46 pm

Re: Nating a global IP to a local IP

Thu Jun 10, 2010 12:29 am

post
/ip firewall nat export
 
resotat
Frequent Visitor
Topic Author
Posts: 79
Joined: Mon May 18, 2009 8:33 pm

Re: Nating a global IP to a local IP

Thu Jun 10, 2010 1:24 am

[admin@S 493AH Router] > /ip nat firewall export
bad command name nat (line 1 column 5)
[admin@S 493AH Router] > /ip firewall nat export
# jan/01/1970 01:25:00 by RouterOS 3.20
# software id = AH7I-LTT
#
/ip firewall nat
add action=masquerade chain=srcnat comment="" disabled=no
add action=netmap chain=dstnat comment=RAdmin disabled=no dst-address=x.x.x.157 dst-port=4899 protocol=tcp \
to-addresses=10.100.127.21 to-ports=4899
add action=netmap chain=dstnat comment="Captain Pump" disabled=no dst-address=x.x.x.157 dst-port=4032 protocol=\
tcp to-addresses=10.100.120.71 to-ports=4032
add action=netmap chain=dstnat comment="Mcbain Remote" disabled=no dst-address=x.x.x.157 dst-port=4389 protocol=\
tcp to-addresses=10.100.121.183 to-ports=3389
add action=netmap chain=dstnat comment="Gateway Water Router" disabled=yes dst-address=x.x.x.157 dst-port=8080 \
protocol=tcp to-addresses=10.100.122.100 to-ports=8080
add action=netmap chain=dstnat comment="Gateway Treatment" disabled=no dst-address=x.x.x.157 dst-port=2222 \
protocol=tcp to-addresses=10.100.122.10 to-ports=2222
add action=netmap chain=srcnat comment="Gateway Treatment" disabled=no dst-address=x.x.x.157 dst-port=44818 \
protocol=tcp to-addresses=10.100.122.100 to-ports=44818
add action=netmap chain=dstnat comment="Gateway Treatment" disabled=no dst-address=x.x.x.157 dst-port=5080 \
protocol=tcp to-addresses=10.100.122.100 to-ports=5080
add action=netmap chain=dstnat comment="Captains Water Router" disabled=no dst-address=x.x.x.157 dst-port=1080 \
protocol=tcp to-addresses=10.100.121.70 to-ports=1080
add action=netmap chain=dstnat comment="Sorrento Remote" disabled=no dst-address=x.x.x.157 dst-port=3389 \
protocol=tcp to-addresses=10.100.127.22 to-ports=3389
add action=netmap chain=dstnat comment="Rick Camera 1" disabled=no dst-address=x.x.x.157 dst-port=3000 protocol=\
tcp to-addresses=10.100.121.27 to-ports=3000
add action=netmap chain=dstnat comment="Rick Camera 2" disabled=no dst-address=x.x.x.157 dst-port=3001 protocol=\
tcp to-addresses=10.100.121.27 to-ports=3001
add action=netmap chain=dstnat comment="Rick Camera 3" disabled=no dst-address=x.x.x.157 dst-port=3002 protocol=\
tcp to-addresses=10.100.121.27 to-ports=3002
add action=netmap chain=dstnat comment="Rick Camera 4" disabled=no dst-address=x.x.x.157 dst-port=3003 protocol=\
tcp to-addresses=10.100.121.27 to-ports=3003
add action=dst-nat chain=dstnat comment="Captains Global In" disabled=no dst-address=x.x.x.155 protocol=tcp \
to-addresses=10.100.121.137 to-ports=0-65535
add action=src-nat chain=srcnat comment="Captains Global Out" disabled=no protocol=tcp src-address=10.100.121.137 \
to-addresses=x.x.x.155 to-ports=0-65535
add action=netmap chain=dstnat comment="Net booter" disabled=no dst-address=x.x.x..157 dst-port=80 protocol=tcp \
to-addresses=10.100.122.24 to-ports=80
add action=dst-nat chain=dstnat comment="LRB Global In" disabled=no dst-address=x.x.x..156 protocol=tcp \
to-addresses=10.100.121.6 to-ports=0-65535
add action=src-nat chain=srcnat comment="LRB Global Out" disabled=no protocol=tcp src-address=10.100.121.6 \
to-addresses=x.x.x.156 to-ports=0-65535
add action=dst-nat chain=dstnat comment="Rona Global In" disabled=no dst-address=x.x.x.153 protocol=tcp \
to-addresses=10.100.121.10 to-ports=0-65535
add action=src-nat chain=srcnat comment="Rona Global Out" disabled=no protocol=tcp src-address=10.100.121.10 \
to-addresses=x.x.x.153 to-ports=0-65535
add action=src-nat chain=srcnat comment="Peoples Global Out" disabled=no protocol=tcp src-address=10.100.121.48 \
to-addresses=x.x.x.154 to-ports=0-65535
add action=dst-nat chain=dstnat comment="Peoples Global In" disabled=no dst-address=x.x.x.154 protocol=tcp \
to-addresses=10.100.121.48 to-ports=0-65535
add action=dst-nat chain=dstnat comment="" disabled=no dst-address=x.x.x..152 protocol=tcp to-addresses=\
10.100.127.190 to-ports=0-65535
add action=netmap chain=srcnat comment="" disabled=no protocol=tcp src-address=10.100.127.190 to-addresses=\
x.x.x.152 to-ports=0-65535
[admin@Ss 493AH Router] >
 
tricer
newbie
Posts: 48
Joined: Tue May 25, 2010 9:49 pm
Location: Maryland, USA

Re: Nating a global IP to a local IP

Thu Jun 10, 2010 3:23 am

Your 1:1 NAT has to be above your PAT (masquerade). If it is not, it NATs all IPs to the one you have set in your masquerade rule.
 
Feklar
Forum Guru
Posts: 1724
Joined: Tue Dec 01, 2009 11:46 pm

Re: Nating a global IP to a local IP

Thu Jun 10, 2010 5:08 pm

First of all, correct, these rules need to come before the masquerade.

Second, your DST-NAT and SRC-NAT rules are too specific to work very well. Use these instead, and model the rest of them after these:

add action=dst-nat chain=dstnat comment="Captains Global In" disabled=no dst-address=x.x.x.155 to-addresses=10.100.121.137
add action=src-nat chain=srcnat comment="Captains Global Out" disabled=no src-address=10.100.121.137 to-addresses=x.x.x.155

The SRC-NAT rule should stay the same. If you want to forward just certain ports to those IP addresses, you can be more specific on the dst-nat rules, such as dst-port=80 protocol=tcp to forward port 80 to the server.

Third, why are you using action=netmap on several of your rules? This is usually used to translate a subnet to the LAN. DST-NAT and SRC-NAT are generally used more for single IP addresses.
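The two points made in the replies (rule order, and a src-nat rule narrowed by protocol=tcp) can be checked offline against an export. The following is an added example, not part of any forum post and not MikroTik code: a small Python audit that parses `/ip firewall nat export` text and models first-match evaluation. The helper names, the exact-string matcher comparison, and the address 203.0.113.154 (standing in for the redacted x.x.x.154) are assumptions.

```python
import shlex

# Matchers compared by exact string equality (a simplification: no CIDR or port ranges).
MATCHERS = ("src-address", "dst-address", "protocol", "dst-port", "in-interface", "out-interface")

# Constructed sample exports; 203.0.113.154 stands in for the redacted x.x.x.154.
BROKEN = r"""/ip firewall nat
add action=masquerade chain=srcnat comment="" disabled=no
add action=src-nat chain=srcnat comment="Peoples Global Out" disabled=no protocol=tcp src-address=10.100.121.48 \
    to-addresses=203.0.113.154 to-ports=0-65535
"""
FIXED = r"""/ip firewall nat
add action=src-nat chain=srcnat comment="Peoples Global Out" disabled=no src-address=10.100.121.48 \
    to-addresses=203.0.113.154
add action=masquerade chain=srcnat comment="" disabled=no
"""

def parse_export(text):
    """Return enabled rules, in order, from '/ip firewall nat export' text."""
    logical, buf = [], ""
    for line in text.splitlines():
        line = line.strip()
        if line.endswith("\\"):      # the export wraps long rules with a trailing backslash
            buf += line[:-1]
            continue
        logical.append(buf + line)
        buf = ""
    rules = []
    for line in logical:
        if line.startswith("add "):
            rule = dict(tok.split("=", 1) for tok in shlex.split(line[4:]) if "=" in tok)
            if rule.get("disabled") != "yes":
                rules.append(rule)
    return rules

def first_match(rules, chain, packet):
    """NAT chains are first-match: return the first rule whose matchers all fit the packet."""
    for rule in rules:
        if rule.get("chain") == chain and all(rule[k] == packet.get(k) for k in MATCHERS if k in rule):
            return rule
    return None

def shadowed(rules, chain="srcnat"):
    """Comments of rules that can never fire because an earlier rule matches a superset."""
    seen, hits = [], []
    for rule in (r for r in rules if r.get("chain") == chain):
        if any(all(rule.get(k) == e[k] for k in MATCHERS if k in e) for e in seen):
            hits.append(rule.get("comment", ""))
        seen.append(rule)
    return hits
```

With `BROKEN`, `shadowed()` reports "Peoples Global Out" and every packet from 10.100.121.48 lands on the masquerade rule; with `FIXED`, both TCP and UDP from that host reach the src-nat rule.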
