Community discussions

 
User avatar
sjoram
Member Candidate
Member Candidate
Topic Author
Posts: 116
Joined: Sun Feb 10, 2013 8:47 pm
Location: Essex, UK

NAT problem

Sat Feb 23, 2013 5:39 pm

Hoping someone can assist with the below.
New to RouterOS, gone live on a RB750 today.
Having an issue with one of my NAT rules.
Works great for users on other VLANs or on the Internet, but users on the same VLAN as the server are not connecting.
My old Netgear used to run its NAT rules on internal users going out, need to work out how I can make RouterOS do the same for clients on the same subnet/VLAN as the server.
Any suggestions?

Image
Home user, working in IT. Home network is my lab.
ISP: Uno Communications
Hardware:
RB750 - Draytek Vigor 120v2 ADSL2+ Annex M
RB750Gr3 - Draytek Vigor 130 FTTC (VDSL) & RBD52G-5HacD2HnD
 
User avatar
cbrown
Trainer
Trainer
Posts: 1839
Joined: Thu Oct 14, 2010 8:57 pm
Contact:

NAT problem

Sat Feb 23, 2013 8:05 pm

My guess is you need to setup hairpin NAT.

http://wiki.mikrotik.com/wiki/Hairpin_NAT
C.Brown

cbrown[at]ravenrocknetworks.com
MTCNA - MTCRE - MTCWE - MTCTCE
MTCSE - TRAINER-0179

Next Training
https://www.cbrown.co/2019/04/08/mtcna-june2019-wv/
 
User avatar
sjoram
Member Candidate
Member Candidate
Topic Author
Posts: 116
Joined: Sun Feb 10, 2013 8:47 pm
Location: Essex, UK

Re: NAT problem

Sat Feb 23, 2013 10:17 pm

Hmm, looks like what I need but can't make it work.
The example command on the wiki won't work for me because the interface has multiple IP addresses assigned so I can't use masquerade. Tried customising the rule to my situation but no joy.

Essentially for my situation, for example, I have

Web server on 10.0.0.5 port 80 available via NAT on 46.65.209.241
Clients connecting from 10.0.0.0/16 to 46.65.209.241 but then replies from 10.0.0.5 going back directly to 10.0.x.x address not via 46.65.209.241

I've tried
/ip firewall nat> add chain=srcnat src-address=10.0.0.0/16 src-port=80 dst-address=10.0.0.5 dst-port=80 protocol=tcp out-interface=VLAN10 action=src-nat to-address=46.65.209.241
I have a feeling the src and dst should be switched and one should not specify a port, but tried what I think and still no luck?
Home user, working in IT. Home network is my lab.
ISP: Uno Communications
Hardware:
RB750 - Draytek Vigor 120v2 ADSL2+ Annex M
RB750Gr3 - Draytek Vigor 130 FTTC (VDSL) & RBD52G-5HacD2HnD
 
User avatar
sjoram
Member Candidate
Member Candidate
Topic Author
Posts: 116
Joined: Sun Feb 10, 2013 8:47 pm
Location: Essex, UK

Re: NAT problem

Sun Feb 24, 2013 11:35 am

OK today I have tried

Chain srcnat
Src Add 10.0.0.0/16
Dst Add 46.65.209.241
Proto TCP
Dst Port 443
action = src-nat to 46.65.209.241

No joy

Interestingly, I have IIS running on port 80 NAT'ed against one IP address and that works without one of the above rules.
Services directed at port 80 on another public IP don't work with or without the above. Port 443 for the same IIS that works on Port 80 does not work either.
Home user, working in IT. Home network is my lab.
ISP: Uno Communications
Hardware:
RB750 - Draytek Vigor 120v2 ADSL2+ Annex M
RB750Gr3 - Draytek Vigor 130 FTTC (VDSL) & RBD52G-5HacD2HnD
 
marcus65
newbie
Posts: 26
Joined: Fri Feb 08, 2013 4:15 am
Location: Brooklyn, New York

Re: NAT problem

Sun Feb 24, 2013 9:40 pm

I posted this response without enough understanding of hairpin NAT.
I removed this response 4/11/2013
Last edited by marcus65 on Thu Apr 11, 2013 10:48 pm, edited 1 time in total.
Marcus.
_______|
 
dragon2611
Member Candidate
Member Candidate
Posts: 152
Joined: Fri Sep 25, 2009 12:06 am

Re: NAT problem

Sun Feb 24, 2013 11:13 pm

OK today I have tried

Chain srcnat
Src Add 10.0.0.0/16
Dst Add 46.65.209.241
Proto TCP
Dst Port 443
action = src-nat to 46.65.209.241

No joy

Interestingly, I have IIS running on port 80 NAT'ed against one IP address and that works without one of the above rules.
Services directed at port 80 on another public IP don't work with or without the above. Port 443 for the same IIS that works on Port 80 does not work either.
If i've understood the wiki correctly from the quick read i did of it earlier.

Chain srcnat
Src Add 10.0.0.0/16
Dst Add 46.65.209.241
Proto TCP
Dst Port 443
out interface= <Lan interface e.g ether1>
action = Masquerade
 
User avatar
sjoram
Member Candidate
Member Candidate
Topic Author
Posts: 116
Joined: Sun Feb 10, 2013 8:47 pm
Location: Essex, UK

Re: NAT problem

Mon Feb 25, 2013 8:58 am

Yep, problem I have is I'm not sure I can use masquerade as I have a number of IP addresses assigned to that particular interface, so how would it know which to use for masquerade?
Home user, working in IT. Home network is my lab.
ISP: Uno Communications
Hardware:
RB750 - Draytek Vigor 120v2 ADSL2+ Annex M
RB750Gr3 - Draytek Vigor 130 FTTC (VDSL) & RBD52G-5HacD2HnD
 
User avatar
cbrown
Trainer
Trainer
Posts: 1839
Joined: Thu Oct 14, 2010 8:57 pm
Contact:

Re: NAT problem

Mon Feb 25, 2013 2:31 pm

Try this instead. Make sure you move the rule to the top as well.
/ip fi nat add action=masquerade chain=srcnat dst-address-10.0.0.5 src-address=10.0.0.0/16
C.Brown

cbrown[at]ravenrocknetworks.com
MTCNA - MTCRE - MTCWE - MTCTCE
MTCSE - TRAINER-0179

Next Training
https://www.cbrown.co/2019/04/08/mtcna-june2019-wv/
 
User avatar
sjoram
Member Candidate
Member Candidate
Topic Author
Posts: 116
Joined: Sun Feb 10, 2013 8:47 pm
Location: Essex, UK

Re: NAT problem

Mon Feb 25, 2013 7:38 pm

This is why I don't think masquerade will work on VLAN10.
Do I actually need the IP addresses assigned to VLAN10 for NAT to work?
I have srcnat rules running to mask external traffic going to the internet behind two IPs (rather than using the default masquerade), one of these is not included on the below and still works, so not sure if I can remove the public IPs from VLAN10 and the NAT rules still pick up traffic for those IPs?

Image

This may just be newbie errors on my part and I might be able to use masquerade if I remove the public IPs from the interface if they are not required?
Home user, working in IT. Home network is my lab.
ISP: Uno Communications
Hardware:
RB750 - Draytek Vigor 120v2 ADSL2+ Annex M
RB750Gr3 - Draytek Vigor 130 FTTC (VDSL) & RBD52G-5HacD2HnD
 
CelticComms
Forum Guru
Forum Guru
Posts: 1766
Joined: Wed May 02, 2012 5:48 am

Re: NAT problem

Mon Feb 25, 2013 10:52 pm

1) You would typically have the public IPs to which you are source NATing outbound traffic on your WAN/outside interface - not the LAN/inside interface.

2) What cbrown indicated above will work if you only have relevant private IPs on the router interface that the server is connected to. If there is more than one IP you could change the action to source NAT and explicitly indicate the IP to be used.

Your inbound destination NAT entry takes traffic bound for (say) port 80 on a public IP and NAT/PATs the traffic to a chosen port on the private IP host.

The hairpin entry looks for traffic from your private network which has been NATed by the first rule (because it met the rules) and performs a further source NAT so that the traffic will appear to your (say) web server as coming from the router itself thus forcing return traffic back via the router.

There as a similar question from aomu this morning so it might be worth reading that short thread too.
Interlynx | Networking and Information Security Consultants & Trainers | Email: routerlynx@gmail.com
BGP | EIGRP | OSPF | MPLS | Firewall | VPN | IPsec | Multicast | QOS | IPv4/6 | STP | VLAN | PON | AE | M2M | and more!

 
User avatar
sjoram
Member Candidate
Member Candidate
Topic Author
Posts: 116
Joined: Sun Feb 10, 2013 8:47 pm
Location: Essex, UK

Re: NAT problem

Tue Feb 26, 2013 7:15 pm

This is what I have at the moment. The masquerade issue aside, should the below work?
Yes I know some are disabled - I disabled them after they didn't work as expected, until I had the chance to look at it again.
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add action=accept chain=input comment="default configuration" disabled=no \
    protocol=icmp
add action=accept chain=input comment="default configuration" \
    connection-state=established disabled=no in-interface=ether1-gateway
add action=accept chain=input comment="default configuration" \
    connection-state=related disabled=no in-interface=ether1-gateway
add action=drop chain=input comment="default configuration" disabled=no \
    in-interface=ether1-gateway

/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat comment="default configuration" disabled=\
    yes out-interface=ether1-gateway
add action=src-nat chain=srcnat disabled=yes dst-address=46.65.209.241 \
    dst-port=80 out-interface=VLAN10 protocol=tcp src-address=10.0.0.0/16 \
    to-addresses=46.65.209.241
add action=dst-nat chain=dstnat disabled=no dst-address=46.65.209.241 \
    dst-port=80 protocol=tcp to-addresses=10.0.0.5 to-ports=80
add action=src-nat chain=srcnat disabled=yes dst-address=46.65.209.241 \
    dst-port=443 out-interface=VLAN10 protocol=tcp src-address=10.0.0.0/16 \
    to-addresses=46.65.209.241
add action=dst-nat chain=dstnat disabled=no dst-address=46.65.209.241 \
    dst-port=443 protocol=tcp to-addresses=10.0.0.5 to-ports=443
add action=dst-nat chain=dstnat disabled=no dst-address=46.65.209.242 \
    dst-port=25 protocol=tcp to-addresses=10.0.0.5 to-ports=25
add action=dst-nat chain=dstnat disabled=no dst-address=46.65.209.242 \
    dst-port=2525 protocol=tcp to-addresses=10.0.0.5 to-ports=25
add action=dst-nat chain=dstnat disabled=no dst-address=46.65.209.242 \
    dst-port=993 protocol=tcp to-addresses=10.0.0.5 to-ports=993
add action=dst-nat chain=dstnat disabled=no dst-address=46.65.209.242 \
    dst-port=80 protocol=tcp to-addresses=10.0.0.5 to-ports=9326
add action=dst-nat chain=dstnat disabled=no dst-address=46.65.209.242 \
    dst-port=443 protocol=tcp to-addresses=10.0.0.5 to-ports=9443
add action=src-nat chain=srcnat disabled=yes dst-address=46.65.209.242 \
    dst-port=143 out-interface=VLAN10 protocol=tcp src-address=10.0.0.0/16 \
    to-addresses=46.65.209.242
add action=dst-nat chain=dstnat disabled=no dst-address=46.65.209.242 \
    dst-port=143 protocol=tcp to-addresses=10.0.0.5 to-ports=143
add action=dst-nat chain=dstnat disabled=no dst-address=46.65.209.241 \
    dst-port=2525 protocol=tcp to-addresses=10.0.0.5 to-ports=25
add action=dst-nat chain=dstnat disabled=no dst-address=46.65.209.241 \
    dst-port=25 protocol=tcp to-addresses=10.0.0.5 to-ports=25
add action=dst-nat chain=dstnat disabled=no dst-address=46.65.209.243 \
    dst-port=80 protocol=tcp to-addresses=10.0.0.5 to-ports=6245
add action=dst-nat chain=dstnat disabled=no dst-address=46.65.209.243 \
    dst-port=443 protocol=tcp to-addresses=10.0.0.5 to-ports=6443
add action=dst-nat chain=dstnat disabled=no dst-address=46.65.209.243 \
    protocol=gre to-addresses=10.0.0.5
add action=dst-nat chain=dstnat disabled=no dst-address=46.65.209.243 \
    dst-port=1723 protocol=tcp to-addresses=10.0.0.5 to-ports=1723
add action=dst-nat chain=dstnat disabled=no dst-address=46.65.209.243 \
    dst-port=8080 protocol=tcp to-addresses=10.0.0.5 to-ports=8080
add action=src-nat chain=srcnat disabled=no out-interface=ether1-gateway \
    src-address=10.0.0.0/16 to-addresses=46.65.209.244
add action=src-nat chain=srcnat disabled=no out-interface=ether1-gateway \
    src-address=10.1.0.0/16 to-addresses=46.65.209.244
add action=src-nat chain=srcnat disabled=no out-interface=ether1-gateway \
    src-address=10.2.0.0/16 to-addresses=46.65.209.244
add action=src-nat chain=srcnat disabled=no out-interface=ether1-gateway \
    src-address=10.3.0.0/16 to-addresses=46.65.209.244
add action=src-nat chain=srcnat disabled=no out-interface=ether1-gateway \
    src-address=10.4.0.0/16 to-addresses=46.65.209.245
Home user, working in IT. Home network is my lab.
ISP: Uno Communications
Hardware:
RB750 - Draytek Vigor 120v2 ADSL2+ Annex M
RB750Gr3 - Draytek Vigor 130 FTTC (VDSL) & RBD52G-5HacD2HnD
 
CelticComms
Forum Guru
Forum Guru
Posts: 1766
Joined: Wed May 02, 2012 5:48 am

Re: NAT problem

Tue Feb 26, 2013 8:06 pm

I suggest that you tidy it up to have only current entries present. I don't know what the IP address allocations are at this point.

Make sure that your public IPs are on the WAN facing interface and make sure that your basic inbound destinations NATs are working.

I only saw one internal server mentioned so the hairpin NAT entry would be:

add action=masquerade chain=srcnat dst-address=10.0.0.5 out-interface=VLAN10 src-address=10.0.0.0/16

If that doesn't work upload /export compact so we can see the total current config.
Interlynx | Networking and Information Security Consultants & Trainers | Email: routerlynx@gmail.com
BGP | EIGRP | OSPF | MPLS | Firewall | VPN | IPsec | Multicast | QOS | IPv4/6 | STP | VLAN | PON | AE | M2M | and more!

 
User avatar
sjoram
Member Candidate
Member Candidate
Topic Author
Posts: 116
Joined: Sun Feb 10, 2013 8:47 pm
Location: Essex, UK

Re: NAT problem

Tue Feb 26, 2013 8:50 pm

Thanks, I'll wait till the weekend to move the public IPs so I'm on site if things go wrong.
Will then take a look and see what I have.
Thanks all for the input so far.
Home user, working in IT. Home network is my lab.
ISP: Uno Communications
Hardware:
RB750 - Draytek Vigor 120v2 ADSL2+ Annex M
RB750Gr3 - Draytek Vigor 130 FTTC (VDSL) & RBD52G-5HacD2HnD
 
User avatar
sjoram
Member Candidate
Member Candidate
Topic Author
Posts: 116
Joined: Sun Feb 10, 2013 8:47 pm
Location: Essex, UK

Re: NAT problem

Tue Dec 24, 2013 9:09 pm

The above masquerade didn't work. I'm currently running a f/w version that doesn't allow export compact (reluctant to upgrade unless I have a particular issue to solve - been a victim of failed firmware upgrades on devices in the past!).

Tell me what sections I need to post from the config and I'll do so.
Home user, working in IT. Home network is my lab.
ISP: Uno Communications
Hardware:
RB750 - Draytek Vigor 120v2 ADSL2+ Annex M
RB750Gr3 - Draytek Vigor 130 FTTC (VDSL) & RBD52G-5HacD2HnD
 
User avatar
sjoram
Member Candidate
Member Candidate
Topic Author
Posts: 116
Joined: Sun Feb 10, 2013 8:47 pm
Location: Essex, UK

Re: NAT problem

Sun Jul 20, 2014 5:26 pm

Just in case anyone does a search and is reading this thread, I resolved.

http://forum.mikrotik.com/viewtopic.php?f=2&t=87170
/ip firewall nat
add chain=dstnat action=dst-nat to-addresses=<private IP e.g. 10.0.0.5> to-ports=<private port e.g. 9326> protocol=tcp dst-address=<public IP> dst-port=<public port e.g. 80>
/ip firewall nat
add chain=srcnat action=masquerade protocol=tcp src-address=<private subnet e.g. 10.0.0.0/16> dst-address=<private IP e.g. 10.0.0.5> dst-port=<private port e.g. 9326>
Home user, working in IT. Home network is my lab.
ISP: Uno Communications
Hardware:
RB750 - Draytek Vigor 120v2 ADSL2+ Annex M
RB750Gr3 - Draytek Vigor 130 FTTC (VDSL) & RBD52G-5HacD2HnD

Who is online

Users browsing this forum: No registered users and 19 guests