radu990
just joined
Topic Author
Posts: 6
Joined: Thu Jan 25, 2018 10:12 am

Client IP instead of Gateway IP

Thu Jan 25, 2018 2:32 pm

Hello,

We're using a Mikrotik as a Wifi Router (connected through ethernet port 2, local address 192.168.1.101/24, in bridge with wifi). We have as well a Reverse proxy in the network (connected to another switch and not directly to Mikrotik), and the Reverse Proxy shows the logs with the Mikrotik Gateway IP (192.168.1.101), instead of the client IP (connected through wifi). How can we NAT to have the Client IP displayed?
Thank you
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Client IP instead of Gateway IP

Thu Jan 25, 2018 7:21 pm

If you want to see real client IPs, you probably don't want NAT. Because it's what NAT does, it changes addresses. In any case, if it changes source address, it's done in srcnat chain, so check what exactly you have there, or post it here and add some more details what exactly you expect to happen.
 
radu990
just joined
Topic Author
Posts: 6
Joined: Thu Jan 25, 2018 10:12 am

Re: Client IP instead of Gateway IP

Fri Jan 26, 2018 12:30 pm

> If you want to see real client IPs, you probably don't want NAT. Because it's what NAT does, it changes addresses. In any case, if it changes source address, it's done in srcnat chain, so check what exactly you have there, or post it here and add some more details what exactly you expect to happen.

Hi Sob,

Thank you very much for the Reply. Some more details about my problem. In our network we have an Apache Reverse Proxy, and when somebody connects to it locally (connected through Wifi on a Mikrotik router), the Mikrotik Router IP address (192.168.1.101) on the Reverse Proxy is displayed, instead of the Client local IP (192.168.1.54 for example). Not sure if the problem is in the Mikrotik acting as a local Wifi Router, or in the Mikrotik where the Apache Reverse Proxy server is connected, but I guess it should be in the local Wifi Router most probably. What we need is to have in the Apache logs the real Client IP address, and not the Mikrotik Gateway Router.

On the Mikrotik Wifi Router, in Firewall Nat I have only 1 rule set, chain=srcnat and Action=masquerade. Maybe the action should be changed, and instead of masquerade to have action=same or any else?
Thank you
 
tippenring
Member
Posts: 304
Joined: Thu Oct 02, 2014 8:54 pm
Location: St Louis MO

Re: Client IP instead of Gateway IP

Fri Jan 26, 2018 5:36 pm

If your wifi interface is bridged to the ethernet interface, try disabling NAT. You shouldn't need it.
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Client IP instead of Gateway IP  [SOLVED]

Fri Jan 26, 2018 6:27 pm

If the rule contains only chain=srcnat and action=masquerade without any other options, then it works for connections in any direction (incoming, outgoing, everything) and that's not what you want. You need to limit it further, most likely with out-interface=<WAN interface> option.
 
radu990
just joined
Topic Author
Posts: 6
Joined: Thu Jan 25, 2018 10:12 am

Re: Client IP instead of Gateway IP

Mon Jan 29, 2018 12:54 pm

Thanks, will try to check it.

One more question please if possible, related to same subject, on another Mikrotik.

We have several WAN connections on it and a NAT rule with dst-nat, dst.address - WAN Public IP, dst port=443, dst-nat to Internal IP 192.168.101.22, port 8443.
While checking in Mikrotik connections, I can see public IPs of the client -> local IP 192.168.101.22, with the Reply SRC Address 192.168.101.1 (Mikrotik Address).
While checking in the Server Logs (IBM traveler), the Mikrotik Gateway IP is displayed.

Should be as well related to NAT and the Reply SRC address. Any hint what settings it might be related to? I guess if Reply SRC address will be the client Public IP (SRC address), the server logs will have the correct IP displayed as well.

Screenshots attached below:
http://www.pixhost.org/show/367/6283922 ... 3bd1d4.jpg
http://www.pixhost.org/show/367/6283922 ... 18bc9f.jpg
http://www.pixhost.org/show/367/6283923 ... 4baae1.jpg
http://www.pixhost.org/show/367/6283923 ... 042035.jpg
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Client IP instead of Gateway IP

Tue Jan 30, 2018 12:41 am

It should be exactly the same problem, some srcnat rule matching also incoming connections. When you have only port forwarding using dstnat, without srcnat mistakenly interfering, then both Src. Address and Reply Dst. Address contain address of client, and it's also what internal server sees.
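
Added example, not part of the thread or any poster's own code: a small Python audit for the misconfiguration named in both of Sob's answers above, a srcnat masquerade rule with no `out-interface` or other scoping, which then also rewrites the source address of LAN-to-LAN and port-forwarded connections. The sample export is constructed, and `ether1` as the WAN interface name is an assumption.

```python
import shlex

# Standard RouterOS NAT matchers that narrow a srcnat rule to particular traffic.
SCOPING = {"out-interface", "out-interface-list", "src-address",
           "src-address-list", "dst-address", "dst-address-list"}

# Constructed sample in the style of a RouterOS export; ether1 as WAN is assumed.
SAMPLE_EXPORT = r'''
/ip firewall filter
add action=accept chain=input connection-state=established,related
/ip firewall nat
add action=masquerade chain=srcnat comment="rule as described in the thread"
add action=masquerade chain=srcnat comment="scoped to WAN" \
    out-interface=ether1
add action=dst-nat chain=dstnat dst-port=443 protocol=tcp \
    to-addresses=192.168.101.22 to-ports=8443
'''

def parse_nat_rules(export_text):
    """Return the 'add' rules of the '/ip firewall nat' section as dicts."""
    rules, in_nat, pending = [], False, ""
    for raw in export_text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):        # long rules are wrapped with a backslash
            pending = line[:-1]
            continue
        pending = ""
        if line.startswith("/"):       # a new section header
            in_nat = line == "/ip firewall nat"
        elif in_nat and line.startswith("add "):
            tokens = shlex.split(line[4:])   # keeps quoted comments intact
            rules.append(dict(t.split("=", 1) for t in tokens if "=" in t))
    return rules

def overbroad_masquerade(rules):
    """Flag enabled srcnat masquerade rules that have no scoping matcher."""
    return [r for r in rules
            if r.get("chain") == "srcnat" and r.get("action") == "masquerade"
            and r.get("disabled") != "yes" and not SCOPING & r.keys()]

if __name__ == "__main__":
    for rule in overbroad_masquerade(parse_nat_rules(SAMPLE_EXPORT)):
        print("unscoped masquerade, servers will log the router address:", rule)
```

A rule that is scoped but points at the wrong interface is not flagged by this check; it only catches the fully unscoped case.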
 
radu990
just joined
Topic Author
Posts: 6
Joined: Thu Jan 25, 2018 10:12 am

Re: Client IP instead of Gateway IP

Tue Jan 30, 2018 10:51 am

Thank you very much
Setting out-interface=<WAN interface> solved the problem in both cases.
Thanks once again
 
PortalNET
Member Candidate
Posts: 126
Joined: Sun Apr 02, 2017 7:24 pm

Re: Client IP instead of Gateway IP

Fri Apr 23, 2021 10:06 pm

Hi guys

it looks like I have the same or a very similar issue here

we have an ASN /22 block..

we have setup a client static public ip with /30 and client company has setup a mikrotik on their end.. so IP1 gateway on our side, and IP2 on client side..

internet working just fine..

but when an external connection arrives, instead of displaying the external public ip on the logs, it just displays incoming connection from our gateway IP1...

we have on our side a firewall rule, with vlan interface chain: src-nat out-interface : specific-client-vlan-interface action: masquerade


any clues on what could be wrong, in order to display the correct incoming external connections on the client end ip
 
PortalNET
Member Candidate
Posts: 126
Joined: Sun Apr 02, 2017 7:24 pm

Re: Client IP instead of Gateway IP

Fri Apr 23, 2021 10:24 pm

> Thank you very much
> Setting out-interface=<WAN interface> solved the problem in both cases.
> Thanks once again

Unfortunately this did not work for us..


We have BGP with our IPV4 /22 configured..

then we forward our public ips in smaller blocks to other Mikrotik devices..

then from one specific device we forward via vlan connection to clients with static ip block /30

internet works fine.. all ports open external for clients usage.. only issue is on client mikrotik device incoming connections via external ips..it does not display the external ips only our public gateway ip configured to that specific client.
