Hendy
just joined
Topic Author
Posts: 11
Joined: Thu Aug 02, 2018 5:59 am

How to Preserve Source Ip when Port Forwarding

Thu Aug 02, 2018 6:10 am

Hello everyone,

I'm new to using MikroTik.

I'm now trying to set up port forwarding for my SFTP and it works, but the problem is I can't get the source IP when someone is connecting to my SFTP; it always returns 198.172.1.1, not the source IP.

Here's my configuration for NAT.

Note: I don't have any mangle rules set.


add action=dst-nat chain=dstnat comment=ABC dst-address=1xx.1xx.1xx.1xx dst-port=22 protocol=tcp \
to-addresses=192.168.1.23 to-ports=22
add action=src-nat chain=srcnat disabled=yes dst-address=192.168.1.23 protocol=tcp to-addresses=\
1xx.1xx.1xx to-ports=22
add action=masquerade chain=srcnat dst-address=192.168.1.23
Please help, thanks.
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: How to Preserve Source Ip when Port Forwarding

Thu Aug 02, 2018 11:10 am

The last rule with action=masquerade is the reason; that rule is only necessary for hairpin NAT, where you would like devices in the same subnet as 192.168.1.23 to be able to connect to the public address. So without that rule, the addresses of the clients on the internet will make it down to 192.168.1.23, but devices in the same subnet as 192.168.1.23 will not understand the response of 192.168.1.23 because it will be coming from its real address; to prevent this, the response needs to be forced to the MikroTik, which "un-dst-nats" it, which inevitably means that 192.168.1.23 gets the MikroTik's IP in 192.168.1.x as the source of the request.

You can configure that rule to act only when necessary by adding src-address=192.168.1.0/the-correct-mask to it.
 
Hendy
just joined
Topic Author
Posts: 11
Joined: Thu Aug 02, 2018 5:59 am

Re: How to Preserve Source Ip when Port Forwarding

Fri Aug 03, 2018 6:39 am

Dear Sindy,
thanks for the reply.
sindy wrote:
You can configure that rule to act only when necessary by adding src-address=192.168.1.0/the-correct-mask to it.
But what do you mean by the correct mask, and also in which code should I put it?

Thanks for the help
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: How to Preserve Source Ip when Port Forwarding

Fri Aug 03, 2018 10:48 am

You have provided the address of the internal server - 192.168.1.23, but not the rest of your configuration. That address fits into many subnets of different size, starting from 192.168.1.16/28 up to 192.168.0.0/16 (if we stay in the domain of private subnets of course). So look at the network and mask you use on Mikrotik's own IP address in that subnet and use the same one in the rule. So if the mask is /24 as I guess, the network would be 192.168.1.0, and you would use the following code in the terminal window:

/ip firewall nat set [find action=masquerade dst-address=192.168.1.23] src-address=192.168.1.0/24
 
Hendy
just joined
Topic Author
Posts: 11
Joined: Thu Aug 02, 2018 5:59 am

Re: How to Preserve Source Ip when Port Forwarding

Fri Aug 03, 2018 11:26 am

Dear Sindy,
sindy wrote:
/ip firewall nat set [find action=masquerade dst-address=192.168.1.23] src-address=192.168.1.0/24
I already used this code in my MikroTik but I still get 192.168.1.1 in my log.

Here's an example of what output I want to have:

Client IP 2xx.2xx.2xx.2xx wants to connect to my SFTP via public IP 1xx.1xx.1xx.1xx.
The output I want is to display my client IP, not my local IP.
The NAT that I use is this, and I still get 192.168.1.1 in my output in Bitvise SSH:
add action=dst-nat chain=dstnat comment=AJMI dst-address=1xx.1xx.1xx.1xx dst-port=22 protocol=tcp to-addresses=192.168.1.23 to-ports=22
add action=masquerade chain=srcnat dst-address=192.168.1.23 src-address=192.168.1.0/24
Thanks for the quick reply.
Last edited by Hendy on Fri Aug 03, 2018 11:45 am, edited 1 time in total.
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: How to Preserve Source Ip when Port Forwarding

Fri Aug 03, 2018 11:31 am

That seems impossible to me :-)

Please post your complete configuration following the hints in my automatic signature.
 
Hendy
just joined
Topic Author
Posts: 11
Joined: Thu Aug 02, 2018 5:59 am

Re: How to Preserve Source Ip when Port Forwarding

Fri Aug 03, 2018 11:48 am

Dear Sindy,
sindy wrote:
Please post your complete configuration following the hints in my automatic signature.
Does this include my configuration for the public IP and the local IP, or just the NAT?
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: How to Preserve Source Ip when Port Forwarding

Fri Aug 03, 2018 12:47 pm

/ip firewall nat export

should be enough. But if there are any public addresses possibly identifying you, obfuscate them.
 
Hendy
just joined
Topic Author
Posts: 11
Joined: Thu Aug 02, 2018 5:59 am

Re: How to Preserve Source Ip when Port Forwarding

Mon Aug 06, 2018 8:03 am

Dear Sindy,
sorry for the late reply.
sindy wrote:
/ip firewall nat export

should be enough. But if there are any public addresses possibly identifying you, obfuscate them.
This is the code that I have exported from the MikroTik NAT:
add action=dst-nat chain=dstnat comment=SVN dst-address=1xx.1xx.1xx.1xx dst-port=8443 protocol=tcp \
    to-addresses=192.168.1.21 to-ports=8443
add action=src-nat chain=srcnat dst-address=192.168.1.21 protocol=tcp to-addresses=\
    1xx.1xx.1xx to-ports=8443
[b]add action=dst-nat chain=dstnat comment=A dst-address=1xx.1xx.1xx.1xx dst-port=22 protocol=tcp \
    to-addresses=192.168.1.23 to-ports=22[/b]
add action=src-nat chain=srcnat disabled=yes dst-address=192.168.1.23 protocol=tcp to-addresses=\
    1xx.1xx.1xx to-ports=22
add action=masquerade chain=srcnat dst-address=192.168.1.23
add action=dst-nat chain=dstnat comment=B dst-address=1xx.1xx.1xx.1xx dst-port=1378 protocol=tcp \
    to-addresses=192.168.1.23 to-ports=1378
add action=masquerade chain=srcnat dst-address=192.168.1.23
add action=dst-nat chain=dstnat comment=C dst-address=1xx.1xx.1xx.1xx dst-port=1380 protocol=tcp \
    to-addresses=192.168.1.23 to-ports=1380
add action=masquerade chain=srcnat dst-address=192.168.1.23
add action=dst-nat chain=dstnat comment=Mantis dst-address=1xx.1xx.1xx.1xx dst-port=80 protocol=tcp \
    to-addresses=192.168.1.5 to-ports=80
add action=src-nat chain=srcnat dst-address=192.168.1.5 protocol=tcp to-addresses=\
    1xx.1xx.1xx to-ports=80
add action=dst-nat chain=dstnat comment=cctv dst-address=1xx.1xx.1xx.1xx dst-port=8081 protocol=tcp \
    to-addresses=192.168.1.2 to-ports=8081
add action=src-nat chain=srcnat dst-address=192.168.1.2 protocol=tcp to-addresses=\
    1xx.1xx.1xx to-ports=8081
The bold one is the one that I have set to the original setting before getting your answer.
Last edited by Hendy on Tue Aug 07, 2018 9:44 am, edited 1 time in total.
 
Sob
Forum Guru
Posts: 9120
Joined: Mon Apr 20, 2009 9:11 pm

Re: How to Preserve Source Ip when Port Forwarding

Mon Aug 06, 2018 4:34 pm

Wow. :) It looks all wrong to me. You're making sure that connections to most ports forwarded from the public address will have their source set to the same public address. You want nothing of the sort if you want to see original source addresses. On top of that, you have not one, but three exactly the same rules guaranteeing that anything to 192.168.1.23 (except to port 22, covered by the previous rule) will get the source masqueraded.

Interestingly, I don't see the only srcnat rule you should have, the main NAT to access internet. So unless this is some special config with more routers, the only two srcnat rules you should ever need are:
/ip firewall nat
add chain=srcnat out-interface=<WAN> action=src-nat to-addresses=1xx.1xx.1xx
add chain=srcnat src-address=192.168.1.0/24 dst-address=192.168.1.0/24 action=masquerade
It's possible to do some fine-tuning, but this is the starting point.
 
Hendy
just joined
Topic Author
Posts: 11
Joined: Thu Aug 02, 2018 5:59 am

Re: How to Preserve Source Ip when Port Forwarding

Tue Aug 07, 2018 9:41 am

Dear Sindy,

Thanks for the reply.

So what you are saying is that all the src-nat rules must be changed to the code you have given?

This code:
/ip firewall nat
add chain=srcnat out-interface=<WAN> action=src-nat to-addresses=1xx.1xx.1xx
add chain=srcnat src-address=192.168.1.0/24 dst-address=192.168.1.0/24 action=masquerade

example

this code
add action=dst-nat chain=dstnat comment=SVN dst-address=1xx.1xx.1xx.1xx dst-port=8443 protocol=tcp \
    to-addresses=192.168.1.21 to-ports=8443
add action=src-nat chain=srcnat dst-address=192.168.1.21 protocol=tcp to-addresses=\
    1xx.1xx.1xx to-ports=8443
add action=dst-nat chain=dstnat comment=B dst-address=1xx.1xx.1xx.1xx dst-port=1378 protocol=tcp \
    to-addresses=192.168.1.23 to-ports=1378
add action=masquerade chain=srcnat dst-address=192.168.1.23
add action=dst-nat chain=dstnat comment=C dst-address=1xx.1xx.1xx.1xx dst-port=1380 protocol=tcp \
    to-addresses=192.168.1.23 to-ports=1380
add action=masquerade chain=srcnat dst-address=192.168.1.23
should be
add action=dst-nat chain=dstnat comment=SVN dst-address=1xx.1xx.1xx.1xx dst-port=8443 protocol=tcp \
    to-addresses=192.168.1.21 to-ports=8443
add action=dst-nat chain=dstnat comment=B dst-address=1xx.1xx.1xx.1xx dst-port=1378 protocol=tcp \
    to-addresses=192.168.1.23 to-ports=1378
add action=dst-nat chain=dstnat comment=C dst-address=1xx.1xx.1xx.1xx dst-port=1380 protocol=tcp \
    to-addresses=192.168.1.23 to-ports=1380
add chain=srcnat out-interface=<WAN> action=src-nat to-addresses=1xx.1xx.1xx
add chain=srcnat src-address=192.168.1.0/24 dst-address=192.168.1.0/24 action=masquerade
 
Sob
Forum Guru
Posts: 9120
Joined: Mon Apr 20, 2009 9:11 pm

Re: How to Preserve Source Ip when Port Forwarding

Tue Aug 07, 2018 5:15 pm

Yes, but it also applies to other srcnat rules. What I'm saying is that your current srcnat rules make no sense to me and you shouldn't need any of them. I mean, is this a regular router, does it have the public 1xx.1xx.1xx.1xx assigned to some WAN interface, LAN 192.168.1.x/24 to another, etc.? Or is it part of some larger and strangely complex network?

The part that confuses me, if it's a regular router, is how internet access can work when you don't have any srcnat for outgoing traffic. All your srcnat rules have dst-address=192.168.1.x, so they apply to traffic to the LAN but not from the LAN. Did you omit some rules from what you posted?

Next, what you do is really strange, e.g.:
add action=dst-nat chain=dstnat comment=SVN dst-address=1xx.1xx.1xx.1xx dst-port=8443 protocol=tcp to-addresses=192.168.1.21 to-ports=8443
Dstnat rule is fine, outside clients connect to 1xx.1xx.1xx.1xx:8443 and it gets forwarded to internal 192.168.1.21:8443. But then you have this:
add action=src-nat chain=srcnat dst-address=192.168.1.21 protocol=tcp to-addresses=1xx.1xx.1xx to-ports=8443
It takes those connections (and not only them, any tcp connection to 192.168.1.21 to any port) and makes them look as if they came from 1xx.1xx.1xx.1xx:8443. But why? What's the idea behind that?

All you should need is two srcnat rules:

1) Main NAT for working internet:
/ip firewall nat
add chain=srcnat out-interface=<WAN> action=src-nat to-addresses=1xx.1xx.1xx.1xx
2) Hairpin NAT rule, if you want to connect to services on 1xx.1xx.1xx.1xx from same LAN 192.168.1.0/24 (optional, you can skip this rule, if you don't need to do this):
/ip firewall nat
add chain=srcnat src-address=192.168.1.0/24 dst-address=192.168.1.0/24 action=masquerade
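To make sindy's and Sob's explanations above concrete, here is a small model of how a RouterOS-style NAT rule set decides which source address the SFTP server ends up seeing. This is an added example, not code from the thread or from MikroTik: it simplifies RouterOS to first-match evaluation of the dstnat and srcnat chains and to "masquerade rewrites the source to the router's own address on the outgoing interface", and it uses constructed TEST-NET addresses (203.0.113.10, 198.51.100.7, 192.0.2.80) in place of the obfuscated 1xx/2xx values. It compares the original poster's broad masquerade rule with the two srcnat rules recommended in the thread.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed addresses (TEST-NET ranges), standing in for the thread's
# obfuscated 1xx.1xx.1xx.1xx / 2xx.2xx.2xx.2xx values. Assumed topology:
# public address on ether1 (WAN), 192.168.1.0/24 on a LAN bridge.
PUBLIC_IP = "203.0.113.10"        # router's address on ether1
ROUTER_LAN_IP = "192.168.1.1"     # router's address on the LAN bridge
LAN = ip_network("192.168.1.0/24")
SFTP_SERVER = "192.168.1.23"
INTERNET_CLIENT = "198.51.100.7"  # a client somewhere on the internet
LAN_CLIENT = "192.168.1.50"       # a LAN host reaching the public IP (hairpin)
IFACE_ADDR = {"ether1": PUBLIC_IP, "bridge": ROUTER_LAN_IP}


@dataclass
class Packet:
    src: str
    dst: str
    dport: int


@dataclass
class Rule:
    """One /ip firewall nat rule; a matcher left as None matches anything."""
    chain: str                           # "dstnat" or "srcnat"
    action: str                          # "dst-nat", "src-nat" or "masquerade"
    src_address: Optional[str] = None
    dst_address: Optional[str] = None
    dst_port: Optional[int] = None
    out_interface: Optional[str] = None
    to_addresses: Optional[str] = None


def in_net(addr: str, spec: Optional[str]) -> bool:
    """Address matcher: unset matches all, a host or prefix matches by containment."""
    return spec is None or ip_address(addr) in ip_network(spec, strict=False)


def route(dst: str) -> str:
    """Interface the packet leaves on after routing: LAN bridge or WAN port."""
    return "bridge" if ip_address(dst) in LAN else "ether1"


def run_chain(rules: List[Rule], chain: str, pkt: Packet, out_iface: Optional[str]) -> Packet:
    """Apply the first matching rule of `chain`; a NAT action terminates the chain."""
    for r in rules:
        if r.chain != chain:
            continue
        if not in_net(pkt.src, r.src_address) or not in_net(pkt.dst, r.dst_address):
            continue
        if r.dst_port is not None and r.dst_port != pkt.dport:
            continue
        if r.out_interface is not None and r.out_interface != out_iface:
            continue
        if r.action == "dst-nat":
            return replace(pkt, dst=r.to_addresses)
        if r.action == "src-nat":
            return replace(pkt, src=r.to_addresses)
        if r.action == "masquerade":
            # masquerade uses the router's own address on the outgoing interface:
            # the LAN address for hairpin traffic, the public one on the WAN port
            return replace(pkt, src=IFACE_ADDR[out_iface])
    return pkt


def source_seen_by_destination(rules: List[Rule], pkt: Packet) -> str:
    """Source address the receiving host sees after dstnat, routing and srcnat."""
    pkt = run_chain(rules, "dstnat", pkt, None)
    pkt = run_chain(rules, "srcnat", pkt, route(pkt.dst))
    return pkt.src


# Original poster's rule set: masquerade everything towards the SFTP server,
# with no src-address restriction (and no NAT at all for LAN-to-internet).
BROAD_RULES = [
    Rule("dstnat", "dst-nat", dst_address=PUBLIC_IP, dst_port=22, to_addresses=SFTP_SERVER),
    Rule("srcnat", "masquerade", dst_address=SFTP_SERVER),
]

# The two srcnat rules recommended in the thread: src-nat on the WAN port only,
# and masquerade only for LAN-to-LAN (hairpin) traffic.
FIXED_RULES = [
    Rule("dstnat", "dst-nat", dst_address=PUBLIC_IP, dst_port=22, to_addresses=SFTP_SERVER),
    Rule("srcnat", "src-nat", out_interface="ether1", to_addresses=PUBLIC_IP),
    Rule("srcnat", "masquerade", src_address=str(LAN), dst_address=str(LAN)),
]


def internet_client_to_sftp(rules: List[Rule]) -> str:
    return source_seen_by_destination(rules, Packet(INTERNET_CLIENT, PUBLIC_IP, 22))


def lan_client_to_sftp_via_public_ip(rules: List[Rule]) -> str:
    return source_seen_by_destination(rules, Packet(LAN_CLIENT, PUBLIC_IP, 22))


def lan_client_to_internet(rules: List[Rule]) -> str:
    return source_seen_by_destination(rules, Packet(LAN_CLIENT, "192.0.2.80", 443))


if __name__ == "__main__":
    for name, rules in (("broad masquerade", BROAD_RULES), ("restricted", FIXED_RULES)):
        print(f"{name}: SFTP server sees internet client as {internet_client_to_sftp(rules)}, "
              f"hairpin LAN client as {lan_client_to_sftp_via_public_ip(rules)}, "
              f"internet sees LAN client as {lan_client_to_internet(rules)}")
```

With the broad rule the server logs 192.168.1.1 for every client, which is the symptom in the thread; with the restricted rules an internet client keeps its real address, a LAN client using the public IP is still masqueraded so hairpin replies flow back through the router, and LAN-to-internet traffic gets the public address only on ether1. The model also shows Sob's other point: with the broad rule set, LAN-to-internet traffic leaves with its private source untouched.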
 
Hendy
just joined
Topic Author
Posts: 11
Joined: Thu Aug 02, 2018 5:59 am

Re: How to Preserve Source Ip when Port Forwarding

Wed Aug 08, 2018 10:36 am

Dear Sob,
Sob wrote:
I mean, is this a regular router, does it have the public 1xx.1xx.1xx.1xx assigned to some WAN interface, LAN 192.168.1.x/24 to another, etc.? Or is it part of some larger and strangely complex network?

Yes, I'm using this as a router to connect from a public internet provider to my office LAN PCs, and also using it as a medium to port forward some of our local websites to be accessed from an outside IP. I'm also using it as a port forwarding medium for some of our clients to connect to our local SFTP.
Sob wrote:
It takes those connections (and not only them, any tcp connection to 192.168.1.21 to any port) and makes them look as if they came from 1xx.1xx.1xx.1xx:8443. But why? What's the idea behind that?
I'm using this because this is what I learned from YouTube; it said that to have a local website accessed from an outside IP, the setting should be like this.

And also thanks for the reply, and sorry to bother you this much.
 
pe1chl
Forum Guru
Forum Guru
Posts: 10216
Joined: Mon Jun 08, 2015 12:09 pm

Re: How to Preserve Source Ip when Port Forwarding

Wed Aug 08, 2018 11:45 am

Hendy wrote:
I'm using this because this is what I learned from YouTube
Let me tell you one thing: NEVER learn how to set up your router using videos from YouTube!!!!
 
Sob
Forum Guru
Posts: 9120
Joined: Mon Apr 20, 2009 9:11 pm

Re: How to Preserve Source Ip when Port Forwarding

Thu Aug 09, 2018 1:11 am

Just try it, it's safe (*): disable all your srcnat rules (don't delete them yet, keep them as a backup for now) and add mine instead. If it works, great. If not, you can put everything back in a few clicks.

(*) As I wrote, I still don't understand how internet access could have worked before, so there might be something missing.

Whether it will work or not, it might be a good idea to post your whole config (scroll a little back and read sindy's signature for instructions), because pe1chl is mostly right: if you picked what you have from YouTube, there might also be other "interesting" things in your config.
 
Hendy
just joined
Topic Author
Posts: 11
Joined: Thu Aug 02, 2018 5:59 am

Re: How to Preserve Source Ip when Port Forwarding

Thu Aug 09, 2018 6:38 am

Dear Sob

Ok and Thanks
 
Hendy
just joined
Topic Author
Posts: 11
Joined: Thu Aug 02, 2018 5:59 am

Re: How to Preserve Source Ip when Port Forwarding

Fri Aug 10, 2018 9:51 am

Dear Sob,

I've tried the NAT settings that you have written.

For the internet connection it works, but not for the purpose that I'm hoping for.

What I mean by purpose is this:
1. I have a computer with IP 192.168.1.23 that acts as an SFTP server for my clients. On this computer I installed an application called Bitvise.
2. What I want is that when my client uses FileZilla to connect to this computer, the Bitvise application can get the source IP of my client, for example 2.2.2.2.

Will this be possible using MikroTik?

Because with the settings that I tried, Bitvise still gets my local IP 192.168.1.1 as the address connecting to computer 192.168.1.23.

Note: I reset all of my configuration and followed the steps from this site: [Link](https://wiki.mikrotik.com/wiki/Manual:I ... figuration)
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: How to Preserve Source Ip when Port Forwarding

Fri Aug 10, 2018 9:59 am

So post the export of the current configuration. It is enough to e.g. forget to restrict the action=masquerade rule in ip firewall nat to act only on WAN interface to get the result you describe.
 
Hendy
just joined
Topic Author
Posts: 11
Joined: Thu Aug 02, 2018 5:59 am

Re: How to Preserve Source Ip when Port Forwarding

Mon Aug 13, 2018 2:08 pm

Dear Sindy,
sindy wrote:
So post the export of the current configuration. It is enough to e.g. forget to restrict the action=masquerade rule in ip firewall nat to act only on WAN interface to get the result you describe.
This is the NAT configuration that I'm using right now:
/ip firewall nat
add action=masquerade chain=srcnat dst-address=192.168.1.0/24 src-address=\
    192.168.1.0/24
add action=src-nat chain=srcnat out-interface=ether1 to-addresses=\
    1xx.1xx.1xx.1xx
add action=dst-nat chain=dstnat comment=SVN dst-address=1xx.1xx.1xx.1xx \
    dst-port=8443 protocol=tcp to-addresses=192.168.1.21 to-ports=8443
add action=dst-nat chain=dstnat comment=CCTV dst-address=1xx.1xx.1xx.1xx \
    dst-port=8081 protocol=tcp to-addresses=192.168.1.21 to-ports=8081
add action=dst-nat chain=dstnat comment=SFTPA dst-address=1xx.1xx.1xx.1xx \
    dst-port=22 protocol=tcp to-addresses=192.168.1.23 to-ports=22
add action=dst-nat chain=dstnat comment=SFTPB dst-address=1xx.1xx.1xx.1xx \
    dst-port=1380 protocol=tcp to-addresses=192.168.1.23 to-ports=1380
add action=dst-nat chain=dstnat comment=SFTPC dst-address=1xx.1xx.1xx.1xx \
    dst-port=1378 protocol=tcp to-addresses=192.168.1.23 to-ports=1378

This is the setting that I'm using.

But this setting still won't get me the result I want for my log activities in the Bitvise SSH server control panel.

The result I want to get is, for example:
2018-08-13 connection from 123.123.123.123:12313

But with this setting, what I get from Bitvise is, for example:
2018-08-13 connection from 192.168.1.1:12313
 
pe1chl
Forum Guru
Posts: 10216
Joined: Mon Jun 08, 2015 12:09 pm

Re: How to Preserve Source Ip when Port Forwarding  [SOLVED]

Mon Aug 13, 2018 2:51 pm

You need to delete the first NAT rule. It should not be there.
add action=masquerade chain=srcnat dst-address=192.168.1.0/24 src-address=\
    192.168.1.0/24
 
Hendy
just joined
Topic Author
Posts: 11
Joined: Thu Aug 02, 2018 5:59 am

Re: How to Preserve Source Ip when Port Forwarding

Tue Aug 14, 2018 5:34 am

Dear pe1chl,

Thanks for the reply.
pe1chl wrote:
You need to delete the first NAT rule. It should not be there.
add action=masquerade chain=srcnat dst-address=192.168.1.0/24 src-address=\
    192.168.1.0/24

After I disabled this NAT rule,
I can get the source IP from my client.
 
Sob
Forum Guru
Posts: 9120
Joined: Mon Apr 20, 2009 9:11 pm

Re: How to Preserve Source Ip when Port Forwarding

Thu Aug 16, 2018 8:06 pm

Hey, it was my hairpin NAT rule! :) And it had src-address=192.168.1.0/24, so it couldn't influence the client source address if it was a public one (or anything outside of 192.168.1.0/24). Or is there some typo I'm not seeing because of author's blindness?
 
raymondcidad
just joined
Posts: 8
Joined: Wed May 20, 2015 5:50 pm

Re: How to Preserve Source Ip when Port Forwarding

Tue Apr 07, 2020 2:17 am

If the question is,
"how to do port forwarding / destination NAT, but track/see the public source IP from the client?"
the answer is simple.
It is not the destination NAT that is the problem.

The problem is that you are using src-nat + masquerade WITHOUT the out-interface.
It should go like:
"chain=srcnat action=masquerade out-interface=ISP-interface"
 
anav
Forum Guru
Posts: 19322
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: How to Preserve Source Ip when Port Forwarding

Tue Apr 07, 2020 4:07 am

/export hide-sensitive file=anynameyouwish

post the full config
