Zsoltr
just joined
Topic Author
Posts: 20
Joined: Wed Dec 06, 2017 4:46 pm

DST-NAT in pair with SRC-NAT?

Tue Sep 18, 2018 8:02 am

Hi!

Maybe it sounds weird, but I would like to run a mail server behind NAT. In this case the mail server will only receive mails from the router IP address because of the NAT. In case I create an SRC-NAT, I can set the source IP for these packages to whatever I set in the SRC-NAT rule, but this is a static setting.
Now the question:
Is there a way to do it dynamically? If not, can you give me an idea how I could run a mail server locally with a public IP address? (VPN? EOIP? Bridging?)
The public IP addresses (there are 3 of them) are assigned to a cloud hosted mikrotik instance. I would like to use one of these addresses for the mail server.

Thanks!
 
mkx
Forum Guru
Posts: 11624
Joined: Thu Mar 03, 2016 10:23 pm

Re: DST-NAT in pair with SRC-NAT?

Tue Sep 18, 2018 10:44 am

You only need DST-NAT rule:
/ip firewall nat
add action=dst-nat chain=dstnat in-interface-list=WAN protocol=tcp dst-port=25 to-addresses=<ip address of your SMTP server>
The problem would be if your SMTP server in your LAN has dynamic address. My stand is that servers should have static addresses (either set statically on the machine itself or through static DHCP lease which is set up on DHCP server).

Another thing is the way of binding the above DST-NAT rule to act only on incoming connections from internet. One way is to set it as in my example which implies setting proper members of interface list WAN. Another possibility would be directly set it to WAN interface (e.g. pppoe-out1 or ether1 or ...). Further possibility would be to bind it to public IP address of your RB if it is static. Then the above command would become
add action=dst-nat chain=dstnat dst-address=<public IP address> protocol=tcp dst-port=25 to-addresses=<ip address of your SMTP server>

You need to set firewall to allow incoming connections as well (use chain=forward not input).
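An added configuration example putting the two halves of this post together (it is not mkx's own config, and not from MikroTik documentation): the interface list, the DST-NAT rule from the post, and the forward-chain filter rules that let the forwarded SMTP connections in while dropping everything else that arrives from the internet. The interface name ether1 and the server address 192.168.10.225 (the LAN address given later in this thread) are assumptions; substitute your own.

```routeros
# Added example, not the poster's configuration. Assumptions: ether1 is the
# public interface and 192.168.10.225 is the SMTP server on the LAN.
/interface list
add name=WAN
/interface list member
add interface=ether1 list=WAN

# DST-NAT as in the post above: port 25 arriving from any WAN member goes to the server
/ip firewall nat
add chain=dstnat in-interface-list=WAN protocol=tcp dst-port=25 action=dst-nat to-addresses=192.168.10.225

# forward chain: replies to already-accepted connections
/ip firewall filter
add chain=forward connection-state=established,related action=accept
# new connections from the internet are accepted only if a dstnat rule translated them
add chain=forward connection-state=new connection-nat-state=dstnat in-interface-list=WAN action=accept
# every other new connection coming from the internet is dropped
add chain=forward connection-state=new in-interface-list=WAN action=drop

# check: the dstnat rule's packet counter should rise when port 25 is hit from outside
/ip firewall nat print stats where chain=dstnat
```

The accept rule is deliberately tied to connection-nat-state=dstnat rather than to a port number, so it keeps matching whatever the DST-NAT rules forward and nothing else; a second forwarded service only needs a new nat rule, not a new filter rule.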
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: DST-NAT in pair with SRC-NAT?

Tue Sep 18, 2018 8:12 pm

This case the mail server will only receive mails from the router IP address because of the NAT.
It sounds like your main masquerade/srcnat rule is wrong, it should only affect outgoing traffic (out-interface=WAN).
 
Zsoltr
just joined
Topic Author
Posts: 20
Joined: Wed Dec 06, 2017 4:46 pm

Re: DST-NAT in pair with SRC-NAT?

Wed Sep 19, 2018 9:26 am

Thanks for all the answers.
Actually, what I was looking for is routing a public IP to a server on the LAN. Now I have managed to "partially" solve it, by a PPTP connection. This is the scenario:

Cloud hosted router
Available WAN IPs: 37.xxx.xxx.249, 78.xxx.xxx.230, 78.xxx.xxx.231
WAN IP in use: 37.xxx.xxx.249
L2TP server running

Home router
PPPoE connection to the internet (Dynamic IP)
L2TP connection to the Cloud hosted router (37.xxx.xxx.249) (local 192.168.181.5, remote 192.168.181.6) This connection is for management purposes only.

Server on home LAN:
Local address: 192.168.10.225
L2TP address: 78.xxx.xxx.231 (It's connecting to the Cloud hosted routers 37.xxx.xxx.249)

So it is working now, BUT it would be better for me, to be able to use tunneling instead of L2TP connection. Can you please help me on creating a tunnel for this? Which tunnel you recommend?

Thanks again!
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: DST-NAT in pair with SRC-NAT?

Wed Sep 19, 2018 4:13 pm

it would be better for me, to be able to use tunneling instead of L2TP connection
I would rephrase it into "to be able to use another tunneling protocol than L2TP", as L2TP is a tunneling protocol itself.

But the question is whether you need this. If, on the public side of router A, you can receive packets for a public address b.b.b.b somehow, you can use a dst-nat rule to translate b.b.b.b to some private p.p.p.p which is then routed to another router B. On router B, you can dst-nat p.p.p.p back to b.b.b.b and connect a server to router B's LAN with b.b.b.b as its own IP address.

I understand that between your CHR (router A) and your home router (router B) to which the mailserver is connected there already is a tunnel. So you can reuse this existing tunnel also to route the packets using the scheme above, without need to build another tunnel in parallel or inside the existing one.
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: DST-NAT in pair with SRC-NAT?

Wed Sep 19, 2018 4:50 pm

As the wise man said ^^^. If it's only for mail server, you can keep the public address where it is and just use NAT and forward some ports.

If you insist on having the public address directly on server, you can find some inspiration in Public IP over a tunnel thread.
 
Zsoltr
just joined
Topic Author
Posts: 20
Joined: Wed Dec 06, 2017 4:46 pm

Re: DST-NAT in pair with SRC-NAT?

Wed Sep 19, 2018 5:14 pm

As the wise man said ^^^. If it's only for mail server, you can keep the public address where it is and just use NAT and forward some ports.

If you insist on having the public address directly on server, you can find some inspiration in Public IP over a tunnel thread.
My problem with forwarding some ports is that the mail server will see only the router's IP address as the sender IP.

This is the scenario with nat:
CHR
IP: 78.xxx.xxx.231
(l2tp connection from home router with dynamic ip with 192.168.181.5 remote and 192.168.181.6 local ip)
routed to 192.168.10.0/24 via 192.168.181.5
dst-nat 78.xxx.xxx.231 tcp 25 to 192.168.10.225 tcp 25

This case the mail server will see 192.168.181.5 as sender ip. This is why I wanted to assign the public ip directly to the server. (Or maybe I'm doing something wrong?)


But thanks for the hint, I will dig through that topic! :)
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: DST-NAT in pair with SRC-NAT?

Wed Sep 19, 2018 5:21 pm

You must be doing something wrong, most likely you are using a src-nat rule where you shouldn't - namely, on the interface with 192.168.1.5. So instead of the actual address of the client, the server gets the 192.168.1.5.

There is only one scenario where you have to do that, which is when you want a client in a subnet to access a server in the same subnet via a public alias of the server's IP. It is called hairpin NAT and it definitely doesn't match your case.

Or, better to say, you have to force the response packets from the mailserver to the client via the CHR using some other means than src-nat of the requests :)
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: DST-NAT in pair with SRC-NAT?

Wed Sep 19, 2018 5:39 pm

If 192.168.181.5 is on CHR, then that's where you need to look for wrong srcnat/masquerade rule.
 
Zsoltr
just joined
Topic Author
Posts: 20
Joined: Wed Dec 06, 2017 4:46 pm

Re: DST-NAT in pair with SRC-NAT?

Wed Sep 19, 2018 6:50 pm

If 192.168.181.5 is on CHR, then that's where you need to look for wrong srcnat/masquerade rule.
You are right! There is a masquerade for out-interface l2tp (this is where the home router connects to). But if I disable this, I won't be able to dst-nat to my home LAN network. Or should I do it step by step? (From public IP to l2tp remote IP, then on the home router from the local l2tp IP to my LAN IP.)

Thanks it looks like I can see some light now. :)
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: DST-NAT in pair with SRC-NAT?

Wed Sep 19, 2018 6:56 pm

Basically (i.e. in most cases) there is no need to do NAT anywhere else than on the border between public and private network. So whatever from your home network goes to the internet via the CHR, and whatever from the CHR goes to your home network, does not need to be NATed on the path between the two. You only have to configure routing properly. So on your home router, what goes out via the local WAN should be src-nated, but what goes out via the tunnel interface representing the tunnel to CHR should not, as it will be src-nated by the CHR as leaving through its own WAN. And vice versa in the opposite direction, there is no need to NAT anything that goes from CHR to home router via the tunnel, but the home router must note down that a request came in via the tunnel and route the response out via the tunnel too; look at connection-mark and routing-mark use for policy routing. Use of src-nat on CHR side provides the same functionality in a simpler to set up way but the penalty you pay is the loss of information about the actual IP address of the client.
 
Zsoltr
just joined
Topic Author
Posts: 20
Joined: Wed Dec 06, 2017 4:46 pm

Re: DST-NAT in pair with SRC-NAT?

Wed Sep 19, 2018 10:39 pm

Thanks for the hints! I had a mistake in my routing.
Now I can ping my local lan from the CHR. (It is routing through the l2tp connection.)

My CHR config:
/ip firewall nat
add action=dst-nat chain=dstnat comment="Nat to local ISPConfig" dst-address=78.xxx.xxx.230 dst-port=80 log=yes protocol=tcp to-addresses=192.168.93.218 to-ports=80

/ip route
add distance=1 gateway=37.xxx.xxx.254
add distance=1 dst-address=192.168.93.0/24 gateway=l2tp-in
I can ping to 192.168.93.218 from the CHR.
BUT!
DST-NAT not working. I have torched the traffic on my home router:
I have created a firewall rule on my home MT and logged the traffic:
firewall,info forward: in:l2tp-out1 out:LAN, proto TCP (SYN), 188.xxx.xxx.73:58501->192.168.93.218:80, len 52
So it works one way at least.
What am I missing here? Should I create some connection marking?
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: DST-NAT in pair with SRC-NAT?

Wed Sep 19, 2018 10:58 pm

What am I missing here? Should I create some connection marking?
That's hard to answer given that we don't know the current routing configuration of the home router.

Assuming that the normal routing on the home router sends packets to the internet via the local WAN, you need to make sure, one way or another, that the responses from the mailserver will be routed out the L2TP tunnel to CHR instead of the local WAN. There are several possible ways to achieve this:
  • route anything with src-address=192.168.93.218 protocol=tcp src-port 25 via the l2tp tunnel to the CHR. To do that, you need to add a default route with routing-mark=via-chr and a mangle rule in chain=prerouting assigning that routing-mark to the packets matching the above conditions
  • simplify the above into sending anything from 192.168.93.218 via the l2tp tunnel (ignoring protocol and port). To do that, you still need to add the default route with routing-mark=via-chr, but you can assign that routing-mark using /ip route rule add src-address=192.168.93.218 action=lookup-only-in-table table=via-chr
  • create a generic handling for any connection which got established via the l2tp tunnel - in this case, one mangle rule in chain=prerouting would assign a connection-mark via-chr to all packets with in-interface=l2tp-out1, and another mangle rule in the same chain would assign a routing-mark via-chr to all packets with in-interface=LAN connection-mark=via-chr; the route as above is necessary too
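An added example, written here and not taken from sindy's or Zsoltr's configs, that implements the third option above together with the "NAT only at the public border" layout from sindy's earlier reply: the CHR keeps its dst-nat and masquerades only on its own WAN, the home router masquerades only on pppoe-out1, and a connection-mark / routing-mark pair returns tunnel-originated connections through the tunnel. Assumptions: RouterOS v6 syntax (the thread is from 2018; v7 needs a /routing table entry and routing-table= instead of routing-mark=), ether1 is the CHR's public interface, the interface names l2tp-in, l2tp-out1, LAN and the addresses 78.xxx.xxx.230 and 192.168.93.0/24 are the ones posted in this thread.

```routeros
# ---- CHR (router A), added example ----
/ip firewall nat
# dst-nat as posted: public address -> server on the home LAN
add chain=dstnat dst-address=78.xxx.xxx.230 protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.93.218 to-ports=80
# src-nat only for traffic leaving via the CHR's public interface (assumed ether1);
# there is no masquerade on the l2tp interface, so the server sees the real client address
add chain=srcnat out-interface=ether1 action=masquerade
/ip route
add dst-address=192.168.93.0/24 gateway=l2tp-in

# ---- home router (router B), added example ----
/ip firewall nat
# src-nat only on the local WAN, nothing on the tunnel
add chain=srcnat out-interface=pppoe-out1 action=masquerade

/ip firewall mangle
# 1) first packet of a connection arriving through the tunnel: remember where it came from
add chain=prerouting in-interface=l2tp-out1 connection-state=new action=mark-connection new-connection-mark=via-chr passthrough=yes
# 2) packets of such connections coming back from the LAN: route them via the via-chr table
add chain=prerouting in-interface=LAN connection-mark=via-chr action=mark-routing new-routing-mark=via-chr passthrough=no

/ip route
# default route used only by packets carrying routing-mark=via-chr
add dst-address=0.0.0.0/0 gateway=l2tp-out1 routing-mark=via-chr

# checks while testing from an address outside the home LAN:
# the connection should show the mark, and the mangle counters should both increase
/ip firewall connection print where connection-mark=via-chr
/ip firewall mangle print stats
```

Rule 1 matches connection-state=new so the connection-mark is set once, on the SYN, and inherited by every later packet of that connection; rule 2 then only has to look at the mark, not at addresses or ports, which is why this variant keeps working when more ports are forwarded later. As Zsoltr found out a few posts down, a test from inside the home LAN does not exercise this path: the request never arrives via l2tp-out1, so it gets no mark.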
 
Zsoltr
just joined
Topic Author
Posts: 20
Joined: Wed Dec 06, 2017 4:46 pm

Re: DST-NAT in pair with SRC-NAT?

Wed Sep 19, 2018 11:37 pm

I owe you a beer at least! :)
1st of all, thank you for being so helpful!

The problem was that I was trying the dst-nat rule from the local network, going out through the home router WAN interface (so the source IP was the IP of the WAN of the home router). As a result, all the packages like ACK were not routed through the l2tp, but were "shorted" to the home router's WAN.

As soon as I tried it from somewhere else (outside of local network) it worked like charm!

Thanks again all for being so responsive and helpful!

Zsolt
 
Zsoltr
just joined
Topic Author
Posts: 20
Joined: Wed Dec 06, 2017 4:46 pm

Re: DST-NAT in pair with SRC-NAT?

Thu Sep 20, 2018 12:36 am

It would be great to solve it by the way, to work from local also... But I will try to dig through on the routes.

Thanks again!

Zsolt
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: DST-NAT in pair with SRC-NAT?

Thu Sep 20, 2018 1:16 am

You can:
a) Close the shortcut for response packets and force them to go back via the l2tp link. But overriding a local destination is hard, the router always prefers it. The only way is to use action=route in prerouting.
b) Make a shortcut for outgoing packets, simply add dstnat rule on local router and don't let the traffic to <public address> go out, but instead send it to local server. You'll need to combine this with hairpin NAT.

I'd choose b).
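An added example of option b), not Sob's own configuration: on the home router, connections from the LAN to the public address are dst-natted straight to the server, and a hairpin src-nat rule makes the server answer through the router instead of directly to the client. Assumptions: the LAN is 192.168.93.0/24, the server is 192.168.93.218 and the public address is 78.xxx.xxx.230, all as posted in this thread; the CHR keeps handling internet clients, so nothing changes for them.

```routeros
# ---- home router, added example for option b) ----
/ip firewall nat
# LAN client -> public address: translate locally, do not send it out the WAN
add chain=dstnat src-address=192.168.93.0/24 dst-address=78.xxx.xxx.230 protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.93.218 to-ports=80
# hairpin: rewrite the client's source address so the server's reply goes back through
# the router (which un-does the dst-nat); without it the client receives a reply from
# 192.168.93.218 for a connection it opened to 78.xxx.xxx.230 and discards it
add chain=srcnat src-address=192.168.93.0/24 dst-address=192.168.93.218 protocol=tcp dst-port=80 action=masquerade

# check from a LAN client: the connection should appear dst-natted and src-natted
/ip firewall connection print detail where dst-address~"192.168.93.218:80"
```

The src-address match on the dstnat rule is what keeps this from interfering with the CHR path: packets arriving through the tunnel already carry 192.168.93.218 as destination, so neither rule touches them. The cost of the hairpin is limited to LAN-originated connections, where the server logs the router's LAN address instead of the client's; connections from the internet still show the real client address, which was the point of the whole thread.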
