Community discussions

just joined
Topic Author
Posts: 12
Joined: Sat Jun 29, 2019 7:10 pm

scrnat rule configuration

Mon Sep 16, 2019 5:51 pm

Hello all,

This is probably super basic, I went through the documentation, I spent hours on this and I simply dont get it.

I have two IPsec tunnels, one is coming from AWS to my firewall, and the second one is from my firewall to the customer.
I need to deliver the traffic from AWS to the customer -> AWS is sending the traffic to the customer IP.
I want to NAT the source IP address from AWS.

So I added NAT rules:

add chain=srcnat src-address= dst-address= action=src-nat to-address=

the traffic does not fall in this rule, because it does not come from the inside I guess. So I try to add before that one:

add chain=dstnat src-address= dst-address= action=accept

the traffic does fall in that rule, but once accepted that is. It does not go to my srcnat. .

I tried to passthrough, or jump to, I also did dsnat translation to the same destination IP, I really dont know how to configure this.

What am I missing?

Thank you very much.
User avatar
Forum Guru
Forum Guru
Posts: 1790
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: scrnat rule configuration

Wed Sep 18, 2019 12:00 am


Src-nat and dst-nat are locate in different chains and are executed at different times, dst-nat before routing & src-nat after routing. One can't interfere with the other.

List your full firewall config if you need further assistance (/export hide-sensitive)
just joined
Topic Author
Posts: 12
Joined: Sat Jun 29, 2019 7:10 pm

Re: scrnat rule configuration

Tue Oct 01, 2019 12:26 am

I found a config that works for my scenario but I get the feeling I could do this better.

I got the Mikrotik tunneling with IPsec from my AWS to an external endpoint that I dont control.

What I want is traffic from AWS to the endpoint, and the deliverty must appear from
My idea was a NAT rule that will grab this traffic and change the source IP address, simply as that.

But since I could not come with a the rule that would do the trick, I did the following:
I send the traffic from AWS to (which is my Mikrotik)
I dstNAT this traffic to the destination I want
0 chain=dstnat action=dst-nat to-addresses= src-address= dst-address= log=yes log-prefix=""
then I do the scrnat
1 chain=srcnat action=src-nat to-addresses= src-address= dst-address= log=yes log-prefix=""

This is working, but I dont like it, since I could send the traffic from AWS to the to the right destination in the first time. But when I tried that, my accept dstNAT rule was hit and it never entered the scrNAT one.
How could I have done this better, any idea?

Thank you very much.

Who is online

Users browsing this forum: No registered users and 105 guests