Community discussions

sawesa
just joined
Topic Author
Posts: 12
Joined: Sat Jun 29, 2019 7:10 pm

srcnat rule configuration

Mon Sep 16, 2019 5:51 pm

Hello all,

This is probably super basic. I went through the documentation, I spent hours on this and I simply don't get it.

I have two IPsec tunnels, one is coming from AWS to my firewall, and the second one is from my firewall to the customer.
I need to deliver the traffic from AWS to the customer -> AWS is sending the traffic to the customer IP.
I want to NAT the source IP address from AWS.

So I added NAT rules:

add chain=srcnat src-address=10.93.0.0/16 dst-address=10.15.1.1 action=src-nat to-address=10.2.200.9

The traffic does not fall into this rule, because it does not come from the inside, I guess. So I tried to add before that one:

add chain=dstnat src-address=10.93.0.0/16 dst-address=10.15.1.1 action=accept

The traffic does fall into that rule, but once accepted, that is it. It does not go to my srcnat.

I tried passthrough, or jump to; I also did a dst-nat translation to the same destination IP. I really don't know how to configure this.

What am I missing?


Thank you very much.
 
sebastia
Forum Guru
Posts: 1790
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: srcnat rule configuration

Wed Sep 18, 2019 12:00 am

Hi

Src-nat and dst-nat are located in different chains and are executed at different times: dst-nat before routing and src-nat after routing. One can't interfere with the other.

List your full firewall config if you need further assistance (/export hide-sensitive)
 
sawesa
just joined
Topic Author
Posts: 12
Joined: Sat Jun 29, 2019 7:10 pm

Re: srcnat rule configuration

Tue Oct 01, 2019 12:26 am

I found a config that works for my scenario, but I get the feeling I could do this better.

I have the Mikrotik tunneling with IPsec from my AWS to an external endpoint that I don't control.

What I want is traffic from AWS 10.93.0.0/22 to the endpoint 10.15.1.1, and the delivery must appear to come from 10.2.200.8/29.
My idea was a NAT rule that would grab this traffic and change the source IP address, as simple as that.

But since I could not come up with the rule that would do the trick, I did the following:
I send the traffic from AWS to 10.1.200.2 (which is my Mikrotik).
I dst-nat this traffic to the destination I want, 10.15.1.1:
chain=dstnat action=dst-nat to-addresses=10.15.1.1 src-address=10.93.0.0/22 dst-address=10.1.200.2 log=yes log-prefix=""
Then I do the srcnat:
chain=srcnat action=src-nat to-addresses=10.2.200.8/29 src-address=10.93.0.0/22 dst-address=10.15.1.1 log=yes log-prefix=""

This is working, but I don't like it, since I could send the traffic from AWS to the right destination in the first place. But when I tried that, my accept dst-nat rule was hit and it never entered the srcnat one.
How could I have done this better, any idea?

Thank you very much.
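The chain ordering sebastia describes (dstnat in prerouting, srcnat in postrouting, evaluated independently) is easy to model, and doing so shows why the srcnat rule in the working config can match on dst-address=10.15.1.1 even though the packet arrived addressed to 10.1.200.2: postrouting sees the destination as already rewritten by dstnat. The Python below is an added illustration, not code from the thread or from MikroTik. It models only rule matching and the order of the two NAT chains; the addresses are the ones from the posts, the Packet/Rule classes and pick_address() are invented for the model, and pick_address() deterministically takes the first usable host of a range as a stand-in for the router's own choice. It does not model IPsec policy lookup, so it cannot show why the first rule set did not take effect on the real router; on the router itself the check is the per-rule packet counters in /ip firewall nat print stats, which tell you whether a rule was matched at all.

```python
"""Toy model of MikroTik NAT chain ordering: dstnat (prerouting) runs before
the routing decision, srcnat (postrouting) runs after it, and an accept in
one chain does not stop the other chain from being evaluated.
Added illustration only; IPsec policy processing is not modelled."""
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass(frozen=True)
class Rule:
    chain: str                          # "dstnat" (prerouting) or "srcnat" (postrouting)
    action: str                         # "accept", "passthrough", "dst-nat" or "src-nat"
    src_address: Optional[str] = None   # CIDR or single address, like the CLI matcher
    dst_address: Optional[str] = None
    to_addresses: Optional[str] = None  # replacement address or CIDR range

    def matches(self, pkt: Packet) -> bool:
        for want, have in ((self.src_address, pkt.src), (self.dst_address, pkt.dst)):
            if want is not None and ipaddress.ip_address(have) not in ipaddress.ip_network(want, strict=False):
                return False
        return True


def pick_address(spec: str) -> str:
    """First usable host of to-addresses (hypothetical, deterministic stand-in
    for how the router picks an address out of a range)."""
    net = ipaddress.ip_network(spec, strict=False)
    return str(net[1] if net.num_addresses > 2 else net[0])


def run_chain(chain: str, pkt: Packet, rules: List[Rule],
              log: List[Tuple[str, int, str]]) -> Packet:
    """Walk one chain top to bottom. accept, dst-nat and src-nat terminate the
    chain; passthrough only counts the match and continues."""
    for idx, rule in enumerate(rules):
        if rule.chain != chain or not rule.matches(pkt):
            continue
        log.append((chain, idx, rule.action))
        if rule.action == "passthrough":
            continue
        if rule.action == "accept":
            return pkt
        if rule.action == "dst-nat":
            return replace(pkt, dst=pick_address(rule.to_addresses))
        if rule.action == "src-nat":
            return replace(pkt, src=pick_address(rule.to_addresses))
        raise ValueError(f"unsupported action {rule.action}")
    return pkt


def nat_traversal(pkt: Packet, rules: List[Rule]) -> Tuple[Packet, List[Tuple[str, int, str]]]:
    """dstnat first, then the (not modelled) routing decision, then srcnat.
    srcnat matches against the destination as rewritten by dstnat."""
    log: List[Tuple[str, int, str]] = []
    pkt = run_chain("dstnat", pkt, rules, log)   # prerouting, before routing
    pkt = run_chain("srcnat", pkt, rules, log)   # postrouting, after routing
    return pkt, log


# First attempt from the opening post: accept in dstnat, src-nat in srcnat.
FIRST_ATTEMPT = [
    Rule("dstnat", "accept", src_address="10.93.0.0/16", dst_address="10.15.1.1"),
    Rule("srcnat", "src-nat", src_address="10.93.0.0/16", dst_address="10.15.1.1",
         to_addresses="10.2.200.9"),
]

# Working configuration from the follow-up post.
WORKING = [
    Rule("dstnat", "dst-nat", src_address="10.93.0.0/22", dst_address="10.1.200.2",
         to_addresses="10.15.1.1"),
    Rule("srcnat", "src-nat", src_address="10.93.0.0/22", dst_address="10.15.1.1",
         to_addresses="10.2.200.8/29"),
]

if __name__ == "__main__":
    # Constructed sample packets using the thread's addresses.
    for name, rules, pkt in (("first attempt", FIRST_ATTEMPT, Packet("10.93.1.10", "10.15.1.1")),
                             ("working", WORKING, Packet("10.93.1.10", "10.1.200.2"))):
        out, log = nat_traversal(pkt, rules)
        print(f"{name}: {pkt} -> {out} via {log}")
```

In the model the first rule set does translate the source: the accept in dstnat ends the dstnat chain only, and the srcnat rule is still matched afterwards. If the counters on the router show the srcnat rule at zero packets, the reason lies outside plain chain ordering, which is why the full export sebastia asked for is the next step.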
