Community discussions

 
twinturbo
just joined
Topic Author
Posts: 11
Joined: Thu Jun 06, 2019 6:10 pm

DNAT where source is also translated.

Tue Nov 05, 2019 7:11 pm

Scratching my head over this one.

I have an external devices connection to and external IP on the TIK, this has to NAT to an internal IP of a server.

The internal server has no idea about this external subnet so can't route back to it.

So I need the TIK to change the SRC address that the packets appear to come from to the internal IP of the TIK...

So in essence all traffic appears to only come from the TIK and nothing else.

I can't work out how to do it in this device.

Rob
 
pe1chl
Forum Guru
Forum Guru
Posts: 5913
Joined: Mon Jun 08, 2015 12:09 pm

Re: DNAT where source is also translated.

Tue Nov 05, 2019 7:14 pm

You need to use both a DNAT and SNAT rule for the same traffic. It is not possible to combine this into one rule.
 
twinturbo
just joined
Topic Author
Posts: 11
Joined: Thu Jun 06, 2019 6:10 pm

Re: DNAT where source is also translated.

Tue Nov 05, 2019 7:28 pm

I have seen mention of that and tired it.

So does the SNAT get applied before the packet is forwarded out of the router to the server?

I have tried this and It does not seem to work. Followed a lot of examples etc.

Thanks
 
twinturbo
just joined
Topic Author
Posts: 11
Joined: Thu Jun 06, 2019 6:10 pm

Re: DNAT where source is also translated.

Tue Nov 05, 2019 7:39 pm

If I have a static route on my server to the external subnet, things work. But not if the route is removed. So I know the source is not being translated.
 
twinturbo
just joined
Topic Author
Posts: 11
Joined: Thu Jun 06, 2019 6:10 pm

Re: DNAT where source is also translated.

Tue Nov 05, 2019 7:46 pm

128.x.x.[50-70] are the external clients.
128.x.x.4 is the external interface IP
172.x.x.199 is the internal server
172.x.x.123 is the internal firewall address that traffic should go back to.

172.x.x.123 has no idea of the routes to 128.x.x.x

0 chain=dstnat action=dst-nat to-addresses=172.x.x.199 protocol=tcp dst-address=128.x.x.4 dst-port=5001
1 chain=srcnat action=src-nat to-addresses=128.x.x.4 src-address=172.x.x.199

Thanks
 
pe1chl
Forum Guru
Forum Guru
Posts: 5913
Joined: Mon Jun 08, 2015 12:09 pm

Re: DNAT where source is also translated.

Tue Nov 05, 2019 8:14 pm

Look here for the packet flow: https://wiki.mikrotik.com/wiki/Manual:Packet_Flow
Warning, it is complicated!

Try the src-nat with a match on the (replaced) dst-address instead of the src-address. That should work.
 
twinturbo
just joined
Topic Author
Posts: 11
Joined: Thu Jun 06, 2019 6:10 pm

Re: DNAT where source is also translated.

Tue Nov 05, 2019 8:22 pm

So...
1 chain=srcnat action=src-nat to-addresses=128.x.x.4 src-address=172.x.x.123
 
mkx
Forum Guru
Forum Guru
Posts: 3177
Joined: Thu Mar 03, 2016 10:23 pm

Re: DNAT where source is also translated.

Tue Nov 05, 2019 8:40 pm

The abbreviated packet flow is this:
  1. packet enters RB via WAN interface
  2. dst-nat gets executed
  3. firewall does the job
  4. src-nat gets executed
  5. packet leaves through LAN interface

So for particular IP address list, the steps would be these:
  1. packet has src-address=128.x.x.50 (example), dst-address=128.x.x.4
  2. add action=dst-nat chain=dstnat src-address=128.x.x.50 dst-address=128.x.x.4 <other settings> to-addresses=172.x.x.199
    At this point packet has src-address=128.x.x.50 and dst-address=172.x.x.199
  3. whatever firewall does, possibly allows this packet
  4. add action=src-nat chain=srcnat src-address=128.x.x.50 dst-address=172.x.x.199 <other settings> to-addresses=172.x.x.123
  5. at this point packet has src-address=172.x.x.123 and dst-address=172.x.x.199

You have to adjust the NAT rules to cover all needed WAN addresses (eitger using address range or address subnet mask) ...
Last edited by mkx on Tue Nov 05, 2019 8:44 pm, edited 1 time in total.
BR,
Metod
 
User avatar
CZFan
Forum Guru
Forum Guru
Posts: 1434
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Randburg
Contact:

Re: DNAT where source is also translated.

Tue Nov 05, 2019 8:41 pm

replace your 2nd rule with,
/ip firewall nat
add chain=srcnat action=src-nat in-interface=<YourWANInterface> dst-address=172.x.x.199 to-addresses=172.x.x.123
MTCNA, MTCTCE, MTCRE & MTCINE
 
twinturbo
just joined
Topic Author
Posts: 11
Joined: Thu Jun 06, 2019 6:10 pm

Re: DNAT where source is also translated.

Wed Nov 06, 2019 12:04 pm

replace your 2nd rule with,
/ip firewall nat
add chain=srcnat action=src-nat in-interface=<YourWANInterface> dst-address=172.x.x.199 to-addresses=172.x.x.123
"failure: incomming interface match not possible in output postrouting chains"

Cheers
...
 
twinturbo
just joined
Topic Author
Posts: 11
Joined: Thu Jun 06, 2019 6:10 pm

Re: DNAT where source is also translated.

Wed Nov 06, 2019 12:08 pm

The abbreviated packet flow is this:
  1. packet enters RB via WAN interface
  2. dst-nat gets executed
  3. firewall does the job
  4. src-nat gets executed
  5. packet leaves through LAN interface

So for particular IP address list, the steps would be these:
  1. packet has src-address=128.x.x.50 (example), dst-address=128.x.x.4
  2. add action=dst-nat chain=dstnat src-address=128.x.x.50 dst-address=128.x.x.4 <other settings> to-addresses=172.x.x.199
    At this point packet has src-address=128.x.x.50 and dst-address=172.x.x.199
  3. whatever firewall does, possibly allows this packet
  4. add action=src-nat chain=srcnat src-address=128.x.x.50 dst-address=172.x.x.199 <other settings> to-addresses=172.x.x.123
  5. at this point packet has src-address=172.x.x.123 and dst-address=172.x.x.199

You have to adjust the NAT rules to cover all needed WAN addresses (eitger using address range or address subnet mask) ...
How would this work if you did not know the source address?



Cheers
 
pe1chl
Forum Guru
Forum Guru
Posts: 5913
Joined: Mon Jun 08, 2015 12:09 pm

Re: DNAT where source is also translated.

Wed Nov 06, 2019 12:28 pm

You do not need to match on src-address. It is sufficient to match on protocol, port and dst-address.
So you do the dst-nat based on the protocol and port and with dst-address equal to the local address of the router, translating the dst-addr to the address of the device you want to access.
Then, also have a src-nat that sets the source address equal to the router address for such traffic towards the dst-addr of the device (and the protocol and port).

Do not apply a too-wide match (e.g. omitting the protocol and port) because you may lock yourself out of the router!
 
twinturbo
just joined
Topic Author
Posts: 11
Joined: Thu Jun 06, 2019 6:10 pm

Re: DNAT where source is also translated.

Wed Nov 06, 2019 12:56 pm

You do not need to match on src-address. It is sufficient to match on protocol, port and dst-address.
So you do the dst-nat based on the protocol and port and with dst-address equal to the local address of the router, translating the dst-addr to the address of the device you want to access.
Then, also have a src-nat that sets the source address equal to the router address for such traffic towards the dst-addr of the device (and the protocol and port).

Do not apply a too-wide match (e.g. omitting the protocol and port) because you may lock yourself out of the router!
The DNAT is already configured with just "DST, Port, Proto,Translated address"
 
twinturbo
just joined
Topic Author
Posts: 11
Joined: Thu Jun 06, 2019 6:10 pm

Re: DNAT where source is also translated.

Wed Nov 06, 2019 1:09 pm

Ok, think I have it sorted..

Post by "mkx » Tue Nov 05, 2019 6:40 pm" probably gave the hints..

I ran tcpdump on the server to see what address was being forwarded and then adjusted the paramaters in the rules until I saw the src-natted address..

Server has no routing, no concept of a subnet other than 172.x.x.x/24

source = any
wan = 128.x.x.4
ehter2 = 172.x.x.123
server = 172.x.x.199


chain=dstnat action=dst-nat to-address=172.x.x.199 protocol=tcp dst-address=128.x.x.4 dst-port=5001
chain=srcnat action=src-nat to-address=172.x.x.123 dst-address=172.x.x.199


Don't understand the logic, but if that's how it is then fine..

Thanks

Rob
 
pe1chl
Forum Guru
Forum Guru
Posts: 5913
Joined: Mon Jun 08, 2015 12:09 pm

Re: DNAT where source is also translated.

Wed Nov 06, 2019 1:39 pm

Ok but note that due to the way you wrote the src-nat, ALL traffic towards that address will be src-natted not only the traffic you dst-natted to that server.
This probably does not matter when your server has no routes at all, but when it would have routes to other local subnets it would cause problems.
In that case you should put the "protocol=tcp dst-port=5001" in the src-nat rule as well.

I use this method all the time to recover devices at remote sites that have fallen back to default settings.
E.g. on a radio link between MikroTik routers made using Ubiquiti WiFi radios that sometimes revert to their factory default IP of 192.168.1.20 with no routes.
Temporarily add 192.168.1.1/24 on the port it is connected to, add those two rules for tcp/443 and I can connect the device and reconfigure it.
Very handy!
 
mkx
Forum Guru
Forum Guru
Posts: 3177
Joined: Thu Mar 03, 2016 10:23 pm

Re: DNAT where source is also translated.

Wed Nov 06, 2019 2:08 pm

How would this work if you did not know the source address?

I took source addresses from your post #5 above ... and used those as illustration how to make NAT rules as speciffic as possible not to affect the rest of traffic.

With NAT rules there are two kinds of parameters:
  1. selection criteria, which define which packets will be affected by particular rule.
    Almost all parameters fall into this category, but most used are src-address, dst-address, src-address-list, dst-address-list, protocol, src-port, dst-port, in-interface, out-interface. Not all of these parameters have to be set, but one has to be careful to set selection parameters so that the rule is not "too greedy".
  2. action parameters, which define what needs to be changed on packets.
    These are the following two parameters: to-addresses and to-ports and define the resulting value. With src-nat the corresponding src-* values get overwritten and with dst-nat the corresponding dst-* values get overwritten. If one of the two parameters is not set (most frequently to-ports is not set), then the corresponding src-* or dst-* value is not changed.

It is perfectly fine to use e.g. src-address as selection criterion in src-nat with to-addresses set ... just keep in mind that first selection rules are ran against original packet[*] and action is done on matching packets.
[*] I used "original" meaning the packet which is being matched ... which might got changed already before this NAT rule is being evaluated.
BR,
Metod
 
anav
Forum Guru
Forum Guru
Posts: 3100
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: DNAT where source is also translated.

Wed Nov 06, 2019 4:11 pm

Can someone add some diagrams of the connectivity of these devices for this poor fella trying to follow this thread........
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
mkx
Forum Guru
Forum Guru
Posts: 3177
Joined: Thu Mar 03, 2016 10:23 pm

Re: DNAT where source is also translated.

Wed Nov 06, 2019 4:17 pm

Think of LAN (172.x.x.0/24) and WAN (the rest). And devices in LAN don't have any route defined ... hence they can only communicate with devices within same L2 domain (same subnet).

Nothing complicated to picture in one's mind :wink:
BR,
Metod
 
twinturbo
just joined
Topic Author
Posts: 11
Joined: Thu Jun 06, 2019 6:10 pm

Re: DNAT where source is also translated.

Thu Nov 07, 2019 11:26 am

Just less easy to put down in rules for a relative Tik Newbie...

I guess it's similar to the operation of Linux IPTABLES, but I have not had to touch that in 10 years.

Cheers

Rob
 
sindy
Forum Guru
Forum Guru
Posts: 3898
Joined: Mon Dec 04, 2017 9:19 pm

Re: DNAT where source is also translated.

Thu Nov 07, 2019 10:53 pm

I guess it's similar to the operation of Linux IPTABLES, but I have not had to touch that in 10 years.
The executive engine below is the very same netfilter module. The Mikrotik's configuration front-end is slightly different from iptables but the structure of the rules (chains, tables) is exactly the same.
As compared to iptables:
  • you have the interface lists and address lists (which are extensions to the basic netfilter),
  • you cannot change the default handling for the chain (it is always "accept", so if you want to change this to "drop", you have to add a "drop" rule as the last one in the chain).
  • you cannot configure dst-nat in output chain (grrr).
The fact that srcnat chain cannot refer to in-interface (and dst-nat cannot refer to out-interface) is just a feature of netfilter so no front-end cannot do anything about it. You can work this around by assigning a connection-mark to the connection in prerouting chain of mangle table (where the in-interface can be referred to) and then refer to that connection-mark in src-nat rule in the srcnat chain of the nat table.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
anav
Forum Guru
Forum Guru
Posts: 3100
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: DNAT where source is also translated.

Fri Nov 08, 2019 5:53 pm

Can i Frame in Bronze this tidbit of excellence.......
"The fact that srcnat chain cannot refer to in-interface (and dst-nat cannot refer to out-interface) is just a feature of netfilter so no front-end cannot do anything about it. You can work this around by assigning a connection-mark to the connection in prerouting chain of mangle table (where the in-interface can be referred to) and then refer to that connection-mark in src-nat rule in the srcnat chain of the nat table."

Now I have to figure out why would want to do such a thing.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
sindy
Forum Guru
Forum Guru
Posts: 3898
Joined: Mon Dec 04, 2017 9:19 pm

Re: DNAT where source is also translated.

Fri Nov 08, 2019 6:58 pm

Now I have to figure out why would want to do such a thing.
Because you may e.g. feel an urgent need to the src-nat connections coming in via one in-interface to one src-address (pool) and connections coming in via another in-interface to another src-address (pool). But I agree that such need is rare.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
Sob
Forum Guru
Forum Guru
Posts: 4784
Joined: Mon Apr 20, 2009 9:11 pm

Re: DNAT where source is also translated.

Fri Nov 08, 2019 7:08 pm

I never understood this limitation. If I'd want to use out-interface in prerouting/dstnat, it's obviously not possible, because it's not yet decided where packet will go. But in-interface in postrouting/srcnat, why not? Did connection tracking already forgot where packet came from? It knew it just a moment before in forward chain.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.

Who is online

Users browsing this forum: MSN [Bot] and 113 guests