KostasCitystore
just joined
Topic Author
Posts: 5
Joined: Fri Feb 21, 2014 12:03 pm

Port Forward - Translate to local IP

Thu Jul 29, 2021 9:28 am

Hi, I have the following problem: I have a port forward for which I would like to translate the source address to a specific local network (192.168.10.0/24). I don't know how to do it! Can you point me in the direction of what to read so I can achieve that?

Thanks
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Port Forward - Translate to local IP

Thu Jul 29, 2021 10:05 am

Port forwarding is a dst-nat operation, which is performed before the packet enters the routing process. Source address change (a src-nat operation) takes place after the packet has been routed. Hence you need a separate action=src-nat rule in chain=srcnat of /ip firewall nat.

Maybe you need the action=src-nat rule to selectively treat only connections previously handled by that particular action=dst-nat rule, but while passing through the srcnat chain, the initial packets of these connections cannot be distinguished any more from those that have not been redirected by that action=dst-nat rule. If this is the case, you have to assign a connection-mark using a rule in chain=prerouting of /ip firewall mangle with the same set of match conditions you used in the action=dst-nat rule, and let the action=dst-nat and action=src-nat rules match on that connection-mark value. In the prerouting chain, mangle is placed even before dstnat.
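As an added illustration (not code from this thread or from RouterOS), the following Python model walks an initial packet through the order sindy describes: mangle prerouting, then dstnat, then the routing decision, then srcnat. It shows why the src-nat rule needs the connection-mark to tell a forwarded connection from a LAN host that connects to the same target directly. The WAN address, target, port, mark name and the LAN hosts are constructed values.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"
    conn_mark: str = ""          # empty = no connection-mark (constructed model)

def matches(criteria, pkt):
    """Every match condition in the rule must equal the packet's field."""
    return all(getattr(pkt, k) == v for k, v in criteria.items())

# Constructed rule tables: WAN 1.2.3.4, target 192.168.50.48, mark name assumed.
MANGLE_PREROUTING = [{"match": {"proto": "tcp", "dst": "1.2.3.4", "dport": 50003},
                      "action": "mark-connection", "mark": "PortForwardMark"}]
NAT_DSTNAT = [{"match": {"proto": "tcp", "dst": "1.2.3.4", "dport": 50003,
                         "conn_mark": "PortForwardMark"},
               "action": "dst-nat", "to": "192.168.50.48"}]
NAT_SRCNAT = [{"match": {"proto": "tcp", "dst": "192.168.50.48", "dport": 50003,
                         "conn_mark": "PortForwardMark"},
               "action": "src-nat", "to": "192.168.10.5"}]  # assumed LAN-side address

def traverse(pkt, use_mark=True):
    """Walk the initial packet through mangle prerouting, dstnat, routing, srcnat."""
    for rule in MANGLE_PREROUTING:            # mangle runs before dstnat
        if matches(rule["match"], pkt):
            pkt.conn_mark = rule["mark"]
    for rule in NAT_DSTNAT:                   # dst-nat happens before routing
        if matches(rule["match"], pkt):
            pkt.dst = rule["to"]
            break
    # routing decision would happen here; srcnat is evaluated only afterwards,
    # when the forwarded packet already carries dst=192.168.50.48
    for rule in NAT_SRCNAT:
        crit = dict(rule["match"])
        if not use_mark:
            crit.pop("conn_mark")             # srcnat rule written without the mark
        if matches(crit, pkt):
            pkt.src = rule["to"]
            break
    return pkt

def forwarded_from_internet(use_mark=True):
    return traverse(Packet("203.0.113.9", "1.2.3.4", 50003), use_mark)

def direct_from_lan(use_mark=True):
    # A LAN host (constructed) connecting to the target directly, same dst/port
    return traverse(Packet("192.168.20.7", "192.168.50.48", 50003), use_mark)
```

With the mark, only the forwarded connection is src-natted; without it, the direct LAN connection is rewritten too, because in srcnat both look identical.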
 
KostasCitystore
just joined
Topic Author
Posts: 5
Joined: Fri Feb 21, 2014 12:03 pm

Re: Port Forward - Translate to local IP

Thu Jul 29, 2021 2:16 pm

Thanks for your useful information! I will try and if I fail, I will come back with an example.
 
KostasCitystore
just joined
Topic Author
Posts: 5
Joined: Fri Feb 21, 2014 12:03 pm

Re: Port Forward - Translate to local IP

Thu Jul 29, 2021 3:13 pm

Hi, here is my example:
/ip firewall nat
chain=dstnat action=dst-nat to-addresses=192.168.50.48 to-ports=50003 protocol=tcp dst-address=1.2.3.4 connection-mark=PortFowardMark dst-port=50003 log=yes log-prefix=""
chain=srcnat action=src-nat to-addresses=192.168.10.0/24 to-ports=50003 protocol=tcp dst-address=192.168.50.48 connection-mark=PortFowardMark dst-port=50003 log=yes log-prefix=""
/ip firewall mangle
chain=prerouting action=mark-connection new-connection-mark=PortFowardMark passthrough=yes protocol=tcp dst-address=1.2.3.4 dst-port=50003 log=no log-prefix=""

- 1.2.3.4 is my WAN IP
- 192.168.50.48 -> is the target machine I would like to make the port forward
- 192.168.10.0/24 -> is the network that must be the source address in order to have access to 192.168.50.0/24, otherwise the request will be rejected.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Port Forward - Translate to local IP

Thu Jul 29, 2021 3:46 pm

OK, and what do you expect from me now? To me this example seems to work, does it fail? It could also be simplified to reduce the CPU load.
