engageinfra
just joined
Topic Author
Posts: 2
Joined: Fri Sep 10, 2021 4:49 am

Is it possible to NAT/PAT this traffic?

Fri Sep 10, 2021 5:09 am

Hi there, I have a rather interesting use case for NAT I am trying to work out and am hoping some Gurus here might be able to come up with a way to do it if it is possible.

Topology is like this:

Mikrotik Router:
Private network of 192.168.1.0/24
WAN Network of 10.1.1.2/30
Default route pointing to 10.1.1.1

WAN network connects to another router that has IP 10.1.1.1 which has routes to 10.20.20.0/24 (where a database server lives and is listening on port 1525)
This router does not have a route for 192.168.1.0/24
This router DOES have a route for 10.1.1.2
This router can be considered out of scope and not accessible for the purpose of this question.

I have SRC-NAT Masquerade rule which works for all traffic
chain=srcnat action=masquerade src-address=192.168.1.0/24 out-interface-list=WAN log=yes log-prefix="GENERAL-MASQ"

So far just a standard private NAT Masquerade setup right?

But what I NEED to do is SRC-NAT Masquerade some traffic from 192.168.1.0/24 AND change the destination port

So for example I have a client on 192.168.1.20 trying to connect to a database that lives on server 10.20.20.7 but where the database server is listening on port 1525
However the client is trying to connect using port 31525

So I need to change the destination port that the client is trying to connect to AND also change the source address as it leaves the Mikrotik router so that the database server will see a connection attempt from 10.1.1.2:(random source port)

Is this possible?
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Is it possible to NAT/PAT this traffic?

Fri Sep 10, 2021 4:07 pm

This router DOES have a route for 10.1.1.2
No such route is needed...
Directly connected Routers know each other...
However the client is trying to connect using port 31525
What has that to do with your Router ?
Configure your client to use the correct port...

You need to source NAT that connection (you can change the src-port by using the to-ports field):
/ip firewall nat add chain=srcnat src-address=192.168.1.20 dst-address=10.20.20.7 action=src-nat to-addresses=10.1.1.2 place-before=0
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Is it possible to NAT/PAT this traffic?

Fri Sep 10, 2021 4:34 pm

You can dst-nat any connection, the NAT machinery doesn't care about the administrator's perception of what is LAN and what is WAN. It does its magic as long as packets in both directions pass the router's CPU.

Something like this:

/ip firewall nat
add chain=dstnat action=dst-nat dst-address=10.20.20.7 dst-port=31525 protocol=tcp to-ports=1525

I'm assuming the client-server connection is over TCP; if it's over UDP, adjust the rule above accordingly. Since DST-NAT gets executed early in the routing procedure (earlier than SRC-NAT), you can drop in some additional selector properties, such as src-address=192.168.1.20, to make the rule as selective as possible.
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Is it possible to NAT/PAT this traffic?

Fri Sep 10, 2021 4:39 pm

You need to source NAT that connection

Per OP's initial post, there's already a masquerade rule which should take care of source NAT of that particular connection as well. So no need to add a specific one.
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Is it possible to NAT/PAT this traffic?

Fri Sep 10, 2021 4:43 pm

You need to source NAT that connection

Per OP's initial post, there's already a masquerade rule which should take care of source NAT of that particular connection as well. So no need to add a specific one.
If that is his WAN connection, yes ...
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Is it possible to NAT/PAT this traffic?

Fri Sep 10, 2021 4:48 pm

Per OP's initial post, there's already a masquerade rule which should take care of source NAT of that particular connection as well. So no need to add a specific one.
If that is his WAN connection, yes ...
He said his WAN network was 10.1.1.2/30 ...
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Is it possible to NAT/PAT this traffic?

Fri Sep 10, 2021 4:53 pm

Right...
What I don't understand is, if the client uses a wrong port to connect to the database, why not correct that in the first place...
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Is it possible to NAT/PAT this traffic?

Fri Sep 10, 2021 8:43 pm

Right...
What I don't understand is, if the client uses a wrong port to connect to the database, why not correct that in the first place...

That would certainly be the correct approach ... but in certain circumstances it might not be possible, e.g. if the application in question is a legacy binary executable with hard-coded connection settings.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Is it possible to NAT/PAT this traffic?

Fri Sep 10, 2021 9:23 pm

So I need to change the destination port that the client is trying to connect to AND also change the source address as it leaves the Mikrotik router so that the database server will see a connection attempt from 10.1.1.2:(random source port)
I can't see anything complex in this task if we talk about traffic forwarded by the router (i.e. not originated by the router itself). You just dst-nat the port as the connection from the client enters the router, and src-nat the address as the connection leaves the router.
 
engageinfra
just joined
Topic Author
Posts: 2
Joined: Fri Sep 10, 2021 4:49 am

Re: Is it possible to NAT/PAT this traffic?

Mon Sep 13, 2021 9:11 am

Right...
What I don't understand is, if the client uses a wrong port to connect to the database, why not correct that in the first place...
The reason for not fixing the port is because this is a sandbox restore environment, meaning production VMs will be restored and tested in an isolated environment. Unfortunately, however, there is a database cluster that cannot be restored into the sandbox, so the purpose of redirecting the port is that after a manual VM restore someone has to change the DB port to connect to the dev/prod DB. It is a failsafe to stop someone restoring a production VM backup and accidentally writing prod data.

So back to the original question, I worked out what I needed to do after I stopped trying to do it in a single rule and looked at the Mikrotik processing order

So now I have a DST-NAT rule to transform the port and a SRC-NAT rule to masquerade the traffic.

One problem I did face is that I needed to have a firewall rule to allow the translated port of 1525 before the SRC-NAT rule would work, and therefore I was opening up 1525 from my LAN to WAN, which is what I needed NOT to do in the first place to stop sandbox restore accidents.

So to fix this I added a mangle rule in pre-routing to catch TCP port 31525 with destination of 10.20.20.0/24 traffic and mark the connection as "DBTRAFFIC"
Then I created an allow firewall rule from LAN to WAN for TCP 1525 with destination of 10.20.20.0/24 ONLY if the connection mark was "DBTRAFFIC"

This seems to work well; anyway, connection attempts directly to 1525 fail.
Connection attempts to 31525 first get DST-NAT translated to 1525 then allowed through the firewall then SRC-NAT Masqueraded to the outbound WAN interface.

Unless anyone else has any ideas on how I could have simplified this, am I correct?
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Is it possible to NAT/PAT this traffic?

Mon Sep 13, 2021 9:43 am

The connection tracking also provides an attribute called connection-nat-state, so instead of assigning a dedicated connection-mark value using an extra rule in mangle, you can let the filter rule match on connection-nat-state=dstnat. It seems to be less selective than the connection-mark approach as you assign the connection-mark only to connections initiated towards port 31525, but if you don't redirect any other port to 1525, the selectivity is actually equal.
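
As an added example, not configuration posted by anyone in this thread, here is one complete RouterOS rule set that puts the pieces discussed above together: mkx's dst-nat rule for port 31525, the topic author's mangle connection-mark with a mark-gated forward rule, the general masquerade from the original post, and sindy's connection-nat-state=dstnat shortcut as a drop-in alternative to the mangle rule. Addresses and ports are the ones from the original post. The interface list named LAN, the member interfaces ether1/ether2, the comment strings, the established/related accept, and the explicit drop rule for direct hits on 1525 are assumptions for illustration (the original post only says that direct attempts fail, without showing the rule).

```routeros
# Added example for RouterOS 6.x/7.x. Interface names and the LAN list are assumed;
# WAN is the list name used in the original post.
/interface list
add name=WAN
add name=LAN
/interface list member
add list=WAN interface=ether1 comment="10.1.1.2/30 towards 10.1.1.1 (assumed interface)"
add list=LAN interface=ether2 comment="192.168.1.0/24 (assumed interface)"

# 1. Mangle prerouting runs BEFORE dst-nat, so it still sees the original
#    port 31525 and can tag the connection (the topic author's approach).
/ip firewall mangle
add chain=prerouting in-interface-list=LAN protocol=tcp \
    src-address=192.168.1.0/24 dst-address=10.20.20.0/24 dst-port=31525 \
    connection-state=new action=mark-connection new-connection-mark=DBTRAFFIC \
    passthrough=yes comment="tag connections that dialled the sandbox port"

# 2. dst-nat rewrites the port; everything later in the pipeline sees 1525.
/ip firewall nat
add chain=dstnat in-interface-list=LAN protocol=tcp \
    dst-address=10.20.20.0/24 dst-port=31525 action=dst-nat to-ports=1525 \
    comment="31525 -> 1525"
# 3. The general masquerade from the original post already rewrites the source
#    to 10.1.1.2 on the way out (srcnat runs last); no dedicated src-nat rule needed.
add chain=srcnat src-address=192.168.1.0/24 out-interface-list=WAN \
    action=masquerade log=yes log-prefix="GENERAL-MASQ"

# 4. The forward filter runs AFTER dst-nat, so it has to match the translated
#    port 1525, but only for connections carrying the mark. A client that dials
#    1525 directly never gets the mark and falls through to the drop rule.
/ip firewall filter
add chain=forward connection-state=established,related action=accept \
    comment="reply packets of tracked connections (assumed to exist already)"
add chain=forward in-interface-list=LAN out-interface-list=WAN protocol=tcp \
    dst-address=10.20.20.0/24 dst-port=1525 connection-mark=DBTRAFFIC \
    action=accept comment="only translated DB connections reach 1525"
# Alternative (sindy): match the NAT state instead of a mark, so the mangle rule
# is not needed. Enable this one OR the marked rule above, not both; they are
# equally selective as long as no other port is redirected to 1525.
add chain=forward in-interface-list=LAN out-interface-list=WAN protocol=tcp \
    dst-address=10.20.20.0/24 dst-port=1525 connection-nat-state=dstnat \
    action=accept disabled=yes comment="alternative: no mangle rule needed"
add chain=forward in-interface-list=LAN out-interface-list=WAN protocol=tcp \
    dst-address=10.20.20.0/24 dst-port=1525 action=drop \
    comment="direct hits on the real port are refused (assumed explicit drop)"

# Check: a connection dialled to 31525 shows up with the mark and with 1525 as
# its (translated) destination; a direct attempt to 1525 only ever increments
# the drop rule's counter.
/ip firewall connection print where dst-address~"^10.20.20.7:1525"
/ip firewall filter print stats where dst-port=1525
```

The drop rule must sit above any broad LAN-to-WAN accept rule, otherwise a direct connection to 1525 would be accepted by that rule before the drop is reached. The placement of the mark-gated accept relative to the drop is what turns the port translation into a real guard rather than just a convenience: only traffic that entered through the sandbox port 31525 can ever reach the real database port.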
