abubin
Frequent Visitor
Topic Author
Posts: 52
Joined: Fri Aug 03, 2012 12:47 pm

dst-nat and src-nat on same connection

Thu Sep 23, 2021 12:58 pm

I have a connection coming from outside (WAN) that I need to route into another network that is connected internally.

user (30.1.1.1) ----> mikrotik master (WAN 1.2.3.4 LAN 192.168.1.1) --> mikrotik second (LAN 192.168.1.2 LAN2 10.1.1.2) --> 3com router (10.1.1.1) --> leasedline --> customer (172.1.1.1 port 8888)

The catch is, the customer has very specific connection requirements. The connection has to come from our given IP&port to their IP&port; anything else their firewall will reject.

So the user will connect using the WAN IP (1.2.3.4 port 5678) to mikrotik master. In mikrotik master, I have set all traffic with WAN IP 1.2.3.4 to forward to mikrotik second.

So when the traffic arrives at mikrotik second, I need to apply dst-nat and src-nat in order to transform the IP&port correctly so it can connect to the customer.

user (WAN 30.1.1.1) ----> 1.2.3.4 port 5678 --> mikrotik master ---> mikrotik second.

In mikrotik second:
 1    ;;; dstnat
      chain=dstnat action=dst-nat to-addresses=10.1.1.2 to-ports=5678
      protocol=tcp src-address=30.1.1.1 dst-port=5678 log=no
      log-prefix=""

 2    ;;; srcnat
      chain=srcnat action=src-nat to-addresses=172.1.1.1 to-ports=8888
      protocol=tcp src-address=10.1.1.2 src-port=5678 log=yes log-prefix=""

Traffic seems to be stuck between rules 1 and 2. I can see the user IP incoming to mikrotik second, but rule 2 is not picking up the routing to continue pushing the traffic to the customer.

Am I missing MANGLE rules?
 
abubin
Frequent Visitor
Topic Author
Posts: 52
Joined: Fri Aug 03, 2012 12:47 pm

Re: dst-nat and src-nat on same connection

Thu Sep 23, 2021 1:07 pm

To sum it up:

user 1.2.3.4 5678 ---> our network (src 10.1.1.2 5678) ---> leasedline ---> customer 172.1.1.1 8888

Apologies if my post is not clear enough. Please do not hesitate to ask any questions. I appreciate any input, helpful or not.
 
tdw
Forum Guru
Posts: 1841
Joined: Sat May 05, 2018 11:55 am

Re: dst-nat and src-nat on same connection

Thu Sep 23, 2021 2:02 pm

dstnat occurs in prerouting and changes the destination address; srcnat occurs in postrouting and changes the source address. Specifying src-address=10.1.1.2 in the srcnat rule doesn't match anything, as the source address is still 30.1.1.1.
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: dst-nat and src-nat on same connection

Thu Sep 23, 2021 2:55 pm

To better understand what @tdw wrote, have a look at packet flow description.

And: all properties of SRC-NAT and DST-NAT commands, except to-addresses and to-ports, are "matching" properties. Which means that they are used to selectively pick packets which will get changed. The two mentioned properties set values to which the appropriate fields are changed.

dst-nat changes dst-address and dst-port to values of to-addresses and to-ports
src-nat changes src-address and src-port to values of to-addresses and to-ports

If one of the settings (to-addresses or to-ports) is omitted, then the value will remain unchanged (if possible).

So after dst-nat does its job, src-address is unchanged (src-port as well).

Basically you need these two rules on router2:
/ip firewall nat
add action=dst-nat to-addresses=172.1.1.1 to-ports=8888 chain=dstnat dst-port=5678 src-address=30.1.1.1 protocol=tcp 
add action=src-nat to-addresses=10.1.1.2 chain=srcnat dst-address=172.1.1.1 dst-port=8888 protocol=tcp 

I've explicitly written properties of NAT rules in such order that it's a bit easier to understand what they do.
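To make the prerouting/postrouting order and the "everything else is a matcher" rule concrete, here is a small Python model of the NAT flow described by tdw and mkx above. It is an illustration written for this thread, not MikroTik code or anything posted by the participants; the addresses, ports and both rule sets are taken from the thread, the matching and rewrite logic is a deliberate simplification of RouterOS.

```python
# Toy model of the RouterOS NAT flow discussed above; written for this thread,
# not MikroTik code. Addresses and rules are the thread's own; logic is simplified.
MATCH_KEYS = ("protocol", "src-address", "dst-address", "src-port", "dst-port")

def matches(rule, pkt):
    # Everything except chain/action/to-addresses/to-ports is a matcher.
    return all(str(pkt[k]) == str(rule[k]) for k in MATCH_KEYS if k in rule)

def run_chain(rules, chain, pkt):
    """First matching rule in the chain wins and rewrites the side its action names."""
    for rule in rules:
        if rule["chain"] != chain or not matches(rule, pkt):
            continue
        side = "dst" if rule["action"] == "dst-nat" else "src"
        if "to-addresses" in rule:
            pkt[side + "-address"] = rule["to-addresses"]
        if "to-ports" in rule:  # omitted to-ports leaves the port unchanged
            pkt[side + "-port"] = rule["to-ports"]
        return pkt, rule
    return pkt, None

def forward(rules, pkt):
    """dstnat runs in prerouting, srcnat in postrouting, on the already dst-natted packet."""
    pkt = dict(pkt)
    pkt, d = run_chain(rules, "dstnat", pkt)
    pkt, s = run_chain(rules, "srcnat", pkt)
    return pkt, d is not None, s is not None

# Packet as logged arriving at "mikrotik second" (constructed from the post).
ARRIVING = {"protocol": "tcp", "src-address": "30.1.1.1", "src-port": 54928,
            "dst-address": "192.168.1.2", "dst-port": 5678}

# Original poster's rules: rule 2 matches src-address=10.1.1.2, an address the
# packet would only carry *after* src-nat, so it never matches.
ORIGINAL = [
    {"chain": "dstnat", "action": "dst-nat", "to-addresses": "10.1.1.2", "to-ports": 5678,
     "protocol": "tcp", "src-address": "30.1.1.1", "dst-port": 5678},
    {"chain": "srcnat", "action": "src-nat", "to-addresses": "172.1.1.1", "to-ports": 8888,
     "protocol": "tcp", "src-address": "10.1.1.2", "src-port": 5678},
]

# mkx's rules: srcnat matches on the destination dst-nat has already rewritten.
CORRECTED = [
    {"chain": "dstnat", "action": "dst-nat", "to-addresses": "172.1.1.1", "to-ports": 8888,
     "protocol": "tcp", "src-address": "30.1.1.1", "dst-port": 5678},
    {"chain": "srcnat", "action": "src-nat", "to-addresses": "10.1.1.2",
     "protocol": "tcp", "dst-address": "172.1.1.1", "dst-port": 8888},
]
```

Running `forward(ORIGINAL, ARRIVING)` shows the dstnat rule firing and the srcnat rule never matching, while `forward(CORRECTED, ARRIVING)` yields 10.1.1.2:54928 -> 172.1.1.1:8888, the source port staying untouched because to-ports was omitted.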
 
SiB
Forum Guru
Posts: 1888
Joined: Sun Jan 06, 2013 11:19 pm
Location: Poland

Re: dst-nat and src-nat on same connection

Thu Sep 23, 2021 4:29 pm

...
Sorry for OT... @mkx, please check viewtopic.php?f=2&t=178670&p=881840#p881840.
 
abubin
Frequent Visitor
Topic Author
Posts: 52
Joined: Fri Aug 03, 2012 12:47 pm

Re: dst-nat and src-nat on same connection

Thu Sep 23, 2021 5:53 pm

mkx wrote:
To better understand what @tdw wrote, have a look at packet flow description.

And: all properties of SRC-NAT and DST-NAT commands, except to-addresses and to-ports, are "matching" properties. Which means that they are used to selectively pick packets which will get changed. The two mentioned properties set values to which the appropriate fields are changed.

dst-nat changes dst-address and dst-port to values of to-addresses and to-ports
src-nat changes src-address and src-port to values of to-addresses and to-ports

If one of the settings (to-addresses or to-ports) is omitted, then the value will remain unchanged (if possible).

So after dst-nat does its job, src-address is unchanged (src-port as well).

Basically you need these two rules on router2:
/ip firewall nat
add action=dst-nat to-addresses=172.1.1.1 to-ports=8888 chain=dstnat dst-port=5678 src-address=30.1.1.1 protocol=tcp 
add action=src-nat to-addresses=10.1.1.2 chain=srcnat dst-address=172.1.1.1 dst-port=8888 protocol=tcp 

I've explicitly written properties of NAT rules in such order that it's a bit easier to understand what they do.

I have added the rules as above and it still does not work. However, I am seeing this as "info" in the logs:
dstnat: in:ether1-WAN switch out:(unknown 0), src-mac 00:0c:42:fd:11:22, proto TCP (SYN), 30.1.1.1:54928->192.168.1.2:5678, len 60

I have already added the route for 172.1.1.1:
 4 A S  ;;; to customer zone
        172.1.1.0/24                   10.1.1.1              1

Is it because the dstnat to-address is an IP outside of the mikrotik's known IP range?

Anything I can do to further trace the problem?
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: dst-nat and src-nat on same connection

Thu Sep 23, 2021 9:34 pm

You should trace (use the sniffer tool) packets to see what happens with them on "mikrotik second" ... the info seems to indicate that packets do arrive at "mikrotik second" ... but what does happen to them? Do you have other NAT rules active? Rules get matched from top to bottom; in principle only the first matching rule gets executed. Which means the more specific rules have to be higher on the rule list.
 
abubin
Frequent Visitor
Topic Author
Posts: 52
Joined: Fri Aug 03, 2012 12:47 pm

Re: dst-nat and src-nat on same connection

Fri Sep 24, 2021 6:14 am

There are no other NAT or firewall rules in there (besides the fasttrack dummy rules that I can't remove).

Did packet sniffing from the mikrotik. I do see the dst-nat doing its work, changing the dst IP&port. However, I do not see src-nat matching packets.
Sorry I didn't get a chance to screen cap it. After running the packet sniffing for a few rounds, the sniffer went crazy. All I see now is the below packets running non-stop. Could this be some sort of loopback caused by something I did?

Attachment: mikrotik-dns2.jpg
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: dst-nat and src-nat on same connection

Fri Sep 24, 2021 2:50 pm

I don't think I can help you any more without seeing the complete configuration of "mikrotik second" ... I don't have a clear picture of what's configured and I can't imagine how 192.168.1.2 ended up in the DST-NAT output you showed in one of the previous posts. Unless that was from "mikrotik master" ... but that one is not supposed to perform NAT, or is it?
 
tdw
Forum Guru
Posts: 1841
Joined: Sat May 05, 2018 11:55 am

Re: dst-nat and src-nat on same connection

Fri Sep 24, 2021 3:18 pm

Given there are two Mikrotiks, rather than the vague "I have set all traffic with WAN IP 1.2.3.4 to forward to mikrotik second" (how?) on the first Mikrotik and attempting both NATs on the second Mikrotik, I would use a dstnat rule on the first Mikrotik and a srcnat rule on the second.
