Double destination NAT

hofi76 · Tue Apr 16, 2024 10:50 am

Firts of all, I am almost sure it is not possible to solve my issue, or not in this way.

We use industrial printers with IP of 192.168.1.1. As it is replaced by maintenenace all printers has a Mikrotik device with DST-NAT so they are always availabe on the right LAN IP (in 24/7 maintenance not set IP at all )

In one packiging machine we have two printers so it would be great to use one Mikrotik device for both printers. As both printers have the same IP addresses I did not not find a solution to create two DST nat rule as in the DNS-nat rule it is not possible to define the out going interface.

This is the current settings for a printer

/ip firewall nat
add action=dst-nat chain=dstnat dst-address=10.36.6.209 dst-port=20000 in-interface=1-WAN protocol=tcp to-addresses=192.168.1.1 to-ports=20000
add action=masquerade chain=srcnat dst-address=192.168.1.1 out-interface=2-printer protocol=tcp

As in dst-nat to set the outgoing interface not possible I assume I need a different approach if even there is a way to solve this with one router

/ip address
add address=10.36.6.209/23 interface=1-WAN network=10.36.6.0
add address=10.36.6.210/23 interface=1-WAN network=10.36.6.0
add address=192.168.1.254/24 interface=2-53mm network=192.168.1.0
add address=192.168.1.253/24 interface=3-128mm network=192.168.1.0

/ip firewall nat
add action=dst-nat chain=dstnat dst-address=10.36.6.209 dst-port=20000 in-interface=1-WAN protocol=tcp src-address=10.36.0.0/19 to-addresses=192.168.1.1 to-ports=20000
add action=dst-nat chain=dstnat dst-address=10.36.6.210 dst-port=20000 in-interface=1-WAN protocol=tcp src-address=10.36.0.0/19 to-addresses=192.168.1.1 to-ports=20000
add action=accept chain=srcnat dst-address=192.168.1.1 out-interface=2-53mm protocol=tcp
add action=accept chain=srcnat dst-address=192.168.1.1 out-interface=3-128mm protocol=tcp

thanks of all possible approach

mkx · Tue Apr 16, 2024 5:54 pm

It's doable, but slightly more complicate, it includes packet marking and using multiple routing tables (which helps ROS to select correct egress interface for each packet). Start by reading this topic.

hofi76 · Wed Apr 17, 2024 4:45 pm

Hi mkx,

Your vision seems fit to me
I have tested it with vnc in my office seems working like a charm.

/interface ethernet
set [ find default-name=ether1 ] name=1-WAN
set [ find default-name=ether2 ] name=2-53mm
set [ find default-name=ether3 ] name=3-128mm

/routing table
add disabled=no fib name=53mm
add disabled=no fib name=128mm
/ip address
add address=10.36.6.209/23 interface=1-WAN network=10.36.6.0
add address=10.36.6.210/23 interface=1-WAN network=10.36.6.0
add address=192.168.1.254/24 interface=2-53mm network=192.168.1.0
add address=192.168.1.253/24 interface=3-128mm network=192.168.1.0
/ip firewall mangle
add action=mark-routing chain=prerouting dst-address=10.36.6.209 dst-port=5900 new-routing-mark=53mm passthrough=no protocol=tcp
add action=mark-routing chain=prerouting dst-address=10.36.6.210 dst-port=5900 new-routing-mark=128mm passthrough=no protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat dst-address=192.168.1.1 out-interface=2-53mm routing-mark=53mm
add action=masquerade chain=srcnat dst-address=192.168.1.1 out-interface=3-128mm routing-mark=128mm
add action=netmap chain=dstnat dst-address=10.36.6.209 dst-port=5900 protocol=tcp routing-mark=53mm to-addresses=192.168.1.1 to-ports=5900
add action=netmap chain=dstnat dst-address=10.36.6.210 dst-port=5900 protocol=tcp routing-mark=128mm to-addresses=192.168.1.1 to-ports=5900
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=10.36.7.254 routing-table=main suppress-hw-offload=no
add disabled=no distance=1 dst-address=192.168.1.0/24 gateway=2-53mm pref-src="" routing-table=53mm scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=192.168.1.0/24 gateway=3-128mm pref-src="" routing-table=128mm scope=30 suppress-hw-offload=no target-scope=10

Double destination NAT [SOLVED]

Double destination NAT

Re: Double destination NAT [SOLVED]

Re: Double destination NAT

Who is online