 
XTLMeth
Frequent Visitor
Topic Author
Posts: 54
Joined: Mon Sep 07, 2009 7:10 am

Need some help with dst-nat issue.

Mon Sep 07, 2009 7:35 am

I need to know how to do dst-nat from multi-WAN to servers behind the firewall. I have this working with generic Linux, but for some reason I can't get it to work in MikroTik.

The IPs have been changed for this example, but it gives you the idea.

Example:

wan1 ips: 69.164.219.25/24
35.2.245.2/25
35.2.245.3/25
35.2.245.125/25

wan2 ip: 16.161.237.204/29

wan3 ip: 85.24.205.212/23

lan1 ip: 172.18.7.251/22

Now I have a couple of servers behind the firewall:

server1: 172.18.7.250 with services 80,443,990,8000-8003
server2: 172.18.7.252 with services 21,22,25,53,110


With my current firewall I can create a dst-nat rule for port 80 on each interface to be NATted to server 1. If I go from a computer outside my network, I can hit that web server from any of those 7 WAN IPs. The other services, like 25 SMTP, are only dst-NATted using 2 of the WAN interfaces.

Currently I use 1 routing table for each of the 4 ISPs. I use policy routing and connection marking to accomplish this. I tried to set up a MikroTik with a very close representation of what I do on the Linux box now, but it does not work.

I can't seem to do this type of NATting with MikroTik. I can set up not internet connections and do a dst-nat to one side, but I can't get both WAN interfaces to NAT it and have the return traffic end up leaving the right interface. What happens is, let's say I come in on internet connection 1: the traffic makes it to the back-end server and the return traffic goes out the right interface, internet connection 1. But if I try to come in on internet connection 2, I see the NAT happen and I see the traffic make it to the back-end server, but the return traffic tries to go out internet connection 1 instead, when it should be going out internet connection 2, because that's where the original connection was made from.

I don't know if this description was clear enough. I hope so. :-D
 
changeip
Forum Guru
Posts: 3818
Joined: Fri May 28, 2004 5:22 pm

Re: Need some help with dst-nat issue.

Mon Sep 07, 2009 8:27 am

Post your rules. You need to mark connections, mark packets, and then mark routing. You probably need to use the prerouting and output chains for all of the above too. Then your routing tables need to be set up properly. Again, export the rules to the forum so we can fix it.
Colo and Wholesale Bandwidth Available! Sales at SanDiegoBroadband dot com
 
XTLMeth
Frequent Visitor
Topic Author
Posts: 54
Joined: Mon Sep 07, 2009 7:10 am

Re: Need some help with dst-nat issue.

Mon Sep 07, 2009 9:49 am

So here is what is configured at the moment. This is my initial attempt.

/ip address print detail
 0   address=172.16.7.254/22 network=172.16.4.0 broadcast=172.16.7.255 interface=br_internal
     actual-interface=br_internal

 1 D address=72.24.182.205/24 network=72.24.182.0 broadcast=72.24.182.255 interface=e1_wan_cable
     actual-interface=e1_wan_cable

 2   address=216.161.237.204/29 network=216.161.237.200 broadcast=216.161.237.207 interface=e2_wan_dsl
     actual-interface=e2_wan_dsl

/ip route print detail
 0 A S  dst-address=0.0.0.0/0 gateway=72.24.182.1,216.161.237.206 interface=e1_wan_cable,e2_wan_dsl
        gateway-state=reachable,reachable distance=1 scope=30 target-scope=10

 1 ADC  dst-address=72.24.182.0/24 pref-src=72.24.182.205 interface=e1_wan_cable distance=0 scope=10

 2 ADC  dst-address=172.16.4.0/22 pref-src=172.16.7.254 interface=br_internal distance=0 scope=10

 3 ADC  dst-address=216.161.237.200/29 pref-src=216.161.237.204 interface=e2_wan_dsl distance=0 scope=10


/ip firewall filter print detail
 0   chain=input action=accept connection-state=established

 1   chain=input action=accept connection-state=related

 2   chain=forward action=accept connection-state=established

 3   chain=forward action=accept connection-state=related

 4   chain=output action=accept connection-state=established

 5   chain=output action=accept connection-state=related

 6   chain=input action=accept connection-state=new protocol=icmp icmp-options=8:0-255

 7   chain=input action=accept connection-state=new protocol=tcp dst-port=22 limit=2/1m,0

 8   chain=input action=accept connection-state=new protocol=tcp dst-port=8291 limit=2/1m,0

 9   chain=forward action=accept src-address=172.16.4.0/22 in-interface=br_internal

10   chain=forward action=accept connection-state=new protocol=tcp dst-address=172.16.5.253
     out-interface=br_internal dst-port=80

11   chain=input action=drop

12   chain=forward action=drop

13   chain=output action=drop


/ip firewall nat print detail
 0   chain=srcnat action=src-nat to-addresses=72.24.182.205 src-address=172.16.4.0/22
     out-interface=e1_wan_cable

 1   chain=srcnat action=src-nat to-addresses=216.161.237.204 src-address=172.16.4.0/22
     out-interface=e2_wan_dsl

 2   chain=dstnat action=dst-nat to-addresses=172.16.5.253 protocol=tcp dst-address=216.161.237.204
     dst-port=80

 3   chain=dstnat action=dst-nat to-addresses=172.16.5.253 protocol=tcp dst-address=72.24.182.205
     dst-port=80

So the goal is to be able to browse to

http://72.24.182.205
or
http://216.161.237.204

and be able to get to the webserver behind the firewall.
 
XTLMeth
Frequent Visitor
Topic Author
Posts: 54
Joined: Mon Sep 07, 2009 7:10 am

Re: Need some help with dst-nat issue.

Mon Sep 07, 2009 10:04 am

This configuration below is very similar to how my Linux firewall is configured right now. It's the closest I could get for MikroTik.

/ip address print detail
 0   address=172.16.7.254/22 network=172.16.4.0 broadcast=172.16.7.255 interface=br_internal
     actual-interface=br_internal

 1 D address=72.24.182.205/24 network=72.24.182.0 broadcast=72.24.182.255 interface=e1_wan_cable
     actual-interface=e1_wan_cable

 2   address=216.161.237.204/29 network=216.161.237.200 broadcast=216.161.237.207 interface=e2_wan_dsl
     actual-interface=e2_wan_dsl


/ip route print detail
 0 A S  dst-address=0.0.0.0/0 gateway=72.24.182.1,216.161.237.206 interface=e1_wan_cable,e2_wan_dsl
        gateway-state=reachable,reachable distance=1 scope=30 target-scope=10

 1 A S  dst-address=0.0.0.0/0 gateway=216.161.237.206 interface=e2_wan_dsl gateway-state=reachable
        distance=1 scope=30 target-scope=10 routing-mark=table_dsl

 2 A S  dst-address=0.0.0.0/0 gateway=72.24.182.1 interface=e1_wan_cable gateway-state=reachable
        distance=1 scope=30 target-scope=10 routing-mark=table_cable

 3 ADC  dst-address=72.24.182.0/24 pref-src=72.24.182.205 interface=e1_wan_cable distance=0 scope=10

 4 A S  dst-address=72.24.182.0/24 gateway=e1_wan_cable interface=e1_wan_cable gateway-state=reachable
        distance=1 routing-mark=table_cable

 5 ADC  dst-address=172.16.4.0/22 pref-src=172.16.7.254 interface=br_internal distance=0 scope=10

 6 A S  dst-address=172.16.4.0/22 gateway=br_internal interface=br_internal gateway-state=reachable
        distance=1 routing-mark=table_cable

 7 A S  dst-address=172.16.4.0/22 gateway=br_internal interface=br_internal gateway-state=reachable
        distance=1 routing-mark=table_dsl

 8 ADC  dst-address=216.161.237.200/29 pref-src=216.161.237.204 interface=e2_wan_dsl distance=0 scope=10

 9 A S  dst-address=216.161.237.200/29 gateway=e2_wan_dsl interface=e2_wan_dsl gateway-state=reachable
        distance=1 routing-mark=table_dsl


/ip route rule print detail
 0   src-address=72.24.182.205/32 action=lookup table=table_cable

 1   src-address=216.161.237.204/32 action=lookup table=table_dsl

 2   action=lookup table=main

The firewall and NAT are the same as in the above post. The only difference here is that each ISP has a separate routing table and IP rule marking.
 
XTLMeth
Frequent Visitor
Topic Author
Posts: 54
Joined: Mon Sep 07, 2009 7:10 am

Re: Need some help with dst-nat issue.

Sat Sep 12, 2009 9:09 pm

I guess no one has an answer. :(
 
Chupaka
Forum Guru
Posts: 8389
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Need some help with dst-nat issue.

Sun Sep 13, 2009 6:27 pm

You need to mark your incoming connections with different marks for each WAN, then route them back via the same WAN, as changeip said.
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

MikroTik. Your life. Your routing.
 
XTLMeth
Frequent Visitor
Topic Author
Posts: 54
Joined: Mon Sep 07, 2009 7:10 am

Re: Need some help with dst-nat issue.

Sun Sep 13, 2009 6:48 pm

OK, I can try that out, but is there a little example that someone could give me to get me on track? I have tried and failed for some reason. I only need an example for one WAN and I can figure it out from there for the other internet connections.
 
Chupaka
Forum Guru
Posts: 8389
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Need some help with dst-nat issue.

Sun Sep 13, 2009 7:50 pm

Try the Example from http://wiki.mikrotik.com/wiki/PCC, then add your dst-NAT rules.
 
XTLMeth
Frequent Visitor
Topic Author
Posts: 54
Joined: Mon Sep 07, 2009 7:10 am

Re: Need some help with dst-nat issue.

Mon Sep 14, 2009 3:42 am

I will give this a try. Thanks.
 
thavinci
Member
Posts: 334
Joined: Sat Aug 04, 2007 4:40 pm
Location: Johannesburg

Re: Need some help with dst-nat issue.

Tue Nov 17, 2009 1:16 am

I am having the exact same problem and have in fact been referred to the same wiki entry with the PCC example.

However, I am yet to resolve this issue.

Would be nice to know if anyone else has.

I ALWAYS have the result that traffic leaves the incorrect interface when using the other WAN connections.
http://www.thavinci.za.net

echo "Demo license expired!"
echo "Please reinstall the router."
echo
kill -WINCH 1
exit
 
thavinci
Member
Posts: 334
Joined: Sat Aug 04, 2007 4:40 pm
Location: Johannesburg

Re: Need some help with dst-nat issue.

Tue Nov 17, 2009 2:43 pm

Looks like even the official response is to hire a consultant!

Does seem pretty intense for a feature that the most basic of routers can achieve.

But OK, I'm desperate. So the question is: has anyone come right with this?
And who can I speak to that can give me an actual WORKING example that I can use?

And how much will you charge for this?
 
Chupaka
Forum Guru
Posts: 8389
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Need some help with dst-nat issue.

Tue Nov 17, 2009 2:56 pm

Post your config.
 
thavinci
Member
Posts: 334
Joined: Sat Aug 04, 2007 4:40 pm
Location: Johannesburg

Re: Need some help with dst-nat issue.

Tue Nov 17, 2009 3:23 pm

OK, this is a test box, that I can even give access to if needed.....
Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;; Mark Incomming Connections
     chain=input action=mark-connection new-connection-mark=Conn_Mark passthrough=yes in-interface=pppoe-out1 

 1 X chain=forward action=mark-connection new-connection-mark=Conn_Mark passthrough=yes in-interface=pppoe-out1 

 2 X chain=prerouting action=mark-routing new-routing-mark=Routing_Mark passthrough=yes connection-mark=Conn_Mark 

 3   ;;; Mark Outgoing Route
     chain=output action=mark-routing new-routing-mark=Routing_Mark passthrough=yes connection-mark=Conn_Mark 

 4   ;;; ??
     chain=prerouting action=accept dst-address=165.145.187.0/24 in-interface=LAN 

 5   chain=prerouting action=mark-connection new-connection-mark=Conn_Mark passthrough=yes dst-address-type=!local in-interface=LAN 

 6   chain=prerouting action=mark-routing new-routing-mark=Routing_Mark passthrough=yes in-interface=LAN connection-mark=Conn_Mark 

 7 X chain=forward action=log out-interface=LAN connection-mark=Conn_Mark log-prefix="" 
Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;; NAT All Outgoing Traffic
     chain=srcnat action=masquerade out-interface=pppoe-out1 

 1 X chain=srcnat action=masquerade out-interface=LAN 

 2 X chain=srcnat action=src-nat to-addresses=192.168.12.28 

 3   ;;; Port Forward
     chain=dstnat action=dst-nat to-addresses=192.168.12.1 in-interface=pppoe-out1 
[admin@P4-Intel-Server] /ip firewall nat> 

 #   ADDRESS            NETWORK         BROADCAST       INTERFACE                                                                   
 0 D 192.168.12.28/24   192.168.12.0    192.168.12.255  LAN                                                                         
 1 D 165.145.187.161/32 165.145.176.1   0.0.0.0         pppoe-out1                                                                  
[admin@P4-Intel-Server] /ip address> 


Following is only part of the routing table, as there are +- 1600 entries...
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  ;;; PBR-Default Route
        0.0.0.0/0                          pppoe-out1         1       
 1 ADS  0.0.0.0/0                          165.145.176.1      1       
 2 ADo  10.1.0.0/16                        192.168.12.1       110     
 3 ADo  10.10.10.0/24                      192.168.12.1       110     
 4 ADo  10.103.0.0/16                      192.168.12.4       110     
 5 ADo  10.103.120.2/32                    192.168.12.4       110     
 6 ADo  10.106.0.0/16                      192.168.12.4       110     
 7 ADo  10.107.128.1/32                    192.168.12.1       110     
                                           192.168.12.14     
 8 ADo  10.107.129.1/32                    192.168.12.4       110     
 9 ADo  17.255.248.0/23                    192.168.12.4       110     
10 ADo  32.106.152.0/24                    192.168.12.4       110     
11 ADo  32.106.153.0/24                    192.168.12.4       110     
12 ADo  32.107.9.0/24                      192.168.12.4       110     
13 ADo  32.238.152.0/24                    192.168.12.4       110     
14 ADo  32.238.153.0/24                    192.168.12.4       110     
15 ADo  32.239.182.0/24                    192.168.12.4       110     
16 ADo  41.0.0.0/16                        192.168.12.4       110     
17 ADo  41.0.13.0/24                       192.168.12.4       110     
18 ADo  41.0.16.0/21                       192.168.12.4       110     
19 ADo  41.0.24.0/24                       192.168.12.4       110     
20 ADo  41.0.30.0/24                       192.168.12.4       110     
21 ADo  41.0.72.0/21                       192.168.12.4       110     
22 ADo  41.0.168.0/21                      192.168.12.4       110     
23 ADo  41.0.196.0/24                      192.168.12.4       110     
24 ADo  41.0.198.0/24                      192.168.12.4       110     
25 ADo  41.0.208.0/20                      192.168.12.4       110     
26 ADo  41.0.212.0/22                      192.168.12.4       110     
27 ADo  41.0.236.0/24                      192.168.12.4       110     



PBR works for incoming connections to the public IP.

Image


However, it breaks for dst-nat rules, as what seems to be happening is that the MikroTik prefers to use routes from the routing table for the reply and breaks comms.
I.e. it doesn't listen to the PBR....

Image


Image



Let me know if you need any more info; my test is based on the PCC example without PCC, and I used as much of it as I could.
Note the public IP is dynamic.....
 
Chupaka
Forum Guru
Posts: 8389
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Need some help with dst-nat issue.

Tue Nov 17, 2009 4:49 pm

Wait... what's the difference between gw='165.145.176.1' and 'gw=pppoe-out1'?.. I don't understand your goal...
 
thavinci
Member
Posts: 334
Joined: Sat Aug 04, 2007 4:40 pm
Location: Johannesburg

Re: Need some help with dst-nat issue.

Tue Nov 17, 2009 5:19 pm

Image


Sorry, the print function didn't actually show the Routing Mark of that route.

Obviously I had to specify the interface rather than the IP for that one, as the IP is dynamic.
 
Chupaka
Forum Guru
Posts: 8389
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Need some help with dst-nat issue.

Tue Nov 17, 2009 6:34 pm

Yeah, I saw that both routes are active, but... what's the problem?..
 
thavinci
Member
Posts: 334
Joined: Sat Aug 04, 2007 4:40 pm
Location: Johannesburg

Re: Need some help with dst-nat issue.

Tue Nov 17, 2009 7:37 pm

It does not work!


If you do a dst-nat rule such as the one in my conf, the connection hits the MT, which forwards it to the internal server, but the MT doesn't send the response out the same interface back to the originating server. It instead uses its routing table for the response and ends up sending traffic to another router instead of back out the interface it came in on.
 
davidfs
just joined
Posts: 18
Joined: Thu Aug 06, 2009 10:05 am
Location: Barcelona, Spain

Re: Need some help with dst-nat issue.

Wed Nov 18, 2009 10:29 am

Hi. I've been facing the same problem. I've a simple configuration with 2 WANs.
Although I've done this in Linux without problems, I can't figure out how to do it in RouterOS.

See my post: http://forum.mikrotik.com/viewtopic.php?f=13&t=34628

I didn't get an answer on how to do that simple question.
And the example on the wiki for policy routing is...

I've tested this with VMware, and it seems that packets return with the correct src-ip but the wrong interface.

Let me know if you find a solution...
 
Chupaka
Forum Guru
Posts: 8389
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Need some help with dst-nat issue.

Wed Nov 18, 2009 6:21 pm

> If you do a dst-nat rule such as the one in my conf, the connection hits the MT, which forwards it to the internal server, but the MT doesn't send the response out the same interface back to the originating server. It instead uses its routing table for the response and ends up sending traffic to another router instead of back out the interface it came in on.

Are you talking about some route to 165.145.187.0/24 via a different router?..

If yes, then enable rule 1 and copy rule 6 above 4, then check...
 
changeip
Forum Guru
Posts: 3818
Joined: Fri May 28, 2004 5:22 pm

Re: Need some help with dst-nat issue.

Wed Nov 18, 2009 9:58 pm

You need to mark connections, and then mark packets. If you only mark connections, you are probably only going to route the SYN packets. Mark packets, and then mark routing based on packets (not connections).

See this working example; it's set up for DSL and a T1 and should work for what you are trying to accomplish without too many changes (interface instead of IP for the gateway, maybe):

http://forum.mikrotik.com/viewtopic.php ... t1#p147368

Also pay attention to my routing note: you have to recreate all your static / connected routes in each table.

Sam
 
changeip
Forum Guru
Posts: 3818
Joined: Fri May 28, 2004 5:22 pm

Re: Need some help with dst-nat issue.

Wed Nov 18, 2009 11:52 pm

Send me an email to support@changeip.com with your router's login info. I will get it working. $100 via PayPal once it works as you wish?

Thx,
Sam
 
XTLMeth
Frequent Visitor
Topic Author
Posts: 54
Joined: Mon Sep 07, 2009 7:10 am

Re: Need some help with dst-nat issue.

Thu Nov 19, 2009 7:59 am

Hey, don't let that guy charge you from the above message unless you want it really, really bad. :-D I did figure this out with help from this forum in another post, and I would be willing to help you get it working, or send you my config and you may be able to work from that?
 
XTLMeth
Frequent Visitor
Topic Author
Posts: 54
Joined: Mon Sep 07, 2009 7:10 am

Re: Need some help with dst-nat issue.

Thu Nov 19, 2009 8:07 am

http://forum.mikrotik.com/viewtopic.php ... 32&start=0 <--- this was my post where I got it working. The issue for me was that I was using PCC to load-balance internet from the LAN out to the internet, and when I was dst-NATting from the internet in, the routing mark was fine, but when the server responded back it would send the packet back out the wrong interface, because PCC was re-marking it when it shouldn't have. The trick for me was to change my PCC rules in the mangle table to only mark connections with no mark, aka connections coming from the LAN that hadn't already been marked. This simple change told the router to leave the existing marks alone, so when the returning packets from the server came in, the connection tracking table would associate the return packet with the existing connection and the mark for that connection, which caused it to go out the proper interface over the internet.
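The fix described in this post and in changeip's earlier advice (mark each inbound connection with the WAN it arrived on, derive the routing mark from the restored connection mark for the server's replies, and let the PCC rules touch only still-unmarked LAN connections), written out as one complete RouterOS route/mangle set. This is an added example, not XTLMeth's actual config: it reuses the interface names, gateways and table names from the posts above, assumes the RouterOS v3/v4 routing-mark syntax of that era, and keeps the src-nat/dst-nat rules already shown earlier in the thread unchanged.

```routeros
# Added example, not the poster's own config. Interfaces e1_wan_cable,
# e2_wan_dsl, br_internal, the gateways and table names come from the thread;
# the connection-mark names conn_cable / conn_dsl are illustrative.

/ip route
# One routing table per WAN, selected by routing-mark, plus the main defaults.
add dst-address=0.0.0.0/0 gateway=72.24.182.1 routing-mark=table_cable
add dst-address=0.0.0.0/0 gateway=216.161.237.206 routing-mark=table_dsl
add dst-address=0.0.0.0/0 gateway=72.24.182.1 distance=1
add dst-address=0.0.0.0/0 gateway=216.161.237.206 distance=2
# Connected networks must exist in every marked table too (changeip's note);
# otherwise a marked packet towards the LAN or a WAN subnet has no route.
add dst-address=172.16.4.0/22 gateway=br_internal routing-mark=table_cable
add dst-address=172.16.4.0/22 gateway=br_internal routing-mark=table_dsl
add dst-address=72.24.182.0/24 gateway=e1_wan_cable routing-mark=table_cable
add dst-address=216.161.237.200/29 gateway=e2_wan_dsl routing-mark=table_dsl

/ip firewall mangle
# 1. Remember which WAN a new inbound connection arrived on. prerouting runs
#    before dst-nat, so this covers port-forwarded traffic as well as traffic
#    to the router itself. Order matters: these rules sit above the PCC rules.
add chain=prerouting in-interface=e1_wan_cable connection-state=new \
    action=mark-connection new-connection-mark=conn_cable passthrough=yes
add chain=prerouting in-interface=e2_wan_dsl connection-state=new \
    action=mark-connection new-connection-mark=conn_dsl passthrough=yes

# 2. Outbound LAN traffic: balance with PCC, but ONLY connections that carry
#    no mark yet (connection-mark=no-mark). Without that condition PCC would
#    re-mark the server's replies to inbound connections, which is the bug
#    described above. dst-address-type=!local keeps router-bound traffic out.
add chain=prerouting in-interface=br_internal connection-state=new \
    connection-mark=no-mark dst-address-type=!local \
    per-connection-classifier=both-addresses:2/0 \
    action=mark-connection new-connection-mark=conn_cable passthrough=yes
add chain=prerouting in-interface=br_internal connection-state=new \
    connection-mark=no-mark dst-address-type=!local \
    per-connection-classifier=both-addresses:2/1 \
    action=mark-connection new-connection-mark=conn_dsl passthrough=yes

# 3. Every packet of a marked connection entering from the LAN (the server's
#    replies included) takes its routing table from the connection mark,
#    which connection tracking restores on each packet of the connection.
add chain=prerouting in-interface=br_internal connection-mark=conn_cable \
    action=mark-routing new-routing-mark=table_cable passthrough=no
add chain=prerouting in-interface=br_internal connection-mark=conn_dsl \
    action=mark-routing new-routing-mark=table_dsl passthrough=no

# 4. Replies the router generates itself (ssh/winbox on a WAN address) pass
#    through output, not prerouting, so mark routing there as well.
add chain=output connection-mark=conn_cable \
    action=mark-routing new-routing-mark=table_cable passthrough=no
add chain=output connection-mark=conn_dsl \
    action=mark-routing new-routing-mark=table_dsl passthrough=no

# The src-nat (per out-interface) and dst-nat (per WAN address) rules from
# the earlier posts stay as they are; what was missing was the marking above.
```

To confirm it works, connect to the web server through each WAN address in turn and watch /ip firewall connection: each entry should carry the connection mark of the WAN it arrived on, and a packet sniff on the other WAN interface should show no reply traffic for it.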
 
hilton
Long time Member
Posts: 635
Joined: Thu Sep 07, 2006 5:12 pm
Location: Jozi (aka Johannesburg), South Africa

Re: Need some help with dst-nat issue.

Thu Nov 19, 2009 8:33 am

> Hey, don't let that guy charge you from the above message unless you want it really, really bad. :-D

That's a bit harsh!

It's not like changeip/Sam was forcing himself on thavinci. In fact thavinci actually asked for paid help.

I think Sam deserves an apology.
Regards
Hilton
 
changeip
Forum Guru
Posts: 3818
Joined: Fri May 28, 2004 5:22 pm

Re: Need some help with dst-nat issue.

Thu Nov 19, 2009 8:57 am

Hehe. I even offered to get paid after I made it work. It could take 2 weeks of back and forth through the forums, whereas 5 mins on the router and I could make it work. It's always the 'oh yeah, I entered that rule in there to bypass this ...' or something that doesn't seem like anything but is.
 
XTLMeth
Frequent Visitor
Topic Author
Posts: 54
Joined: Mon Sep 07, 2009 7:10 am

Re: Need some help with dst-nat issue.

Fri Nov 20, 2009 12:06 am

You're right I didn't read it all. I jumped the gun on that one guys. Sorry.
