midsizewisp
Frequent Visitor
Topic Author
Posts: 54
Joined: Tue Dec 08, 2009 10:34 pm

NAT forwarding when not default gateway

Wed May 08, 2013 1:42 am

I never seem to be able to get the following to work. If the Mtik is the device's default gateway,
it works fine. But when it isn't, it doesn't. Any ideas appreciated.

Public IP -> Mtik -> Device -> Default Gateway on another network

Public IP of Mtik: 1.1.1.1
Private IP of Mtik: 10.0.0.254
Private Device IP: 10.0.0.2
Private Device GW: 10.0.0.1

/ip address
add address=1.1.1.1/24 interface=Public network=1.1.1.0
add address=10.0.0.254/24 interface=Private network=10.0.0.0
/ip firewall nat
add action=dst-nat chain=dstnat disabled=no dst-address=1.1.1.1 dst-port=\
    443 protocol=tcp to-addresses=10.0.0.2 to-ports=443

Looking at the packet sniffer, nothing is responding from 10.0.0.2 but I can telnet to port 443
just fine from the Mtik.

Any ideas?
 
nickshore
Member
Posts: 473
Joined: Thu Mar 03, 2005 4:14 pm
Location: Suffolk, UK.

Re: NAT forwarding when not default gateway

Wed May 08, 2013 11:43 am

The default gateway is used to send packets where the destination address is not in the subnet of the interface.

In your example a request packet comes in from outside, let's say 212.212.212.212, and gets sent to 10.0.0.2.

It replies to 212.212.212.212 using the only route it has for that address, its default gateway, so the return packet gets sent to 10.0.0.1 which I guess does some NAT, and you end up with the return packet with a different src IP and so somewhere it gets dropped.

When you telnet from the MikroTik, you are within the subnet, e.g. 10.0.0.254 going to 10.0.0.2, so the reply comes straight back and it works.

There are a few ways you can fix this. Either add a route for the original request which goes via the MikroTik:
/ip route add dst-address=212.212.212.0/24 gateway=10.0.0.254
or you could src-nat the inbound traffic so that it appears as if it is coming from the MikroTik,
something like this - you need to choose how to match and translate the traffic, e.g.
/ip firewall nat add chain=srcnat protocol=tcp dst-port=443 out-interface=laninterface action=masquerade
or you could make the device have a default route of the MikroTik and then make the MikroTik route via the old default gateway (10.0.0.1) for most traffic and by its own default gateway for returning packets for those port 443 connections (hint: use mangle rules to mark connections).

Hope that helps

Nick.
Nick Shore MTCNA MTCWE MTCRE MTCINE MTCTCE
LinITX.com - MultiThread Consultants
Get your MikroTik RBs and Training: http://linitx.com/brand/mikrotik
Official UK MikroTik Distributor
IRC chan: #routerboard on irc.z.je (IPv4 and IPv6)
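To make the asymmetric-return problem Nick describes concrete, here is an added Python simulation (not code from the thread or from MikroTik) of the device's routing decision for its reply. It uses the addresses from the thread, with 212.212.212.212 as the constructed external client, and shows the reply's first hop with no fix, with the extra /24 route, and with the srcnat/masquerade rule.

```python
import ipaddress

# Constructed topology from the thread: MikroTik at 1.1.1.1 (public) / 10.0.0.254 (LAN),
# device at 10.0.0.2 whose default gateway is a different router at 10.0.0.1.
CLIENT = "212.212.212.212"          # constructed external client address
MTIK_LAN, DEVICE, OTHER_GW = "10.0.0.254", "10.0.0.2", "10.0.0.1"

# Device routing table as (prefix, next hop); next hop None means directly connected.
DEVICE_ROUTES = [("10.0.0.0/24", None), ("0.0.0.0/0", OTHER_GW)]


def next_hop(routes, dst):
    """Longest-prefix-match lookup. Returns the gateway the device sends to,
    or dst itself when the destination is on-link."""
    addr = ipaddress.ip_address(dst)
    matching = [ipaddress.ip_network(p) for p, _ in routes if addr in ipaddress.ip_network(p)]
    best = max(matching, key=lambda n: n.prefixlen, default=None)
    if best is None:
        raise ValueError(f"no route to {dst}")
    hop = dict(routes)[str(best)]
    return dst if hop is None else hop


def forward_to_device(src_nat, device_routes=DEVICE_ROUTES, extra_routes=()):
    """Apply the MikroTik's NAT to the inbound SYN (dst-nat 1.1.1.1:443 -> 10.0.0.2:443,
    optionally masquerade on the LAN side) and work out where the device's SYN/ACK goes.
    Returns (reply destination IP, first hop the reply is sent to)."""
    pkt = {"src": CLIENT, "dst": DEVICE}           # after the dst-nat rule from the first post
    if src_nat:                                    # chain=srcnat action=masquerade on the LAN interface
        pkt["src"] = MTIK_LAN                      # device now sees the MikroTik as the client
    reply_dst = pkt["src"]
    routes = list(device_routes) + list(extra_routes)
    return reply_dst, next_hop(routes, reply_dst)


if __name__ == "__main__":
    # No fix: reply is routed to 10.0.0.1, so the MikroTik's connection-tracking entry never
    # sees the SYN/ACK and the handshake stalls (the "nothing responding" in the sniffer).
    print("no fix:      ", forward_to_device(False))
    # Fix 1: a route for the client's /24 via the MikroTik makes the reply return through it.
    print("extra route: ", forward_to_device(False, extra_routes=[("212.212.212.0/24", MTIK_LAN)]))
    # Fix 2: masquerade; the reply is addressed to 10.0.0.254 and is on-link.
    print("masquerade:  ", forward_to_device(True))
```

With masquerade the device only ever sees 10.0.0.254 as the source, so its own logs and any per-client access controls on it lose the real client IP; the route-based fix keeps it visible.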
 
midsizewisp
Frequent Visitor
Topic Author
Posts: 54
Joined: Tue Dec 08, 2009 10:34 pm

Re: NAT forwarding when not default gateway

Wed May 08, 2013 2:53 pm

The srcnat rule worked like a charm. Thanks.
