 
jasonqhe
just joined
Topic Author
Posts: 8
Joined: Fri Mar 15, 2013 5:37 am

Help!!! NATmultiple IP addresses to inside multiple hosts

Fri Jun 14, 2013 5:53 pm

I just want to set up NAT from multiple public IP addresses to multiple inside hosts.
First, I assigned the public IPs to a WAN interface. But only one IP (Pref. source) can be pinged from outside. Is there a way to turn on all of them?

Then, I set up firewall NAT rules from my multiple public IPs to my multiple LAN IPs.

The result is that only some of them work.

Thanks for help!!!



MMM MMM KKK TTTTTTTTTTT KKK
MMMM MMMM KKK TTTTTTTTTTT KKK
MMM MMMM MMM III KKK KKK RRRRRR OOOOOO TTT III KKK KKK
MMM MM MMM III KKKKK RRR RRR OOO OOO TTT III KKKKK
MMM MMM III KKK KKK RRRRRR OOO OOO TTT III KKK KKK
MMM MMM III KKK KKK RRR RRR OOOOOO TTT III KKK KKK

MikroTik RouterOS 6.0rc5 (c) 1999-2012 http://www.mikrotik.com/

[?] Gives the list of available commands
command [?] Gives help on the command and list of arguments

[Tab] Completes the command/word. If the input is ambigous,
a second [Tab] gives possible options

/ Move up to base level
.. Move up one level
/command Use command at the base level
[admin@MikroTik] > export
# jan/22/1970 19:37:18 by RouterOS 6.0rc5
# software id = S301-SWRC
#
/interface bridge
# Creates bridge1; this export lists no bridge ports for it.
add name=bridge1
/interface ethernet
# Renames ports 0-2 to WAN1-WAN3 and sets per-port speed / auto-negotiation.
# Ports 4 and 6 are disabled.
set 0 name=WAN1
set 1 name=WAN2 speed=1Gbps
set 2 auto-negotiation=no name=WAN3
set 4 disabled=yes
set 6 disabled=yes name=ether7
set 7 name=ether8 speed=1Gbps
set 8 name=ether9
set 9 name=ether10
set 10 name=ether11 speed=1Gbps
set 11 name=ether12
set 12 auto-negotiation=no
set 13 auto-negotiation=no
set 14 auto-negotiation=no
set 15 auto-negotiation=no


/ip hotspot user profile
# Changes the default hotspot user profile: no idle timeout, 2-minute keepalive timeout.
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m
/ip address
# Addresses assigned to the router's own interfaces. The public prefixes were masked
# with "xxx" by the poster.
add address=192.168.88.1/24 comment="default configuration" disabled=yes \
interface=bridge1 network=192.168.88.0

# Internal subnets; only the ether11 entry in this group is enabled.
add address=192.168.6.2/24 interface=ether11 network=192.168.6.0
add address=192.168.2.2/24 disabled=yes interface=ether7 network=192.168.2.0
add address=192.168.0.2/24 disabled=yes interface=ether5 network=192.168.0.0
add address=192.168.168.2/24 disabled=yes interface=ether12 network=\
192.168.168.0


# WAN1 public block (/29): all three entries are disabled=yes, so none is active.
add address=203.15.xxx.92/29 disabled=yes interface=WAN1 network=203.15.xxx.88
add address=203.15.xxx.93/29 disabled=yes interface=WAN1 network=203.15.xxx.88
add address=203.15.xxx.94/29 disabled=yes interface=WAN1 network=203.15.xxx.88


# ether8 carries 192.168.3.0/24, the LAN that the NAT rules translate. The router holds
# two addresses in it (.2 here and .254 further down).
add address=192.168.3.2/24 interface=ether8 network=192.168.3.0

# WAN2 public addresses (14 in total, all in the same /24). Each one that is a dst-nat
# target must be listed here so the router accepts traffic for it on WAN2.
add address=208.202.xxx.68/24 interface=WAN2 network=208.202.xxx.0
add address=208.202.xxx.2/24 interface=WAN2 network=208.202.xxx.0

add address=192.168.3.254/24 interface=ether8 network=192.168.3.0

add address=208.202.xxx.70/24 interface=WAN2 network=208.202.xxx.0
add address=208.202.xxx.71/24 interface=WAN2 network=208.202.xxx.0
add address=208.202.xxx.208/24 interface=WAN2 network=208.202.xxx.0
add address=208.202.xxx.73/24 interface=WAN2 network=208.202.xxx.0
add address=208.202.xxx.74/24 interface=WAN2 network=208.202.xxx.0
add address=208.202.xxx.75/24 interface=WAN2 network=208.202.xxx.0
add address=208.202.xxx.76/24 interface=WAN2 network=208.202.xxx.0
add address=208.202.xxx.77/24 interface=WAN2 network=208.202.xxx.0
add address=208.202.xxx.78/24 interface=WAN2 network=208.202.xxx.0
add address=208.202.xxx.79/24 interface=WAN2 network=208.202.xxx.0
add address=208.202.xxx.80/24 interface=WAN2 network=208.202.xxx.0
add address=208.202.xxx.81/24 interface=WAN2 network=208.202.xxx.0

/ip dns
# allow-remote-requests=yes makes the router answer DNS queries sent to it by other hosts.
# NOTE(review): this export contains no enabled input-chain filter rule, so the resolver
# is presumably reachable on the public WAN2 addresses as well (an open resolver).
# Restrict UDP/TCP port 53 on the input chain to LAN sources, or turn this off if the
# LAN does not use the router as its DNS server.
set allow-remote-requests=yes servers=202.11.2.65,202.11.3.65
/ip firewall address-list
# One named list per internal /24.
# NOTE(review): the filter rules in this export reference lists named "G&S Guest" and
# "G&S A", not these "GL ..." names, so those rules would match nothing if enabled as posted.
add address=192.168.3.0/24 list="GL CM"
add address=192.168.168.0/24 list="GL Guest"
add address=192.168.2.0/24 list="GL TS"
add address=192.168.6.0/24 list="GL A"
add address=192.168.0.0/24 list="GL B"


/ip firewall filter
# Every rule in this section is disabled=yes, so the export shows no active packet
# filtering. Traffic translated by the dst-nat rules reaches the LAN hosts unfiltered,
# and nothing here protects the router's own services (input chain).
# NOTE(review): before enabling, check two things. The rules reference address lists
# "G&S Guest" / "G&S A" that this export does not define, and they match on
# in-bridge-port/out-bridge-port although no bridge ports are shown for WAN1/WAN2.
# Rules with no action= shown use the default action, accept.
add action=drop chain=forward connection-state=invalid disabled=yes
add chain=forward connection-state=new disabled=yes in-bridge-port=WAN1 \
out-bridge-port=WAN1 src-address-list="G&S Guest"
add chain=forward connection-state=established disabled=yes in-bridge-port=WAN1 \
out-bridge-port=WAN1 src-address-list="G&S Guest"
add chain=forward connection-state=related disabled=yes in-bridge-port=WAN1 \
out-bridge-port=WAN1 src-address-list="G&S Guest"
add chain=forward connection-state=new disabled=yes in-bridge-port=WAN2 \
out-bridge-port=WAN2 src-address-list="G&S A"
add chain=forward connection-state=established disabled=yes in-bridge-port=WAN2 \
out-bridge-port=WAN2 src-address-list="G&S A"
add chain=forward connection-state=related disabled=yes in-bridge-port=WAN2 \
out-bridge-port=WAN2 src-address-list="G&S A"
/ip firewall nat
# 1:1 destination NAT: each rule sends ALL TCP ports of one public WAN2 address to one
# LAN host. Only protocol=tcp is matched, so ICMP (ping) and UDP sent to these addresses
# are not translated.
# NOTE(review): with every forward filter rule disabled, each TCP service listening on
# these hosts is reachable from the Internet. Limit the rules to the required dst-port
# values, or add forward-chain filter rules that allow only the intended services.
add action=dst-nat chain=dstnat dst-address=208.202.xxx.68 protocol=tcp \
to-addresses=192.168.3.118 to-ports=0-65535
add action=dst-nat chain=dstnat dst-address=208.202.xxx.70 protocol=tcp \
to-addresses=192.168.3.96 to-ports=0-65535
add action=dst-nat chain=dstnat dst-address=208.202.xxx.71 protocol=tcp \
to-addresses=192.168.3.97 to-ports=0-65535
add action=dst-nat chain=dstnat dst-address=208.202.xxx.208 protocol=tcp \
to-addresses=192.168.3.214 to-ports=0-65535
add action=dst-nat chain=dstnat dst-address=208.202.xxx.73 protocol=tcp \
to-addresses=192.168.3.225 to-ports=0-65535
add action=dst-nat chain=dstnat dst-address=208.202.xxx.74 protocol=tcp \
to-addresses=192.168.3.95 to-ports=0-65535
add action=dst-nat chain=dstnat dst-address=208.202.xxx.75 protocol=tcp \
to-addresses=192.168.3.94 to-ports=0-65535
# NOTE(review): 192.168.3.98 has no matching src-nat rule further down, so its outbound
# TCP presumably falls through to the final catch-all rule and leaves as 208.202.xxx.2.
add action=dst-nat chain=dstnat dst-address=208.202.xxx.76 protocol=tcp \
to-addresses=192.168.3.98 to-ports=0-65535
add action=dst-nat chain=dstnat dst-address=208.202.xxx.77 protocol=tcp \
to-addresses=192.168.3.92 to-ports=0-65535
# NOTE(review): there is no dst-nat rule for 208.202.xxx.78, although a src-nat rule
# below maps 192.168.3.91 to that address; inbound connections to .78 are not forwarded.
add action=dst-nat chain=dstnat dst-address=208.202.xxx.79 protocol=tcp \
to-addresses=192.168.3.90 to-ports=0-65535
add action=dst-nat chain=dstnat dst-address=208.202.xxx.80 protocol=tcp \
to-addresses=192.168.3.89 to-ports=0-65535
add action=dst-nat chain=dstnat dst-address=208.202.xxx.81 protocol=tcp \
to-addresses=192.168.3.93 to-ports=0-65535
# 1:1 source NAT for outbound TCP from the same hosts. Non-TCP traffic from the LAN
# matches none of the enabled srcnat rules and is not translated.
add action=src-nat chain=srcnat protocol=tcp src-address=192.168.3.118 \
to-addresses=208.202.xxx.68 to-ports=0-65535
add action=src-nat chain=srcnat protocol=tcp src-address=192.168.3.96 \
to-addresses=208.202.xxx.70 to-ports=0-65535
add action=src-nat chain=srcnat protocol=tcp src-address=192.168.3.97 \
to-addresses=208.202.xxx.71 to-ports=0-65535
# Duplicate of the previous rule (same src-address and to-addresses); the first one
# always matches, so this one is never reached.
add action=src-nat chain=srcnat protocol=tcp src-address=192.168.3.97 \
to-addresses=208.202.xxx.71 to-ports=0-65535
add action=src-nat chain=srcnat protocol=tcp src-address=192.168.3.214 \
to-addresses=208.202.xxx.208 to-ports=0-65535
add action=src-nat chain=srcnat protocol=tcp src-address=192.168.3.225 \
to-addresses=208.202.xxx.73 to-ports=0-65535
add action=src-nat chain=srcnat protocol=tcp src-address=192.168.3.95 \
to-addresses=208.202.xxx.74 to-ports=0-65535
add action=src-nat chain=srcnat protocol=tcp src-address=192.168.3.94 \
to-addresses=208.202.xxx.75 to-ports=0-65535
add action=src-nat chain=srcnat protocol=tcp src-address=192.168.3.92 \
to-addresses=208.202.xxx.77 to-ports=0-65535
add action=src-nat chain=srcnat protocol=tcp src-address=192.168.3.91 \
to-addresses=208.202.xxx.78 to-ports=0-65535
add action=src-nat chain=srcnat protocol=tcp src-address=192.168.3.90 \
to-addresses=208.202.xxx.79 to-ports=0-65535
add action=src-nat chain=srcnat protocol=tcp src-address=192.168.3.89 \
to-addresses=208.202.xxx.80 to-ports=0-65535
add action=src-nat chain=srcnat protocol=tcp src-address=192.168.3.93 \
to-addresses=208.202.xxx.81 to-ports=0-65535

# Masquerade for WAN1 is disabled, matching the disabled WAN1 addresses and route.
add action=masquerade chain=srcnat disabled=yes out-interface=WAN1
# Catch-all for the remaining LAN TCP traffic leaving through WAN2.
# NOTE(review): "src-address" is followed directly by a line break with no "=" or "\",
# which looks like paste damage; the intended value is presumably
# src-address=192.168.3.0/24.
add action=src-nat chain=srcnat out-interface=WAN2 protocol=tcp src-address
192.168.3.0/24 to-addresses=208.202.xxx.2 to-ports=0-65535

/ip route
# No dst-address is given, so both entries are default routes. This one, via the WAN2
# gateway, is the only active default route.
add distance=2 gateway=208.202.xxx.1

# Default route via the WAN1 gateway; disabled.
add disabled=yes distance=3 gateway=203.15.xxx.89

/system routerboard settings
# Sets the RouterBOARD memory frequency; unrelated to the NAT behaviour under discussion.
set memory-frequency=1066DDR
[admin@MikroTik] >
 
neticted
Member Candidate
Member Candidate
Posts: 124
Joined: Wed Jan 04, 2012 10:36 am

Re: Help!!! NATmultiple IP addresses to inside multiple hos

Tue Jun 18, 2013 1:53 pm

You have to set up routing so that each outgoing connection leaves via the IP that matches its incoming IP.

If you do not do that, all outgoing connections go to the default gateway.
 
jasonqhe
just joined
Topic Author
Posts: 8
Joined: Fri Mar 15, 2013 5:37 am

Re: Help!!! NATmultiple IP addresses to inside multiple hos

Wed Jun 19, 2013 6:39 pm

You have to set routing so each outgoing connection goes to matching incoming IP.

If you do not to that, all outgoing connections are going to default gateway.
Yes, I did that. please see below:


# These are source-NAT rules (address translation), not routes. Each maps the outbound
# TCP traffic of one LAN host to one public address; non-TCP traffic is not matched.
add action=src-nat chain=srcnat protocol=tcp src-address=192.168.3.118 \
to-addresses=208.202.xxx.68 to-ports=0-65535
add action=src-nat chain=srcnat protocol=tcp src-address=192.168.3.96 \
to-addresses=208.202.xxx.70 to-ports=0-65535
add action=src-nat chain=srcnat protocol=tcp src-address=192.168.3.97 \
to-addresses=208.202.xxx.71 to-ports=0-65535
# Duplicate of the previous rule (same src-address and to-addresses).
add action=src-nat chain=srcnat protocol=tcp src-address=192.168.3.97 \
to-addresses=208.202.xxx.71 to-ports=0-65535
add action=src-nat chain=srcnat protocol=tcp src-address=192.168.3.214 \
to-addresses=208.202.xxx.208 to-ports=0-65535
add action=src-nat chain=srcnat protocol=tcp src-address=192.168.3.225 \
to-addresses=208.202.xxx.73 to-ports=0-65535
add action=src-nat chain=srcnat protocol=tcp src-address=192.168.3.95 \
to-addresses=208.202.xxx.74 to-ports=0-65535
add action=src-nat chain=srcnat protocol=tcp src-address=192.168.3.94 \
to-addresses=208.202.xxx.75 to-ports=0-65535
# NOTE(review): no rule in this list covers 192.168.3.98, the dst-nat target of
# 208.202.xxx.76 in the posted export.
add action=src-nat chain=srcnat protocol=tcp src-address=192.168.3.92 \
to-addresses=208.202.xxx.77 to-ports=0-65535
# NOTE(review): the posted export has no dst-nat rule for 208.202.xxx.78, so this
# mapping is outbound-only.
add action=src-nat chain=srcnat protocol=tcp src-address=192.168.3.91 \
to-addresses=208.202.xxx.78 to-ports=0-65535
add action=src-nat chain=srcnat protocol=tcp src-address=192.168.3.90 \
to-addresses=208.202.xxx.79 to-ports=0-65535
add action=src-nat chain=srcnat protocol=tcp src-address=192.168.3.89 \
to-addresses=208.202.xxx.80 to-ports=0-65535
add action=src-nat chain=srcnat protocol=tcp src-address=192.168.3.93 \
to-addresses=208.202.xxx.81 to-ports=0-65535
 
jasonqhe
just joined
Topic Author
Posts: 8
Joined: Fri Mar 15, 2013 5:37 am

Re: Help!!! NATmultiple IP addresses to inside multiple hos

Wed Jun 19, 2013 6:51 pm

You have to set routing so each outgoing connection goes to matching incoming IP.

If you do not to that, all outgoing connections are going to default gateway.
default gateway? you mean the pref.source in route list?

now, the problem is some of them working, I can ping or trace them, but some of them not work!
 
Jorbu
just joined
Posts: 23
Joined: Sun Apr 01, 2012 4:23 am

Re: Help!!! NATmultiple IP addresses to inside multiple hos

Sat Jun 22, 2013 12:02 am

I believe the issue is that your rules only match TCP and specify ports:
add action=src-nat chain=srcnat protocol=tcp src-address=192.168.3.89 \
to-addresses=208.202.xxx.80 to-ports=0-65535
Try removing these matchers (protocol=tcp and to-ports=0-65535); something like this should be enough:
add action=src-nat chain=srcnat  src-address=192.168.3.89 to-addresses=208.202.xxx.80
Since you are using ping requests to test, and these are ICMP packets, they are not matched by these rules. Let me know how this goes.
 
jasonqhe
just joined
Topic Author
Posts: 8
Joined: Fri Mar 15, 2013 5:37 am

Re: Help!!! NATmultiple IP addresses to inside multiple hos

Wed Jun 26, 2013 6:03 am

I believe the issues is that your rules qualify on TCP and ports:
add action=src-nat chain=srcnat [b]protocol=tcp[/b] src-address=192.168.3.89 \
to-addresses=208.202.xxx.80 [b]to-ports=0-65535[/b]
Try removing these filters, something like this should be enough:
add action=src-nat chain=srcnat  src-address=192.168.3.89 to-addresses=208.202.xxx.80
Since you are using ping requests to test, these are ICMP packets, so they are not being flagged by these rules. Let me know how this goes.

Thanks for help, but still not working.

my question :
1. I set up 13 IP addresses, for example 102.2.1.60; .61; ...; .72. Only 102.2.1.63, 102.2.1.65 and 102.2.1.70 are not working; the other 10 work fine.
2. In other systems like Cisco, if you assign several IP addresses to one WAN interface, you can ping all of them. In MikroTik you can only ping one IP address, which the Winbox route list calls pref. source. Can we make all the IP addresses pref. source?

Thanks
