dw5304
Frequent Visitor
Topic Author
Posts: 51
Joined: Tue Apr 12, 2011 9:36 pm

nat question / issue on CCR1009-8G01S01S+ v6.27 (resolved)

Wed Mar 25, 2015 9:56 pm

I seem to be having an issue with a CCR1009 sending the router's IP address instead of the WAN address of the customer for a dst nat.

I have an RB1100AHx2 that is making use of the same dst nat on version 6.9, and it's sending the WAN address of the customer to the server.

Is there a known issue or something I can look at on the CCR1009 to give me the same functionality?

ccr1009
# mar/25/2015 19:49:37 by RouterOS 6.27
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=wanip dst-port=80 protocol=tcp to-addresses=serverip to-ports=80
add action=dst-nat chain=dstnat dst-address=wanip dst-port=443 protocol=tcp to-addresses=serverip to-ports=443
add action=masquerade chain=srcnat

RB1100AHx2

# mar/26/2015 03:33:57 by RouterOS 6.9
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=WANIP dst-address-type="" dst-port=80 protocol=tcp to-addresses=LANIP to-ports=80
add action=dst-nat chain=dstnat dst-address=WANIP dst-address-type="" dst-port=443 protocol=tcp to-addresses=LANIP to-ports=443
add action=masquerade chain=srcnat out-interface=ether11

Any help would be appreciated.
Last edited by dw5304 on Wed Mar 25, 2015 10:29 pm, edited 1 time in total.
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: nat question / issue on CCR1009-8G01S01S+ v6.27

Wed Mar 25, 2015 10:12 pm

ccr1009
# mar/25/2015 19:49:37 by RouterOS 6.27
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=wanip dst-port=80 protocol=tcp to-addresses=serverip to-ports=80
add action=dst-nat chain=dstnat dst-address=wanip dst-port=443 protocol=tcp to-addresses=serverip to-ports=443
add action=masquerade chain=srcnat <----- this rule is the problem

RB1100AHx2

# mar/26/2015 03:33:57 by RouterOS 6.9
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=WANIP dst-address-type="" dst-port=80 protocol=tcp to-addresses=LANIP to-ports=80
add action=dst-nat chain=dstnat dst-address=WANIP dst-address-type="" dst-port=443 protocol=tcp to-addresses=LANIP to-ports=443
add action=masquerade chain=srcnat out-interface=ether11

any help would be appreciated.

The masquerade rule on the CCR will masquerade both inbound and outbound.
The 1100AHx2 has a condition that limits this rule for packets going out ether11 (assuming that's the WAN interface).
 
dw5304
Frequent Visitor
Topic Author
Posts: 51
Joined: Tue Apr 12, 2011 9:36 pm

Re: nat question / issue on CCR1009-8G01S01S+ v6.27

Wed Mar 25, 2015 10:28 pm

Thank you.
Not sure how I missed that.
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: nat question / issue on CCR1009-8G01S01S+ v6.27

Wed Mar 25, 2015 10:34 pm

thank you.
not sure how i missed that.

NP - you may also want to include a masquerade rule on the inside that catches hairpin requests,
e.g. action=masquerade src-address=192.168.10.0/24 out-interface=LAN

This way, if they don't have "inside DNS" that gives the private IP, their server will still work.
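
An added example, not part of any post in this thread: a small Python check that reads a RouterOS /ip firewall nat export and flags masquerade rules that have no scoping matcher, which is the condition ZeroByte points out on the CCR. The function names and the set of matchers treated as "scoping" are assumptions of this example.

```python
import re
import shlex

# Matchers that narrow a srcnat rule to particular traffic. A masquerade rule
# with none of them set applies to every connection passing srcnat, including
# inbound connections that a dstnat rule has just redirected to the server.
SCOPING = ("out-interface", "out-interface-list", "src-address",
           "src-address-list", "dst-address", "dst-address-list")

def parse_nat_export(text):
    """Yield one {property: value} dict per 'add' line under /ip firewall nat."""
    text = re.sub(r"\\\r?\n\s*", "", text)   # rejoin lines the export wrapped with "\"
    in_nat = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("/"):             # menu path, e.g. /ip firewall nat
            in_nat = line == "/ip firewall nat"
        elif in_nat and line.startswith("add "):
            tokens = shlex.split(line[4:])   # copes with quoted values such as ""
            yield dict(t.split("=", 1) for t in tokens if "=" in t)

def unscoped_masquerade(text):
    """Return enabled srcnat masquerade rules that have no scoping matcher."""
    return [rule for rule in parse_nat_export(text)
            if rule.get("chain") == "srcnat"
            and rule.get("action") == "masquerade"
            and rule.get("disabled") != "yes"
            and not any(rule.get(key) for key in SCOPING)]

# Rules as posted in the thread (wanip, serverip, WANIP, LANIP are the posters' placeholders).
CCR1009 = """\
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=wanip dst-port=80 protocol=tcp to-addresses=serverip to-ports=80
add action=masquerade chain=srcnat
"""
RB1100 = """\
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=WANIP dst-address-type="" dst-port=80 protocol=tcp to-addresses=LANIP to-ports=80
add action=masquerade chain=srcnat out-interface=ether11
"""
# Hairpin rule from the last reply; chain=srcnat is assumed, the post omits it.
HAIRPIN = "add action=masquerade chain=srcnat src-address=192.168.10.0/24 out-interface=LAN\n"

if __name__ == "__main__":
    for name, cfg in (("CCR1009", CCR1009), ("RB1100AHx2", RB1100 + HAIRPIN)):
        print(name, "unscoped masquerade rules:", unscoped_masquerade(cfg))
```

The CCR export yields one flagged rule; the RB1100AHx2 export, with or without the hairpin rule appended, yields none.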
