rwebb616
Frequent Visitor
Topic Author
Posts: 52
Joined: Fri May 27, 2011 1:00 am

Router OS with Lan/Wan/DMZ setup

Thu Mar 21, 2024 10:47 pm

Hello,

I'm looking for some help on setting up a corporate DMZ-type setting. I come from the Cisco world, using the older ASA firewall and setting up a DMZ on there. The device uses NAT when going from a low-security interface to a higher-security interface, low security being the WAN port and high security being the DMZ and the LAN ports. I'm trying to mimic that type of setup with a MikroTik. It's easy to NAT something using dstnat from the outside to the inside using netmap. Now I'm trying to NAT something from the DMZ "network" into the LAN using the same concept, and there is no communication.

The concept here is that it would be a corporate environment where all the internal servers are on the LAN and the public-facing self-hosted servers are in the DMZ. If a box in the DMZ gets compromised, then there is no access from that machine into the LAN other than on the ports that are specifically allowed through NAT.

LAN devices can access any DMZ device using masquerading, as well as the internet out on the WAN.

So for testing I have a mail gateway sitting in the DMZ on 172.16.21.1/24, and I have an internal mail server sitting on 192.168.7.3/24. The 172.16.21.0/24 network is the DMZ and the 192.168.7.0/24 network is the LAN.

I'm aware I can just use filter rules to allow traffic into the LAN network, but I want to figure out how to use NAT to netmap port 25 into the LAN from the DMZ.

I have tried adding a specific NAT IP on the LAN interface, using that as the dstnat destination and netmapping that to 192.168.7.3, but there is no communication.

How would you do this?

Thanks,
Rich
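The WAN/LAN/DMZ layout described in the post, written out as a RouterOS configuration. This is an added example, not configuration from the original post or from MikroTik. It assumes ether1 is the WAN port, ether2 the LAN (router address 192.168.7.1/24) and ether3 the DMZ (router address 172.16.21.254/24); it also gives the router a second address, 172.16.21.250, on the DMZ interface as the target the DMZ mail gateway relays to. The 25/tcp netmap to 192.168.7.3 is the one the post asks for; the interface names and the 172.16.21.254 and 172.16.21.250 addresses are assumptions.

```routeros
# Added example (not from the post). Assumed interfaces:
#   ether1 = WAN, ether2 = LAN 192.168.7.0/24, ether3 = DMZ 172.16.21.0/24
/interface list add name=WAN
/interface list add name=LAN
/interface list add name=DMZ
/interface list member add list=WAN interface=ether1
/interface list member add list=LAN interface=ether2
/interface list member add list=DMZ interface=ether3

/ip address add address=192.168.7.1/24 interface=ether2 comment="LAN gateway (assumed)"
/ip address add address=172.16.21.254/24 interface=ether3 comment="DMZ gateway (assumed)"
# Address the DMZ mail gateway sends to; the router owns it on the DMZ side so
# DMZ hosts reach it by ARP and dst-nat can rewrite it to the internal server.
/ip address add address=172.16.21.250/32 interface=ether3 comment="relay target for internal mail (assumed)"

/ip firewall nat
# LAN and DMZ both masquerade out to the Internet
add chain=srcnat action=masquerade out-interface-list=WAN comment="to Internet"
# LAN hosts appear as the router when talking into the DMZ (as in the post)
add chain=srcnat action=masquerade src-address=192.168.7.0/24 out-interface-list=DMZ comment="LAN -> DMZ"
# The mapping the post asks for: DMZ gateway -> 172.16.21.250:25 becomes 192.168.7.3:25
add chain=dstnat action=netmap to-addresses=192.168.7.3 dst-address=172.16.21.250 \
    protocol=tcp dst-port=25 in-interface-list=DMZ comment="DMZ mail gateway -> internal mail server"

/ip firewall filter
# Router itself: replies, then management from LAN only
add chain=input action=accept connection-state=established,related
add chain=input action=drop connection-state=invalid
add chain=input action=accept in-interface-list=LAN comment="management from LAN"
add chain=input action=drop comment="drop other input"

# Forwarded traffic
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept in-interface-list=LAN comment="LAN may reach DMZ and Internet"
add chain=forward action=accept in-interface-list=DMZ out-interface-list=WAN comment="DMZ to Internet"
add chain=forward action=accept in-interface-list=WAN connection-nat-state=dstnat comment="published services from Internet"
# Only connections that were dst-natted may cross DMZ -> LAN. dst-nat runs before
# this chain, so the match is on the translated address 192.168.7.3.
add chain=forward action=accept in-interface-list=DMZ out-interface-list=LAN \
    connection-nat-state=dstnat protocol=tcp dst-address=192.168.7.3 dst-port=25 \
    comment="DMZ relay to internal mail via NAT only"
add chain=forward action=drop in-interface-list=DMZ out-interface-list=LAN comment="block everything else DMZ -> LAN"
add chain=forward action=drop comment="default deny"
```

The forward-chain accept keyed on connection-nat-state=dstnat is what distinguishes "reachable through the published mapping" from "reachable because the DMZ host knows the LAN address": a compromised DMZ box that connects directly to 192.168.7.3 is not dst-natted and falls through to the drop. Because dst-nat is applied in prerouting, the forward rule must match the post-translation destination, not 172.16.21.250.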
