 
Sob
Forum Guru
Topic Author
Posts: 4640
Joined: Mon Apr 20, 2009 9:11 pm

Dstnat in output chain?

Wed Dec 28, 2016 5:06 am

I thought I knew RouterOS pretty well, but this got me. With Linux iptables, I can change destination for locally originated connections like this:
iptables -t nat -A OUTPUT --dst 192.168.80.1 -j DNAT --to-destination 192.168.84.2
But this does not seem possible in RouterOS. Did I just miss something, or is it a known limitation?
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
Van9018
Long time Member
Posts: 505
Joined: Mon Jun 16, 2014 6:26 pm
Location: Canada - Abbotsford

Re: Dstnat in output chain?

Fri Dec 30, 2016 2:41 am

It doesn't appear RouterOS will accept a rule like that. Looks like Output rules can't jump to dstnat rules.

Closest you'll get is using just a dstnat rule with src ip of the router to make RouterOS apply it to packets originating locally.
/ip firewall nat add chain=dstnat src-address=<IP OF ROUTEROS> dst-address=192.168.80.1 action=dst-nat to-addresses=192.168.84.2
 
Sob
Forum Guru
Topic Author
Posts: 4640
Joined: Mon Apr 20, 2009 9:11 pm

Re: Dstnat in output chain?

Fri Dec 30, 2016 5:51 am

It's not important where it is, but what it should do. Trying to use the current dstnat chain does not work; it applies only to packets coming to the router from elsewhere, not locally originated ones.

Existing mapping between iptables and RouterOS chains is like this:

"iptables -t nat -A PREROUTING" is "/ip firewall nat chain=dstnat"
"iptables -t nat -A POSTROUTING" is "/ip firewall nat chain=srcnat"

But it looks like "iptables -t nat -A OUTPUT" was skipped by MikroTik. I get it, it's not like it would be an essential functionality for many people. But sometimes it could be useful, e.g. for this guy.
 
nescafe2002
Long time Member
Posts: 622
Joined: Tue Aug 11, 2015 12:46 pm
Location: Netherlands

Re: Dstnat in output chain?

Tue Jan 31, 2017 3:40 pm

I'd also vote for this option. It could be useful for:
- scoped DNS forwarders; by moving the L7 rules from the dstnat chain to the forward chain, the local DNS server and cache can be used
- local traffic (e.g. netwatch) to netmapped subnet
 
Sob
Forum Guru
Topic Author
Posts: 4640
Joined: Mon Apr 20, 2009 9:11 pm

Re: Dstnat in output chain?

Tue Jan 31, 2017 5:09 pm

If this was added, I'd also use it for per-domain DNS forwarding in a few places, because it would help with at least some shortcomings of the current L7 hack (bypassing cache and not working for the router itself). But I really hope to live to see proper support for that in the RouterOS DNS resolver.
 
bajodel
Long time Member
Posts: 545
Joined: Sun Nov 24, 2013 8:30 am
Location: Italy

Re: Dstnat in output chain?

Sun Feb 12, 2017 11:31 am

interesting feature +1
 
baragoon
Member Candidate
Posts: 125
Joined: Thu Jan 05, 2017 10:38 am
Location: Kyiv, UA

Re: Dstnat in output chain?

Sun Feb 12, 2017 7:21 pm

+1

Sent from my iPhone using Tapatalk
 
intelfx
just joined
Posts: 19
Joined: Sun Nov 06, 2016 10:30 am
Location: Moscow, Russia

Re: Dstnat in output chain?

Sun Feb 19, 2017 3:55 am

I'd +1 this feature as well, need it for conditional DNS forwarding too.
 
forsakenzero
just joined
Posts: 1
Joined: Tue Aug 16, 2016 1:29 pm

Re: Dstnat in output chain?

Mon Jan 01, 2018 4:15 pm

Hey there, happy new year with my first post!
I need this feature badly; isn't there any way to do this yet?
I can do it by using another RB to work as my first RB's firewall, but this isn't pleasant.
 
juliokato
Member Candidate
Posts: 229
Joined: Mon Oct 26, 2015 4:27 pm
Location: Brazil

Re: Dstnat in output chain?

Thu Jan 04, 2018 2:35 pm

+1!
I apologize for my grammatical errors; my English is not so good, I am not a native speaker.
The Wiki is maintained in English. I use Google translator. 8)
 
Sob
Forum Guru
Topic Author
Posts: 4640
Joined: Mon Apr 20, 2009 9:11 pm

Re: Dstnat in output chain?

Wed Apr 18, 2018 1:54 am

After reading sindy's Multiple Road Warrior L2TP/IPsec clients behind NAT - solved thread, and after my brain stopped hurting, I thought "hey, this loop trick could also work for other stuff". The idea is to let traffic from the router go out, then let it come back to the router, and then it's possible to do dstnat. The following example shows how to redirect the router's own DNS queries to another port, but you can use it for anything. First mark routing for the output traffic you need to dstnat, and then you can match it with in-interface=ipip-loop2 in the dstnat chain.
/interface bridge
add name=loopback protocol-mode=none comment="holds the second tunnel endpoint address"
/ip address
add address=127.0.0.2/32 interface=loopback
/interface ipip
add local-address=127.0.0.1 name=ipip-loop1 remote-address=127.0.0.2 comment="marked output traffic leaves here"
add local-address=127.0.0.2 name=ipip-loop2 remote-address=127.0.0.1 comment="and comes back in here, where dstnat can see it"
/ip route
add distance=1 gateway=ipip-loop1 routing-mark=loophack comment="send marked output traffic into the loop"
add distance=1 dst-address=10.10.10.10/32 gateway=ipip-loop2 comment="replies to the dummy address go back through the loop"
/ip dns
set allow-remote-requests=yes servers=208.67.222.222,208.67.220.220
/ip firewall mangle
add action=mark-routing chain=output dst-port=53 new-routing-mark=loophack passthrough=no protocol=udp comment="router's own DNS queries"
add action=mark-routing chain=output dst-port=53 new-routing-mark=loophack passthrough=no protocol=tcp comment="router's own DNS queries"
/ip firewall nat
add action=src-nat chain=srcnat out-interface=ipip-loop1 to-addresses=10.10.10.10 comment="rewrite source so replies are routed back into the loop"
add action=dst-nat chain=dstnat dst-port=53 in-interface=ipip-loop2 protocol=udp to-ports=5353 comment="the dstnat the output chain cannot do"
add action=dst-nat chain=dstnat dst-port=53 in-interface=ipip-loop2 protocol=tcp to-ports=5353 comment="the dstnat the output chain cannot do"
add action=masquerade chain=srcnat out-interface=<WAN>
(10.10.10.10 is some random address you don't use anywhere else)

It works, but now my brain hurts again.
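The loop above only works when every piece is present at once: the output mangle mark, a route for that mark through the first tunnel, a second tunnel that mirrors the first, src-nat on the first tunnel to a dummy address, a /32 route for the dummy back through the second tunnel, and dstnat rules that match in-interface of the second tunnel for exactly the traffic the mangle rules divert. Editing one of them without the others silently breaks the whole thing. The following Python checker is an added example for this thread, not code from the post or from MikroTik: it parses an /export-style dump and reports any missing link. The embedded sample is the post's configuration, constructed here with ether1 assumed for <WAN>; the routing-table= fallback for routes is an assumption about how RouterOS 7 exports them.

```python
"""Consistency check for the ipip 'loop' that lets RouterOS dst-nat its own traffic.

Added example for this thread (not code from the post or from MikroTik). It parses an
/export-style dump and verifies every link of the loop is present.
"""
import re
from collections import defaultdict

# Constructed sample: the configuration from the post above, with ether1 assumed for <WAN>.
SAMPLE_EXPORT = """\
/interface bridge
add name=loopback protocol-mode=none
/ip address
add address=127.0.0.2/32 interface=loopback
/interface ipip
add local-address=127.0.0.1 name=ipip-loop1 remote-address=127.0.0.2
add local-address=127.0.0.2 name=ipip-loop2 remote-address=127.0.0.1
/ip route
add distance=1 gateway=ipip-loop1 routing-mark=loophack
add distance=1 dst-address=10.10.10.10/32 gateway=ipip-loop2
/ip firewall mangle
add action=mark-routing chain=output dst-port=53 new-routing-mark=loophack passthrough=no protocol=udp
add action=mark-routing chain=output dst-port=53 new-routing-mark=loophack passthrough=no protocol=tcp
/ip firewall nat
add action=src-nat chain=srcnat out-interface=ipip-loop1 to-addresses=10.10.10.10
add action=dst-nat chain=dstnat dst-port=53 in-interface=ipip-loop2 protocol=udp to-ports=5353
add action=dst-nat chain=dstnat dst-port=53 in-interface=ipip-loop2 protocol=tcp to-ports=5353
add action=masquerade chain=srcnat out-interface=ether1
"""

_PROP = re.compile(r'([\w.-]+)=("[^"]*"|\S+)')


def parse_export(text):
    """Map each menu path (e.g. "/ip route") to a list of {property: value} dicts, one per 'add' line."""
    sections = defaultdict(list)
    menu = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            menu = line
        elif menu is not None and line.startswith("add "):  # 'set' lines carry no rules we need
            sections[menu].append({k: v.strip('"') for k, v in _PROP.findall(line[4:])})
    return dict(sections)


def check_loop_hack(cfg):
    """Return a list of problems; an empty list means the loop is wired up consistently."""
    problems = []
    tunnels = {t["name"]: t for t in cfg.get("/interface ipip", []) if "name" in t}
    local_addrs = {a["address"].split("/")[0] for a in cfg.get("/ip address", []) if "address" in a}
    local_addrs.add("127.0.0.1")  # always present, even though /ip address does not list it
    routes = cfg.get("/ip route", [])
    nat = cfg.get("/ip firewall nat", [])
    mangle = [r for r in cfg.get("/ip firewall mangle", [])
              if r.get("chain") == "output" and r.get("action") == "mark-routing"]
    if not mangle:
        return ["no chain=output mark-routing rule: nothing diverts router-originated traffic into the loop"]

    loops = set()  # (loop1, loop2) pairs reached through a routing mark
    for mark in sorted({r["new-routing-mark"] for r in mangle if "new-routing-mark" in r}):
        # RouterOS 6 exports routing-mark= on the route; routing-table= is assumed for RouterOS 7
        gws = [r.get("gateway") for r in routes if r.get("routing-mark", r.get("routing-table")) == mark]
        if not gws:
            problems.append(f"mark {mark!r} has no route: marked packets fall back to the main table")
        for loop1 in gws:
            t1 = tunnels.get(loop1)
            if t1 is None:
                problems.append(f"route for mark {mark!r} uses {loop1!r}, which is not an ipip tunnel")
                continue
            # loop2 must mirror loop1 (local/remote swapped) so what leaves loop1 is received on loop2
            loop2 = next((n for n, t in tunnels.items()
                          if t.get("local-address") == t1.get("remote-address")
                          and t.get("remote-address") == t1.get("local-address")), None)
            if loop2 is None:
                problems.append(f"{loop1} has no mirror tunnel: packets leaving it are never received back")
                continue
            for addr in (t1.get("local-address"), t1.get("remote-address")):
                if addr not in local_addrs:
                    problems.append(f"tunnel endpoint {addr} is not an address of this router")
            loops.add((loop1, loop2))

    for loop1, loop2 in sorted(loops):
        # src-nat to a dummy address on loop1 plus a /32 route for the dummy via loop2 carry replies back
        srcnat = [r for r in nat if r.get("chain") == "srcnat" and r.get("action") == "src-nat"
                  and r.get("out-interface") == loop1]
        if not srcnat:
            problems.append(f"no src-nat rule for out-interface={loop1}: replies would not re-enter the loop")
        for r in srcnat:
            dummy = r.get("to-addresses")
            if dummy in local_addrs:
                problems.append(f"{dummy} is a real address of this router; the loop needs an unused one")
            if not any(rt.get("dst-address") == f"{dummy}/32" and rt.get("gateway") == loop2 for rt in routes):
                problems.append(f"no route for {dummy}/32 via {loop2}: replies cannot travel back to {loop1}")
        # the dstnat rules are the whole point; each must match something the mangle rules divert
        dstnat = [r for r in nat if r.get("chain") == "dstnat" and r.get("in-interface") == loop2]
        if not dstnat:
            problems.append(f"no dstnat rule with in-interface={loop2}: looped traffic is never redirected")
        for r in dstnat:
            if not any(m.get("protocol") == r.get("protocol") and m.get("dst-port") == r.get("dst-port")
                       for m in mangle):
                problems.append(f"dstnat {r.get('protocol')}/{r.get('dst-port')} on {loop2} "
                                "matches traffic no output mangle rule diverts")
    return problems


if __name__ == "__main__":
    for problem in check_loop_hack(parse_export(SAMPLE_EXPORT)) or ["loop looks consistent"]:
        print(problem)
```

Feed it the output of /export from a live box (paste it into SAMPLE_EXPORT or read it from a file) after changing any of the loop rules; deleting the 10.10.10.10/32 route, for instance, is reported as the reply path being broken even though the outbound DNS query still leaves the router.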
 
aoakeley
newbie
Posts: 30
Joined: Mon May 21, 2012 11:45 am

Re: Dstnat in output chain?

Tue Aug 21, 2018 5:23 pm

After reading sindy's Multiple Road Warrior L2TP/IPsec clients behind NAT - solved thread, and after my brain stopped hurting, .........
It works, but now my brain hurts again.

You sir, are a deadset legend.

I used this to solve an issue with The Dude running on a router, and needing to change the remote winbox port for some sites (which The Dude does not support). I had been beating my head against not being able to dst-nat in the outbound chain for a few hours. I was almost there and this got me the rest of the way.
 
Sob
Forum Guru
Topic Author
Posts: 4640
Joined: Mon Apr 20, 2009 9:11 pm

Re: Dstnat in output chain?

Thu Aug 23, 2018 3:27 am

Thank @sindy for this one, I'd never come up with such crazy idea myself. :)
 
Florian
Frequent Visitor
Posts: 67
Joined: Sun Mar 13, 2016 9:45 am
Location: France

Re: Dstnat in output chain?

Thu Apr 18, 2019 3:09 pm

If this was added, I'd also use it for per-domain DNS forwarding in a few places, because it would help with at least some shortcomings of the current L7 hack (bypassing cache and not working for the router itself). But I really hope to live to see proper support for that in the RouterOS DNS resolver.
+1, for the same reason, about conditional DNS forwarding.

The loop trick is cool, but honestly I want a simpler solution :D Maybe RoS7 and a new kernel...
- Sorry for my English -
 
Sob
Forum Guru
Topic Author
Posts: 4640
Joined: Mon Apr 20, 2009 9:11 pm

Re: Dstnat in output chain?

Thu Apr 18, 2019 10:31 pm

Actually, the loop trick is a really dirty trick, but if you're really desperate, it could be used. A simpler solution would be to make dstnat in output available in RouterOS. It shouldn't need a new kernel; I found it mentioned in articles about Linux 2.4, and RouterOS has some 3.x, if I remember correctly. So it's most likely there already and they probably just didn't think that anyone would need it, so they didn't expose it.

If you really need it, you can try sending an official feature request to support. But if you want it for DNS, then better ask for what you really need, and that's Feature Request: Conditional DNS Forwarding. Dstnat in output would be only a workaround, slightly better than what we have now, but still not very good.
