robins
just joined
Topic Author
Posts: 2
Joined: Fri Jan 07, 2022 8:51 am

dst-nat on block

Sun Jan 23, 2022 9:27 am

Hello,
I have a public /29 block on my WAN interface and I am attempting to dst-nat an address in that block to an internal host. I've been successful with src-nat but can't pass any traffic on dst-nat. I've pasted what I think are the relevant lines below.

External Interface: x.x.x.2/29
Dst-nat IP: x.x.x.3/29
Internal Interface: 10.100.100.1
Internal Host: 10.100.100.100
/ip address
add address=x.x.x.2/29 interface=ether1 network=x.x.x.0
add address=10.100.100.1/24 interface=ether2 network=10.100.100.0
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=forward comment="accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=forward comment="accept new dst-nat" connection-nat-state=dstnat connection-state=new in-interface=ether1
add action=accept chain=forward comment="accept new src-nat" connection-nat-state=srcnat connection-state=new in-interface=ether2
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=x.x.x.3 in-interface=ether1 to-addresses=10.100.100.100
add action=src-nat chain=srcnat out-interface=ether1 src-address=10.100.100.100 to-addresses=x.x.x.3
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=x.x.x.1 routing-table=main suppress-hw-offload=no

I'd appreciate any help
:)
 
robins
just joined
Topic Author
Posts: 2
Joined: Fri Jan 07, 2022 8:51 am

Re: dst-nat on block  [SOLVED]

Sun Jan 23, 2022 2:08 pm

What I am thinking is that the x.x.x.3 destination address must be advertised (ARP) on the external interface. Once I added x.x.x.3 as a secondary address on the external interface, dst-nat worked.
 
Sob
Forum Guru
Posts: 8214
Joined: Mon Apr 20, 2009 9:11 pm

Re: dst-nat on block

Sun Jan 23, 2022 9:13 pm

Correct. If you have a non-routed subnet where the ISP keeps an address from the same subnet for its router as your gateway, all addresses must respond to ARP requests. So you can either assign them to the WAN interface and use NAT, or if you'd want to give them to some internal devices directly, you'd need proxy ARP.
Come on people, do you really have to quote full posts? It's annoying and in most cases useless.
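An added check for the failure mode this thread describes (not code from the thread or from MikroTik): it parses a RouterOS export and flags dst-nat rules whose dst-address is not configured on any interface, which is exactly the state in which the address never answers ARP on the WAN and the rule is never hit. The sample export is constructed, with the poster's x.x.x block replaced by the documentation range 198.51.100.0/29.

```python
import shlex

# Constructed sample export modelled on the thread's config; 198.51.100.0/29
# stands in for the poster's redacted x.x.x.0/29 block.
SAMPLE_EXPORT = """\
/ip address
add address=198.51.100.2/29 interface=ether1 network=198.51.100.0
add address=10.100.100.1/24 interface=ether2 network=10.100.100.0
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=198.51.100.3 in-interface=ether1 to-addresses=10.100.100.100
add action=src-nat chain=srcnat out-interface=ether1 src-address=10.100.100.100 to-addresses=198.51.100.3
"""

def parse_export(text):
    """Return {section: [dict of key=value per 'add' line]} from a RouterOS export."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("/"):          # section header such as "/ip firewall nat"
            current = line
            sections.setdefault(current, [])
            continue
        if current is None or not line.startswith("add "):
            continue
        entry = {}
        for tok in shlex.split(line[4:]):  # shlex keeps quoted comment="..." intact
            key, _, val = tok.partition("=")
            entry[key] = val
        sections[current].append(entry)
    return sections

def unassigned_dstnat_targets(text):
    """dst-nat rules whose dst-address is not assigned to any local interface.
    Without a local address the router never replies to ARP for it, so the
    upstream gateway cannot deliver the packets and the dst-nat rule is dead."""
    sections = parse_export(text)
    local = {e["address"].split("/")[0]
             for e in sections.get("/ip address", []) if "address" in e}
    missing = []
    for rule in sections.get("/ip firewall nat", []):
        if rule.get("action") == "dst-nat" and "dst-address" in rule:
            target = rule["dst-address"].split("/")[0]
            if target not in local:
                missing.append(target)
    return missing

def with_secondary_address(text, address, interface):
    """Append the fix from the thread: the target as a secondary WAN address."""
    return text + f"/ip address\nadd address={address} interface={interface}\n"
```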
