LeonTheGreat

Can't get source NAT to work

Fri Mar 10, 2023 3:46 pm

Hi all,
I am having trouble getting source NAT to work on my router. I was able to set up destination NAT and it is working, so traffic from the internet is now being translated to the private IP address I have configured on my server. However, the reverse isn't working: traffic originating at the server isn't being translated from the private server IP to a public IP before being sent out to the internet. I've read through the docs and I think I have everything set up correctly, but there's obviously something missing here. Here's my config:
# mar/10/2023 05:19:55 by RouterOS 7.8
# software id = RE0D-LFF9
#
# model = CCR2116-12G-4S+
# serial number = XXXXXXXXX67
#
# NOTE(review): this export contains no "/ip firewall filter" section at all and
# only one IPv6 filter rule (an accept). RouterOS accepts any packet that matches
# no rule, so every service the router listens on is reachable from every address
# it holds, including the transit- and IX-facing ones. Also note the IX address on
# sfp-sfpplus1 below was left unredacted while the rest of the paste was masked.
/interface bridge
# Port-less bridge used purely as a loopback interface (it carries the IPv6 /128
# under /ipv6 address).
add name=loopback
/interface ethernet
# SFP+ cages forced to 1G with auto-negotiation advertising 10/100/1000 only;
# loop protection is switched off on sfp-sfpplus1 (the IX-facing port).
set [ find default-name=sfp-sfpplus1 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full \
    loop-protect=off speed=1Gbps
set [ find default-name=sfp-sfpplus2 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full speed=1Gbps
set [ find default-name=sfp-sfpplus3 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full speed=1Gbps
set [ find default-name=sfp-sfpplus4 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full speed=1Gbps
/interface ethernet switch
# Layer-3 hardware offloading on the switch chip. NOTE(review): confirm on this
# platform/version which flows stay on the CPU (NAT'd connections in particular)
# before assuming the firewall/NAT rules below see every packet.
set 0 l3-hw-offloading=yes
/interface wireless security-profiles
# Default wireless profile; presumably inert on a CCR with no radio.
set [ find default=yes ] supplicant-identity=XXXXXXXX
/port
set 0 name=serial0
/interface ethernet switch l3hw-settings
set ipv6-hw=yes
/interface detect-internet
# Internet detection probes run on every interface, the upstream-facing ones included.
set detect-interface-list=all
/ip address
# ether1 carries the transit /30; sfp-sfpplus1 the IX peering LAN. The remaining
# public /30s are point-to-point links to servers and IPMI ports. 192.168.10.0/24
# shares ether10 with a public /30 and is the network the NAT rules translate
# (192.168.10.10 <-> xxx.xxx.131.106).
add address=xxx.xxx.230.254/30 comment="xxx" interface=ether1 network=xxx.xxx.230.252
add address=206.80.238.152/24 comment="xxx" interface=sfp-sfpplus1 network=xxx.xxx.238.0
add address=xxx.xxx.131.121/30 comment="xxx" interface=ether9 network=xxx.xxx.131.120
add address=xxx.xxx.131.125/30 comment="xxx" interface=ether12 network=xxx.xxx.131.124
add address=xxx.xxx.131.101/30 comment="xxx" interface=ether11 network=xxx.xxx.131.100
add address=xxx.xxx.131.97/30 comment="xxx" interface=ether2 network=xxx.xxx.131.96
add address=xxx.xxx.131.105/30 comment="xxx" interface=ether10 network=xxx.xxx.131.104
add address=xxx.xxx.131.109/30 comment="xxx.com IP" interface=ether11 network=xxx.xxx.131.108
add address=xxx.xxx.131.113/30 comment="xxx.com IP" interface=ether11 network=xxx.xxx.131.112
add address=192.168.10.1/24 comment="xxx" interface=ether10 network=192.168.10.0
/ip dns
# allow-remote-requests=yes turns the router into a recursive resolver (forwarding
# to 8.8.8.8 in clear text) on every address it holds. With no IPv4 input filter in
# this export it answers queries from the internet on the transit and IX addresses,
# i.e. it is an open resolver usable for DNS amplification. Either restrict UDP/TCP
# 53 on chain=input to the internal interfaces or set allow-remote-requests=no.
set allow-remote-requests=yes servers=8.8.8.8
/ip firewall nat
# NAT rules are evaluated top to bottom and the first matching rule terminates the
# chain for that packet, so order matters.
#
# Matches only traffic whose pre-NAT source is already xxx.xxx.131.106. Nothing in
# this export holds that address (it is the post-NAT identity of 192.168.10.10), so
# this rule is expected to stay idle; it is not what translates the server's traffic.
add action=masquerade chain=srcnat comment="TRAFFIC OUT FROM SERVER" src-address=xxx.xxx.131.106
# 1:1 source translation for new outbound connections from the server. If this is
# "not working", check "/ip firewall connection print" for the translation first:
# if it is applied and replies never return, the upstream is not routing
# xxx.xxx.131.96/27 back to this router (see the BGP/route notes below) and the
# symptom is routing, not NAT.
add action=src-nat chain=srcnat src-address=192.168.10.10 to-addresses=xxx.xxx.131.106
# Rewrites the source of EVERY packet delivered to the server - including the
# dst-nat'd internet traffic below - to the router's own address. Reply traffic for
# dst-nat'd connections is reversed by connection tracking without this rule; the
# cost of keeping it is that the server's logs, rate limits and IP-based access
# controls only ever see the router, never the real client. NOTE(review): only
# needed if the server's default route does not point back at this router - confirm.
add action=masquerade chain=srcnat comment="TRAFFIC INTO SERVER" dst-address=192.168.10.10
# Inbound half of the 1:1 mapping (all protocols/ports, no dst-port restriction).
add action=dst-nat chain=dstnat dst-address=xxx.xxx.131.106 to-addresses=192.168.10.10
/ip route
# Default route via the transit /30 on ether1.
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=xxx.xxx.230.253 pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
# Host route to this router's OWN IX address via the transit gateway. NOTE(review):
# that address is local on sfp-sfpplus1; confirm this route is intentional.
add check-gateway=ping disabled=no distance=1 dst-address=xxx.xxx.238.152/32 gateway=xxx.xxx.230.253 pref-src="" \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
# Interface host routes. NOTE(review): several do not agree with the address table
# above: .107 lies inside the ether10 /30 but is routed via ether12, .98 lies inside
# the ether2 /30 but is routed via ether3, and .97 is the router's own ether2 address.
# Verify each of these is intended; a stale host route silently breaks the return
# path for a NAT'd host.
add disabled=no distance=1 dst-address=xxx.xxx.131.107/32 gateway=ether12 pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=xxx.xxx.131.98/32 gateway=ether3 pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=xxx.xxx.131.97/32 gateway=ether2 pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
# Static for the whole /27 with the router's own ether2 address as next hop.
# NOTE(review): looks like a route installed so the /27 exists for BGP origination;
# a blackhole route is the usual form and avoids a next hop on the router itself.
add disabled=no dst-address=xxx.xxx.131.96/27 gateway=xxx.xxx.131.97 routing-table=main suppress-hw-offload=no
/ipv6 route
# Blackhole for the full /48: gives the aggregate an origin and drops unrouted space.
add blackhole disabled=no dst-address=xxxx:xxxx:a000::/48 gateway="" routing-table=main
/ip service
# telnet/ftp/www/ssh/api/api-ssl are disabled. An export lists only non-default
# settings, so winbox and www-ssl do not appear and keep their defaults - presumably
# winbox (8291) is still enabled and, with no input filter, reachable on every
# address. Verify with "/ip service print" and bind it with address= and/or an
# input rule.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
# Strong ciphers only; moot while the ssh service above is disabled, but correct.
set strong-crypto=yes
/ipv6 address
# Transit /126 on ether1, the /128 on the loopback bridge, the IX LAN on sfp-sfpplus1.
add address=xxxx:xxxx:1:ecc::2/126 advertise=no interface=ether1
add address=xxxx:xxxx:a000::1/128 advertise=no interface=loopback
add address=xxxx:xxxx:91::152 advertise=no interface=sfp-sfpplus1
/ipv6 firewall address-list
# Own IPv6 aggregate; used by the routing filter chain below.
add address=xxxx:xxxx:a000::/48 list=ASXXX931-V6
/ipv6 firewall filter
# The only IPv6 filter rule: accept+log BGP to the router. There is no drop after it
# and unmatched traffic is accepted anyway, so this only produces a log line - it
# filters nothing. Everything else on IPv6 (including management) stays open.
add action=accept chain=input dst-port=179 log=yes protocol=tcp
/routing bgp connection
# IPv4 transit session. input.filter="" means every prefix the upstream sends is
# accepted unfiltered (no bogon/own-prefix/max-prefix protection visible).
# output.filter-chain points at the *-V6 chain, whose address list holds only the
# IPv6 /48, so no IPv4 prefix can pass it - presumably nothing is announced to the
# upstream over IPv4. If the upstream is expected to learn xxx.xxx.131.96/27 from
# this session, return traffic for the NAT'd public addresses never arrives; confirm
# with the upstream and "/routing bgp advertisements print".
add address-families=ip as=xxx931 connect=yes disabled=no input.filter="" listen=yes local.role=ebgp name=\
    XX_TRANSIT_IPv4 output.filter-chain=ASxxx931-V6 remote.address=xxx.xxx.230.253/32 .as=xx39 routing-table=main
# IPv6 transit session: redistributes connected,static,ospf,bgp, but the output chain
# only accepts prefixes inside the /48, which bounds what can leak upstream.
add address-families=ipv6 as=xxx931 connect=yes disabled=no listen=yes local.address=xxxx:xxxx:1:ecc::2 .role=ebgp name=\
    XX_TRANSIT_IPv6 output.default-originate=never .filter-chain=ASxxx931-V6 .redistribute=connected,static,ospf,bgp \
    remote.address=xxxx:xxxx:1:ecc::1/128 .as=xx39 routing-table=main
# IX route-server sessions (role ebgp-rs). None of the four has an input filter.
add address-families=ipv6 as=xxx931 connect=yes disabled=no listen=yes local.address=xxxx:xxxx:91::152 .role=ebgp-rs \
    name=XXXX_RS1_IPv6 remote.address=xxxx:xxxx:91::253/128 .as=7034 routing-table=main
# NOTE(review): this IPv4 route-server session redistributes connected,static,bgp
# with NO output.filter-chain, so the connected networks (192.168.10.0/24, all the
# point-to-point /30s, the transit /30) and every static route are offered to the
# route server; whether transit-learned routes are re-announced too depends on this
# version's handling of "bgp" in output.redistribute. Either way this is a route
# leak waiting to happen - add an output filter that accepts only your own prefixes.
add address-families=ip as=xxx931 connect=yes disabled=no input.filter="" listen=yes local.address=xxx.xxx.238.152 .port=\
    0 .role=ebgp-rs name=XXXX_RS1_IPv4 output.redistribute=connected,static,bgp remote.address=xxx.xxx.238.253/32 \
    .allowed-as="" .as=xx34 routing-table=main
# Second IPv4 route server: no redistribute and no filters either way; what it
# announces is whatever the version's BGP defaults allow - verify.
add address-families=ip as=xxx931 as-override=no connect=yes disabled=no listen=yes local.address=xxx.xxx.238.152 .port=0 \
    .role=ebgp-rs name=XXXX_RS2_IPv4 remote.address=xxx.xxx.238.254/32 .as=XX34 routing-table=main
add address-families=ipv6 as=XXX931 connect=yes disabled=no listen=yes local.address=xxxx:xxxx:91::152 .role=ebgp-rs \
    name=XXXX_RS2_IPv6 remote.address=xxxx:xxxx:91::254/128 .as=XX34 routing-table=main
/routing filter rule
# Accepts routes whose destination lies inside the listed /48. Routes matching no
# rule fall through to the chain's default disposition - confirm for this version
# that the fall-through is a reject before relying on this as the only leak guard.
add chain=ASxxx931-V6 disabled=no rule="if(dst in ASXXX931-V6){accept;}"
/system clock
set time-zone-name=America/Los_Angeles
/system clock manual
# Hard-coded DST window for 2023 only; needs updating every year, or switch to the
# automatic time zone handling. Wrong clock skews every log timestamp.
set dst-delta=+01:00 dst-end="nov/05/2023 02:00:00" dst-start="mar/12/2023 02:00:00"
/system logging
# Debug topics go to the default (in-memory) action and will crowd out the system
# and firewall entries you would want during an incident.
add topics=debug
# Firewall log entries are additionally echoed to the console. No remote syslog
# action appears in this export, so nothing is retained off-box.
add action=echo topics=firewall
/tool graphing interface
add
/tool traffic-monitor
add interface=ether1 name=tmon1
Any help would be greatly appreciated!
 
emunt6

Re: Can't get source NAT to work

Sat Mar 18, 2023 2:25 am

Hi!
You configured WAN addresses on multiple different ethernet interfaces, but your WAN link is probably using only ONE interface.
You need to set up one WAN interface and add every IP address to that interface (you can use a bridge/VLAN interface for that).
 
anav

Re: Can't get source NAT to work

Sat Mar 18, 2023 5:06 am

Regular servers don't originate traffic, so why does this one? Does it stream, for example?

You have to ensure traffic is routed out the appropriate WAN, or ensure the WAN being used has a source-NAT rule associated with it.
 
LeonTheGreat

Re: Can't get source NAT to work

Sun Apr 02, 2023 2:57 pm

So I'm still having trouble with NAT. I made some changes, but source NAT still doesn't seem to want to work on one of my secondary routers (I have a few Cisco routers linked together that I'm using to study for the CCNA exam). The Mikrotik CCR2116 I have is serving as my core router, and it's the one with the NAT problem. Strange thing is, I got source NAT to work accidentally on one of my servers, but I can't figure out how to replicate it for my Cisco router. Here's my config:
# apr/02/2023 04:52:11 by RouterOS 7.8
# software id = RE0D-LFF9
#
# model = CCR2116-12G-4S+
# serial number = HCX087AVZ67
#
# NOTE(review): unlike the first export, this one was posted unredacted (serial
# number, ASN, upstream and IX details, customer domain names, full public
# addressing). Anything posted this way has to be treated as public.
# As in the first export there is no "/ip firewall filter" section and the only
# IPv6 filter rule is an accept, so every listening service is reachable from every
# address the router holds, transit and IX included.
/interface bridge
# Port-less bridge used as a loopback interface (carries the IPv6 /128).
add name=loopback
/interface ethernet
# SFP+ cages forced to 1G; loop protection off on the IX-facing sfp-sfpplus1.
set [ find default-name=sfp-sfpplus1 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full loop-protect=off speed=1Gbps
set [ find default-name=sfp-sfpplus2 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full speed=1Gbps
set [ find default-name=sfp-sfpplus3 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full speed=1Gbps
set [ find default-name=sfp-sfpplus4 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full speed=1Gbps
/interface ethernet switch
# L3 hardware offload. NOTE(review): confirm which flows (NAT'd ones especially)
# remain on the CPU on this platform/version.
set 0 l3-hw-offloading=yes
/interface list
# Interface lists referenced by the NAT rules (out-interface-list=WAN/LAN).
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/port
set 0 name=serial0
/interface bridge port
# NOTE(review): every ethernet port - the WAN (ether1), the Cisco link (ether2) and
# all server/IPMI links - is listed as a port of bridge "*14". The only bridge
# defined above is "loopback", and "*NN" in an export is how RouterOS prints a
# reference to an object that no longer exists, so this looks like a stale port list
# left over from a deleted bridge. If that bridge were ever recreated, all of these
# segments (WAN included) would become one L2 domain. Verify with
# "/interface bridge port print" and remove the stale entries.
add bridge=*14 interface=ether1
add bridge=*14 interface=ether2
add bridge=*14 interface=ether3
add bridge=*14 interface=ether4
add bridge=*14 interface=ether5
add bridge=*14 interface=ether6
add bridge=*14 interface=ether7
add bridge=*14 interface=ether8
add bridge=*14 interface=ether9
add bridge=*14 interface=ether10
add bridge=*14 interface=ether11
add bridge=*14 interface=ether12
add bridge=*14 disabled=yes interface=sfp-sfpplus1
add bridge=*14 interface=sfp-sfpplus2
add bridge=*14 interface=sfp-sfpplus3
add bridge=*14 interface=ether13
/interface ethernet switch l3hw-settings
set ipv6-hw=yes
/ip neighbor discovery-settings
# Neighbor discovery (MNDP/LLDP/CDP) runs on ALL interfaces, so the router announces
# itself - presumably identity, model, version and addresses - to the transit and
# IX neighbors too. Limit discover-interface-list to LAN.
set discover-interface-list=all
/interface detect-internet
set detect-interface-list=all
/interface list member
# ether1 is the only WAN member. NOTE(review): sfp-sfpplus1 is the IX peering LAN
# (206.80.238.152/24 below) and "loopback" is the IPv6 loopback, yet both are in the
# LAN list - any rule keyed on out-interface-list=LAN (the masquerade in
# /ip firewall nat) therefore also applies to traffic toward the IX route servers
# and peers.
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether9 list=LAN
add interface=ether10 list=LAN
add interface=ether11 list=LAN
add interface=ether12 list=LAN
add interface=sfp-sfpplus1 list=LAN
add interface=loopback list=LAN
/ip address
# Transit /30 on ether1, IX LAN on sfp-sfpplus1, public /30 point-to-point links to
# servers/IPMI. The two RFC1918 networks share a port with a public /30
# (192.168.10.0/24 on ether10, 10.1.1.0/24 on ether2) and are what the 1:1 NAT
# rules translate: 192.168.10.10 <-> .106 and 10.1.1.1 <-> .98.
add address=216.218.230.254/30 comment="WAN Connection" interface=ether1 network=216.218.230.252
add address=206.80.238.152/24 comment="FCIX Connection" interface=sfp-sfpplus1 network=206.80.238.0
add address=216.218.131.121/30 comment="SMBOX IPMI" interface=ether9 network=216.218.131.120
add address=216.218.131.125/30 comment="2U-SMBOX IPMI" interface=ether12 network=216.218.131.124
add address=216.218.131.101/30 comment="2U-SMBOX server" interface=ether11 network=216.218.131.100
add address=216.218.131.97/30 comment="Cisco 2911" interface=ether2 network=216.218.131.96
add address=216.218.131.105/30 comment="SMBOX server" interface=ether10 network=216.218.131.104
add address=216.218.131.109/30 comment="trixelated.com IP" interface=ether11 network=216.218.131.108
add address=216.218.131.113/30 comment="lennyshort.com IP" interface=ether11 network=216.218.131.112
add address=192.168.10.1/24 comment="SMBOX server" interface=ether10 network=192.168.10.0
add address=10.1.1.2/24 comment="Cisco 2911" interface=ether2 network=10.1.1.0
/ip dhcp-client
# Disabled DHCP client on the IX port; inert.
add disabled=yes interface=sfp-sfpplus1
/ip dns
# allow-remote-requests=yes makes the router a recursive resolver (forwarding to
# 8.8.8.8 in clear text) on every address it holds. With no IPv4 input filter in
# this export it answers the whole internet on the transit and IX addresses - an
# open resolver usable for DNS amplification. Restrict UDP/TCP 53 on chain=input to
# the internal interfaces or set allow-remote-requests=no.
set allow-remote-requests=yes servers=8.8.8.8
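/ip firewall nat
# NAT rules are evaluated top to bottom and the first matching rule terminates the
# chain for that packet. In the original order the interface-wide masquerade on
# out-interface-list=WAN sat ABOVE the 1:1 src-nat rules, so every new outbound
# connection from 10.1.1.1 and 192.168.10.10 leaving ether1 was masqueraded to the
# ether1 address and the src-nat rules were never reached. (Reply traffic for
# connections that came in through dst-nat is reversed by connection tracking
# regardless, which is presumably why one host appeared to "work".) The specific
# rules now precede the WAN catch-all; the LAN masquerade is left in its original
# position so traffic between internal segments behaves exactly as before.
#
# Rewrites the source of every packet delivered to a LAN-list interface to the
# router's address on that interface - including dst-nat'd internet traffic
# reaching the servers (their logs and IP-based controls then only ever see the
# router) and traffic toward the IX peering LAN, which is also in the LAN list.
# Return traffic for dst-nat'd connections does not need this. NOTE(review): keep
# only if an internal host's default route does not point back at this router, and
# then narrow it with a src-address match.
add action=masquerade chain=srcnat out-interface-list=LAN
# 1:1 mappings (all protocols/ports): inbound dst-nat on the public address and
# outbound src-nat back to the same public address, so each host is reachable and
# identifiable under one IP. These must stay above the WAN masquerade.
add action=dst-nat chain=dstnat comment="TRAFFIC INTO CISCO 2911" dst-address=216.218.131.98 to-addresses=10.1.1.1
add action=src-nat chain=srcnat comment="TRAFFIC OUT FROM CISCO 2911" src-address=10.1.1.1 to-addresses=216.218.131.98
add action=dst-nat chain=dstnat comment="TRAFFIC INTO SERVER SMBOX" dst-address=216.218.131.106 to-addresses=192.168.10.10
add action=src-nat chain=srcnat comment="TRAFFIC OUT FROM SERVER SMBOX" src-address=192.168.10.10 to-addresses=216.218.131.106
# Catch-all for everything else leaving the WAN interface. If the src-nat above is
# applied (see "/ip firewall connection print") but replies still do not return, the
# upstream is not routing 216.218.131.96/27 to this router - a routing problem, not
# a NAT one.
add action=masquerade chain=srcnat out-interface-list=WAN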
/ip route
# Default route via the transit /30 on ether1.
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=216.218.230.253 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
# Host route to this router's OWN IX address via the transit gateway. NOTE(review):
# that address is local on sfp-sfpplus1; confirm this route is intentional. No
# static or blackhole for 216.218.131.96/27 appears in this export any more, so how
# the upstream learns the /27 the NAT'd addresses live in is not visible here; if it
# is not routed to this router, the src-nat'd hosts get no return traffic.
add check-gateway=ping disabled=no distance=1 dst-address=206.80.238.152/32 gateway=216.218.230.253 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ipv6 route
# Blackhole for the full /48: gives the aggregate an origin and drops unrouted space.
add blackhole disabled=no dst-address=2620:af:a000::/48 gateway="" routing-table=main
/ip service
# telnet/ftp/www/ssh/api/api-ssl are disabled. Exports list only non-default
# settings, so winbox and www-ssl are not shown and keep their defaults - presumably
# winbox (8291) is still enabled and, with no input filter, reachable on every
# address including transit and IX. Verify with "/ip service print" and bind it with
# address= and/or an input rule.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
# forwarding-enabled=both allows SSH TCP forwarding in both directions, i.e. anyone
# who can log in over SSH can use the router as a pivot into every attached network.
# Moot while the ssh service is disabled above, but it will matter the moment ssh is
# re-enabled; prefer forwarding-enabled=no unless it is actually needed.
set forwarding-enabled=both strong-crypto=yes
/ip traffic-flow ipfix
# NAT event export is on, but no traffic-flow target appears in this export, so
# presumably nothing collects the records.
set nat-events=yes
/ipv6 address
# Transit /126 on ether1, the /128 on the loopback bridge, the IX LAN on sfp-sfpplus1.
add address=2001:470:1:ecc::2/126 advertise=no interface=ether1
add address=2620:af:a000::1/128 advertise=no interface=loopback
add address=2001:504:91::152 advertise=no interface=sfp-sfpplus1
/ipv6 firewall address-list
# Own IPv6 aggregate; used by the routing filter chain below.
add address=2620:af:a000::/48 list=AS398931-V6
/ipv6 firewall filter
# The only IPv6 filter rule: accept+log BGP to the router. With no drop after it
# and unmatched traffic accepted anyway, it only produces a log line and filters
# nothing; all other IPv6 traffic to the router (management included) stays open.
add action=accept chain=input dst-port=179 log=yes protocol=tcp
/routing bgp connection
# IPv4 transit session. input.filter="" means every prefix the upstream sends is
# accepted unfiltered (no bogon/own-prefix/max-prefix protection visible).
# output.filter-chain points at the *-V6 chain, whose address list holds only the
# IPv6 /48, so no IPv4 prefix can pass it - presumably nothing is announced upstream
# over IPv4. If the upstream is supposed to learn 216.218.131.96/27 from this
# session, return traffic for the NAT'd addresses never arrives; confirm with
# "/routing bgp advertisements print" and the upstream.
add address-families=ip as=398931 connect=yes disabled=no input.filter="" listen=yes local.role=ebgp name=HE_TRANSIT_IPv4 output.filter-chain=AS398931-V6 remote.address=216.218.230.253/32 \
    .as=6939 routing-table=main
# IPv6 transit session: redistributes connected,static,ospf,bgp, but the output
# chain only accepts prefixes inside the /48, which bounds what can leak upstream.
add address-families=ipv6 as=398931 connect=yes disabled=no listen=yes local.address=2001:470:1:ecc::2 .role=ebgp name=HE_TRANSIT_IPv6 output.default-originate=never .filter-chain=AS398931-V6 \
    .redistribute=connected,static,ospf,bgp remote.address=2001:470:1:ecc::1/128 .as=6939 routing-table=main
# IX route-server sessions (role ebgp-rs). None of the four has an input filter.
add address-families=ipv6 as=398931 connect=yes disabled=no listen=yes local.address=2001:504:91::152 .role=ebgp-rs name=FCIX_RS1_IPv6 remote.address=2001:504:91::253/128 .as=7034 \
    routing-table=main
# NOTE(review): this IPv4 route-server session redistributes connected,static,bgp
# with NO output.filter-chain, so the connected networks (192.168.10.0/24,
# 10.1.1.0/24, every point-to-point /30 and the transit /30) and any static routes
# are offered to the route server; whether transit-learned routes are re-announced
# as well depends on this version's handling of "bgp" in output.redistribute.
# Either way this is a route leak waiting to happen - add an output filter that
# accepts only your own prefixes.
add address-families=ip as=398931 connect=yes disabled=no input.filter="" listen=yes local.address=206.80.238.152 .port=0 .role=ebgp-rs name=FCIX_RS1_IPv4 output.redistribute=\
    connected,static,bgp remote.address=206.80.238.253/32 .allowed-as="" .as=7034 routing-table=main
# Second IPv4 route server: no redistribute and no filters either way; what it
# announces is whatever the version's BGP defaults allow - verify.
add address-families=ip as=398931 as-override=no connect=yes disabled=no listen=yes local.address=206.80.238.152 .port=0 .role=ebgp-rs name=FCIX_RS2_IPv4 remote.address=206.80.238.254/32 .as=\
    7034 routing-table=main
add address-families=ipv6 as=398931 connect=yes disabled=no listen=yes local.address=2001:504:91::152 .role=ebgp-rs name=FCIX_RS2_IPv6 remote.address=2001:504:91::254/128 .as=7034 \
    routing-table=main
/routing filter rule
# Accepts routes whose destination lies inside the listed /48. Routes matching no
# rule fall through to the chain's default disposition - confirm for this version
# that the fall-through is a reject before relying on this as the only leak guard.
add chain=AS398931-V6 disabled=no rule="if(dst in AS398931-V6){accept;}"
/system clock
set time-zone-name=America/Los_Angeles
/system clock manual
# Hard-coded DST window for 2023 only; needs updating every year or the automatic
# time zone handling instead. A wrong clock skews every log timestamp.
set dst-delta=+01:00 dst-end="nov/05/2023 02:00:00" dst-start="mar/12/2023 02:00:00"
/system logging
# Debug logging is present but disabled (it was enabled in the earlier export).
add disabled=yes topics=debug
# Firewall log entries are additionally echoed to the console. No remote syslog
# action appears in this export, so nothing is retained off-box.
add action=echo topics=firewall
/tool graphing interface
add
/tool traffic-monitor
add interface=ether1 name=tmon1
The SMBOX server has working source NAT, but I don't know how I did it! The Cisco 2911 is the one with the NAT problem. I'm trying to translate traffic originating at 10.1.1.1 to 216.218.131.98 for outgoing traffic on my Cisco router. I need this in order to do updates, run traceroutes, etc. Can anyone give me any pointers?
