jardenblack26
just joined
Topic Author
Posts: 1
Joined: Thu May 17, 2018 6:26 am

Nat Not Working !!!

Thu May 17, 2018 6:35 am

Hi guys, thanks for your time and help. I have a MikroTik router and I want to perform a NAT, but in the log I don't see that the NAT is working. Tests:

First test rule:
chain=srcnat action=src-nat to-addresses=192.168.176.44 out-interface=VLAN_906 log=yes log-prefix=""
Result
firewall,info srcnat: in:(none) out:VLAN_906, src-mac 00:1c:23:a4:b9:d5, proto TCP (SYN), 192.168.0.129:62455->192.168.188.50:443, len 52

Second test rule:
chain=srcnat action=src-nat to-addresses=192.168.176.44 src-address=0.0.0.0 out-interface=VLAN_906 log=yes log-prefix=""
Result
firewall,info srcnat: in:(none) out:VLAN_906, src-mac 00:1c:23:a4:b9:d5, proto TCP (SYN), 192.168.0.129:62455->192.168.188.50:443, len 52
 
ludvik
newbie
Posts: 48
Joined: Mon May 26, 2008 4:36 pm

Re: Nat Not Working !!!

Thu May 17, 2018 9:16 pm

Try logging in mangle/postrouting or in the raw table.

ROS writes to the log when the packet has an original IP address. The change will take place in one of the last chains before leaving the kernel.

Look at the packet flow diagram (the MikroTik wiki will help).

ROS is Linux. If NAT in Linux were not working, half of the Internet would go to hell :-)
 
sindy
Forum Guru
Posts: 2406
Joined: Mon Dec 04, 2017 9:19 pm

Re: Nat Not Working !!!

Fri May 18, 2018 11:05 am

ludvik wrote: "Look at packet flow diagram (mikrotik wiki will help)"
One more point which is not clear from the diagram: only the initial packet of each connection (which in case of TCP is the SYN packet) is handled by the rules in the nat table; if one of those rules matches and the action is masquerade, src-nat, or dst-nat, the corresponding NAT handling is activated for that connection in the connection tracking module, so the subsequent packets are NATed (in both directions as needed) but do not pass the nat table any more.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
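
A toy Python model of the behaviour discussed in this thread, added here as an illustration (it is not part of any post and is not RouterOS code): the src-nat rule is evaluated and logged only for the first packet of a connection, the log line carries the pre-translation source, and connection tracking translates every later packet in both directions. The class and function names are hypothetical, the source port is kept unchanged for simplicity, and the addresses are the ones from the log lines in the first post.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class SrcNatRouter:
    """Simplified model: one src-nat rule with log=yes plus a conntrack table."""

    def __init__(self, to_address):
        self.to_address = to_address
        self.conntrack = {}     # original 4-tuple -> translated source address
        self.reverse = {}       # expected reply 4-tuple -> original source address
        self.log = []           # lines written by the nat rule's log=yes
        self.nat_rule_hits = 0  # how often the nat rule itself was evaluated

    def forward(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.conntrack:
            # New connection: only this packet traverses the srcnat chain.
            # The rule logs the packet as it matched, before translation.
            self.nat_rule_hits += 1
            self.log.append(f"srcnat: {pkt.src}:{pkt.sport}->{pkt.dst}:{pkt.dport}")
            self.conntrack[key] = self.to_address
            self.reverse[(pkt.dst, pkt.dport, self.to_address, pkt.sport)] = pkt.src
        # Every packet of a tracked connection is rewritten from the conntrack entry.
        return Packet(self.conntrack[key], pkt.sport, pkt.dst, pkt.dport)

    def reply(self, pkt):
        orig_src = self.reverse.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if orig_src is None:
            return None  # no tracked connection, so nothing is translated back
        return Packet(pkt.src, pkt.sport, orig_src, pkt.dport)


def demo():
    router = SrcNatRouter("192.168.176.44")
    syn = Packet("192.168.0.129", 62455, "192.168.188.50", 443)
    # The SYN plus two later packets of the same connection (same 4-tuple).
    sent = [router.forward(syn) for _ in range(3)]
    back = router.reply(Packet("192.168.188.50", 443, "192.168.176.44", 62455))
    return router, sent, back


if __name__ == "__main__":
    router, sent, back = demo()
    print(router.log, router.nat_rule_hits, sent[0], back, sep="\n")
```

In this model a log line showing 192.168.0.129 as the source, as in the first post, appears alongside outgoing packets that already carry 192.168.176.44.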
