/ip firewall nat
add action=src-nat chain=srcnat out-interface="ether1 Gateway-2-Metro" \
src-address=10.0.1.55 to-addresses=172.15.0.5
add action=dst-nat chain=dstnat dst-address=172.15.0.5 in-interface=\
"ether1 Gateway-2-Metro" to-addresses=10.0.1.55
add action=masquerade chain=srcnat out-interface-list=WAN
add action=masquerade chain=srcnat dst-address=162.211.33.206 dst-port=80 \
protocol=tcp src-address=10.0.1.0/24
For the hairpin NAT you need the rules in bold... I corrected the last rule, you need the LAN IP there, because it has been NATed earlier by the previous rule...

It doesn't seem to work with either a single port and protocol or everything. I would also like to just forward everything, and not have to do it port by port.
/ip firewall nat
add action=src-nat chain=srcnat out-interface="ether1 Gateway-2-Metro" \
src-address=10.0.1.55 to-addresses=172.15.0.5
add action=dst-nat chain=dstnat dst-address=172.15.0.5 in-interface=\
"ether1 Gateway-2-Metro" to-addresses=10.0.1.55
add action=masquerade chain=srcnat out-interface-list=WAN
add action=masquerade chain=srcnat dst-address=<LAN IP of the device> dst-port=80 \
out-interface=<your LAN interface> protocol=tcp src-address=10.0.1.0/24
/ip firewall nat
add action=netmap chain=srcnat out-interface="ether1 Gateway-2-Metro" \
src-address=10.0.1.55 to-addresses=172.16.0.5
add action=netmap chain=dstnat dst-address=172.16.0.5 in-interface=\
"ether1 Gateway-2-Metro" to-addresses=10.0.1.55
add action=masquerade chain=srcnat out-interface-list=WAN
add action=masquerade chain=srcnat dst-address=10.0.1.55 dst-port=80 \
out-interface=bridge1 protocol=tcp src-address=10.0.1.0/24
Okay, I removed the WAN from the in-interface, and things still work the same at that point, so that is good. I don't quite understand what you are saying to put on the address list. Also, should I be putting the address list in both the incoming and outgoing rule?

Main problem is the dstnat rule, you can't have in-interface="ether1 Gateway-2-Metro" (which I assume is the WAN interface), because all connections from LAN will be coming from - no surprise - LAN. Using in-interface for the dstnat rule is just a quick hack when you don't have a static address, otherwise it's not needed.
The only thing changed by NAT 1:1 is that you need dstnat rule that will take both addresses:
- Private one on the WAN interface, to which the ISP forwards traffic from the internet; that will be used by connections from outside.
- Real public address (which is otherwise on ISP's router), that will be used by connections from LAN.
Just put them both in address list and then use dst-address-list=<list>.
/ip firewall nat
add chain=srcnat out-interface=<WAN> action=srcnat to-addresses=<public address>
/ip firewall nat
add chain=srcnat out-interface=<WAN> action=masquerade
/ip firewall nat
add chain=dstnat dst-address=<public address> protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.88.10
/ip firewall nat
add chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.88.0/24 action=masquerade
/ip firewall nat
add chain=dstnat dst-address=10.20.30.40 protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.88.10
/ip firewall nat
add chain=dstnat dst-address=<public address> protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.88.10
/ip firewall address-list
add list=WAN_IP address=<public address>
add list=WAN_IP address=10.20.30.40
/ip firewall nat
add chain=dstnat dst-address-list=WAN_IP protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.88.10
/ip firewall nat
add action=netmap chain=dstnat dst-address=172.16.0.5 to-addresses=10.0.1.55
add action=netmap chain=srcnat src-address=10.0.1.55 to-addresses=172.16.0.5
add action=masquerade chain=srcnat out-interface-list=WAN
add chain=dstnat dst-address=10.20.30.40 protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.88.10
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=172.16.0.5 to-addresses=10.0.1.55
add action=src-nat chain=srcnat src-address=10.0.1.55 to-addresses=172.16.0.5
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address=172.16.0.5 dst-port=80 protocol=tcp to-addresses=10.0.1.55
add action=dst-nat chain=dstnat dst-address=<public IP> protocol=tcp dst-port=80 to-addresses=<LAN IP of the device>
add action=masquerade chain=srcnat dst-address=<LAN IP of the device> dst-port=80 \
out-interface=<your LAN interface> protocol=tcp src-address=<LAN subnet>
/ip address
add interface=<WAN interface> address=<public address 1>/27
...
add interface=<WAN interface> address=<public address 5>/27
/ip route
add dst-address=0.0.0.0/0 gateway=<another address from same /27>
That is already how it is configured. How do I then route the traffic to the devices themselves? I couldn't figure it out without the router being the gateway, which is why I had to use the 1:1 NAT.

Ok, so directly on your router you have the following? If that's so, you can probably make it work even without NAT.
For your PBX you must port forward the appropriate ports...

I am still having some audio issues with this setup for some reason, so those other options might actually be better.
This is exactly my case. My ISP has a few public IPs, and one of them is NATed 1:1 to my private WAN IP address (all 65k ports to my 192.168.100.119). From outside the connection is all right: I send to the public IP with a port and it is fine, but if I send to the public IP from my home network (behind my MTIK) I have no connection. How do I make it work? Hairpin NAT?

There's definitely some misunderstanding. When you wrote that you have 1:1 NAT, I thought that the ISP is doing that, but now it looks like you're the one who's doing it?
What I was describing is:
- ISP's router (which you don't have any access to) has public IP address, e.g. 2.2.2.2
- Your router's WAN interface has some private address (10.20.30.40 in my example)
- LAN behind your router is 192.168.88.0/24 in my example
- ISP is doing 1:1 NAT, which means that:
-- any packet to 2.2.2.2 gets new destination address 10.20.30.40
-- any packet from 10.20.30.40 gets new source address 2.2.2.2
Is this what you have, or is it something else?
/ip firewall address-list
add list=nat_addrs address=2.2.2.2
add list=nat_addrs address=10.20.30.40
/ip firewall nat
add chain=dstnat dst-address-list=nat_addrs protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.88.100
add chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.88.0/24 action=masquerade
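As an added illustration (not from the thread), a small Python model of the two NAT hops the replies above describe, with the thread's addresses: it shows why the dstnat rule needs both 2.2.2.2 and 10.20.30.40 in its address list, why an in-interface=WAN match breaks connections from LAN, and why the LAN-to-LAN masquerade rule is still needed for the reply path. The router's LAN address 192.168.88.1 and the sample client addresses are assumptions.

```python
from ipaddress import ip_address, ip_network

# Thread's addresses: ISP public 2.2.2.2 is 1:1 NATed to the router's WAN
# 10.20.30.40; LAN is 192.168.88.0/24, web server is 192.168.88.100.
# The router's own LAN address (192.168.88.1) is an assumption.
LAN = ip_network("192.168.88.0/24")
PUBLIC, WAN_IP = "2.2.2.2", "10.20.30.40"
SERVER, ROUTER_LAN = "192.168.88.100", "192.168.88.1"

def isp_1to1_nat(pkt):
    """ISP side: any packet to 2.2.2.2 gets destination 10.20.30.40."""
    return {**pkt, "dst": WAN_IP} if pkt["dst"] == PUBLIC else pkt

def dstnat(pkt, dst_list, in_iface=None):
    """chain=dstnat dst-address-list=<dst_list> tcp/80 -> 192.168.88.100,
    optionally restricted with in-interface=<in_iface>."""
    if in_iface and pkt["in"] != in_iface:
        return pkt
    if pkt["dst"] in dst_list and pkt["dport"] == 80:
        return {**pkt, "dst": SERVER}
    return pkt

def hairpin_srcnat(pkt):
    """chain=srcnat src-address=LAN dst-address=LAN action=masquerade
    (runs after dstnat, so dst is already the server's LAN address)."""
    if ip_address(pkt["src"]) in LAN and ip_address(pkt["dst"]) in LAN:
        return {**pkt, "src": ROUTER_LAN}
    return pkt

def connection_works(client, dst_list, hairpin, in_iface=None):
    """True if a TCP/80 connection from `client` to 2.2.2.2 both reaches
    the server and gets its reply from the address the client used."""
    from_lan = ip_address(client) in LAN
    pkt = {"src": client, "dst": PUBLIC, "dport": 80,
           "in": "bridge1" if from_lan else "WAN"}
    if not from_lan:
        pkt = isp_1to1_nat(pkt)      # only internet traffic crosses the ISP NAT
    pkt = dstnat(pkt, dst_list, in_iface)
    if hairpin:
        pkt = hairpin_srcnat(pkt)
    if pkt["dst"] != SERVER:
        return False                 # no dstnat match: never forwarded to the server
    # The server replies to the source it saw. A reply to a LAN client goes
    # straight to it without crossing the router, so nothing un-NATs it and
    # the client sees 192.168.88.100 instead of 2.2.2.2 and drops it.
    return (not from_lan) or pkt["src"] == ROUTER_LAN

if __name__ == "__main__":
    # constructed sample clients: 203.0.113.9 (internet), 192.168.88.50 (LAN)
    print(connection_works("203.0.113.9", {WAN_IP}, hairpin=False))            # True
    print(connection_works("192.168.88.50", {PUBLIC, WAN_IP}, hairpin=True))   # True
```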