gb70
just joined
Topic Author
Posts: 3
Joined: Thu Feb 17, 2022 6:44 pm

DNAT on the wAP 60Gx3 AP

Fri Feb 18, 2022 8:40 pm

Hello, I am trying to make a destination NAT rule work on the wAP 60Gx3 AP. I think I have followed the instructions on DNAT in the wiki, but I cannot get it working.
First, I have added a public IP 192.168.100.10/32 to the bridge in the wAP
/ip address add address=192.168.100.10/32 interface=bridge
then I added the following rule
/ip firewall nat add chain=dstnat action=dst-nat dst-address=192.168.100.10 dst-port=30010 to-addresses=192.168.0.144 to-port=30010 protocol=tcp
This should map port 30010 of the public IP 192.168.100.10 to the same port of the private LAN host 192.168.0.144. However, a simple
telnet 192.168.100.10 30010
issued from host 192.168.0.144 never connects. Any help/suggestion appreciated.
 
Sob
Forum Guru
Posts: 9120
Joined: Mon Apr 20, 2009 9:11 pm

Re: DNAT on the wAP 60Gx3 AP

Mon Feb 21, 2022 4:14 am

Dstnat rule is fine, aside from 192.168.100.10 being a badly chosen example, because it's not public. Is this wAP a router or just a transparent bridge? It won't work like this with the latter.
 
gb70
just joined
Topic Author
Posts: 3
Joined: Thu Feb 17, 2022 6:44 pm

Re: DNAT on the wAP 60Gx3 AP

Mon Feb 21, 2022 3:30 pm

Hi, yes, 192.168.100.10 is not a good example of a public IP address :-(
Indeed, the settings were applied to the wAP operating as a transparent bridge, thus at least I know why it does not work.
Now I have simplified the NAT rule to let all types of traffic through, and this is the configuration:
/interface bridge
add name=bridge
/interface w60g
set [ find ] disabled=no frequency=60480 isolate-stations=no name=wlan60-1 put-stations-in-bridge=bridge ssid=XXXXXXXX
/interface w60g station
add mac-address=48:8F:5A:C9:24:72 name=wlan60-station-1 parent=wlan60-1 remote-address=08:55:31:96:DF:0A
add mac-address=48:8F:5A:C9:24:72 name=wlan60-station-2 parent=wlan60-1 remote-address=04:D6:AA:C1:38:46
add mac-address=48:8F:5A:C9:24:72 name=wlan60-station-3 parent=wlan60-1 remote-address=04:D6:AA:C1:38:52
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip address
add address=192.168.0.81/24 interface=ether1 network=192.168.0.0
add address=192.168.100.10/24 interface=bridge network=192.168.100.0
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=192.168.100.10 to-addresses=192.168.0.144
/ip route
add distance=1 gateway=192.168.0.1
/system identity
set name=mikrotik1
From the terminal of a connected wAP 60G station (04:D6:AA:C1:38:52, with IP address 192.168.100.82), this is what happens when I ping 192.168.100.10
[admin@mikrotik2] > ping 192.168.100.10
  SEQ HOST                                     SIZE TTL TIME  STATUS
    0 192.168.100.10                                          timeout
    1 192.168.100.10                                          timeout
    2 192.168.100.10                                          timeout
    3 192.168.100.10                                          timeout
...
However, the NAT rule partially works, since if I dump the TCP traffic on 192.168.0.144 I read:
...
14:11:17.848733 IP 192.168.100.82 > 192.168.0.144: ICMP echo request, id 55562, seq 20483, length 36
14:11:17.848779 IP 192.168.0.144 > 192.168.100.82: ICMP echo reply, id 55562, seq 20483, length 36
14:11:18.851418 IP 192.168.100.82 > 192.168.0.144: ICMP echo request, id 55562, seq 20739, length 36
14:11:18.851465 IP 192.168.0.144 > 192.168.100.82: ICMP echo reply, id 55562, seq 20739, length 36
...
Basically, the final destination host 192.168.0.144 sees the ping coming from 192.168.100.82 instead of from 192.168.100.10 (I know it shall be configured to answer to the 192.168.100.0 subnet).
 
Sob
Forum Guru
Posts: 9120
Joined: Mon Apr 20, 2009 9:11 pm

Re: DNAT on the wAP 60Gx3 AP

Tue Feb 22, 2022 4:52 am

So 192.168.100.10 is now the gateway for 192.168.100.82? And 192.168.0.144 does have a route to 192.168.100.82 via 192.168.0.81?
 
gb70
just joined
Topic Author
Posts: 3
Joined: Thu Feb 17, 2022 6:44 pm

Re: DNAT on the wAP 60Gx3 AP

Wed Feb 23, 2022 9:16 pm

Yes, I added a rule to route the two subnets, but it did not work either.
A partially working configuration was to DNAT directly one of the virtual interfaces wlan60-station-* (the connected one). In the end, however, I have resorted to a different scheme by exploiting a second Ethernet port I have on the PC, and avoiding NAT completely on the wAP (for the moment).
I will try again to work on this and post a solution in case I find one.
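
An added model (not from any poster, and not RouterOS code) of the return-path question raised in the thread: dst-nat rewrites only the destination, so the reply from 192.168.0.144 is translated back only if it returns through 192.168.0.81. The server's routing tables, its default gateway 192.168.0.1 and the src-nat variant are assumptions; the model covers plain IP routing and connection tracking only, not the wAP's bridge or station interfaces.

```python
import ipaddress

# Addresses taken from the thread; the server's routing tables below are assumptions.
DNAT = {"192.168.100.10": "192.168.0.144"}  # dst-nat rule on the wAP
WAP_ETHER1 = "192.168.0.81"                 # wAP address on the server's LAN

def wap_forward(src, dst, conntrack, src_nat=False):
    """Original direction through the wAP: dst-nat always, src-nat only if asked."""
    new_dst = DNAT.get(dst, dst)
    new_src = WAP_ETHER1 if src_nat else src
    conntrack[(new_dst, new_src)] = (dst, src)  # how to undo it for replies
    return new_src, new_dst

def next_hop(routes, dst):
    """Longest-prefix match; a gateway of None means the destination is on-link."""
    addr = ipaddress.ip_address(dst)
    matches = [ipaddress.ip_network(n) for n in routes if addr in ipaddress.ip_network(n)]
    best = max(matches, key=lambda n: n.prefixlen)
    return routes[str(best)] or dst

def ping(client, target, server_routes, src_nat=False):
    """Return the (src, dst) of the echo reply the client receives, or None."""
    conntrack = {}
    seen_src, seen_dst = wap_forward(client, target, conntrack, src_nat)
    # The server replies to whatever source address it saw.
    if next_hop(server_routes, seen_src) != WAP_ETHER1:
        return None  # reply leaves via another router and is never un-NATed
    orig_dst, orig_src = conntrack[(seen_dst, seen_src)]
    return orig_dst, orig_src  # wAP restores the address the client pinged

# Constructed routing tables for the server 192.168.0.144 (assumed, not from the thread).
DEFAULT_ONLY = {"192.168.0.0/24": None, "0.0.0.0/0": "192.168.0.1"}
WITH_ROUTE = {**DEFAULT_ONLY, "192.168.100.0/24": WAP_ETHER1}

if __name__ == "__main__":
    for label, routes, snat in [("default route only", DEFAULT_ONLY, False),
                                ("route via wAP", WITH_ROUTE, False),
                                ("src-nat on wAP", DEFAULT_ONLY, True)]:
        print(label, "->", ping("192.168.100.82", "192.168.100.10", routes, snat))
```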
