Hi to all!!
I need to do a port forwarding to an internal server but I don't know how to do it (RouterOS 7.4)
This server is in other routing table (not in main table, due to VRF Lite configuration)

When I try to add a dst-nat to this server (in firewall->nat) I see "routing mark" and "connection mark" parameters but doesn't work.
(I already have routing and mangle rules for masquerade and internet access where I use connection mark and then specific the new-routing-mark and it works well)

Have I add mangle rules first and then dst-nat with routing mark parameter? Or is it not necessary? How I can do these rules?
Is there anything else to do afterwards?

Thanks and regards,

Hi!
It works when I add this routing rule: scr-address 0.0.0.0/0 dst-address 192.168.10.0/24 lookup vrf10
but this rule can accept connections from everywhere and I only want connections from internet (and not from other networks of other vrf's)
how can do more specific??

Thanks!!

Place
src-address=10.0.0.0/8 dst-address=192.168.10.0/24 action=drop
src-address=172.16.0.0/12 dst-address=192.168.10.0/24 action=drop
src-address=192.168.0.0/16 dst-address=192.168.10.0/24 action=drop
before your rule.

What do you mean by "VRF lite"? Manually configured routing marks and routing tables?

VRF lite is cisco terminology for VRF setups without MPLS.

Place
src-address=10.0.0.0/8 dst-address=192.168.10.0/24 action=drop
src-address=172.16.0.0/12 dst-address=192.168.10.0/24 action=drop
src-address=192.168.0.0/16 dst-address=192.168.10.0/24 action=drop
before your rule.

What do you mean by "VRF lite"? Manually configured routing marks and routing tables?

thank you, it's true.. it's as simple as drop all local networks before accept the rest..
I'm going to try it tomorrow

Yes, I mean VRF Lite as VRF configuration without MPLS.

Regards!