zx128k (Frequent Visitor, Topic Author)

How to force NATed machines to communicate with each other using their WAN ip addresses?

Mon Mar 06, 2023 11:35 am

Guys, another puzzle....
[attachment: Screenshot 2023-03-06 131654.png]
I have services inside the LAN accessible using NAT, including mail servers. They work as normal from the outside world, but the time has come when I need them to communicate with each other. Unfortunately it's not enough to just use MikroTik's own DNS service to point at their LAN IP addresses; there must also be MX records etc. So one mail server is required to access the other mail server using its WAN IP address instead. How to do this?

Right now, I'm differentiating traffic by incoming WAN IP address and interface, like:
add action=dst-nat chain=dstnat comment="Email service to Server 1" dst-address=10.10.10.10 \
    dst-port=25,110,993,995,143,587,465 in-interface=ether2 protocol=tcp \
    to-addresses=192.168.10.10

add action=dst-nat chain=dstnat comment="Email service to Server 2" dst-address=20.20.20.10 \
    dst-port=25,110,993,995,143,587,465 in-interface=ether2 protocol=tcp \
    to-addresses=192.168.20.10
How do I tell MikroTik to accept packets from one mail server to the other as if they came from outside the LAN?

Besides mail services, they also act as web servers. So they also can't reach each other through the WAN IP addresses; I have to set the LAN IP address exclusively in the DNS server for each individual web site I want to access from either machine, for example 192.168.10.10 IN A websitedomain.com, etc....


Thanks!!

anav (Forum Guru, Nova Scotia, Canada)

Re: How to force NATed machines to communicate with each other using their WAN ip addresses?

Mon Mar 06, 2023 2:43 pm

Put them both on a ZeroTier network.

mkx (Forum Guru)

Re: How to force NATed machines to communicate with each other using their WAN ip addresses?

Mon Mar 06, 2023 3:04 pm

The dst-nat rules you already have are almost fine, with one exception: the "in-interface=ether2" stands in the way. So you can omit the "in-interface" property (but that might cause some other problem, depending on the rest of the NAT rules you have), or simply add a similar pair of rules, but use the src-address property instead of in-interface (to limit the NAT rule to act only on connections between both servers). Performance-wise it probably doesn't matter much whether you use a single pair of dst-nat rules, slightly overloaded, or an additional pair of dst-nat rules.

Next you'll probably also need src-nat rules ... I'm assuming your src-nat rule also limits NAT to packets sent through the ether2 interface. And you probably want the connected party to think it was connected from the other mail server using its public IP address as well. So construct a src-nat rule pair, similar to this one:
add chain=srcnat action=src-nat src-address=192.168.10.10 dst-address=20.20.20.10 protocol=tcp dst-port=25 to-addresses=10.10.10.10
(remember that src-nat is done as one of the last steps in packet handling, way later than dst-nat (which is one of the first steps) ... so the src-nat rule will see the public IP address of the destination)
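A complete hairpin-NAT rule set for the two servers in this thread, added here as an illustration and not mkx's or the topic author's configuration. It assumes ether2 is the WAN interface holding both public addresses and that an address list "LAN" covers both LAN subnets; note that the srcnat chain is evaluated after dstnat has already rewritten the destination, so the srcnat rules match the LAN address of the peer, not its public one.

```routeros
# Added example: hairpin NAT so 192.168.10.10 and 192.168.20.10 can reach each
# other via their public IPs 10.10.10.10 / 20.20.20.10 (addresses from the thread).
# Assumed address list; adjust the subnets to the real ones.
/ip firewall address-list
add list=LAN address=192.168.10.0/24 comment="assumed LAN subnet of Server 1"
add list=LAN address=192.168.20.0/24 comment="assumed LAN subnet of Server 2"

/ip firewall nat
# Keep the existing Internet-facing dst-nat rules (in-interface=ether2) and add a
# second pair that matches only LAN-originated connections to the public IPs.
add chain=dstnat action=dst-nat comment="Hairpin: LAN -> Server 1 public IP" \
    src-address-list=LAN dst-address=10.10.10.10 protocol=tcp \
    dst-port=25,110,993,995,143,587,465 to-addresses=192.168.10.10
add chain=dstnat action=dst-nat comment="Hairpin: LAN -> Server 2 public IP" \
    src-address-list=LAN dst-address=20.20.20.10 protocol=tcp \
    dst-port=25,110,993,995,143,587,465 to-addresses=192.168.20.10

# srcnat runs after dstnat, so dst-address here is the already-translated LAN
# address. Rewriting the source to the sender's public IP does two things:
#  1. the receiving mail server sees the peer's WAN address, as MX lookups expect;
#  2. replies go back through the router (which owns 10.10.10.10 / 20.20.20.10)
#     instead of straight to the LAN host, which would bypass conntrack and
#     leave the connection half-open (the "packets to the moon" symptom).
add chain=srcnat action=src-nat comment="Hairpin: Server 1 appears as 10.10.10.10" \
    src-address=192.168.10.10 dst-address=192.168.20.10 protocol=tcp \
    dst-port=25,110,993,995,143,587,465 to-addresses=10.10.10.10
add chain=srcnat action=src-nat comment="Hairpin: Server 2 appears as 20.20.20.10" \
    src-address=192.168.20.10 dst-address=192.168.10.10 protocol=tcp \
    dst-port=25,110,993,995,143,587,465 to-addresses=20.20.20.10

# Check: after Server 1 connects to 20.20.20.10:25, the tracked connection should
# show both translations (reply-dst is the public IP of Server 1, not its LAN IP).
/ip firewall connection print detail where dst-address~"^192.168.20.10:25"
```

If the router also has policy-routing mangle rules that mark LAN-originated connections to non-LAN destinations (as in the later post), those rules see the untranslated public destination in prerouting and must exempt this hairpin traffic, or it will be steered into the WAN routing table.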

zx128k (Frequent Visitor, Topic Author)

Re: How to force NATed machines to communicate with each other using their WAN ip addresses?

Tue Mar 07, 2023 7:42 pm

I made a copy as you said, removing the interface directive and adding the source list LAN, but it gives this error:

dstnat: in:ether4 out:(unknown 0), src-mac, proto TCP (SYN), 192.168.10.10:51894->20.20.20.10:3389, len 52

mkx (Forum Guru)

Re: How to force NATed machines to communicate with each other using their WAN ip addresses?

Tue Mar 07, 2023 7:49 pm

dstnat: in:ether4 out:(unknown 0), src-mac, proto TCP (SYN), 192.168.10.10:51894->20.20.20.10:3389, len 52

I guess you see this in the log ... is it a verbatim copy of the whole log message? And what is now the exact dst-nat rule?

zx128k (Frequent Visitor, Topic Author)

Re: How to force NATed machines to communicate with each other using their WAN ip addresses?

Tue Mar 07, 2023 9:32 pm

mkx wrote:
dstnat: in:ether4 out:(unknown 0), src-mac, proto TCP (SYN), 192.168.10.10:51894->20.20.20.10:3389, len 52

I guess you see this in the log ... is it a verbatim copy of the whole log message? And what is now the exact dst-nat rule?

yep...
chain=dstnat action=dst-nat to-addresses=192.168.20.10 protocol=tcp dst-address=20.20.20.10 src-address-list=LAN dst-port=25,110,993,995,143,587,465 log=no log-prefix=""
Pretty much looks like the destination machine is sending response packets to the moon.

zx128k (Frequent Visitor, Topic Author)

Re: How to force NATed machines to communicate with each other using their WAN ip addresses?

Tue Mar 07, 2023 10:27 pm

omg,

it is caused by my previous config from this thread:

viewtopic.php?t=193790


/ip route rules print
0 src-address=192.168.100.0/24 routing-mark=WAN1_traffic action=lookup-only-in-table table=ISP1 
1 src-address=192.168.5.0/24 routing-mark=WAN2_traffic action=lookup-only-in-table table=ISP2 
 
/ip firewall mangle print

 0    chain=prerouting action=mark-connection new-connection-mark=WAN1 passthrough=yes connection-state=new connection-mark=no-mark in-interface=ether1 log=no log-prefix="" 
 1    chain=prerouting action=mark-connection new-connection-mark=WAN2 passthrough=yes connection-state=new connection-mark=no-mark in-interface=ether2 log=no log-prefix="" 
 2    chain=prerouting action=mark-connection new-connection-mark=WAN1 src-address-type="" dst-address-type="" dst-address-list=!LAN connection-mark=no-mark in-interface=ether3 log=no log-prefix="" 
 3    chain=prerouting action=mark-connection new-connection-mark=WAN2 dst-address-list=!LAN connection-mark=no-mark in-interface=ether4 log=no log-prefix="" 
 4    chain=prerouting action=mark-routing new-routing-mark=WAN1_traffic connection-mark=WAN1 log=no log-prefix="" 
 5    chain=prerouting action=mark-routing new-routing-mark=WAN2_traffic connection-mark=WAN2 log=no log-prefix="" 


I have excluded LAN traffic in these rules because otherwise they were losing connectivity. Now it is becoming really very interesting!!!