Viewer
just joined
Topic Author
Posts: 9
Joined: Mon Sep 09, 2024 2:07 pm

NAT cannot record real IP addresses

Fri Dec 20, 2024 4:39 am

add action=dst-nat chain=dstnat dst-port=3306 in-interface=Wan-ether1 protocol=tcp to-addresses=192.168.88.244 to-ports=80
add action=dst-nat chain=dstnat dst-address-list=a.com dst-port=80 in-interface=bridge protocol=tcp to-addresses=192.168.88.244 to-ports=80
add action=masquerade chain=srcnat dst-port=80 out-interface=bridge protocol=tcp src-address=192.168.88.0/24

I added the following rules on the NAT page and found that the IP recorded in nginx's logs is the IP of the router, 192.168.88.1.
Is there any way to record the real IP addresses of the internal and external networks while ensuring performance?
 
mkx
Forum Guru
Posts: 12979
Joined: Thu Mar 03, 2016 10:23 pm

Re: NAT cannot record real IP addresses

Fri Dec 20, 2024 9:23 am

It's the last rule (masquerade) which messes src-address. In principle it's not needed unless you require "hairpin NAT" ... in which case there's no way around it.

Unless you create a separate IP subnet for the server.
 
Viewer
just joined
Topic Author
Posts: 9
Joined: Mon Sep 09, 2024 2:07 pm

Re: NAT cannot record real IP addresses

Fri Dec 20, 2024 9:36 am

It's the last rule (masquerade) which messes src-address. In principle it's not needed unless you require "hairpin NAT" ... in which case there's no way around it.

Unless you create a separate IP subnet for the server.
Do I only need to execute these two commands, and then leave in-interface empty?

add action=dst-nat chain=dstnat dst-port=80 in-interface=Wan-ether1 protocol=tcp to-addresses=192.168.88.244 to-ports=80
add action=dst-nat chain=dstnat dst-address-list=a.com dst-port=80 in-interface=bridge protocol=tcp to-addresses=192.168.88.244 to-ports=80
 
mkx
Forum Guru
Posts: 12979
Joined: Thu Mar 03, 2016 10:23 pm

Re: NAT cannot record real IP addresses

Fri Dec 20, 2024 10:18 am

The second rule hints at use of hairpin NAT because in-interface=bridge to-addresses=192.168.88.244 ... default config has 192.168.88.0/24 on LAN and bridge is the interface used by the router to talk to LAN. And if that's how you need it, then you need the masquerade rule which obfuscates actual src-addresses.
 
sindy
Forum Guru
Posts: 11115
Joined: Mon Dec 04, 2017 9:19 pm

Re: NAT cannot record real IP addresses

Fri Dec 20, 2024 5:28 pm

If for some reason you absolutely cannot set up separate subnets for the server and for the local clients, and thus you have to use hairpin NAT, @Sob has suggested a workaround the other day that allows you to learn the address of the local client based on what gets logged: to use action=netmap instead of action=masquerade to replace the prefix of the client's address with another one and keep the suffix unchanged. So e.g. if the client connects from 192.168.88.5, a netmap rule with to-addresses set to 10.168.88.0/24 will change that to 10.168.88.5 (or you can use any other private prefix that suits you better). In any case, the new source address (the "official" name is reply-dst-address) will be outside the own subnet of the server, so the server will have to use the Tik as a gateway to send its response, and you'll see an individual alias of the original address of the client in the logs.

This approach only doesn't work if the server doesn't have any routes.
 
Viewer
just joined
Topic Author
Posts: 9
Joined: Mon Sep 09, 2024 2:07 pm

Re: NAT cannot record real IP addresses

Sat Dec 21, 2024 2:01 pm

If for some reason you absolutely cannot set up separate subnets for the server and for the local clients, and thus you have to use hairpin NAT, @Sob has suggested a workaround the other day that allows you to learn the address of the local client based on what gets logged: to use action=netmap instead of action=masquerade to replace the prefix of the client's address with another one and keep the suffix unchanged. So e.g. if the client connects from 192.168.88.5, a netmap rule with to-addresses set to 10.168.88.0/24 will change that to 10.168.88.5 (or you can use any other private prefix that suits you better). In any case, the new source address (the "official" name is reply-dst-address) will be outside the own subnet of the server, so the server will have to use the Tik as a gateway to send its response, and you'll see an individual alias of the original address of the client in the logs.

This approach only doesn't work if the server doesn't have any routes.
Thanks, but what I need is the ability to record every real internal or external IP address
 
Viewer
just joined
Topic Author
Posts: 9
Joined: Mon Sep 09, 2024 2:07 pm

Re: NAT cannot record real IP addresses

Sat Dec 21, 2024 2:03 pm

The second rule hints at use of hairpin NAT because in-interface=bridge to-addresses=192.168.88.244 ... default config has 192.168.88.0/24 on LAN and bridge is the interface used by the router to talk to LAN. And if that's how you need it, then you need the masquerade rule which obfuscates actual src-addresses.
If I only keep the first rule, it will cause the intranet to be inaccessible.
 
sindy
Forum Guru
Posts: 11115
Joined: Mon Dec 04, 2017 9:19 pm

Re: NAT cannot record real IP addresses

Sat Dec 21, 2024 2:04 pm

Thanks, but what I need is the ability to record every real internal or external IP address
You can make the srcnat rule only act if the source address is from the server's own subnet, as the server will send responses to requests coming from any other subnet via the router anyway. You only need the srcnat rule to prevent the server from taking a shortcut when responding to an incoming request from its own subnet.

But there is no way to have the srcnat rule for same-subnet clients and let the server see their real addresses.
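To make the two suggestions above concrete (netmap instead of masquerade for same-subnet clients, and restricting the srcnat rule to the server's own subnet so external clients stay visible), here is an added example that is not part of this thread: a small Python model of the packet flow. It uses the thread's addresses (router 192.168.88.1, server 192.168.88.244, LAN 192.168.88.0/24, alias prefix 10.168.88.0/24); the router's public address 198.51.100.1 and the external client 203.0.113.10 are assumed documentation addresses. For each client and srcnat mode it reports what nginx would log, whether the server's reply passes through the router, and whether the client receives a reply from the address and port it actually connected to (the "shortcut" failure when no srcnat rule is applied).

```python
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, ip_address, ip_network
from typing import Optional, Tuple

# Constructed topology following the thread: router 192.168.88.1 on the LAN bridge,
# web server 192.168.88.244 in LAN 192.168.88.0/24. The router's public address
# and the external client used in the tests are assumed RFC 5737 documentation addresses.
ROUTER_LAN = ip_address("192.168.88.1")
ROUTER_WAN = ip_address("198.51.100.1")        # assumed address of Wan-ether1
SERVER = ip_address("192.168.88.244")
LAN = ip_network("192.168.88.0/24")
NETMAP_PREFIX = ip_network("10.168.88.0/24")   # alias prefix proposed in the thread


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    sport: int
    dport: int


def dst_nat(pkt: Packet) -> Packet:
    """chain=dstnat: port 80 on the router's own addresses is forwarded to the server
    (the OP's dst-nat rules, for both the WAN side and the a.com hairpin case)."""
    if pkt.dst in (ROUTER_WAN, ROUTER_LAN) and pkt.dport == 80:
        return replace(pkt, dst=SERVER, dport=80)
    return pkt


def src_nat(pkt: Packet, mode: Optional[str]) -> Packet:
    """chain=srcnat restricted to src-address=192.168.88.0/24, i.e. the server's own
    subnet; traffic from any other subnet is left untouched.
    mode is 'masquerade' (source becomes the router), 'netmap' (the /24 prefix is
    swapped for 10.168.88.0/24, host part kept) or None (no srcnat rule at all)."""
    if mode is None or pkt.src not in LAN or pkt.dst != SERVER or pkt.dport != 80:
        return pkt
    if mode == "masquerade":
        return replace(pkt, src=ROUTER_LAN)
    if mode == "netmap":
        host_part = int(pkt.src) - int(LAN.network_address)
        return replace(pkt, src=NETMAP_PREFIX.network_address + host_part)
    raise ValueError(f"unknown mode {mode!r}")


def simulate(client: str, mode: Optional[str]) -> Tuple[str, bool, bool]:
    """One request from `client` to the router's public address on port 80.
    Returns (address the server logs, reply went through the router?,
    client received a reply from the address:port it connected to?)."""
    request = Packet(ip_address(client), ROUTER_WAN, 40000, 80)
    at_server = src_nat(dst_nat(request), mode)
    logged = str(at_server.src)                       # what nginx writes to access.log

    reply = Packet(at_server.dst, at_server.src, at_server.dport, at_server.sport)
    # The server hands the reply to its gateway only if the destination is outside
    # its own subnet or is the router itself; otherwise it ARPs and sends directly.
    via_router = reply.dst not in LAN or reply.dst == ROUTER_LAN
    if via_router:
        # The router reverses both translations on the way back.
        reply = Packet(request.dst, request.src, request.dport, request.sport)
    # TCP only works if the reply comes from the address:port the client talked to.
    consistent = (reply.src, reply.sport) == (request.dst, request.dport)
    return logged, via_router, consistent


if __name__ == "__main__":
    for client in ("192.168.88.5", "203.0.113.10"):
        for mode in (None, "masquerade", "netmap"):
            logged, via_router, ok = simulate(client, mode)
            print(f"{client:>14} srcnat={str(mode):<10} logged={logged:<14} "
                  f"via_router={via_router!s:<5} reply_ok={ok}")
```

Running it shows the three outcomes discussed in the thread: with masquerade the LAN client is logged as 192.168.88.1, with netmap as 10.168.88.5 (the real host part survives, so the client can be identified), and with no srcnat rule the real address is logged but the server answers the LAN client directly from 192.168.88.244, so the client's connection to 198.51.100.1 gets a mismatched reply and fails. The external client keeps its real address in every mode because the srcnat rule only matches the server's own subnet.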
 
Viewer
just joined
Topic Author
Posts: 9
Joined: Mon Sep 09, 2024 2:07 pm

Re: NAT cannot record real IP addresses

Sat Dec 21, 2024 2:13 pm

Thanks, but what I need is the ability to record every real internal or external IP address
You can make the srcnat rule only act if the source address is from the server's own subnet, as the server will send responses to requests coming from any other subnet via the router anyway. You only need the srcnat rule to prevent the server from taking a shortcut when responding to an incoming request from its own subnet.

But there is no way to have the srcnat rule for same-subnet clients and let the server see their real addresses.
Thanks, understood.
I need to add a non-192.168.88 network segment to the server in order to obtain accurate IP addresses for the internal network.
How do I add rules for the external network?
Can you give me an example?
