 
WiesiDeluxe
just joined
Topic Author
Posts: 6
Joined: Wed Jan 15, 2014 9:04 pm
Location: Austria

NAT Problems

Mon Jan 04, 2016 11:01 am

Have a small problem with my NAT Port forwarding and hope someone can help me...

Have a port forwarded to my internal server, everything is working fine BUT the problem is that in the internal server log every client has the same IP (the local IP of my firewall) and not the real external IP. Is there a way that I can see the real IP in the internal server log (as before with dd-wrt)?

Here is my NAT rule
/ip firewall nat
add action=dst-nat chain=dstnat dst-address="WAN-IP" dst-port=58000 in-interface=ether5-gateway protocol=tcp to-addresses="LAN-IP-SERVER" to-ports=58000
thank you in advance
 
Caci99
Forum Guru
Posts: 1076
Joined: Wed Feb 21, 2007 2:26 pm
Location: Tirane

Re: NAT Problems

Mon Jan 04, 2016 1:59 pm

What is your masquerade rule?
Try to set the masquerade rule with out-interface=WAN only, if it isn't already like that.
 
WiesiDeluxe

Re: NAT Problems

Mon Jan 04, 2016 9:33 pm

Here's my rule... but it is like you said with out-interface...
/ip firewall nat
add action=masquerade chain=srcnat comment="NAT Loopback" dst-address-list=LocalLAN out-interface=ether2-master-local
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether5-gateway
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: NAT Problems

Mon Jan 04, 2016 9:49 pm

> Here's my rule... but it is like you said with out-interface...
> /ip firewall nat
> add action=masquerade chain=srcnat comment="NAT Loopback" dst-address-list=LocalLAN out-interface=ether2-master-local
> add action=masquerade chain=srcnat comment="default configuration" out-interface=ether5-gateway

OK - it looks like you have hairpin NAT enabled. (comment says NAT Loopback)

The logic of this rule was wrong - change dst-address-list=LocalLAN to be src-address-list=LocalLAN

The way you had it configured will always masquerade because the destination of packets going out the lan interface will always be an address from your lan addresses (otherwise, the router would be sending them out some other interface).

So the source was always getting masqueraded.

You only want this to happen when a hairpin NAT is taking place (when a LAN host is trying to reach a LAN server, but by using its public IP instead of its LAN IP).

So by changing the rule to only apply whenever the source address of the packet is in your LAN addresses list, this rule won't match incoming requests from the Internet, so your logs will show the correct source IP address. Of course, when a LAN user hits the server, it's still going to show the Mikrotik's IP as the source, but there's no way around this because you have to do this for hairpin NAT.
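
The effect of the rule change described in the post above, as an added example that is not part of the original thread and is not RouterOS code: a simplified Python model of srcnat rule matching. The interface names and the LocalLAN list name come from the thread; every address and the contents of LocalLAN are assumptions.

```python
# Added example: simplified model of srcnat matching, not RouterOS itself.
# All addresses are constructed; interface and list names come from the thread.
from ipaddress import ip_address, ip_network

LOCAL_LAN = ip_network("192.168.88.0/24")  # assumed contents of address list LocalLAN
ROUTER_LAN_IP = "192.168.88.1"             # assumed router address on ether2-master-local
ROUTER_WAN_IP = "198.51.100.2"             # assumed router address on ether5-gateway
SERVER = "192.168.88.10"                   # assumed value of "LAN-IP-SERVER"

def in_lan(addr):
    return ip_address(addr) in LOCAL_LAN

# Each rule: (out-interface, packet field tested against LocalLAN, or None for no test)
ORIGINAL = [("ether2-master-local", "dst"), ("ether5-gateway", None)]
FIXED = [("ether2-master-local", "src"), ("ether5-gateway", None)]

def source_seen_by_peer(rules, src, dst, out_interface):
    """Return the source address after srcnat; the first matching rule masquerades."""
    for rule_if, list_field in rules:
        if rule_if != out_interface:
            continue
        tested = {"src": src, "dst": dst}.get(list_field)
        if list_field is None or in_lan(tested):
            # masquerade rewrites the source to the outgoing interface's address
            return ROUTER_LAN_IP if out_interface == "ether2-master-local" else ROUTER_WAN_IP
    return src  # no rule matched: the source is left untouched

# Packets as srcnat sees them, i.e. after dst-nat already rewrote dst to the server.
FLOWS = {
    "internet client -> forwarded port": ("203.0.113.7", SERVER, "ether2-master-local"),
    "LAN client -> WAN-IP (hairpin)": ("192.168.88.50", SERVER, "ether2-master-local"),
    "LAN client -> internet": ("192.168.88.50", "203.0.113.80", "ether5-gateway"),
}

def compare():
    """Map each flow to (source seen with original rules, source seen with fixed rules)."""
    return {name: (source_seen_by_peer(ORIGINAL, *flow), source_seen_by_peer(FIXED, *flow))
            for name, flow in FLOWS.items()}

if __name__ == "__main__":
    for name, (before, after) in compare().items():
        print(f"{name:36} original: {before:15} fixed: {after}")
```

Only the first flow changes: with the original rule the server logs the router's LAN address, with the corrected rule it logs the Internet client's own address.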
 
WiesiDeluxe

Re: NAT Problems

Mon Jan 04, 2016 10:25 pm

> The logic of this rule was wrong - change dst-address-list=LocalLAN to be src-address-list=LocalLAN

Woohoo - thank you very very much - it works and I learned some more about hairpin NAT!

Big Thanks!

---Close---
