ipavlik
just joined
Topic Author
Posts: 21
Joined: Thu Dec 22, 2016 3:47 pm

Force outgoing traffic to specific public IP address

Fri Jan 20, 2017 1:30 pm

Hello,

I have several public IPs on one WAN interface, and for outgoing traffic only the lowest public IP address is used.
I need to use a specific one for the SMTP server, which is in the DMZ.
I tried:
/ip firewall nat add action=src-nat chain=srcnat src-address=<dmz_ip> to-addresses=<wan_ip>
even as a topmost NAT rule, but with no effect.

Thanks.
 
gustavomam
Trainer
Posts: 287
Joined: Tue Jul 23, 2013 6:29 pm
Location: Spain

Re: Force outgoing traffic to specific public IP address

Fri Jan 20, 2017 1:37 pm

Hi.

You need to use a routing-mark to be able to achieve this.

http://wiki.mikrotik.com/wiki/Balanceo_ ... de_trafico

Regards.
 
ipavlik
just joined
Topic Author
Posts: 21
Joined: Thu Dec 22, 2016 3:47 pm

Re: Force outgoing traffic to specific public IP address

Fri Jan 20, 2017 1:53 pm

Hi.

> You need to use routing-mark to be able to get this.
>
> http://wiki.mikrotik.com/wiki/Balanceo_ ... de_trafico
>
> Regards.

Thank you for the reply. However, I have only one WAN interface with one gateway with several IP addresses.
 
gustavomam
Trainer
Posts: 287
Joined: Tue Jul 23, 2013 6:29 pm
Location: Spain

Re: Force outgoing traffic to specific public IP address

Fri Jan 20, 2017 1:59 pm

Hi.

There is a trick I have used sometimes.

You can use a VRRP interface in order to have many WAN IP addresses from your ISP.

You can see my video here.

http://tiktube.com/video/JEiC3bHCeHplDE ... rqlmoCDmE=
 
bennn
just joined
Posts: 12
Joined: Mon Oct 03, 2016 7:20 pm

Re: Force outgoing traffic to specific public IP address

Mon Jan 23, 2017 1:08 am

> /ip firewall nat add action=src-nat chain=srcnat src-address=<dmz_ip> to-addresses=<wan_ip>

Do this but also specify the out-interface.
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: Force outgoing traffic to specific public IP address

Mon Jan 23, 2017 2:15 am

That rule is ok even without out-interface. And if it's #1, then it must work, unless there's a typo in <dmz_ip> or <wan_ip>. What about rule counters, do they increase (i.e. does the rule match any traffic)?
 
ipavlik
just joined
Topic Author
Posts: 21
Joined: Thu Dec 22, 2016 3:47 pm

Re: Force outgoing traffic to specific public IP address

Mon Jan 23, 2017 9:37 am

> That rule is ok even without out-interface. And if it's #1, then it must work, unless there's a typo in <dmz_ip> or <wan_ip>. What about rule counters, do they increase (i.e. does the rule match any traffic)?

Tried with/without out-interface. There are a few packets in the counters, but I didn't catch when it was. There's no typo in the IP addresses. I have only one WAN interface, which has all WAN IP addresses set. Is it with this rule?
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: Force outgoing traffic to specific public IP address

Mon Jan 23, 2017 4:58 pm

Do some simple debugging. Enable logging for this rule (log=yes), initiate connection from <dmz_ip> to outside and see if the rule catches it. If it does, you can verify (using Tools->Torch on WAN interface or using logging rule in postrouting) that it really got the right address. If it doesn't catch anything, then inspect DMZ interface (Torch or logging rule in prerouting) what's up with outgoing packets. For easy debugging, you can e.g. telnet to random address or port, which won't succeed, but it's enough for testing srcnat, and you can easily filter in Torch or logging rules by this address/port.
 
rllavona13
just joined
Posts: 7
Joined: Mon Nov 28, 2016 12:41 am

Re: Force outgoing traffic to specific public IP address

Mon Jan 23, 2017 7:22 pm

You have to mark the routing, something like this:

/ip firewall mangle
add action=mark-routing chain=prerouting comment="TRAFFIC ROUTED VIA IP x.x.x.x" \
    disabled=no new-routing-mark=example_out passthrough=no src-address-list=routed_x.x.x.x

/ip firewall address-list
add address=172.16.103.0/24 comment="LAN1" list=routed_x.x.x.x

/ip route
add distance=1 dst-address=0.0.0.0/0 gateway=x.x.x.x routing-mark=example_out
 
ipavlik
just joined
Topic Author
Posts: 21
Joined: Thu Dec 22, 2016 3:47 pm

Re: Force outgoing traffic to specific public IP address

Tue Jan 24, 2017 9:02 am

> You have to mark the routing, something like this:
>
> /ip firewall mangle
> add action=mark-routing chain=prerouting comment="TRAFFIC ROUTED VIA IP x.x.x.x" \
>     disabled=no new-routing-mark=example_out passthrough=no src-address-list=routed_x.x.x.x
>
> /ip firewall address-list
> add address=172.16.103.0/24 comment="LAN1" list=routed_x.x.x.x
>
> /ip route
> add distance=1 dst-address=0.0.0.0/0 gateway=x.x.x.x routing-mark=example_out

Thank you for your answer. So if I have my DMZ IP 10.1.1.15 and public IP 1.2.3.4, I should have the following rules:

/ip firewall mangle
add action=mark-routing chain=prerouting comment="TRAFFIC ROUTED VIA IP 1.2.3.4" \
    disabled=no new-routing-mark=example_out passthrough=no src-address=10.1.1.15

/ip route
add distance=1 dst-address=0.0.0.0/0 gateway=1.2.3.4 routing-mark=example_out

Correct? It's a single IP address, so I omitted the address list. Do I need my srcnat rule then?

Thanks.
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: Force outgoing traffic to specific public IP address

Tue Jan 24, 2017 10:33 pm

You need to mark routing if you have more than one WAN, it won't help you if you have only one.
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: Force outgoing traffic to specific public IP address

Tue Jan 24, 2017 11:00 pm

As I wrote before, test what exactly happens. Add these logging rules and put them on top before all others:
/ip firewall filter
add action=log chain=forward connection-state=new dst-port=56789 log-prefix=step2 protocol=tcp
/ip firewall mangle
add action=log chain=prerouting connection-state=new dst-port=56789 log-prefix=step1 protocol=tcp
add action=log chain=postrouting connection-state=new dst-port=56789 log-prefix=step3 protocol=tcp
/ip firewall nat
add action=src-nat chain=srcnat dst-port=56789 log=yes log-prefix=step4 protocol=tcp to-addresses=<wan_ip>

Then on the SMTP server run this (it's any random outside address and the exact port you have in the above rules):
telnet 1.2.3.4 56789

And this is what you should see in log:
21:51:43 firewall,info step1 prerouting: in:<lan> out:(none), src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN), <dmz_ip>:<random_port>->1.2.3.4:56789, len 52 
21:51:43 firewall,info step2 forward: in:<lan> out:<wan>, src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN), <dmz_ip>:<random_port>->1.2.3.4:56789, len 52 
21:51:43 firewall,info step3 postrouting: in:(none) out:<wan>, src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN), <dmz_ip>:<random_port>->1.2.3.4:56789, len 52 
21:51:43 firewall,info step4 srcnat: in:(none) out:<wan>, src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN), <dmz_ip>:<random_port>->1.2.3.4:56789, len 52 
21:51:46 firewall,info step1 prerouting: in:<lan> out:(none), src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN), <dmz_ip>:<random_port>->1.2.3.4:56789, NAT (<dmz_ip>:<random_port>-><wan_ip>:<random_port>)->1.2.3.4:56789, len 52 
21:51:46 firewall,info step2 forward: in:<lan> out:<wan>, src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN), <dmz_ip>:<random_port>->1.2.3.4:56789, NAT (<dmz_ip>:<random_port>-><wan_ip>:<random_port>)->1.2.3.4:56789, len 52 
21:51:46 firewall,info step3 postrouting: in:(none) out:<wan>, src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN), <dmz_ip>:<random_port>->1.2.3.4:56789, NAT (<dmz_ip>:<random_port>-><wan_ip>:<random_port>)->1.2.3.4:56789, len 52
Check what's different in your case and you should find the problem.
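The comparison Sob asks for in the last step can be automated. The following is an added example, not code from any poster in this thread: it parses RouterOS firewall log lines produced by the step1..step4 rules above, reports at which step the test connection disappears, and checks that the NAT field shows the expected public address. The log text, the DMZ host 10.1.1.15, the public address 198.51.100.10 and the target 203.0.113.5 are constructed sample values.

```python
import re

# Constructed sample log modelled on the step1..step4 rules in the post above.
# DMZ host 10.1.1.15, WAN interface ether1, expected public address 198.51.100.10,
# test target 203.0.113.5:56789. As in the post, only a later (retransmitted) SYN
# carries the "NAT (...)" field, once the connection-tracking entry exists.
SAMPLE_LOG = """\
21:51:43 firewall,info step1 prerouting: in:ether2 out:(none), src-mac 00:11:22:33:44:55, proto TCP (SYN), 10.1.1.15:40001->203.0.113.5:56789, len 52
21:51:43 firewall,info step2 forward: in:ether2 out:ether1, src-mac 00:11:22:33:44:55, proto TCP (SYN), 10.1.1.15:40001->203.0.113.5:56789, len 52
21:51:43 firewall,info step3 postrouting: in:(none) out:ether1, src-mac 00:11:22:33:44:55, proto TCP (SYN), 10.1.1.15:40001->203.0.113.5:56789, len 52
21:51:43 firewall,info step4 srcnat: in:(none) out:ether1, src-mac 00:11:22:33:44:55, proto TCP (SYN), 10.1.1.15:40001->203.0.113.5:56789, len 52
21:51:46 firewall,info step3 postrouting: in:(none) out:ether1, src-mac 00:11:22:33:44:55, proto TCP (SYN), 10.1.1.15:40001->203.0.113.5:56789, NAT (10.1.1.15:40001->198.51.100.10:40001)->203.0.113.5:56789, len 52
"""

# step prefix, chain, original src:sport->dst:dport, and the optional NAT translation
LINE_RE = re.compile(
    r"firewall,info (?P<step>step\d) (?P<chain>\w+):.*?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+)->(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)"
    r"(?:, NAT \([\d.]+:\d+->(?P<nsrc>[\d.]+):\d+\)->[\d.]+:\d+)?, len"
)

def check_srcnat(log_text, dmz_ip, expected_wan_ip, test_port):
    """Return (verdict, steps_seen, translated_sources) for the telnet test connection."""
    steps, translated = set(), set()
    for m in LINE_RE.finditer(log_text):
        if m["src"] != dmz_ip or m["dport"] != str(test_port):
            continue  # some other connection hit the same logging rules; ignore it
        steps.add(m["step"])
        if m["nsrc"]:
            translated.add(m["nsrc"])
    # The first step that never logged anything tells where the packet got lost.
    for step, hint in (("step1", "nothing arrived at prerouting: check the DMZ host and interface"),
                       ("step2", "lost between prerouting and forward: check routing and filter rules"),
                       ("step3", "not reaching postrouting on the WAN interface"),
                       ("step4", "srcnat rule never matched: check its position and matchers")):
        if step not in steps:
            return (f"FAIL {hint}", steps, translated)
    if not translated:
        return ("UNKNOWN srcnat matched but no NAT field logged yet; repeat the telnet", steps, translated)
    if translated == {expected_wan_ip}:
        return (f"OK source translated to {expected_wan_ip}", steps, translated)
    return (f"FAIL translated to {sorted(translated)}, not {expected_wan_ip}: "
            "an earlier srcnat rule handled the connection", steps, translated)

if __name__ == "__main__":
    print(check_srcnat(SAMPLE_LOG, "10.1.1.15", "198.51.100.10", 56789)[0])
```

Paste the real log (Log window or `/log print`) into `SAMPLE_LOG`'s place and pass your own <dmz_ip> and <wan_ip>; a verdict naming a missing step points at the chain to inspect with Torch.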