kxalek
just joined
Topic Author
Posts: 4
Joined: Tue Nov 14, 2017 1:45 pm

NAT doesn't work when IP ranges are specified

Tue Nov 14, 2017 2:12 pm

I have a couple or so devices which I connect to the MT router, it's always only one device at a time via ethernet. I sometimes need to connect to them from the outside and I have the following rules:
[admin@MikroTik] > /ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
 0    ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface=ether1

 1    chain=dstnat action=netmap to-addresses=192.168.88.238 to-ports=22 protocol=tcp in-interface=ether1 dst-port=22 log=no

 2    chain=dstnat action=dst-nat to-addresses=192.168.88.238 to-ports=80 protocol=tcp dst-address=1.1.1.1 dst-port=80 log=no

 3    chain=dstnat action=dst-nat to-addresses=192.168.88.238 to-ports=443 protocol=tcp dst-address=1.1.1.1 dst-port=443 log=no
[admin@MikroTik] >
Those work alright as it is, however if I specify "to-addresses" as
chain=dstnat action=netmap to-addresses=192.168.88.0/24 to-ports=22 protocol=tcp in-interface=ether1 dst-port=22 log=no
or
chain=dstnat action=netmap to-addresses=192.168.88.238-192.168.88.250 to-ports=22 protocol=tcp in-interface=ether1 dst-port=22 log=no

it doesn't work, the connections time out and I can't figure out why.

Product code RB951Ui-2nD
Version: 6.37.2
Last edited by kxalek on Tue Nov 14, 2017 2:52 pm, edited 2 times in total.
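Added example, not part of the original thread and not MikroTik's code: the 1:1 address arithmetic of the Linux netfilter NETMAP target, applied to the three to-addresses forms from the post above. It assumes RouterOS's netmap action follows the same arithmetic and treats 1.1.1.1 (the post's placeholder) as the router's public address; the function names are illustrative.

```python
import ipaddress

MASK32 = 0xFFFFFFFF


def parse_to_addresses(spec):
    """Return (min_ip, max_ip) as ints for 'a.b.c.d', 'a.b.c.d/len' or 'a.b.c.d-e.f.g.h'."""
    if "-" in spec:
        lo, hi = (int(ipaddress.IPv4Address(p.strip())) for p in spec.split("-"))
    elif "/" in spec:
        net = ipaddress.IPv4Network(spec, strict=False)
        lo, hi = int(net.network_address), int(net.broadcast_address)
    else:
        lo = hi = int(ipaddress.IPv4Address(spec))
    return lo, hi


def netmap_dst(orig_dst, to_addresses):
    """Destination rewrite as Linux xt_NETMAP computes it for a dstnat rule.

    Bits on which both ends of the range agree come from the range;
    every other bit is copied from the packet's original destination.
    Assumption: RouterOS action=netmap behaves the same way.
    """
    lo, hi = parse_to_addresses(to_addresses)
    netmask = ~(lo ^ hi) & MASK32
    dst = int(ipaddress.IPv4Address(orig_dst))
    new = (dst & ~netmask & MASK32) | (lo & netmask)
    return str(ipaddress.IPv4Address(new))


WAN_IP = "1.1.1.1"  # placeholder public address, as in rules 2 and 3 of the post

if __name__ == "__main__":
    for spec in ("192.168.88.238",
                 "192.168.88.0/24",
                 "192.168.88.238-192.168.88.250"):
        print(f"to-addresses={spec:30} -> {netmap_dst(WAN_IP, spec)}")
```

Under that assumption only the single-address form rewrites the destination to 192.168.88.238. With a subnet or range, the internal address that becomes reachable from outside is derived from the host bits of the public address, not from where the device actually sits.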
 
Anumrak
Forum Guru
Posts: 1174
Joined: Fri Jul 28, 2017 2:53 pm

Re: NAT doesn't work when IP ranges are specified

Tue Nov 14, 2017 2:18 pm

Very interesting question :) Let the support answer.
 
Steveocee
Forum Guru
Posts: 1189
Joined: Tue Jul 21, 2015 10:09 pm
Location: UK

Re: NAT doesn't work when IP ranges are specified

Tue Nov 14, 2017 5:00 pm

I was always under the impression you can only forward the packets through NAT to 1 host. This seems to be backed up by it not allowing you to put in a range or subnet. Can't you give your individual devices different IPs then assign varying port numbers so you can access all of them?
 
pietroscherer
Trainer
Posts: 170
Joined: Thu Mar 05, 2015 3:05 pm
Location: RS, Brazil

Re: NAT doesn't work when IP ranges are specified

Tue Nov 14, 2017 6:29 pm

> I was always under the impression you can only forward the packets through NAT to 1 host. This seems to be backed up by it not allowing you to put in a range or subnet. Can't you give your individual devices different IPs then assign varying port numbers so you can access all of them?

I thought the same. Is there an example where we can use an IP range in the field "to-address", or is it valid for one address only?
 
kxalek
just joined
Topic Author
Posts: 4
Joined: Tue Nov 14, 2017 1:45 pm

Re: NAT doesn't work when IP ranges are specified

Tue Nov 14, 2017 6:51 pm

Steve, it does allow me to put a range or subnet, it doesn't reject it as misconfiguration. I'm not entirely sure how to achieve assigning individual IPs, I'd assume it's from IP > DHCP Server > Leases.
 
Steveocee
Forum Guru
Posts: 1189
Joined: Tue Jul 21, 2015 10:09 pm
Location: UK

Re: NAT doesn't work when IP ranges are specified

Wed Nov 15, 2017 11:08 am

You are doing port forwarding, correct? You can only forward the port to 1 device, not multiple or a range. To put this into a "real world" response: if you "could" forward the port to the range, if you SSH'd and the router forwarded this to multiple devices then you'd have multiple devices try to respond to you simultaneously, see how that doesn't work?

OP how many devices do you have that need to be forwarded to?
 
Anumrak
Forum Guru
Posts: 1174
Joined: Fri Jul 28, 2017 2:53 pm

Re: NAT doesn't work when IP ranges are specified

Wed Nov 15, 2017 11:31 am

> You are doing port forwarding, correct? You can only forward the port to 1 device, not multiple or a range. To put this into a "real world" response: if you "could" forward the port to the range, if you SSH'd and the router forwarded this to multiple devices then you'd have multiple devices try to respond to you simultaneously, see how that doesn't work?
>
> OP how many devices do you have that need to be forwarded to?

Because of this illogicalness, devs had to disable the permissibility of this rule to setup in filter.
 
Steveocee
Forum Guru
Posts: 1189
Joined: Tue Jul 21, 2015 10:09 pm
Location: UK

Re: NAT doesn't work when IP ranges are specified

Wed Nov 15, 2017 12:52 pm

Randomly just tried this and yeah it did accept it with no fuss, took a /24 no problems. OK so yeah not too understanding why it is doing that. I wouldn't have thought there would ever be a need for that.
 
blajah
Member Candidate
Posts: 222
Joined: Fri Jun 12, 2015 8:58 pm
Location: Belgrade, Serbia

Re: NAT doesn't work when IP ranges are specified

Wed Nov 15, 2017 12:58 pm

Actually I do not agree. There is no logic in this request if we are talking about unicast. In Anycast it would make sense. Like @Steveocee explained, in common scenarios it is useless to have such option, but a lot of routers are used in more complex environment, and still we all have the same feature-set, right?
 
kxalek
just joined
Topic Author
Posts: 4
Joined: Tue Nov 14, 2017 1:45 pm

Re: NAT doesn't work when IP ranges are specified

Wed Nov 15, 2017 4:52 pm

Yeah, I understand why it doesn't look logical but in my case I only connect one device at a time and I have to go through the minor inconvenience of changing the rules for the different IPs that they're assigned, I have only 2 or 3 between which I swap the cable every now and then.
 
jphconstantin
Frequent Visitor
Posts: 90
Joined: Fri Sep 22, 2017 7:17 pm
Location: Switzerland

Re: NAT doesn't work when IP ranges are specified

Thu Nov 16, 2017 1:59 pm

Illogical ?
Forward the Voip traffic to a group of phones: how do you make that ?
 
Steveocee
Forum Guru
Posts: 1189
Joined: Tue Jul 21, 2015 10:09 pm
Location: UK

Re: NAT doesn't work when IP ranges are specified

Thu Nov 16, 2017 2:09 pm

> Yeah, I understand why it doesn't look logical but in my case I only connect one device at a time and I have to go through the minor inconvenience of changing the rules for the different IPs that they're assigned, I have only 2 or 3 between which I swap the cable every now and then.

If you are only connecting 1 device at a time then you can leave it forwarding to 1 IP, each device uses the same IP when it connects and you only have 1 device connected. No problems.
 
Steveocee
Forum Guru
Posts: 1189
Joined: Tue Jul 21, 2015 10:09 pm
Location: UK

Re: NAT doesn't work when IP ranges are specified

Thu Nov 16, 2017 2:10 pm

> Illogical ?
> Forward the Voip traffic to a group of phones: how do you make that ?

Why would you do that?
VOIP phones register and make their own connection, they do not need un-needed VOIP traffic sending to them.
 
blajah
Member Candidate
Posts: 222
Joined: Fri Jun 12, 2015 8:58 pm
Location: Belgrade, Serbia

Re: NAT doesn't work when IP ranges are specified

Fri Nov 17, 2017 9:35 pm

> > Illogical ?
> > Forward the Voip traffic to a group of phones: how do you make that ?
>
> Why would you do that?
> VOIP phones register and make their own connection, they do not need un-needed VOIP traffic sending to them.

Whoa, I was questioning myself this same question, but actually you wrote it. I thought a bit about this, but pretty much couldn't get to any common scenario.
Also, just thinking loud, how would connection tracker record multiple NAT translations using same port?
 
kxalek
just joined
Topic Author
Posts: 4
Joined: Tue Nov 14, 2017 1:45 pm

Re: NAT doesn't work when IP ranges are specified

Thu Dec 21, 2017 12:35 pm

> If you are only connecting 1 device at a time then you can leave it forwarding to 1 IP, each device uses the same IP when it connects and you only have 1 device connected. No problems.

I can't seem to make it work, I mean I set two different static IPs for two devices: 192.168.88.235 and 192.168.88.236, then I set up two NAT rules from Firewall menu, but unless I disable one of the rules it doesn't work.

In other words, what I'm wondering is, is it possible to make the router give the same IP address to different MAC addresses!? Again, we're talking about a situation when only one device is plugged at a time.
 
Steveocee
Forum Guru
Posts: 1189
Joined: Tue Jul 21, 2015 10:09 pm
Location: UK

Re: NAT doesn't work when IP ranges are specified

Thu Dec 21, 2017 3:30 pm

> > If you are only connecting 1 device at a time then you can leave it forwarding to 1 IP, each device uses the same IP when it connects and you only have 1 device connected. No problems.
>
> I can't seem to make it work, I mean I set two different static IPs for two devices: 192.168.88.235 and 192.168.88.236, then I set up two NAT rules from Firewall menu, but unless I disable one of the rules it doesn't work.
>
> In other words, what I'm wondering is, is it possible to make the router give the same IP address to different MAC addresses!? Again, we're talking about a situation when only one device is plugged at a time.

On its own segregated network, short lease times and very restricted amount of available IPs (i.e. 1 in this case) yes you can do that.
 
skuykend
Member Candidate
Posts: 274
Joined: Tue Oct 06, 2015 7:28 am

Re: NAT doesn't work when IP ranges are specified

Fri Dec 22, 2017 3:45 am

One option may be to put in both addresses as separate rules, and then use "nth=2,1" on the first one of the series.

At most it would take two attempts to connect to the 'up' server.
