
Public IP Forward for Internal/Lan Subnet

Posted: Tue Feb 26, 2019 11:39 am
by georgios
Hello,

Before posting, I read this tutorial https://wiki.mikrotik.com/wiki/Hairpin_NAT but I could not get it to work.

I have multiple LAN subnets and 1 WAN interface with multiple public IPs.

Currently, my LAN subnets (dmz, lan..) go out to the internet with SRCNAT / SRCNAT, and with the SrcNat action I choose which public address is used to go out to the internet.

My LAN subnets are (on different interface):
  • 172.10.10.0/24
  • 192.168.1.0/24
  • 192.168.2.0/24
My WAN interface has 10 public IPs assigned:
  • 100.100.100.1
  • 100.100.100.2
  • 100.100.100.2
  • 100.100.100.2

Port forwarding is working fine from outside of the MikroTik network:
  • Chain DstNat, Dst. Address 1.1.1.2, Protocol TCP, Dst. Port 80, In. Interface: Wan - Action dst-nat, To local IP 172.10.10.20, To Ports 80
When I am on my LAN subnet 192.168.1.0/24 and I go to 1.1.1.2 (tcp http 80) -> the webpage that loads is the MikroTik login page.

I tried the Hairpin_NAT, with traffic going out by the rule add chain=srcnat out-interface=WAN action=masquerade

Then I did:
/ip firewall nat
add chain=srcnat src-address=192.168.1.0/24 \
dst-address=172.10.10.20 protocol=tcp dst-port=80 \
out-interface=LAN action=masquerade

But each time I want to access 1.1.1.2, it loads the MikroTik page -> it should be the 172.10.10.20 port 80 web page.

Many thanks for your help

Re: Public IP Forward for Internal/Lan Subnet

Posted: Tue Feb 26, 2019 1:18 pm
by heribertos
In your dst-nat rule you have input-interface WAN. Here you must also add your LAN interface, because you want dst-nat in both cases; otherwise traffic goes to the input chain and the router web page appears!

The ip firewall nat rule is needless, except in cases where from a subnet you want to access the server within the same subnet. Then traffic goes from the server directly to the host and dstnat is not reversed. To force traffic through the router you need srcnat on itself.

/ip firewall nat
add chain=srcnat src-address=172.10.10.20 \
dst-address=172.10.10.20 protocol=tcp dst-port=80 \
out-interface=LAN action=masquerade

This looks strange but is required.
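
A simplified model of the two cases described in the reply above, added here as an illustration; it is not code from either poster or from MikroTik. The router address 172.10.10.1 and the client addresses 192.168.1.50 and 172.10.10.30 are assumptions made up for the example.

```python
from ipaddress import ip_address, ip_network

PUBLIC = "1.1.1.2"               # public IP from the thread
SERVER = "172.10.10.20"          # dst-nat target from the thread
SERVER_NET = ip_network("172.10.10.0/24")
ROUTER_LAN = "172.10.10.1"       # assumed router address in the server subnet

def rule(in_if):
    # One dst-nat rule as posted: 1.1.1.2:80 -> 172.10.10.20:80
    return {"dst": PUBLIC, "port": 80, "in_if": in_if, "to": SERVER}

def chain_after_dstnat(pkt, rules):
    """Return 'input' if the router itself answers, else 'forward:<ip>'."""
    for r in rules:  # first matching rule wins
        if (r["dst"], r["port"]) == (pkt["dst"], pkt["dport"]) \
                and r["in_if"] in (None, pkt["in_if"]):
            return "forward:" + r["to"]
    # No rule matched: dst is still the router's own address.
    return "input" if pkt["dst"] == PUBLIC else "forward:" + pkt["dst"]

def reply_source_seen_by_client(client, hairpin_srcnat):
    """Source address on the reply the client receives after dst-nat."""
    # With the hairpin srcnat the server sees the router as the peer.
    peer = ROUTER_LAN if hairpin_srcnat else client
    # An on-link peer that is the real client is answered directly,
    # so the router never gets to reverse the dst-nat.
    direct = peer == client and ip_address(client) in SERVER_NET
    return SERVER if direct else PUBLIC

def connection_works(client, hairpin_srcnat):
    # The client connected to PUBLIC and drops replies from anyone else.
    return reply_source_seen_by_client(client, hairpin_srcnat) == PUBLIC

# Constructed sample packet: a host in 192.168.1.0/24 browsing to 1.1.1.2
LAN_PKT = {"src": "192.168.1.50", "dst": PUBLIC, "dport": 80, "in_if": "Lan"}

if __name__ == "__main__":
    print(chain_after_dstnat(LAN_PKT, [rule("Wan")]))
    print(chain_after_dstnat(LAN_PKT, [rule("Wan"), rule("Lan")]))
    print(connection_works("192.168.1.50", False))
    print(connection_works("172.10.10.30", False))
    print(connection_works("172.10.10.30", True))
```

The first result shows why a WAN-only rule leaves the router's own login page answering LAN clients on the public address; the last two show why only same-subnet clients need the extra srcnat rule.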

Re: Public IP Forward for Internal/Lan Subnet

Posted: Tue Feb 26, 2019 1:47 pm
by georgios
Thank you.

So I have to create two DSTNAT rules?
/ip firewall nat
add chain=dstnat dst-address=1.1.1.2 in-interface=Wan protocol=tcp dst-port=80 \
action=dst-nat to-addresses=172.10.10.20 to-ports=80

add chain=dstnat dst-address=1.1.1.2 in-interface=Lan protocol=tcp dst-port=80 \
action=dst-nat to-addresses=172.10.10.20 to-ports=80

add chain=srcnat out-interface=WAN action=masquerade

This is working :)

So I don't have to do any srcnat as written in the tutorial?!

Thanks

Re: Public IP Forward for Internal/Lan Subnet

Posted: Tue Feb 26, 2019 2:03 pm
by heribertos
I wrote at the same time. See my update. srcnat is needed if host and server are in the same subnet.

Re: Public IP Forward for Internal/Lan Subnet

Posted: Tue Feb 26, 2019 3:30 pm
by georgios
:)
thank you

good afternoon

Re: Public IP Forward for Internal/Lan Subnet

Posted: Tue Feb 26, 2019 3:36 pm
by heribertos
you are welcome