Need some help with dst-nat issue.
Posted: Mon Sep 07, 2009 7:35 am
by XTLMeth
I need to know how to do dst-nat from multi-WAN to servers behind the firewall. I have this working with generic Linux but for some reason I can't get it to work in MikroTik.
The IPs have been changed for this example but it gives you the idea.
example:
wan1 ips: 69.164.219.25/24
35.2.245.2/25
35.2.245.3/25
35.2.245.125/25
wan2 ip: 16.161.237.204/29
wan3 ip: 85.24.205.212/23
lan1 ip: 172.18.7.251/22
Now I have a couple of servers behind the firewall:
server1: 172.18.7.250 with services 80,443,990,8000-8003
server2: 172.18.7.252 with services 21,22,25,53,110
With my current firewall I can create a dst-nat rule for port 80 on each interface to be natted to server 1. If I go from a computer outside my network I can hit that web server from any of those 7 WAN IPs. The other services like 25 SMTP are only dst-natted using 2 of the WAN interfaces.
Currently I use 1 routing table for each of the 4 ISPs. I use policy routing and connection marking to accomplish this. I tried to set up a MikroTik with a very close representation of what I do on the Linux box now, but it does not work.
I can't seem to do this type of natting with MikroTik. I can set up both internet connections and do a dst-nat to one side, but I can't get both WAN interfaces to nat it and have the return traffic end up leaving the right interface. What happens is, let's say I come in on internet connection 1: the traffic makes it to the back end server and the return traffic goes out the right interface, internet connection 1. But if I try to come in on internet connection 2, I see the nat happen and I see the traffic make it to the back end server, but the return traffic tries to go out internet connection 1 instead, when it should be going out internet connection 2 because that's where the original connection was made from.
I don't know if this description was clear enough. I hope so.
Re: Need some help with dst-nat issue.
Posted: Mon Sep 07, 2009 8:27 am
by changeip
Post your rules. You need to mark connections, mark packets, and then mark routing. You probably need to use the prerouting and output chains for all the above too. Then your routing tables need to be set up properly. Again, export the rules to the forum so we can fix it.
Re: Need some help with dst-nat issue.
Posted: Mon Sep 07, 2009 9:49 am
by XTLMeth
So here is what is configured at the moment. This is my initial attempt.
/ip address print detail
0 address=172.16.7.254/22 network=172.16.4.0 broadcast=172.16.7.255 interface=br_internal
actual-interface=br_internal
1 D address=72.24.182.205/24 network=72.24.182.0 broadcast=72.24.182.255 interface=e1_wan_cable
actual-interface=e1_wan_cable
2 address=216.161.237.204/29 network=216.161.237.200 broadcast=216.161.237.207 interface=e2_wan_dsl
actual-interface=e2_wan_dsl
/ip route print detail
0 A S dst-address=0.0.0.0/0 gateway=72.24.182.1,216.161.237.206 interface=e1_wan_cable,e2_wan_dsl
gateway-state=reachable,reachable distance=1 scope=30 target-scope=10
1 ADC dst-address=72.24.182.0/24 pref-src=72.24.182.205 interface=e1_wan_cable distance=0 scope=10
2 ADC dst-address=172.16.4.0/22 pref-src=172.16.7.254 interface=br_internal distance=0 scope=10
3 ADC dst-address=216.161.237.200/29 pref-src=216.161.237.204 interface=e2_wan_dsl distance=0 scope=10
/ip firewall filter print detail
0 chain=input action=accept connection-state=established
1 chain=input action=accept connection-state=related
2 chain=forward action=accept connection-state=established
3 chain=forward action=accept connection-state=related
4 chain=output action=accept connection-state=established
5 chain=output action=accept connection-state=related
6 chain=input action=accept connection-state=new protocol=icmp icmp-options=8:0-255
7 chain=input action=accept connection-state=new protocol=tcp dst-port=22 limit=2/1m,0
8 chain=input action=accept connection-state=new protocol=tcp dst-port=8291 limit=2/1m,0
9 chain=forward action=accept src-address=172.16.4.0/22 in-interface=br_internal
10 chain=forward action=accept connection-state=new protocol=tcp dst-address=172.16.5.253
out-interface=br_internal dst-port=80
11 chain=input action=drop
12 chain=forward action=drop
13 chain=output action=drop
/ip firewall nat print detail
0 chain=srcnat action=src-nat to-addresses=72.24.182.205 src-address=172.16.4.0/22
out-interface=e1_wan_cable
1 chain=srcnat action=src-nat to-addresses=216.161.237.204 src-address=172.16.4.0/22
out-interface=e2_wan_dsl
2 chain=dstnat action=dst-nat to-addresses=172.16.5.253 protocol=tcp dst-address=216.161.237.204
dst-port=80
3 chain=dstnat action=dst-nat to-addresses=172.16.5.253 protocol=tcp dst-address=72.24.182.205
dst-port=80
So the goal is to be able to browse to http://72.24.182.205 or http://216.161.237.204 and be able to get to the web server behind the firewall.
Re: Need some help with dst-nat issue.
Posted: Mon Sep 07, 2009 10:04 am
by XTLMeth
This configuration below is very similar to how my Linux firewall is configured right now. It's the closest I could get for MikroTik.
/ip address print detail
0 address=172.16.7.254/22 network=172.16.4.0 broadcast=172.16.7.255 interface=br_internal
actual-interface=br_internal
1 D address=72.24.182.205/24 network=72.24.182.0 broadcast=72.24.182.255 interface=e1_wan_cable
actual-interface=e1_wan_cable
2 address=216.161.237.204/29 network=216.161.237.200 broadcast=216.161.237.207 interface=e2_wan_dsl
actual-interface=e2_wan_dsl
/ip route print detail
0 A S dst-address=0.0.0.0/0 gateway=72.24.182.1,216.161.237.206 interface=e1_wan_cable,e2_wan_dsl
gateway-state=reachable,reachable distance=1 scope=30 target-scope=10
1 A S dst-address=0.0.0.0/0 gateway=216.161.237.206 interface=e2_wan_dsl gateway-state=reachable
distance=1 scope=30 target-scope=10 routing-mark=table_dsl
2 A S dst-address=0.0.0.0/0 gateway=72.24.182.1 interface=e1_wan_cable gateway-state=reachable
distance=1 scope=30 target-scope=10 routing-mark=table_cable
3 ADC dst-address=72.24.182.0/24 pref-src=72.24.182.205 interface=e1_wan_cable distance=0 scope=10
4 A S dst-address=72.24.182.0/24 gateway=e1_wan_cable interface=e1_wan_cable gateway-state=reachable
distance=1 routing-mark=table_cable
5 ADC dst-address=172.16.4.0/22 pref-src=172.16.7.254 interface=br_internal distance=0 scope=10
6 A S dst-address=172.16.4.0/22 gateway=br_internal interface=br_internal gateway-state=reachable
distance=1 routing-mark=table_cable
7 A S dst-address=172.16.4.0/22 gateway=br_internal interface=br_internal gateway-state=reachable
distance=1 routing-mark=table_dsl
8 ADC dst-address=216.161.237.200/29 pref-src=216.161.237.204 interface=e2_wan_dsl distance=0 scope=10
9 A S dst-address=216.161.237.200/29 gateway=e2_wan_dsl interface=e2_wan_dsl gateway-state=reachable
distance=1 routing-mark=table_dsl
/ip route rule print detail
0 src-address=72.24.182.205/32 action=lookup table=table_cable
1 src-address=216.161.237.204/32 action=lookup table=table_dsl
2 action=lookup table=main
The firewall and NAT are the same as in the above post. The only difference here is each ISP has a separate routing table and IP rule marking.
Re: Need some help with dst-nat issue.
Posted: Sat Sep 12, 2009 9:09 pm
by XTLMeth
I guess no one has an answer.
Re: Need some help with dst-nat issue.
Posted: Sun Sep 13, 2009 6:27 pm
by Chupaka
You need to mark your incoming connections with different marks for each WAN, then route them back via the same WAN, as changeip said.
Re: Need some help with dst-nat issue.
Posted: Sun Sep 13, 2009 6:48 pm
by XTLMeth
OK, I can try that out, but is there a little example that someone could give me to get me on track? I have tried and failed for some reason. I only need an example for one WAN and I can figure it out from there for the other internet connections.
Re: Need some help with dst-nat issue.
Posted: Sun Sep 13, 2009 7:50 pm
by Chupaka
Try the example from http://wiki.mikrotik.com/wiki/PCC - then add your dst-NAT rules.
Re: Need some help with dst-nat issue.
Posted: Mon Sep 14, 2009 3:42 am
by XTLMeth
I will give this a try. Thanks.
Re: Need some help with dst-nat issue.
Posted: Tue Nov 17, 2009 1:16 am
by thavinci
I am having the exact same problem and have in fact been referred to the same wiki entry with the PCC example.
However, I am yet to resolve this issue.
Would be nice to know if anyone else has.
I ALWAYS have the result that traffic leaves the incorrect interface when using the other WAN connections.
Re: Need some help with dst-nat issue.
Posted: Tue Nov 17, 2009 2:43 pm
by thavinci
Looks like even the official response is to hire a consultant!
Does seem pretty intense for a feature that the most basic of routers can achieve.
But OK, I'm desperate. So the question is: has anyone come right with this?
And who can I speak to that can give me an actual WORKING example that I can use?
And how much will you charge for this?
Re: Need some help with dst-nat issue.
Posted: Tue Nov 17, 2009 2:56 pm
by Chupaka
Post your config.
Re: Need some help with dst-nat issue.
Posted: Tue Nov 17, 2009 3:23 pm
by thavinci
OK, this is a test box that I can even give access to if needed.....
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Mark Incomming Connections
chain=input action=mark-connection new-connection-mark=Conn_Mark passthrough=yes in-interface=pppoe-out1
1 X chain=forward action=mark-connection new-connection-mark=Conn_Mark passthrough=yes in-interface=pppoe-out1
2 X chain=prerouting action=mark-routing new-routing-mark=Routing_Mark passthrough=yes connection-mark=Conn_Mark
3 ;;; Mark Outgoing Route
chain=output action=mark-routing new-routing-mark=Routing_Mark passthrough=yes connection-mark=Conn_Mark
4 ;;; ??
chain=prerouting action=accept dst-address=165.145.187.0/24 in-interface=LAN
5 chain=prerouting action=mark-connection new-connection-mark=Conn_Mark passthrough=yes dst-address-type=!local in-interface=LAN
6 chain=prerouting action=mark-routing new-routing-mark=Routing_Mark passthrough=yes in-interface=LAN connection-mark=Conn_Mark
7 X chain=forward action=log out-interface=LAN connection-mark=Conn_Mark log-prefix=""
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; NAT All Outgoing Traffic
chain=srcnat action=masquerade out-interface=pppoe-out1
1 X chain=srcnat action=masquerade out-interface=LAN
2 X chain=srcnat action=src-nat to-addresses=192.168.12.28
3 ;;; Port Forward
chain=dstnat action=dst-nat to-addresses=192.168.12.1 in-interface=pppoe-out1
[admin@P4-Intel-Server] /ip firewall nat>
# ADDRESS NETWORK BROADCAST INTERFACE
0 D 192.168.12.28/24 192.168.12.0 192.168.12.255 LAN
1 D 165.145.187.161/32 165.145.176.1 0.0.0.0 pppoe-out1
[admin@P4-Intel-Server] /ip address>
Following is only part of routing table as there are +- 1600 entries...
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 A S ;;; PBR-Default Route
0.0.0.0/0 pppoe-out1 1
1 ADS 0.0.0.0/0 165.145.176.1 1
PBR works for incoming connections to the public IP.
However, it breaks for dst-nat rules, as what seems to be happening is the MikroTik prefers to use routes from the routing table for the reply and breaks comms.
i.e. it doesn't listen to the PBR....
Let me know if you need any more info; my test is based on the PCC example without PCC and I used as much as I could.
Note the public IP is dynamic.....
Re: Need some help with dst-nat issue.
Posted: Tue Nov 17, 2009 4:49 pm
by Chupaka
Wait... what's the difference between gw='165.145.176.1' and 'gw=pppoe-out1'?.. I don't understand your goal...
Re: Need some help with dst-nat issue.
Posted: Tue Nov 17, 2009 5:19 pm
by thavinci
Sorry, the print function didn't actually show the routing mark of that route.
Obviously I had to specify the interface rather than an IP for that one, as the IP is dynamic.
Re: Need some help with dst-nat issue.
Posted: Tue Nov 17, 2009 6:34 pm
by Chupaka
Yeah, I saw that both routes are active, but... what's the problem?..
Re: Need some help with dst-nat issue.
Posted: Tue Nov 17, 2009 7:37 pm
by thavinci
It does not work!
If you do a dst-nat rule such as the one in my conf, the connection hits the MT, which forwards it to the internal server, but the MT doesn't send the response out the same interface back to the originating server. It instead uses its routing table for the response and ends up sending traffic to another router instead of back out the interface it came in on.
Re: Need some help with dst-nat issue.
Posted: Wed Nov 18, 2009 10:29 am
by davidfs
Hi. I've been facing the same problem. I have a simple configuration with 2 WANs.
Although I've done this in Linux without problems, I can't figure out how to do it in RouterOS.
See my post:
http://forum.mikrotik.com/viewtopic.php?f=13&t=34628
I didn't have an answer on how to do that simple question.
And the example on the wiki for policy routing is...
I've tested this with VMware, and it seems that packets return with the correct src-ip but the wrong interface.
Let me know if you find a solution...
Re: Need some help with dst-nat issue.
Posted: Wed Nov 18, 2009 6:21 pm
by Chupaka
If you do a dst-nat rule such as the one in my conf, the connection hits the MT, which forwards it to the internal server, but the MT doesn't send the response out the same interface back to the originating server. It instead uses its routing table for the response and ends up sending traffic to another router instead of back out the interface it came in on.
Are you talking about some route to 165.145.187.0/24 via a different router?..
If yes, then enable rule 1 and copy rule 6 above rule 4, then check...
Re: Need some help with dst-nat issue.
Posted: Wed Nov 18, 2009 9:58 pm
by changeip
You need to mark connections, and then mark packets. If you only mark connections, you are probably only going to route the SYN packets. Mark packets, and then mark routing based on packets (not connections).
See this working example; it's set up for DSL and a T1 and should work for what you are trying to accomplish without too many changes (interface instead of IP for the gateway, maybe):
http://forum.mikrotik.com/viewtopic.php ... t1#p147368
Also pay attention to my routing note, you have to recreate all your static / connected routes in each table.
Sam
Re: Need some help with dst-nat issue.
Posted: Wed Nov 18, 2009 11:52 pm
by changeip
Send me an email to support@changeip.com with your router's login info. I will get it working. $100 via PayPal once it works as you wish?
Thx,
Sam
Re: Need some help with dst-nat issue.
Posted: Thu Nov 19, 2009 7:59 am
by XTLMeth
Hey don't let that guy charge you from the above message unless you want it really really bad.
I did figure this out with help from this forum in another post, and I would be willing to help you get it working or send you my config, and you may be able to work from that?
Re: Need some help with dst-nat issue.
Posted: Thu Nov 19, 2009 8:07 am
by XTLMeth
http://forum.mikrotik.com/viewtopic.php ... 32&start=0 <--- this was my post where I got it working. The issue for me was I was using PCC to load balance internet from the LAN out to the internet, and when I was dst-natting from the internet in, the routing mark was fine, but when the server responded back it would send the packet back out the wrong interface because PCC was re-marking it when it shouldn't have. The trick for me was to change my PCC rules in the mangle table to only mark connections with no mark, aka connections coming from the LAN that hadn't already been marked. This simple change told the router to leave the existing marks alone, so when the returning packets from the server came in, the connection tracking table would associate the return packet with the existing connection and mark for that connection, which caused it to go out the proper interface over the internet.
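The following is an added example (not XTLMeth's posted config and not from the MikroTik wiki) that spells out the fix described above for the two-WAN setup earlier in this thread; it reuses the interface names, routing marks, gateways and web server address from that config, and the connection-mark names cable_conn and dsl_conn are assumptions.

```routeros
/ip firewall mangle
# Tag every new connection with the WAN it arrived on. prerouting catches
# dst-natted traffic for the LAN servers, input catches traffic to the router.
add chain=prerouting in-interface=e1_wan_cable connection-state=new \
    action=mark-connection new-connection-mark=cable_conn passthrough=yes
add chain=prerouting in-interface=e2_wan_dsl connection-state=new \
    action=mark-connection new-connection-mark=dsl_conn passthrough=yes
add chain=input in-interface=e1_wan_cable connection-state=new \
    action=mark-connection new-connection-mark=cable_conn passthrough=yes
add chain=input in-interface=e2_wan_dsl connection-state=new \
    action=mark-connection new-connection-mark=dsl_conn passthrough=yes

# The fix: PCC load balancing only claims LAN-originated connections that
# carry no mark yet, so server replies for dst-natted connections keep the
# mark they were given on arrival instead of being re-marked.
add chain=prerouting in-interface=br_internal connection-mark=no-mark \
    dst-address-type=!local per-connection-classifier=both-addresses:2/0 \
    action=mark-connection new-connection-mark=cable_conn passthrough=yes
add chain=prerouting in-interface=br_internal connection-mark=no-mark \
    dst-address-type=!local per-connection-classifier=both-addresses:2/1 \
    action=mark-connection new-connection-mark=dsl_conn passthrough=yes

# Turn the connection mark into a routing mark for packets coming from the
# LAN (server replies and LAN clients) and for packets the router generates.
add chain=prerouting in-interface=br_internal connection-mark=cable_conn \
    action=mark-routing new-routing-mark=table_cable
add chain=prerouting in-interface=br_internal connection-mark=dsl_conn \
    action=mark-routing new-routing-mark=table_dsl
add chain=output connection-mark=cable_conn \
    action=mark-routing new-routing-mark=table_cable
add chain=output connection-mark=dsl_conn \
    action=mark-routing new-routing-mark=table_dsl

/ip route
# One table per WAN; the connected LAN route is repeated in each table,
# as changeip's routing note in this thread says.
add dst-address=0.0.0.0/0 gateway=72.24.182.1 routing-mark=table_cable
add dst-address=172.16.4.0/22 gateway=br_internal routing-mark=table_cable
add dst-address=0.0.0.0/0 gateway=216.161.237.206 routing-mark=table_dsl
add dst-address=172.16.4.0/22 gateway=br_internal routing-mark=table_dsl

/ip firewall nat
# Port 80 reachable through both WANs; src-nat per WAN for LAN clients.
add chain=dstnat in-interface=e1_wan_cable protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=172.16.5.253
add chain=dstnat in-interface=e2_wan_dsl protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=172.16.5.253
add chain=srcnat out-interface=e1_wan_cable src-address=172.16.4.0/22 \
    action=src-nat to-addresses=72.24.182.205
add chain=srcnat out-interface=e2_wan_dsl src-address=172.16.4.0/22 \
    action=src-nat to-addresses=216.161.237.204
```

To confirm the marks are applied, /ip firewall connection print shows the connection-mark on each tracked connection, and the mangle rule counters show which rule claimed a server's reply packets.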
Re: Need some help with dst-nat issue.
Posted: Thu Nov 19, 2009 8:33 am
by hilton
Hey don't let that guy charge you from the above message unless you want it really really bad. :-D
That's a bit harsh!
It's not like changeip/Sam was forcing himself on thavinci. In fact thavinci actually asked for paid help.
I think Sam deserves an apology.
Re: Need some help with dst-nat issue.
Posted: Thu Nov 19, 2009 8:57 am
by changeip
Hehe. I even offered to get paid after I made it work. It could take 2 weeks of back and forth through the forums, whereas 5 mins on the router and I could make it work. It's always the 'oh yeah, I entered that rule in there to bypass this ...' or something that doesn't seem like anything but is.
Re: Need some help with dst-nat issue.
Posted: Fri Nov 20, 2009 12:06 am
by XTLMeth
You're right I didn't read it all. I jumped the gun on that one guys. Sorry.