Mikrotik
Grigory Shchetintsev, 2017-05-14 14:00:10

How to correctly redirect a TCP port in MikroTik to LAN with different gateways?

Good day everyone!
I ran into a small problem. Apparently I don't know enough about port forwarding in RouterOS.
Basic information:
Two routers on RouterOS (6.39.1), one on a static IP (31.21.45.22), the other on a dynamic one.
An OpenVPN tunnel is raised between them, with an EoIP tunnel on top of it.
The EoIP tunnel is included in the LAN-Bridge network bridge, and the subnet 192.168.88.0/24 is set for it. Each router has its own DHCP server, so the clients have different gateways.
The address pools are separated.
Router-1:
IP - 192.168.88.1
Pool - 192.168.88.5-192.168.88.29
Router-2:
IP - 192.168.88.2
Pool - 192.168.88.30-192.168.88.59
In the Bridge filters of the interfaces of two routers, DHCP packets between routers are blocked (forward UDP 67-68 drop)
Netbios works fine, Dude server works fine, Plex works fine.
In general, between routers on different providers, all packets go fine.
Problem:
As far as I know, redirection in MikroTik is done with a simple rule, for example for WinBox access to the other router on the network:

```routeros
# the built-in NAT chain is named dstnat in RouterOS (the original post had "dst-nat")
/ip firewall nat add chain=dstnat in-interface=WAN protocol=tcp dst-port=8292 action=netmap to-address=192.168.88.2 to-ports=8291
```

Well, this rule doesn't work.
I looked with Torch on different interfaces of both routers and didn't get anything intelligible:
the packet is forwarded successfully, but on the second router the incoming IP is not a local 192.168.88.x address; it arrives directly, as if we were knocking directly on the WAN interface of the second router. Accordingly, Router-2 replies out of its WAN interface instead of sending the packet back into the LAN.
Question:
How do I correctly build a redirect with such a subnet design and force packets to go to the desired address or interface? For example, WinBox access to the second router through the router with the static IP.
P.S.
If masquerading is enabled on LAN-Bridge, the redirect works, but then torrents (and not only they) start using the tunnel as an external interface and load the tunnel channel.

2 answers
Grigory Shchetintsev, 2017-05-14
@Narakot

I solved it myself by marking through Mangle.
Add rules to Mangle on Router-1:

```routeros
/ip firewall mangle
add chain=prerouting action=mark-connection new-connection-mark=winbox-conn passthrough=yes connection-state=new protocol=tcp in-interface=WAN dst-port=8292 log=no
add chain=prerouting action=mark-packet new-packet-mark=winbox-pack passthrough=yes connection-mark=winbox-conn log=no
```

Add the redirect and masquerading:

```routeros
/ip firewall nat
add chain=dstnat action=dst-nat to-addresses=192.168.88.2 to-ports=8291 protocol=tcp dst-address=31.21.45.22 in-interface=WAN packet-mark=winbox-pack dst-port=8292 log=no
add chain=srcnat action=masquerade out-interface=LAN-Bridge packet-mark=winbox-pack log=no
```

At the same time, Router-2 does not need any additional configuration.
Per user l0ser140: replaced netmap with dst-nat.
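A tightened version of the same approach, as an added example that is not part of the answer above and not MikroTik's own documentation: it keeps the mark / dst-nat / masquerade logic, but limits who can reach the published WinBox port from WAN with an address list, adds a forward-chain filter so the marked flow is the only new connection admitted from WAN, and lists the commands used to confirm that the marks and NAT rules actually fire. The admin address 203.0.113.10 is a constructed placeholder; WAN, LAN-Bridge, 31.21.45.22 and 192.168.88.2 come from the question, and the filter rules assume no conflicting earlier rules in the forward chain.

```routeros
# Router-1 only; Router-2 needs no changes.
# Allowed management sources (203.0.113.10 is a constructed placeholder).
/ip firewall address-list
add list=winbox-admins address=203.0.113.10 comment="admin workstation (example)"

# Mark only NEW connections from allowed sources to the published port 8292,
# then give every packet of those connections the same packet mark.
/ip firewall mangle
add chain=prerouting in-interface=WAN protocol=tcp dst-port=8292 connection-state=new \
    src-address-list=winbox-admins action=mark-connection \
    new-connection-mark=winbox-conn passthrough=yes
add chain=prerouting connection-mark=winbox-conn action=mark-packet \
    new-packet-mark=winbox-pack passthrough=yes

# Translate only marked packets to Router-2's WinBox port ...
/ip firewall nat
add chain=dstnat in-interface=WAN protocol=tcp dst-address=31.21.45.22 dst-port=8292 \
    packet-mark=winbox-pack action=dst-nat to-addresses=192.168.88.2 to-ports=8291
# ... and masquerade only those packets towards the bridge, so Router-2 sees
# Router-1's bridge address as the source and replies back through the tunnel
# instead of out of its own WAN. Unmarked LAN traffic (torrents etc.) is
# untouched and keeps using its own gateway.
add chain=srcnat out-interface=LAN-Bridge packet-mark=winbox-pack action=masquerade

# Forward chain: admit the marked flow, drop any other new connection from WAN.
/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward in-interface=WAN packet-mark=winbox-pack action=accept
add chain=forward in-interface=WAN connection-state=new action=drop

# Verification while a WinBox session is open from the admin address:
# counters on both mangle rules and on both NAT rules must increase,
# the connection must carry the winbox-conn mark, and Torch on the bridge
# must show the session arriving on port 8291 with a 192.168.88.x source.
/ip firewall mangle print stats
/ip firewall nat print stats
/ip firewall connection print where connection-mark=winbox-conn
/tool torch interface=LAN-Bridge port=8291
```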

l0ser140, 2017-05-16
@l0ser140

Use dst-nat. Netmap is intended for something else.
