Answer the question
In order to leave comments, you need to log in
How to make port forwarding in Mikrotik when accessing from LAN?
Hello!
The configuration is quite standard:
ether1 (WAN) - a static IP from the provider is specified, let's say 1.2.3.4
ether2 (LAN) - uplink goes to the switch, subnet 192.168.0.0/24
In the IP->Firewall->NAT rules:
# Default masquerading
Chain: src-nat
Out-interface: ether1
Action: masquerade
# Port forwarding
Chain: dst-nat
Protocol: 6 (tcp)
Dst. Port: 87
In. Interface: ether1
Action: netmap
To adrr: 192.168.0.2
To ports: 87
The problem is the following. From within the network, such forwarding does not work. And it is necessary that when accessing from within the network to the external address 1.2.3.4 and port 87, such a redirection still occurs.
PS: The problem is not In. Interface, I tried to specify different ones there.
192.168.0.100 ----(TCP packet with dst: 1.2.3.4) ---> 192.168.0.1 [ether2] -> masquerading seems to work here and the packet goes from ether2 to ether1 with src adr 1.2.3.4 already changed, t .e. src. adr. = dst. adr
After that, the packet, in theory, should still come to the ether1 port and dst-nat should already be processed there, but something somewhere in this chain is going wrong. I have a feeling that I'm just stupid somewhere and I need to somehow fix the masquerading or add another src-nat rule, or something like that. Help people who know, otherwise I'm completely confused.
Thanks in advance.
Answer the question
In order to leave comments, you need to log in
Masquerading doesn't work in your case. Add an explicit SNAT rule for such packets.
In general, everything looks something like this.
1. LAN client -> Mikrotik, 192.168.0.100:4555 -> 1.2.3.4:87 (on the router, this packet will have in-interface ether2, since the packet actually arrived from the local network) - if the rule specifies matching the packet by incoming interface for dst-nat (it is more logical to assume that you have it specified as ether1), then there will be no redirection. Either create two rules, or do not check the incoming interface for forwarded packets, but only the destination address, protocol and port. We move on.
2. Mikrotik -> LAN server, 192.168.0.100:4555 -> 192.168.0.2:87 (output-interface ether2) - Redirection won and packets now successfully fly to LAN after changing the destination address (that's the point of dst-nat ). But what will happen next? The local server receives the packet redirected through the router and responds to it directly, bypassing the router.
3. LAN server -> LAN client, 192.168.0.2:87 -> 192.168.0.100:4555 - This is a response packet from the server. But the client expects packets with source address 1.2.3.4, not these, and discards them. Either silently or explicitly by sending an ICMP message.
That's it. Hence the decision. Nat rules on Mikrotik.
1. Rule for port forwarding from the Internet:
chain = nat/prerouting,
input-interface = ether1,
dst-ip = 1.2.3.4,
protocol = tcp,
dst-port = 87,
action = dst-nat,
dst-nat-address = 192.168.0.2,
dst-nat-port = 87.
chain = nat/prerouting
input-interface = ether2,
dst-ip 1.2.3.4,
src-ip = 192.168.0.0/24,
protocol = tcp,
dst-port = 87,
action = dst-nat,
dst-nat-address = 192.168.0.2,
dst-nat-port = 87.
chain = nat/postrouting,
output-interface = ether2,
dst-ip = 192.168.0.2,
src-ip = 192.168.0.0/24,
protocol = tcp,
dst-port = 87,
action = src-nat,
src-nat-address = 192.168.0.1
1. In Action: you need to register dst-nat
2. Update the firmware to 6.7. They fixed a bug with hairpin nat
www.mikrotik.com/download/CHANGELOG_6
And I’ll add that if 1.2.3.4 is really static, then instead of a masquerade, it’s better to make src-nat to the address we know.
Much respect for the author of the answer. There is such a problem.
there are two mikrotik CRS125-24G-1S-IN routers and a server 192.168.0.110. (conditionally router A and router B)
The network is built as follows.
1) Port 1 - the Internet comes with a static address (1.2.3.4 (let's say)). 2-24 ports are combined into a switch with a master port 2. DHPC (192.168.0.1/24) is raised with dns from the provider.
# Default masquerading
Chain: src-nat
Out-interface: ether1
Action: masquerade
2) Forwarded port series 9292 , 9090 and so on.
1) reset all settings to zero. all ports are combined in a switch. I didn't create any more rules.
In general, I have a centralized network for 40 machines on the 192.168.0.1 network.
1) Like the author of this question, it is possible to reach the server from outside. from inside zero to ground. I did all three of your suggestions. For some reason it didn't help me. deaf as in a tank. I replaced 192.168.0.2 with 192.168.0.110 (on the server) and still didn't help
2) why Google Facebook sites are blocked and so on. Although I have rb750gl configured at home and all sites stomp normally. For me this is nonsense. I checked the provider. I connected a regular tplink, it easily skips packets. connected a router to it And also normally packets run from under the router. And as soon as I start up the main Internet directly into A router. Google immediately falls off with Facebook, A number of bank sites, etc.
Found that it is necessary to change MTU on the van port. did not help. Moreover, I want to indicate that the sites are pinged from the router. help me please
Hello.
Please tell me how to set up port forwarding.
Available: MikroTik RB951G-2HnD
In MikroTik, refrigeration equipment with the same IP is connected to ports 4 and 5 (1 refrigerator 10.100.1.199, 2 refrigerator 10.100.1.199). The local IP network (192.168.0.2/24) is connected to the 1st port.
Refrigerators are controlled via a web interface on port 80.
Tell me how to set up port forwarding from the local network to refrigerators, for example, at this address (1 refrigerator 192.168.0.2:8000, the second 192.168.0.2:8001)
Thank you in advance for your answer.
PS Reconfiguration of ip refrigerators is not possible
Good day! There is a head office, it has a Mikrotik with a VPN server (PPTP) and a static (white) IP. there are branches and just users who connect via VPN to the head office (at branches we use Mikrotik with a VPN client). There is a task to start up a certain type of traffic inside the VPN without using the static address of the head office, on which this VPN actually rises. Let's say the white IP of the head office is 1.1.1.1, the local is 192.168.0.0/24, the remote office is 192.168.2.0/24. The head office has a server with the address 192.168.0.10 (PBX) and port 4545, so the connection at the branch office needs to work in both directions, not one (you can hear me if you call from the head office, but the subscriber does not).
Sincerely!
I found a mini article for you, I think it will answer your question https://mikrotiklab.ru/nastrojka/probros-portov-mi...
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question