I'm using Mikrotik 750GL and I have such a problem:
I have subnet 10.0.0.0/16
Router has local ip 10.0.0.1
and external ip (e.g. 1.1.1.1)
I forward some ports to my local hosts (e.g. firewall nat dst-nat 1.1.1.1:444 -> 10.0.0.2:80).
When I go to 1.1.1.1:444 from the internet, I can access my web server on 10.0.0.2, but when I go to 1.1.1.1:444 from the LAN (e.g. 10.0.0.3), I get stuck at loading the page.
I understand that 10.0.0.2 can answer 10.0.0.3 only through switch routing, and I tried to fix it by using a new src-nat rule like 10.0.0.0/16 -> 2.2.2.2, but nothing goes well.
Where did I make a mistake?
Your question does not give the full picture of the situation; exports from the console would be useful.
The simple use of src-nat and dst-nat must be supported by connection-mark; then you can masquerade traffic from local IPs to your specific local IP with some network service.
For example:
[admin@MikroTik] > ip address export
/ip address
add address=1.1.1.1/24 disabled=no interface=ether1-gateway network=1.1.1.0
add address=10.0.0.1/24 disabled=no interface=ether2-master-local network=10.0.0.0
[admin@MikroTik] > ip firewall mangle export
/ip firewall mangle
# mark connections opened from the LAN toward the published address and port
add action=mark-connection chain=prerouting disabled=no dst-address=1.1.1.1 dst-port=444 new-connection-mark=int_to_444 passthrough=no protocol=tcp src-address=10.0.0.0/24
[admin@MikroTik] > ip firewall nat export
/ip firewall nat
# port forward: 1.1.1.1:444 -> 10.0.0.2:80 (applies to LAN and WAN clients alike)
add action=dst-nat chain=dstnat disabled=no dst-address=1.1.1.1 dst-port=444 protocol=tcp to-addresses=10.0.0.2 to-ports=80
# normal masquerade for traffic leaving toward the internet
add action=masquerade chain=srcnat disabled=no out-interface=ether1-gateway
# hairpin: masquerade the marked LAN->LAN connections so replies return through the router
add action=masquerade chain=srcnat connection-mark=int_to_444 disabled=no
You can see that the mangle rule marks connections (int_to_444) which are addressed from the local subnet to 1.1.1.1:444, and the last NAT rule masquerades this connection-mark.
Explanation of similar cheating without Mikrotik
Regards, I hope it will be useful.
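As an added illustration (not part of the answer above, and not RouterOS code), the following Python model traces the packet flow behind the thread's problem. It uses the addresses from the thread (router 1.1.1.1 / 10.0.0.1, server 10.0.0.2, a LAN client 10.0.0.3 and a constructed WAN client 203.0.113.5) and models the three rules from the answer as functions. It shows why a LAN client's connection hangs with dst-nat alone: the server's reply is addressed directly to the LAN client, goes over the switch, never passes the router, and arrives with a source of 10.0.0.2:80 instead of the 1.1.1.1:444 the client expects. With the masquerade on the marked connection, the reply is addressed to the router, which reverses both translations.

```python
"""Model of hairpin NAT packet flow (added example; addresses from the forum thread)."""
from dataclasses import dataclass, replace
import ipaddress

ROUTER_WAN = "1.1.1.1"      # address on ether1-gateway
ROUTER_LAN = "10.0.0.1"     # address on ether2-master-local
LAN = ipaddress.ip_network("10.0.0.0/24")
SERVER = "10.0.0.2"
PUBLISHED_PORT = 444
SERVER_PORT = 80
MARK = "int_to_444"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def in_lan(addr: str) -> bool:
    return ipaddress.ip_address(addr) in LAN


def mangle_prerouting(pkt: Packet, conn: dict) -> None:
    """mark-connection rule: LAN client -> 1.1.1.1:444 gets the int_to_444 mark."""
    if in_lan(pkt.src) and pkt.dst == ROUTER_WAN and pkt.dport == PUBLISHED_PORT:
        conn["mark"] = MARK


def dstnat(pkt: Packet, conn: dict) -> Packet:
    """dst-nat rule: 1.1.1.1:444 -> 10.0.0.2:80, recorded so the reply can be reversed."""
    if pkt.dst == ROUTER_WAN and pkt.dport == PUBLISHED_PORT:
        conn["orig_dst"] = (pkt.dst, pkt.dport)
        return replace(pkt, dst=SERVER, dport=SERVER_PORT)
    return pkt


def srcnat(pkt: Packet, conn: dict, hairpin_rule: bool) -> Packet:
    """The two masquerade rules. Masquerade rewrites the source to the address of the
    interface the packet leaves through: ether1-gateway for internet-bound traffic,
    the LAN interface for marked hairpin connections (only if hairpin_rule is True)."""
    if not in_lan(pkt.dst):                              # out-interface=ether1-gateway
        conn["snat"] = ROUTER_WAN
        return replace(pkt, src=ROUTER_WAN)
    if hairpin_rule and conn.get("mark") == MARK:        # connection-mark=int_to_444
        conn["snat"] = ROUTER_LAN
        return replace(pkt, src=ROUTER_LAN)
    return pkt


def router_forward(pkt: Packet, conn: dict, hairpin_rule: bool) -> Packet:
    mangle_prerouting(pkt, conn)
    pkt = dstnat(pkt, conn)
    return srcnat(pkt, conn, hairpin_rule)


def router_reverse(reply: Packet, conn: dict) -> Packet:
    """Undo the recorded translations on a reply, as connection tracking does."""
    if "snat" in conn:
        client = conn["client"]
        reply = replace(reply, dst=client.src, dport=client.sport)
    if "orig_dst" in conn:
        reply = replace(reply, src=conn["orig_dst"][0], sport=conn["orig_dst"][1])
    return reply


def simulate(client: str, hairpin_rule: bool) -> dict:
    """Trace one request from `client` to 1.1.1.1:444 and report what the client sees."""
    request = Packet(src=client, sport=50000, dst=ROUTER_WAN, dport=PUBLISHED_PORT)
    conn = {"client": request}
    # 1.1.1.1 is outside the LAN prefix, so the client hands the packet to its gateway.
    to_server = router_forward(request, conn, hairpin_rule)
    reply = Packet(src=to_server.dst, sport=to_server.dport,
                   dst=to_server.src, dport=to_server.sport)
    # A reply to a LAN host goes straight over the switch and bypasses the router;
    # only replies to the router itself or to non-LAN addresses pass through it.
    via_router = (not in_lan(reply.dst)) or reply.dst == ROUTER_LAN
    if via_router:
        reply = router_reverse(reply, conn)
    accepted = ((reply.src, reply.sport) == (request.dst, request.dport)
                and (reply.dst, reply.dport) == (request.src, request.sport))
    return {"via_router": via_router, "reply_src": (reply.src, reply.sport),
            "accepted": accepted}


if __name__ == "__main__":
    for client, hairpin in (("203.0.113.5", False), ("10.0.0.3", False), ("10.0.0.3", True)):
        print(client, "hairpin=%s" % hairpin, simulate(client, hairpin))
```

Running it shows the WAN client working in both cases, the LAN client receiving an unexpected reply from 10.0.0.2:80 without the hairpin rule, and the LAN client receiving the expected reply from 1.1.1.1:444 once the marked connection is masqueraded. Note that the model uses the /24 prefix from the answer's export; the question's /16 subnet would be handled the same way as long as the mangle rule's src-address matches it.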