Could you do Source address list ! <list with internal subnets in>? That should catch external IPs but not mask the internal ones.

If you have an easy internal subnet to define, you could just use source address ! <internal subnet and netmask>.

In WinBox, click the small "checkbox" next to the field for the ! to negate the value.

Regards
Alexander

Alexander Neilson
Neilson Productions Limited
021 329 681
alexander@neilson.net.nz
On 7/11/2023, at 14:14, Karl Auer via Public <public@talk.mikrotik.com.au> wrote:
Some may recall I now have a Wireguard VPN between a Starlink-connected site and another site. The other site has a static IP address, the Starlink site does not.
Inevitably, someone now wants to connect from outside to a server in TCP/85 in the Starlink site. No problem, thinks I. They can connect to the static IP and I will ship their connection over the VPN to the other network. Just dstnat plus srcnat.
In the following, xxx is the static IP address, and 192.168.103.184 is the address they want to reach in the Starlink-connected network.
/ip firewall nat
add chain=dstnat action=dst-nat \
    dst-address=xxx dst-port=85 protocol=tcp \
    to-addresses=192.168.103.184 to-ports=85 \
    in-interface=e1-uplink log=yes log-prefix="A"
add chain=srcnat action=masquerade \
    ???? out-interface=wg0 log=yes log-prefix="B"
I can't figure out what I should put in the srcnat rule that will limit it so it only src-nats packets coming from the public internet. The obvious one, filtering on "in-interface=e1-uplink", isn't possible with srcnat.
What am I missing? Or do I have to add "accept" rules for all the networks I don't want NATted by wg0?
Regards, K.
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer@nullarbor.com.au)
http://www.nullarbor.com.au
work +61 2 64957435
mobile +61 428 957160
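Alexander's address-list suggestion applied to Karl's two rules, as an added example that is not part of either post. The list name "internal" and the RFC 1918 ranges in it are assumptions; xxx, the interface names and 192.168.103.184 come from the thread.

```routeros
# Added example, not from either post. The three ranges are assumed to be
# the site's internal space; replace them with the real subnets.
/ip firewall address-list
add list=internal address=10.0.0.0/8 comment="assumed internal range"
add list=internal address=172.16.0.0/12 comment="assumed internal range"
add list=internal address=192.168.0.0/16 comment="assumed internal range"

/ip firewall nat
# dst-nat rule as in the original post (path is /ip firewall nat)
add chain=dstnat action=dst-nat protocol=tcp dst-address=xxx dst-port=85 \
    in-interface=e1-uplink to-addresses=192.168.103.184 to-ports=85 \
    log=yes log-prefix="A"
# srcnat cannot match in-interface, so negate the address list instead:
# "!internal" matches only sources NOT on the list, i.e. the public
# clients that arrived through the dst-nat rule. Site-to-site traffic
# over wg0 keeps its real source address.
# Narrowing to the forwarded service limits the masquerade to exactly
# the connections it exists for.
add chain=srcnat action=masquerade out-interface=wg0 \
    src-address-list=!internal \
    protocol=tcp dst-address=192.168.103.184 dst-port=85 \
    log=yes log-prefix="B"
```

Because masquerade rewrites the source to the router's wg0 address, the server at 192.168.103.184 will see every external client as the router; the "A" log line from the dst-nat rule is where the real client address is recorded.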