Hi,

The dstnat rule is one way to enforce internet packets. If the MikroTik is the main gateway, you can choose source interface. If not, you can have match source address to not (address list of LAN addresses).

To: MikroTik Public <public@talk.mikrotik.com.au>
Date sent: Tue, 07 Nov 2023 11:55:42 +1100
Organization: Nullarbor Consulting pty Ltd
Subject: [MT-AU Public] Puzzled why forwarding no work
From: Karl Auer via Public <public@talk.mikrotik.com.au>
Send reply to: MikroTik Australia Public List <public@talk.mikrotik.com.au>
Copies to: Karl Auer <kauer@nullarbor.com.au>

Some may recall I now have a Wireguard VPN between a Starlink-connected site and another site. The other site has a static IP address, the Starlink site does not.

Inevitably, someone now wants to connect from outside to a server on TCP/85 in the Starlink site. No problem, thinks I. They can connect to the static IP and I will ship their connection over the VPN to the other network. Just dstnat plus srcnat.

In the following, xxx is the static IP address, and 192.168.103.184 is the address they want to reach in the Starlink-connected network.

    /ip filter nat
    add chain=dstnat action=dst-nat \
        dst-address=xxx dst-port=85 protocol=tcp \
        to-addresses=192.168.103.184 to-ports=85 \
        in-interface=e1-uplink log=yes log-prefix="A"
    add chain=srcnat action=masquerade \
        ???? out-interface=wg0 log=yes log-prefix="B"

I can't figure out what I should put in the srcnat rule that will limit it so it only src-nats packets coming from the public internet. The obvious one, filtering on "in-interface=e1-uplink", isn't possible with srcnat.

What am I missing? Or do I have to add "accept" rules for all the networks I don't want NATted by wg0?

Regards, K.

-- 
Karl Auer (kauer@nullarbor.com.au)      work +61 2 64957435
http://www.nullarbor.com.au           mobile +61 428 957160

----------------------------
Roger Plant
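
The address-list approach from the reply, written out as a RouterOS configuration. This is an added example, not part of either message. The list name "lan" and the 192.168.88.0/24 subnet are constructed placeholders, and the extra match on the forwarded server and port is an assumption added here so that only the port-forwarded connection is masqueraded:

```routeros
# Added example. "lan" and 192.168.88.0/24 are placeholders: list every
# internal subnet whose traffic must keep its own source address over wg0.
/ip firewall address-list
add list=lan address=192.168.88.0/24 comment="placeholder: local LAN"

/ip firewall nat
# srcnat runs after dstnat, so dst-address here is already the translated
# server address. "!lan" matches any source NOT in the address list,
# which leaves only connections that arrived from outside.
add chain=srcnat action=masquerade out-interface=wg0 \
    src-address-list=!lan \
    dst-address=192.168.103.184 protocol=tcp dst-port=85 \
    log=yes log-prefix="B"
```

Because the rule matches only non-LAN sources heading to 192.168.103.184 on TCP/85, other traffic crossing wg0 is not masqueraded and the remote site still sees real internal source addresses in its logs.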