wn/minimal-setups
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Mikrotik, 9
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful
Details

Browse Source
This commit is contained in:
Wolfgang Hottgenroth
2025-04-15 22:56:08 +02:00
parent 9d42f32059
commit 1c6fc37d65
1 changed files with 1 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
content/snippets/0250-configuring-a-mikrotik.md
View File

@ -93,7 +93,7 @@ This is working perfectly in the current setup using a LANCOM router. But when s
It was a lot of debugging to understand the problem: the masquarading rule (`srcnat`), which is bound to the outgoing interface WAN is not triggered, because packets are no leaving the router through the WAN interface since they are addressed to an address which is configured directly on the router. Those, the source address of the packets will not be rewritten. The port-forwarding rule (`dstnat`) in turn is triggered, because a configured port is accessed via the public address of the router. The service itself consequently sees the original source address of the packet (the actual client address, which is in the scope of the router) and sends response packets to this address. These packets will be routed directly to the client without passing the connection handling of the masquarading engine. And then, the client sends to the public address of the router and receives directly from the service and thereby can not associate the request and response packet to the same connection.
The solution is to setup a dedicated masquarading rule which has the service addresses as `dst-address` condition and the addresses of the internal client networks as `src-address` condition. This rule will be triggered in the above described scenario and the source address is replaced by the local address of the interface, where the packet is leaving the router. That in turn will be used by the server to send responses to and then is handling correctly by the masquarading engine.
The solution is to setup a dedicated masquarading rule which has the service addresses as `dst-address` condition and the addresses of the internal client networks as `src-address` condition. This rule will be triggered in the above described scenario and the source address is replaced by the local address of the interface, where the packet is leaving the router. That in turn will be used by the server to send responses to, which are then handled correctly by the masquarading engine.
In the end I came to this rule: