Akram Mokhtar
asked on
Mikrotik Solution
Hello,
I need to make only one IP (our mail server) go through the 2nd internet line,
and the rest of the network through the 1st internet line.
I made that work fine.
But now I need that mail server to send and receive through one public IP address.
I made src-nat and dst-nat for a certain IP address; now this server can go outside with this public IP address, but I cannot connect from outside to this IP address.
What might be the problem here?
I'll put my configuration here.
SLAN - LAN
SWAN - 1st internet Line
SABWAN - 2nd Internet Line
0 ;;; LAN Address
192.168.1.2/24 192.168.1.0 192.168.1.255 SLAN
1 1.1.1.130/28 1.1.1.1 1.1.1.111 SWAN
2 ;;; IP Address - ADSL
2.2.2.244/28 2.2.2.128 2.2.2.143 SABWAN
IP route
0 A S ;;; 1st line Route
0.0.0.0/0 r 1.1.1.129 1 SWAN
1 A S ;;; 2nd Line for Server - Mark Route
0.0.0.0/0 r 2.2.2.241 10 SA..
2 ADC 2.2.2.240/28 2.2.2.243 0 SA..
3 ADC 192.168.1.0/24 192.168.1.2 0 SLAN
4 ADC 1.1.1.128/28 1.1.1.130 0 SWAN
IP mangle
0 ;;; DC
chain=prerouting action=mark-routing new-routing-mark=dc passthrough=no
src-address=192.168.1.1
IP firewall NAT
0 ;;; Source From Mail - Access Outside
chain=srcnat action=src-nat to-addresses=2.2.2.244
src-address=192.168.1.1 out-interface=SABWAN
1 ;;; Destination To Mail - Access Outside
chain=dstnat action=dst-nat to-addresses=192.168.1.1
dst-address=2.2.2.244 in-interface=SABWAN
2 ;;; 1st Line Internet Masquerade
chain=srcnat action=masquerade out-interface=SWAN
3 ;;; 2nd Line Internet Masquerade
chain=srcnat action=masquerade out-interface=SABWAN
All I want is for people to use internet line 1,
this mail server to use internet line 2,
and to be able to access the mail server from outside.
My issue is that I can't access this mail server from outside through the public IP,
and also I don't receive emails from outside.
What model Mikrotik router do you have?
Hi,
First of all, you don't need the explicit src-nat for the mail server outbound - the masquerade rule on that interface will do that job for you.
Secondly, are you attempting to access the mail server via IP address on the primary (SWAN) link? If so, that can't work because the reply packets will go via SABWAN and so be marked with that source address. The reply packets will reach the client OK, but will have the wrong IP address as source, so they will be ignored by the client.
If you want to access the mail server on both interfaces, then you will need to first mark the connection based on what interface the connection comes in on, and then make your mangle rule mark the routing based on the connection mark/s.
Cheers, Mike.
ASKER
My MT is 3.30.
Can you show me how to configure it in a script?
I want all people to go to internet LINE 1,
and I want the mail server (internal IP 192.168.1.1) to use internet line 2 and the public IP address 2.2.2.4. That's what I want to do.
I really don't know how to do it.
ASKER
Sorry, I mean public IP 2.2.2.244,
and I can access it from outside.
ASKER
I want to access it from outside on the same IP address, 2.2.2.244.
Hi,
First, make a masquerade rule for BOTH (/all) outbound links:
/ip firewall nat add chain=srcnat src-address=192.168.1.0/24 action=masquerade
Make sure that the default route is via the first line:
/ip route add dst-address=0.0.0.0/0 gateway=1.1.1.129
Put a routing mark on traffic coming from the mail server:
/ip firewall mangle add chain=prerouting src-address=192.168.1.1 action=mark-routing new-routing-mark=mail
and create a default route for that mark:
/ip route add dst-address=0.0.0.0/0 gateway=2.2.2.243 routing-mark=mail
Last of all, use dst-nat to map the outside 2nd IP to the mail server:
/ip firewall nat add chain=dstnat dst-address=2.2.2.244 action=dst-nat to-addresses=192.168.1.1
Should be all done...
cheers!
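The connection-mark approach from Mike's earlier reply, combined with the steps in this answer, written out as an added RouterOS script (not Mike's or the asker's own configuration). It assumes the interface names SWAN and SABWAN, the gateways 1.1.1.129 and 2.2.2.241 from the question's route table, the router's public addresses 1.1.1.130 and 2.2.2.244, and the mail server at 192.168.1.1; the mark names and the SMTP-only port restriction are my own choices.

```routeros
# Added example: dual-WAN policy routing for one mail server (RouterOS v3-v6
# syntax; v7 uses routing-table= instead of routing-mark= on routes).
# Assumed from the question: SWAN (line 1, gw 1.1.1.129, public 1.1.1.130),
# SABWAN (line 2, gw 2.2.2.241, public 2.2.2.244), mail server 192.168.1.1.

# 1. Outbound NAT for everyone, on both links (masquerade picks the egress IP).
/ip firewall nat add chain=srcnat out-interface=SWAN action=masquerade
/ip firewall nat add chain=srcnat out-interface=SABWAN action=masquerade

# 2. Publish the mail server on line 2's public address, and on line 1's too
#    if it must be reachable on both. Narrowed to SMTP here as a least-exposure
#    choice; drop protocol/dst-port to forward all ports as the reply above does.
/ip firewall nat add chain=dstnat in-interface=SABWAN dst-address=2.2.2.244 \
    protocol=tcp dst-port=25 action=dst-nat to-addresses=192.168.1.1
/ip firewall nat add chain=dstnat in-interface=SWAN dst-address=1.1.1.130 \
    protocol=tcp dst-port=25 action=dst-nat to-addresses=192.168.1.1

# 3. Remember which WAN a connection arrived on (first packet of the flow).
/ip firewall mangle add chain=prerouting in-interface=SABWAN connection-state=new \
    action=mark-connection new-connection-mark=in_sabwan passthrough=yes
/ip firewall mangle add chain=prerouting in-interface=SWAN connection-state=new \
    action=mark-connection new-connection-mark=in_swan passthrough=yes

# 4. Replies from the mail server leave on the link the connection came in on,
#    so the client sees the source address it connected to. Rule order matters:
#    these two must come before the catch-all in step 5.
/ip firewall mangle add chain=prerouting src-address=192.168.1.1 \
    connection-mark=in_sabwan action=mark-routing new-routing-mark=via_sabwan passthrough=no
/ip firewall mangle add chain=prerouting src-address=192.168.1.1 \
    connection-mark=in_swan action=mark-routing new-routing-mark=via_swan passthrough=no

# 5. Everything else the mail server originates goes out via line 2
#    (LAN-to-LAN traffic excluded so it is not pushed to a WAN gateway).
/ip firewall mangle add chain=prerouting src-address=192.168.1.1 \
    dst-address=!192.168.1.0/24 action=mark-routing new-routing-mark=via_sabwan passthrough=no

# 6. Routes: the unmarked default via line 1, plus one default per routing mark.
/ip route add dst-address=0.0.0.0/0 gateway=1.1.1.129 distance=1
/ip route add dst-address=0.0.0.0/0 gateway=2.2.2.241 routing-mark=via_sabwan
/ip route add dst-address=0.0.0.0/0 gateway=1.1.1.129 routing-mark=via_swan
```

To check the result, watch `/ip firewall connection print` for the connection marks while connecting to 2.2.2.244 and 1.1.1.130 from outside; a reply leaving on the wrong interface shows up as a connection that never passes the SYN stage.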