MikroTik 1:1 NAT

A question for the MikroTik experts. Probably a simple question but being new to MikroTik I want to make sure I get this right.

I have a customer requiring a Dual WAN setup. The customer has three devices:
- PIX Firewall (airCloud Public IP1)
- Exchange Server (airCloud Public IP2)
- Barracuda AntiSpam (airCloud Public IP3)

We are installing an RB532 configured as follows:
Eth1 - WAN1 airCloud Wireless
Eth2 - WAN2 airCloud DSL service
Eth3 - LAN Customer Network


When WAN1 is up (default route is responding to ping), Eth1 and Eth3 are bridged. If WAN1 goes down, WAN2 goes active. (We know this all works correctly from another similar installation)


In this case I need to do a 1:1 NAT that maps three DSL IPs bound to Eth2 to the three airCloud IPs on the PIX, Exchange, and Barracuda servers.


My question is: How would you do it? I’m pretty confused as to what to assign under

srcnat/dstnat
Masquerade/netmap
SrcAddress/DstAddress
InInterface/OutInterface.

I’m using WinBox primarily.

Any help would be greatly appreciated! I have to install this Thursday and I want to be sure I have it right.


Side Note:
We have already taken care of the mail DNS through multiple MX records with priority.

Thanks in advance

Jerry,

I think you should simply add two NAT rules for every NAT 1:1 association as follows:

rule #1:
chain: srcnat
src-address: private IP on eth2
action: netmap
to-addresses: public IP on WAN2

rule #2:
chain: dstnat
dst-address: public IP on WAN2
action: netmap
to-addresses: private IP on eth2


If the three IPs (public and private) are consecutive, you only need these two rules (using proper ranges, look at RouterOS 2.9 manual, page 409), otherwise you will need 2x3 rules.

Ciao
Massimo

Hi Jerry,

Do you need any more information on this?

Ron

Actually, as busy as I have been I have not touched it. Hoping to work on it tonight.

Thanks

Two rules per IP you want to assign.

Let's say you want an outside address of 123.123.123.2
and your inside 192.168.1.123

NAT RULE under IP -> Firewall -> NAT:

1st Rule
General:
Chain = dstnat
Dst Address = 123.123.123.2
Action:
Action = dst-nat
To Address = 192.168.1.123
To Ports = 0-65535

2nd Rule
General:
Chain = srcnat
Src Address = 192.168.1.123
Action:
Action = src-nat
To Address = 123.123.123.2
To Ports = 0-65535

You can also make this particular to one port access if you like by assigning a port and the protocol type if you like. But this will set up one IP address one to one NAT.

-Sincerely,
DesertAdmin
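
Added example, not part of any post in this thread: a Python helper that turns a list of outside/inside address pairs into the two-rules-per-mapping netmap form described in the replies, collapsing consecutive addresses into one range pair and rejecting any address used twice. The interface name `ether2`, the sample addresses (documentation ranges) and the `in-interface`/`out-interface` scoping to the WAN2 port are assumptions; the range form follows Massimo's reply and should be checked against the RouterOS manual for the version in use.

```python
import ipaddress

# Constructed sample mapping (documentation address ranges, not from the thread):
# outside = address bound to the WAN2 interface, inside = the server's own address.
SAMPLE = [("203.0.113.10", "198.51.100.20"),
          ("203.0.113.11", "198.51.100.21"),
          ("203.0.113.12", "198.51.100.22")]

def _runs(pairs):
    """Group pairs into runs where outside and inside both advance by one."""
    nums = sorted((int(ipaddress.IPv4Address(o)), int(ipaddress.IPv4Address(i)))
                  for o, i in pairs)
    # A 1:1 mapping breaks if any address appears twice on either side.
    for side in (0, 1):
        seen = [p[side] for p in nums]
        if len(seen) != len(set(seen)):
            raise ValueError("address used in more than one mapping")
    groups = []
    for pair in nums:
        if groups and groups[-1][-1] == (pair[0] - 1, pair[1] - 1):
            groups[-1].append(pair)
        else:
            groups.append([pair])
    return groups

def _span(values):
    """Render one address, or a first-last range for a run."""
    first, last = ipaddress.IPv4Address(values[0]), ipaddress.IPv4Address(values[-1])
    return str(first) if first == last else f"{first}-{last}"

def nat_rules(pairs, wan_if="ether2"):  # interface name is an assumption
    """Return the dstnat/srcnat netmap rule pair for each run of mappings."""
    rules = []
    for group in _runs(pairs):
        outside = _span([o for o, _ in group])
        inside = _span([i for _, i in group])
        rules.append(f"/ip firewall nat add chain=dstnat in-interface={wan_if} "
                     f"dst-address={outside} action=netmap to-addresses={inside}")
        rules.append(f"/ip firewall nat add chain=srcnat out-interface={wan_if} "
                     f"src-address={inside} action=netmap to-addresses={outside}")
    return rules

if __name__ == "__main__":
    print("\n".join(nat_rules(SAMPLE)))
```

Scoping each rule to the WAN2 interface keeps the translation from applying to traffic that leaves through the bridged WAN1 path.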