chain=input action=accept protocol=tcp dst-port=22
chain=dstnat action=dst-nat to-addresses=192.168.3.100 to-ports=22
protocol=tcp dst-port=22
chain=input action=accept protocol=tcp dst-port=22
chain=dstnat action=dst-nat to-addresses=192.168.3.100 to-ports=22
protocol=tcp dst-port=22
chain=input action=accept protocol=tcp dst-port=222
chain=dstnat action=dst-nat to-addresses=192.168.3.100 to-ports=222
protocol=tcp dst-port=22
You are right, so 'dst-nat' should work even without an 'accept' action in the firewall input rules. dst-nat happens right after prerouting.
0 ;;; default configuration
address=192.168.3.200/24 network=192.168.3.0 broadcast=192.168.3.255
interface=ether2-local-master actual-interface=ether2-local-master
1 ;;; hotspot network
address=192.168.88.1/24 network=192.168.88.0 broadcast=192.168.88.255
interface=Hostpot actual-interface=Hostpot
2 D address=68.231.31.95/22 network=68.231.28.0 broadcast=68.231.31.255
interface=ether1-gateway actual-interface=ether1-gateway
0 ADS dst-address=0.0.0.0/0 gateway=68.231.28.1
gateway-status=68.231.28.1 reachable ether1-gateway distance=1
scope=30 target-scope=10
1 ADC dst-address=68.231.28.0/22 pref-src=68.231.31.95 gateway=ether1-gateway
gateway-status=ether1-gateway reachable distance=0 scope=10
2 ADC dst-address=192.168.3.0/24 pref-src=192.168.3.200
gateway=ether2-local-master
gateway-status=ether2-local-master reachable distance=0 scope=10
3 ADC dst-address=192.168.88.0/24 pref-src=192.168.88.1 gateway=Hostpot
gateway-status=Hostpot reachable distance=0 scope=10
Hi, could someone help me? I have the same issue, and no firewall rules.
The weirdest thing is that the RB sees the packets (in the NAT rule) but doesn't link the connection.
I will copy here the print asked for in a previous post.
/ip address print detail
0 ;;; default configuration
address=192.168.88.1/24 network=192.168.88.0 interface=WAN
actual-interface=WAN
1 address=192.168.0.1/24 network=192.168.0.0 interface=CAIB LAN
actual-interface=CAIB LAN
2 address=192.168.10.1/24 network=192.168.10.0 interface=2nd Floor
actual-interface=2nd Floor
3 D address=A.B.C.D/24 network=A.B.C.0 interface=WAN
actual-interface=WAN
/ip route print detail
0 ADS dst-address=0.0.0.0/0 gateway=A.B.C.D
gateway-status=A.B.C.D reachable via WAN distance=0
scope=30 target-scope=10 vrf-interface=WAN
1 ADC dst-address=A.B.C.0/24 pref-src=A.B.C.D55 gateway=WAN
gateway-status=WAN reachable distance=0 scope=10
2 ADC dst-address=192.168.0.0/24 pref-src=192.168.0.1 gateway=CAIB LAN
gateway-status=CAIB LAN reachable distance=0 scope=10
3 ADC dst-address=192.168.10.0/24 pref-src=192.168.10.1
gateway=2nd Floor gateway-status=2nd Floor reachable distance=0
scope=10
4 ADC dst-address=192.168.88.0/24 pref-src=192.168.88.1 gateway=WAN
gateway-status=WAN reachable distance=0 scope=10
/ip firewall export
add address=192.168.0.0/24 list="CAIB LAN"
add address=192.168.0.1 list="CAIB RB"
add address=192.168.0.5 list=XBONE
add address=192.168.0.15 list=ALIEN
add address=192.168.0.10 list=BMU
/ip firewall nat
add action=masquerade chain=srcnat comment="Gateway CAIB" \
out-interface=WAN src-address=192.168.0.0/24
add action=masquerade chain=srcnat comment="Gateway Analia" \
out-interface=WAN src-address=192.168.10.0/24
add action=masquerade chain=srcnat out-interface=WAN
add action=dst-nat chain=dstnat comment="XBONE STREAMMING" protocol=tcp \
src-port=5050 to-addresses=192.168.0.5 to-ports=5050
add action=dst-nat chain=dstnat protocol=tcp src-port=4838 \
to-addresses=192.168.0.5 to-ports=4838
add action=dst-nat chain=dstnat protocol=udp src-port=5050 \
to-addresses=192.168.0.5 to-ports=5050
add action=dst-nat chain=dstnat protocol=udp src-port=4838 \
to-addresses=192.168.0.5 to-ports=4838
add action=dst-nat chain=dstnat comment="ALIEN STEAM" protocol=udp \
src-port=4380 to-addresses=192.168.0.15 to-ports=4380
add action=dst-nat chain=dstnat protocol=tcp src-port=4380 \
to-addresses=192.168.0.15 to-ports=4380
add action=dst-nat chain=dstnat comment=TEST dst-port=3389 log=yes \
protocol=tcp to-addresses=192.168.0.228 to-ports=3389
I am just testing with the last rule named "TEST" to remote desktop to a local computer in the network.
Thanks.
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=1.1.1.1 dst-port=8000 protocol=\
tcp to-addresses=192.168.0.15 to-ports=22
[Roger@trk-mtk-01] /ip> address print detail
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; defconf
address=192.168.0.1/24 network=192.168.0.0 interface=ether2-master actual-interface=bridge
1 address=64.251.74.211/29 network=64.251.74.208 interface=ether1 actual-interface=ether1
[Roger@trk-mtk-01] /ip> route print detail
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
0 A S dst-address=0.0.0.0/0 gateway=64.251.74.209 gateway-status=64.251.74.209 reachable via ether1 distance=1 scope=30 target-scope=10
1 ADC dst-address=64.251.74.208/29 pref-src=64.251.74.211 gateway=ether1 gateway-status=ether1 reachable distance=0 scope=10
2 ADC dst-address=192.168.0.0/24 pref-src=192.168.0.1 gateway=bridge gateway-status=bridge reachable distance=0 scope=10
[Roger@trk-mtk-01] /ip> firewall export
# oct/18/2016 14:37:27 by RouterOS 6.34.3
# software id = 5AVW-BE3W
#
/ip firewall filter
add chain=input comment="defconf: accept ICMP" protocol=icmp
add chain=input comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=ether1
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=ether1
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=ether1
add action=dst-nat chain=dstnat comment="RT - SSH" dst-address=64.251.74.211 dst-port=22 protocol=tcp to-addresses=192.168.0.11 to-ports=22
add action=dst-nat chain=dstnat comment="RT - SMTP" dst-address=64.251.74.211 dst-port=25 protocol=tcp to-addresses=192.168.0.11
add action=dst-nat chain=dstnat comment="RT - HTTP" dst-address=64.251.74.211 dst-port=80 protocol=tcp to-addresses=192.168.0.11
add action=dst-nat chain=dstnat comment="RT - HTTPS" dst-address=64.251.74.211 dst-port=443 protocol=tcp to-addresses=192.168.0.11
add action=dst-nat chain=dstnat comment="TRK-KVM-01 - SSH" dst-address=64.251.74.211 dst-port=2220 protocol=tcp to-addresses=192.168.0.20 to-ports=22
add action=dst-nat chain=dstnat comment="TRK-KVM-03 - SSH" dst-address=64.251.74.211 dst-port=2210 in-interface=ether1 log=yes protocol=tcp to-addresses=192.168.0.10 to-ports=22
Hi Paul, I resolved the problem!
One of the comments on another thread was where someone pointed out the importance of the target VM having the right gateway. I had multiple "default" gateways because the host has guests on different networks.
The short story: once I correctly configured the guests' gateway to point to the RB 3011, everything just started working.
I hope that helps someone else.
Paul
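The resolution above (the guest's default gateway has to be the RB) and the earlier point that dst-nat is applied in prerouting are easier to see in a small model of the packet path. This is an added example, not code from the thread or from RouterOS; the router and server addresses follow Roger's export, while the client 203.0.113.5 and the second gateway 192.168.0.254 are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class RB:
    """Model of the MikroTik: dstnat rules keyed by WAN dst-port plus a conntrack table."""

    def __init__(self, wan_ip, lan_ip, dstnat):
        self.wan_ip, self.lan_ip = wan_ip, lan_ip
        self.dstnat = dstnat      # dst-port -> (to-addresses, to-ports)
        self.conntrack = {}       # (client ip, client port) -> (wan dport, lan ip, lan port)

    def from_wan(self, pkt):
        # dst-nat runs in prerouting, before the input/forward filters,
        # so no 'input accept' for the forwarded port is required.
        hit = self.dstnat.get(pkt.dport)
        if pkt.dst != self.wan_ip or hit is None:
            return None           # 'drop all from WAN not DSTNATed'
        self.conntrack[(pkt.src, pkt.sport)] = (pkt.dport, *hit)
        return Packet(pkt.src, pkt.sport, hit[0], hit[1])

    def from_lan(self, pkt):
        # Reply path: conntrack restores the public address and the original port.
        entry = self.conntrack.get((pkt.dst, pkt.dport))
        if entry is None or entry[1:] != (pkt.src, pkt.sport):
            return None           # no tracked connection: 'drop invalid'
        return Packet(self.wan_ip, entry[0], pkt.dst, pkt.dport)


def plain_gateway(pkt):
    """A second default gateway that knows nothing about the RB's conntrack."""
    return pkt


def make_rb():
    return RB("64.251.74.211", "192.168.0.1",
              {22: ("192.168.0.11", 22), 2220: ("192.168.0.20", 22)})


def ssh_forward_works(rb, wan_port, guest_gateway):
    """Client SYN to WAN:wan_port, guest SYN-ACK sent via its default gateway.
    The client only accepts a reply that comes from the address:port it dialled."""
    client = ("203.0.113.5", 40000)                    # constructed external client
    inside = rb.from_wan(Packet(client[0], client[1], rb.wan_ip, wan_port))
    if inside is None:
        return False
    syn_ack = Packet(inside.dst, inside.dport, inside.src, inside.sport)
    reply = rb.from_lan(syn_ack) if guest_gateway == rb.lan_ip else plain_gateway(syn_ack)
    return reply is not None and (reply.src, reply.sport) == (rb.wan_ip, wan_port)
```

With the guest's gateway set to 192.168.0.1 the reply is un-NATed and the forward works for both 22 and 2220; with any other gateway the SYN-ACK leaves from the private address and the client never completes the handshake.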