I'm running some experiments with Metarouter and trying to find a solution that suits my needs. What I noticed is that zero packets are going through any of the chains in the Metarouter's firewall: filter, nat or prerouting. That surprised me very much. Here is my host router config (ether1 is the public interface):
[admin@MikroTik] > ip address print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK INTERFACE
0 192.168.1.254/24 192.168.1.0 ether2
1 192.168.3.7/24 192.168.3.0 ether1
2 110.32.0.1/24 110.32.0.0 vif1
[admin@MikroTik] > ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 A S 0.0.0.0/0 192.168.3.254 1
1 ADC 110.32.0.0/24 110.32.0.1 vif1 0
2 ADC 192.168.1.0/24 192.168.1.254 clients 0
3 ADC 192.168.3.0/24 192.168.3.7 ether1 0
[admin@MikroTik] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=masquerade
1 chain=dstnat action=dst-nat to-addresses=192.168.1.253 to-ports=8291
protocol=tcp dst-address=192.168.1.254 dst-port=8111
[admin@MikroTik] > interface bridge print
Flags: X - disabled, R - running
0 R name="clients" mtu=1500 l2mtu=1522 arp=enabled
mac-address=00:0C:42:07:D5:E1 protocol-mode=none
auto-mac=yes admin-mac=00:00:00:00:00:00 max-mess
forward-delay=15s transmit-hold-count=6 ageing-ti
[admin@MikroTik] > interface bridge port print
Flags: X - disabled, I - inactive, D - dynamic
# INTERFACE BRIDGE PRIORITY PATH-COST HORIZON
0 ether2 clients 0x80 10 none
1 D vif2 clients 0x80 10 none
[admin@MikroTik] > metarouter interface print
Flags: X - disabled, A - active
# VIRTUAL-MACHINE TYPE STATIC-INTERFACE VM-MAC-ADDRESS
0 A mr1 dynamic 02:82:94:5A:3F:DA
1 A mr1 dynamic 02:62:8C:BC:81:9A
[admin@RouterOS] > ip address print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK INTERFACE
0 110.32.0.2/24 110.32.0.0 ether1
1 192.168.1.253/24 192.168.1.0 ether2
[admin@RouterOS] > ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 A S 0.0.0.0/0 110.32.0.1 1
1 ADC 110.32.0.0/24 110.32.0.2 ether1 0
2 ADC 192.168.1.0/24 192.168.1.253 ether2 0
[admin@RouterOS] > ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=forward action=reject reject-with=icmp-admin-prohibited protocol=icmp
1 chain=input action=reject reject-with=icmp-network-unreachable protocol=icmp
2 chain=output action=reject reject-with=icmp-network-unreachable protocol=icmp
[admin@RouterOS] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=masquerade