Community discussions

Search found 13 matches

by neko
Wed May 16, 2012 10:11 am
Forum: General
Topic: Simple road-warrior VPN configuration questions
Replies: 2
Views: 1750

Re: Simple road-warrior VPN configuration questions

We ended up buying ASA for this kind of thing. Currently, a fully-featured road-warrior VPN setup does not seem to be possible on RouterOS at all. For the pure IPsec solution RouterOS lacks mode-cfg. Additionally it is not possible to validate the client's internal address before a (dynamic) p...
by neko
Sun May 13, 2012 3:51 am
Forum: General
Topic: Simple road-warrior VPN configuration questions
Replies: 2
Views: 1750

Simple road-warrior VPN configuration questions

Story: want to configure our RB1100AH as a VPN server so our international employees can "road warrior" in to the main office in the US. Old Solution: we had a pure IPSec VPN (backed by racoon) running on a rather whacked out Netgear FVX538. RWs used Shrew to connect, were not restricted by their I...
by neko
Sun May 13, 2012 3:26 am
Forum: General
Topic: Feature requests
Replies: 1163
Views: 213000

Re: Feature requests

Registering for the wiki and voting seems like something disabled right now (there's only Log In, no create account, or signup link at the login page) so I'm just going to post the features I would really really like here;
* Automatic mapping of DHCP client hostnames into the DNS server, such that...
by neko
Sun May 13, 2012 2:50 am
Forum: General
Topic: Trouble figuring out port forwarding and NAT
Replies: 17
Views: 2753

Re: Trouble figuring out port forwarding and NAT

I'm glad it's working, though the problems that randomly fix themselves are the most annoying ones to deal with. The answer to your question has to do with ARP and the traffic getting to the input interface before it can even get to pre/postrouting. When your upstream provider routes one of the IP ...
by neko
Thu Apr 26, 2012 5:26 pm
Forum: General
Topic: Trouble figuring out port forwarding and NAT
Replies: 17
Views: 2753

Re: Trouble figuring out port forwarding and NAT

Like I said, you can use the torch tools to see what is going on with traffic. This will tell you what is going on, it may not be able to give you as much information as wireshark, but you don't need that level of information. You don't need explicit accept rules unless you have a catch all drop ru...
by neko
Tue Apr 24, 2012 6:30 am
Forum: General
Topic: Trouble figuring out port forwarding and NAT
Replies: 17
Views: 2753

Re: Trouble figuring out port forwarding and NAT

There's no problem with routing. It's something to do with the rules and the way they're interacting. I guess what we have right now is (I tried 5060,10000-20000 and also 5060 and 10000-20000 on separate rules btw) filters: chain=forward action=accept protocol=udp src-address=10.0.19.50 chain=forwa...
by neko
Sun Apr 22, 2012 5:55 pm
Forum: General
Topic: Trouble figuring out port forwarding and NAT
Replies: 17
Views: 2753

Re: Trouble figuring out port forwarding and NAT

You don't need to touch anything in mangle at all for an IP address to work. Mangle is used for policy based routing functions, and QoS mainly. Only if you had multiple routing tables set up like in a failover or load balancing situation would you need it. And the only reason why you would need it t...
by neko
Sun Apr 22, 2012 12:39 am
Forum: General
Topic: Trouble figuring out port forwarding and NAT
Replies: 17
Views: 2753

Re: Trouble figuring out port forwarding and NAT

What IP addresses do you have assigned to the WAN interface of the router? You need to have any IP address that you want to NAT out of or forward for assigned to the router. If you don't have the address assigned it won't know to listen on that address. All of them (.18-.22) although my gut says do...
by neko
Sat Apr 21, 2012 10:37 pm
Forum: General
Topic: Trouble figuring out port forwarding and NAT
Replies: 17
Views: 2753

Re: Trouble figuring out port forwarding and NAT

What IP addresses do you have assigned to the WAN interface of the router? You need to have any IP address that you want to NAT out of or forward for assigned to the router. If you don't have the address assigned it won't know to listen on that address. All of them (.18-.22) although my gut says do...
by neko
Fri Apr 20, 2012 9:38 pm
Forum: General
Topic: Trouble figuring out port forwarding and NAT
Replies: 17
Views: 2753

Re: Trouble figuring out port forwarding and NAT

SRC and DST nat are different chains and processed at different times, so they don't affect each other with order. Your src-nat rule is messed up for the PBX. You want to src-nat the private IP address of the PBX out of a public IP, this means your src-address needs to be the private IP address of ...
by neko
Fri Apr 20, 2012 7:31 pm
Forum: General
Topic: Trouble figuring out port forwarding and NAT
Replies: 17
Views: 2753

Re: Trouble figuring out port forwarding and NAT

Please post your firewall rules with "/ip firewall export". If the rules aren't firing and incrementing there are a few potential causes. The first most likely one is that there is a rule further up the chain that is already matching them, so they never reach the more specific rule for th...
by neko
Fri Apr 20, 2012 3:13 am
Forum: General
Topic: Trouble figuring out port forwarding and NAT
Replies: 17
Views: 2753

Re: Trouble figuring out port forwarding and NAT

Everything that you are looking to do is fairly easy and straightforward. Here are the basic steps that will get you started and most of the way there. /ip firewall nat add action=dst-nat chain=dstnat dst-address=13.14.15.18 to-address=10.0.19.50 add action=src-nat chain=srcnat src-address=10.0.19....
by neko
Thu Apr 19, 2012 8:26 pm
Forum: General
Topic: Trouble figuring out port forwarding and NAT
Replies: 17
Views: 2753

Trouble figuring out port forwarding and NAT

Here's the scenario; ISP has given us a block of IP addresses which we will call 13.14.15.16/29. ISP gateway is at .17. RB1100AH at .18, on a port we renamed "wan1". Usable IP addresses after that are 13.14.15.19, 13.14.15.20, 13.14.15.21, 13.14.15.22. Internal network is 10.0.16.0/21. RB1100AH is at...