1:1 Nat issue in 3.12 and 3.13

I had this working in 3.10; I don't know about 3.11. It is not working in 3.12 or 3.13.

I had added these lines to 1:1 NAT and block all ports except those I opened.

The issue is with the first line: MT won't let me add this line. I get "failure: to-ports valid only for tcp/udp".
How can I do this now?

#Generator
/ip firewall nat add chain=dstnat dst-address=x.x.x.x action=dst-nat to-addresses=192.168.107.12 to-ports=0 comment=Generator

/ip firewall nat add chain=srcnat src-address=192.168.107.12 action=src-nat to-addresses=x.x.x.x

/ip firewall nat add chain=dstnat dst-address=x.x.x.x protocol=tcp dst-port=22 action=dst-nat to-addresses=192.168.107.12 to-ports=22

/ip firewall nat add chain=dstnat dst-address=x.x.x.x protocol=tcp dst-port=443 action=dst-nat to-addresses=192.168.107.12 to-ports=443

hm… just exclude ‘to-ports=0’ from that line =)
or add ‘protocol=tcp’, if you want only tcp packets to nat

If I exclude to-ports=0 will the MT block all ports?

Use '/ip firewall filter' to block packets, not '/ip firewall nat'. Natting is a completely separate function from firewalling.
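
The split suggested in the reply above, as an added example that is not part of the original thread: the NAT rules only translate addresses, and the port restriction moves to the forward chain of the filter. It reuses the thread's placeholder x.x.x.x and host 192.168.107.12; the rule order, the separate connection-state rules and the comments are assumptions.

```routeros
# 1:1 NAT: translate only, no port restriction here.
# to-ports is omitted, so the rule is accepted without protocol=tcp/udp.
/ip firewall nat add chain=dstnat dst-address=x.x.x.x action=dst-nat \
    to-addresses=192.168.107.12 comment="Generator 1:1 in"
/ip firewall nat add chain=srcnat src-address=192.168.107.12 action=src-nat \
    to-addresses=x.x.x.x comment="Generator 1:1 out"

# Filtering: dst-nat is applied before the forward chain, so the filter
# rules match the translated (internal) address, not x.x.x.x.
# Replies to connections that are already tracked:
/ip firewall filter add chain=forward dst-address=192.168.107.12 \
    connection-state=established action=accept comment="Generator: established"
/ip firewall filter add chain=forward dst-address=192.168.107.12 \
    connection-state=related action=accept comment="Generator: related"

# The two ports the thread wants reachable:
/ip firewall filter add chain=forward dst-address=192.168.107.12 \
    protocol=tcp dst-port=22 action=accept comment="Generator: SSH"
/ip firewall filter add chain=forward dst-address=192.168.107.12 \
    protocol=tcp dst-port=443 action=accept comment="Generator: HTTPS"

# Everything else forwarded to the host is dropped. This rule must stay
# below the accept rules; filter rules are evaluated top to bottom.
# As written it covers all forwarded traffic to the host; add in-interface
# with the WAN interface name to limit it to traffic arriving from outside.
/ip firewall filter add chain=forward dst-address=192.168.107.12 \
    action=drop comment="Generator: drop the rest"
```

With this layout the per-port dst-nat rules for 22 and 443 are no longer needed, because the single 1:1 dst-nat rule already translates them.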

I was told a while back that this rule:
/ip firewall nat add chain=dstnat dst-address=x.x.x.x action=dst-nat to-addresses=192.168.107.12 to-ports=0
would block or not allow traffic to any ports then open up the ports that I wanted open like this:
/ip firewall nat add chain=dstnat dst-address=x.x.x.x protocol=tcp dst-port=22 action=dst-nat to-addresses=192.168.107.12 to-ports=22

IMHO, it's like pulling out a tooth through the ass…