Another NAT question

Hello. I'm having quite a time re-configuring MikroTik RouterOS 2.9.6 after replacing a NIC that went bad. When I originally configured the box I was running 2.8 (but have since upgraded) and the how-to documents covering NATing of external IPs to local machines don't cover the syntax changes in version 2.9.6.

Here's what I have:

[admin@MikroTik] interface> print
Flags: X - disabled, D - dynamic, R - running

NAME TYPE RX-RATE TX-RATE MTU

0 R Local ether 0 0 1500
1 R Public ether 0 0 1500

[admin@MikroTik] ip address> print
Flags: X - disabled, I - invalid, D - dynamic

ADDRESS NETWORK BROADCAST INTERFACE

0 70.x.x.x/24 70.x.x.0 70.x.x.255 Public
1 192.168.0.254/24 192.168.0.0 192.168.0.255 Local
2 70.x.x.x/24 70.x.x.0 70.x.x.255 Public

[admin@MikroTik] ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat out-interface=Public src-address=192.168.0.2 action=src-nat to-addresses=70.x.x.x to-ports=0-65535

1 chain=dstnat in-interface=Public dst-address=70.x.x.x action=dst-nat to-addresses=192.168.0.10 to-ports=0-65535

2 chain=srcnat out-interface=Public action=masquerade

The dstnat & srcnat are for a web server I have located on the local network that I need to have accessible from the WAN (Public) interface. The problem is that when I try to go to the web server in a browser I get the MikroTik instead of the web page on that server. I read a post with an identical problem and solution but it was in reference to V 2.8. As stated many times in the forum, the syntax of the commands has changed, and I don't understand the documentation well enough to translate it.

To add even more frustration, I have 2 WinXP machines on the local network I need to access remotely using remote desktop. As stated before, I had this all set up on the previous version of MikroTik so the 2 machines have already been configured to accept remote connections on port 3389 (machine A) and port 3395 (machine B). I haven't even attempted to set up the port-forwarding yet. This is why they don't show up in my NAT rules.

Any help would be GREATLY appreciated!

Thanks

My nat is working fine in 2.9.
One difference I see in my rules from yours is that I don't specify an interface.

ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat src-address=192.168.0.47 action=src-nat to-addresses=166.59.194.57 to-ports=0-65535

1 ;;; masquerade hotspot network
chain=srcnat src-address=10.20.7.0/24 action=masquerade

2 ;;; masquerade private network
chain=srcnat src-address=192.168.0.0/24 action=masquerade

ip address> print
Flags: X - disabled, I - invalid, D - dynamic

ADDRESS NETWORK BROADCAST INTERFACE

0 ;;; WAN IP
166.59.194.58/24 166.59.194.0 166.59.194.255 public
1 10.20.7.1/24 10.20.7.0 10.20.7.255 hotspot
2 192.168.0.10/24 192.168.0.0 192.168.0.255 private
3 ;;; ip for 192.168.0.47
166.59.194.57/24 166.59.194.0 166.59.194.255 public

To Bert5150:
rule number 0 is useless because this natting is performed by masquerading in rule number 2.

rule 0 gives me a unique IP address for that one PC, the others use the masquerade rule and show the WAN IP address.

My message was not for you (jaytcsd) but for Bert5150…

I made the suggested changes to the following:

[admin@MikroTik] ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=dstnat dst-address=70.x.x.x action=dst-nat to-addresses=192.168.0.2 to-ports=0-65535

1 chain=srcnat out-interface=Public action=masquerade

Now I’m not getting the MikroTik or anything else. The web browser times out saying it couldn’t find the server. Any ideas?

Thanks

When you want to redirect only web connections to your internal web server, it is of course necessary to specify port 80 for both dst-port and to-ports parameters in your dstnat rule.

I corrected the web server issue with a src-nat rule. It’s now working fine.

I’m now working on getting WinXP’s remote desktop through the MikroTik. Here’s what I have:

[admin@MikroTik] ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=dstnat dst-address=70.x.x.10 action=dst-nat to-addresses=192.168.0.2 to-ports=0-65535

1 chain=srcnat dst-address=192.168.0.2 action=src-nat to-addresses=70.x.x.10 to-ports=0-65535

2 chain=dstnat dst-address=70.x.x.9 protocol=tcp dst-port=3395 action=dst-nat to-addresses=192.168.0.5
to-ports=3395

3 chain=dstnat dst-address=70.x.x.9 protocol=udp dst-port=3395 action=dst-nat to-addresses=192.168.0.5
to-ports=3395

4 chain=srcnat out-interface=Public action=masquerade

There are two XP machines on the network, so I changed the port number RDP listens on to port 3395 on the second machine. The default port number is 3389, and I haven’t even bothered with that machine yet.

Thanks for all your help so far. I’ll buy you a beer sometime. :smiley:

  1. Rule number 1 is useless because this natting is performed by masquerading in rule number 4.

  2. RDP uses only a TCP connection, so rule number 3 is useless.

  3. It is not necessary to change any default RDP port. You can use, for example, this:

chain=dstnat dst-address=70.x.x.9 protocol=tcp dst-port=35333 action=dst-nat to-addresses=IP1 to-ports=3389

chain=dstnat dst-address=70.x.x.9 protocol=tcp dst-port=35334 action=dst-nat to-addresses=IP2 to-ports=3389

where IP1 and IP2 are the internal addresses of these two PCs. Access to these PCs from the internet is performed through 70.x.x.9:35333 and 70.x.x.9:35334 respectively.

Do not buy me beer, save your money and use it rather to improve your networking skills…

Actually.. Rule #1 isn’t useless, he has a 1:1 NAT setup. There are two public IP addresses assigned to the Public interface because he wants the webserver to appear as if it is not NAT’d. If he had connections coming from one IP address but left on another IP address then it would break the TCP connection. The rest of your suggestions look good. :slight_smile:

Yes, you are right about 1:1 NAT, but there is a question of why to do it this way.
What are the advantages of this solution compared to my solution of natting only web connections? In my opinion it is better to have only certain connections explicitly allowed to the internal network, because you can exactly specify what to allow and what to drop.
What do you think about this?

Oh I agree 100%… I think it’s better to explicitly allow the services you want to go to that host and drop everything else. Otherwise your server is just waiting to be compromised by some cunning 13 year old armed with subseven bots and the like..

This can still be done in the firewall’s forward filter, it doesn’t necessarily have to be done with multiple NAT rules. And you still want to make sure that connections coming in on one IP address are leaving on that same IP. So leaving the 1:1 NAT might not be a bad idea, and just add some firewall rules.

Anyway back to the original poster,

Is your problem resolved or are you still having issues with the NAT setup?
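The review points raised above (a dst-nat rule with to-ports=0-65535 and no protocol/dst-port forwards every service on the internal host, a UDP forward for RDP does nothing, and a src-nat rule is redundant with masquerade unless it is the outbound half of a 1:1 NAT pair) can be turned into a small check over the output of "ip firewall nat print". This is an added example, not code from the thread or from MikroTik; the rule lines it parses are constructed to mirror the listings posted above, and the 70.x.x.* addresses are the thread's own placeholders.

```python
import re

# Constructed sample in the shape of the poster's final "ip firewall nat print" listing.
SAMPLE_RULES = [
    "0 chain=dstnat dst-address=70.x.x.10 action=dst-nat to-addresses=192.168.0.2 to-ports=0-65535",
    "1 chain=srcnat dst-address=192.168.0.2 action=src-nat to-addresses=70.x.x.10 to-ports=0-65535",
    "2 chain=dstnat dst-address=70.x.x.9 protocol=tcp dst-port=3395 action=dst-nat to-addresses=192.168.0.5 to-ports=3395",
    "3 chain=dstnat dst-address=70.x.x.9 protocol=udp dst-port=3395 action=dst-nat to-addresses=192.168.0.5 to-ports=3395",
    "4 chain=srcnat out-interface=Public action=masquerade",
]

# Default RDP port plus the custom one the poster moved machine B to (TCP only, per the reply).
RDP_PORTS = {"3389", "3395"}


def parse_rule(line):
    """Turn one 'N key=value key=value ...' print line into a dict of its parameters."""
    return {k: v for k, v in re.findall(r"(\S+?)=(\S+)", line)}


def lint_nat(rule_lines):
    """Return a list of (rule_index, message) for the problems discussed in the thread."""
    rules = [parse_rule(l) for l in rule_lines if "=" in l]
    findings = []
    has_masquerade = any(r.get("action") == "masquerade" for r in rules)
    # Public addresses that a dst-nat rule maps inward; a src-nat back to one of these is 1:1 NAT.
    dstnat_public = {r.get("dst-address") for r in rules if r.get("action") == "dst-nat"}
    for i, r in enumerate(rules):
        if r.get("action") == "dst-nat":
            if "protocol" not in r or "dst-port" not in r:
                findings.append((i, "dst-nat without protocol/dst-port exposes every port on "
                                    + r.get("to-addresses", "?") + "; restrict to the needed service"))
            if r.get("protocol") == "udp" and r.get("to-ports") in RDP_PORTS:
                findings.append((i, "RDP uses TCP only; this UDP forward matches nothing useful"))
        elif r.get("action") == "src-nat" and has_masquerade:
            if r.get("to-addresses") not in dstnat_public:
                findings.append((i, "src-nat is covered by the masquerade rule unless a distinct "
                                    "public IP is intended; pair it with a dst-nat for 1:1 NAT"))
    return findings


if __name__ == "__main__":
    for idx, msg in lint_nat(SAMPLE_RULES):
        print("rule %d: %s" % (idx, msg))
```

Rule 1 is deliberately not flagged: its to-addresses matches the dst-address of rule 0, which is the 1:1 NAT pairing defended later in the thread.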