Bridge nat or firewall nat ?

Pilgrim · October 4, 2008, 12:54pm

if the output ports (lan interfaces) are bridged shall I then do the port forwarding in firewall nat or in bridge nat?

rgs Pilgrim

sergejs · October 15, 2008, 1:25pm

I assume you are making NAT between public and local interface. ip firewall nat should be used for this.
Do not forget to enable bridged packets to go through firewall,
interface bridge setting set use-ip-firewall=yes.

Pilgrim · October 23, 2008, 7:53pm

Thank you Sergejs

I didn’t manage to get the setting entered. I tried as pasted in below. Please could you - or any other kind person on the board here give a hint where I am going wrong.

Thanks, Pilgrim

[admin@MikroTik] interface bridge> pr
Flags: X - disabled, R - running
0 R name=“bridge-1” mtu=1500 arp=enabled mac-address=00:0C:42:13:66:18 stp=no priority=32768
ageing-time=5m forward-delay=15s garbage-collection-interval=4s hello-time=2s
max-message-age=20s
[admin@MikroTik] interface bridge> bridge-1
no such command or directory (bridge-1)
[admin@MikroTik] interface bridge> set
numbers: 0
[admin@MikroTik] interface bridge> use-ip-firewall=yes
no such command or directory (use-ip-firewall)
[admin@MikroTik] interface bridge> set use-ip-firewall=yes
no such argument (=)
[admin@MikroTik] interface bridge>

nightstar · October 24, 2008, 11:09am

Pilgrim:

Thank you Sergejs

I didn’t manage to get the setting entered. I tried as pasted in below. Please could you - or any other kind person on the board here give a hint where I am going wrong.

Thanks, Pilgrim

[admin@MikroTik] interface bridge> pr
Flags: X - disabled, R - running
0 R name=“bridge-1” mtu=1500 arp=enabled mac-address=00:0C:42:13:66:18 stp=no priority=32768
ageing-time=5m forward-delay=15s garbage-collection-interval=4s hello-time=2s
max-message-age=20s
[admin@MikroTik] interface bridge> bridge-1
no such command or directory (bridge-1)
[admin@MikroTik] interface bridge> set
numbers: 0
[admin@MikroTik] interface bridge> use-ip-firewall=yes
no such command or directory (use-ip-firewall)
[admin@MikroTik] interface bridge> set use-ip-firewall=yes
no such argument (=)
[admin@MikroTik] interface bridge>

Try:

interface bridge settings set use-ip-firewall=yes
or in winbox click on BRIDGE menu then on the SETTINGS menu and check “use IP firewall”
Which version of RouterOS you are using? looks like this command does not exists in version 2.9.x?

Best regards!

Pilgrim · October 24, 2008, 1:44pm

Thank you Nightstar

Neither of them seems to be possible in my router os. I am running ver. 2.9.51.

Or did I do something wrong again?

Best regards, Pilgrim

Terminal vt102 detected, using multiline input mode
[admin@MikroTik] > interface bridge
[admin@MikroTik] interface bridge> settings
no such command or directory (settings)
[admin@MikroTik] interface bridge> setting
no such command or directory (setting)
[admin@MikroTik] interface bridge>

Pilgrim · October 24, 2008, 1:49pm

In winbox I do not get any “seetings” tab when cliking on the bridge menu. I just get the following.

Best regards Pilgrim

nightstar · October 24, 2008, 4:29pm

Yep…it looks like you need to upgrade to RouterOS 3.x

Best Regards!

Pilgrim · October 27, 2008, 10:56am

Re-visiting this issue I would like to ask if I can not use bridging of the interfaces used for my me LAN in combination with the IP firewall.

The use-ip-firewall is as far as I was able to check not available in ver. 2.9.

I have a routerboard 150 and this board seems not to be compatible with ver. 3.x. So I can’t upgrade unless I buy a new mini router board.

The set up is that I am using Interface “ether1” as public interface and interfaces Ether2 through ether5 is brigded and used for my LAN.

I want of course to be able to do port forwarding and forward packets received through the public interface at a given port to computers on my LAN.

Can this not be done using the the IP firewall in ver. 2.9?

Best regards, Pilgrim

sergejs · October 29, 2008, 2:03pm

For 2.9 version use ‘ip firewall’ menu for NAT and filtering.