Configuring a PC Router

I can’t seem to figure out what is wrong in this configuration. I have my other PC connected to it through telnet and winbox. But I can’t browse.

Below are my configurations:

/ip address add address=217.194.157.77/29 interface=ether1 disabled=no
/ip address add address=192.168.40.1/24 interface=ether1 disabled=no
/ip route add gateway=217.194.157.73
/ip firewall src-nat add out-interface=ether2 action=masquerade
/ip firewall dst-nat add action=nat protocol=tcp dst-address=217.194.157.77 to-dst-address=192.168.0.2
/ip firewall src-nat add src-address=192.168.40.0

Please feel free to spot out where the hole is or what is missing.

Thanks

Paul

IMHO 217.194.157.77/29 should be set on the ether2 interface.

Edgars

What is the dst-nat meant for?
And the second source NAT? Pls examine them very well. If they have no real intention, pls disable them.

What does IMHO mean, please?

AFAIK, IMHO means In My Humble Opinion

Next time use http://www.acronymfinder.com or http://www.dictionary.com :sunglasses:

Thanks guys.

Do you think that the Dst-nat or Src-nat could prevent the other computer on 192.168.40.1 from surfing the net?

Or if I set the 217.XXX.XXX.XX/29 to ether2, will it enable it to surf?

Hi there, lafia or bauni :wink:

remove /ip firewall dst-nat add action=nat protocol=tcp dst-address=217.194.157.77 to-dst-address=192.168.0.2
/ip firewall src-nat add src-address=192.168.40.0

And forget src-nat and dst-nat as tools to forbid somebody to use the net.

You can accomplish something like that via input and forward rules.
The easiest way to do that is to block the MAC address…

Cheers…

P.S. How’s suya these days :wink: I miss that food a lot…

And always do Local traffic on one interface and Public traffic on another…

Like all others have hinted, all you need to be able to browse are the first three lines, followed by: /ip fire src-nat add out-interf=ether2 action=masque proto=all (for more free assistance in Nigeria, call Tony on 08023300004 or 08037264288)

P/S: the serbia guy should note that the suya is more interesting :smiley:

Try This:

/ip address add address=217.194.157.77/29 interface=ether2 disabled=no
/ip address add address=192.168.40.1/24 interface=ether1 disabled=no
/ip route add gateway=217.194.157.73
/ip firewall src-nat add src-address=192.168.40.0/24 out-interface=ether2 action=masquerade

REMOVE THE FOLLOWING
/ip firewall dst-nat add action=nat protocol=tcp dst-address=217.194.157.77 to-dst-address=192.168.0.2
/ip firewall src-nat add src-address=192.168.40.0

The first line I said to remove, /ip firewall dst-nat, does not have a subnet 192.168.0.x associated with it. The default route is going to go back out and Masquerade traffic…Could be ugly unless you have another route added that pushes it down another route.

The second line /ip firewall src-nat… doesn’t do anything. No interfaces are specified, or no destinations are added.

This should all be in the documentation, or any IPTABLES documentation you see on the net.
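The checks discussed in this thread, written as a small config linter. This is an added example, not part of any post above: the function names are hypothetical, the parser only understands the "add" lines of the old RouterOS syntax shown here, and treating RFC 1918 addresses as the LAN side is an assumption.

```python
import ipaddress
import shlex

# Configurations copied from the thread: the original post and the suggested fix.
ORIGINAL = """
/ip address add address=217.194.157.77/29 interface=ether1 disabled=no
/ip address add address=192.168.40.1/24 interface=ether1 disabled=no
/ip route add gateway=217.194.157.73
/ip firewall src-nat add out-interface=ether2 action=masquerade
/ip firewall dst-nat add action=nat protocol=tcp dst-address=217.194.157.77 to-dst-address=192.168.0.2
/ip firewall src-nat add src-address=192.168.40.0
"""
FIXED = """
/ip address add address=217.194.157.77/29 interface=ether2 disabled=no
/ip address add address=192.168.40.1/24 interface=ether1 disabled=no
/ip route add gateway=217.194.157.73
/ip firewall src-nat add src-address=192.168.40.0/24 out-interface=ether2 action=masquerade
"""

def parse(line):
    """Split '/ip address add k=v ...' into (menu, {k: v})."""
    words = shlex.split(line)
    i = words.index("add")
    return " ".join(words[:i]), dict(w.split("=", 1) for w in words[i + 1:])

def lint(config):
    """Return findings for the mistakes pointed out in the thread."""
    addrs, gateways, rules, findings = [], [], [], []
    for line in config.strip().splitlines():
        menu, kv = parse(line)
        if menu == "/ip address":
            addrs.append((ipaddress.ip_interface(kv["address"]), kv["interface"]))
        elif menu == "/ip route":
            gateways.append(ipaddress.ip_address(kv["gateway"]))
        elif menu.startswith("/ip firewall"):
            rules.append((menu.split()[-1], kv))
    # WAN side = interface whose connected subnet contains the default gateway.
    wan = {ifc for a, ifc in addrs for g in gateways if g in a.network}
    lan = {ifc for a, ifc in addrs if a.ip.is_private}  # assumption: RFC 1918 = LAN
    for kind, kv in rules:
        if kind == "src-nat" and "action" not in kv and "out-interface" not in kv:
            findings.append("src-nat rule has no action or out-interface")
        elif kind == "src-nat" and kv.get("out-interface") not in wan:
            findings.append("masquerade out-interface is not the WAN interface")
        elif kind == "dst-nat" and not any(
                ipaddress.ip_address(kv["to-dst-address"]) in a.network for a, _ in addrs):
            findings.append("dst-nat target is not on a connected subnet")
    if wan & lan:
        findings.append("public and private addresses share an interface")
    return findings
```
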

Thanks guys, you really helped a lot.

I appreciate.

I am able to browse now. I will get back to you again.

Paul