connect ip firewall with nat

Hi there,

I hope I can find help here, because I’m stuck in combining functions…

First of all, I setup a RB450G and did all the basic things like added user and basic network configuration and here is what I would like to do:

I need to set up a system that acts as a server for the IP address 192.168.2.10 port 5001 from the client address 192.168.2.5. My first task is to “shield” my physical server from the physical client network, which is what I used the router for. So what I did was add a destination NAT that passes the connection attempt through my router and translates the address.

/ip firewall nat add chain=dstnat dst-address=192.168.2.10 protocol=tcp dst-port=5001 action=dst-nat to-addresses=10.0.0.1 to-ports=5001 comment="destination nat"

Which should work fine.

But it is unfortunately a bit more complicated. For redundancy reasons, there is not just one target behind the firewall to connect to. There are 4 computers, of which just one is active as server at a time (they are powered up all the time), and that is where I got stuck. I found a firewall configuration example where a “knock” is used as a trigger event to open access to the router and finally the internet.
My idea was to use this trigger event to change the NAT configuration.

Basically I would like to use:

/ip firewall filter add chain=input protocol=tcp dst-port=1337 action=add-src-to-address-list  address-list=server1 address-list-timeout=1m comment="" disabled=no

For the example 10.0.0.1 to 10.0.0.4 are my server addresses and 10.0.0.6 is the router address.
I also added 4 NAT configurations:

/ip firewall nat add chain=dstnat dst-address=192.168.2.10 protocol=tcp dst-port=5001 action=dst-nat to-addresses=10.0.0.1 to-ports=5001 comment="server1" disabled=yes
/ip firewall nat add chain=dstnat dst-address=192.168.2.10 protocol=tcp dst-port=5001 action=dst-nat to-addresses=10.0.0.2 to-ports=5001 comment="server2" disabled=yes
/ip firewall nat add chain=dstnat dst-address=192.168.2.10 protocol=tcp dst-port=5001 action=dst-nat to-addresses=10.0.0.3 to-ports=5001 comment="server3" disabled=yes
/ip firewall nat add chain=dstnat dst-address=192.168.2.10 protocol=tcp dst-port=5001 action=dst-nat to-addresses=10.0.0.4 to-ports=5001 comment="server4" disabled=yes

My idea is to “knock” on a port from my servers to the router, put that in an address list and use that as the trigger event to activate/deactivate the related translation.

I hope that there is someone out there who can help me, because I’m missing the link between the filter and the NAT configuration.

Thanks,
M

setup is: RouterBoard 450G with RouterOS 6.7

Huh?.. can you try to explain that one more time?.. I’m just a little foggy on exactly what you’re trying to do.

Ok, so here is a more detailed explanation.

I sketched a small drawing where my hardware setup is visible:
Router Konzept.jpg
I have on my end of the setup four servers that work together. All four servers are sharing one communication instance that is opening a server port to a client. This communication instance is redundant on every one of the four servers and unfortunately I can’t predict which one is the “master” one. The four instances are connected to each other, so that in case of error one of the other instances takes its place.
To make that even more complex, my customer, who wants to connect to my server, just wants to open a single IP with a single port.

So my main tasks are:

  1. Translate the outside address to the inside ones.
  2. Find a way to set the route always to the active server.

That’s what I tried to describe in my first attempt, I hope it is more understandable now?

I think I got the first task, since it is a simple network translation. But I’m stuck on how to solve the second one. My first idea was to use netwatch to observe the servers and re-configure the route in case the connection is lost. Unfortunately it seems not possible to watch ports. The IP addresses of the servers are always up, it is just the port that comes up if the server becomes active.
That’s why I came up with the idea that the server that becomes active sends a knock (or some other signal) that pushes a configuration that routes the outside connection attempts to the correct server. I would like to set something up that re-configures the router by simple communication from the server.

M

I already tried to convince my customer that it would be much easier if my servers are the clients and his instance the server. But unfortunately that is not possible, since his side is already fully integrated and can’t be changed.

No one has any idea?

Have you considered scripting to determine which server is up and change the dstnat rules?
http://wiki.mikrotik.com/wiki/Manual:Scripting

You can construct a script and schedule it to run every minute or so to check the servers and change the rules to disable all but one rule.
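One way to wire the knock rule from the first post to the four dstnat rules, as an added example (not from the thread or from MikroTik): a scheduled script reads the address list the knock fills and enables only the dstnat rule whose to-addresses matches the server that announced itself. It assumes the knock rule writes to an address list named active-server (instead of server1) and that the script is saved as sync-dstnat and scheduled every minute.

```routeros
# Assumed scheduler entry:
#   /system scheduler add name=sync-dstnat interval=1m on-event=sync-dstnat
# Assumed knock rule (list renamed from "server1" to "active-server"):
#   /ip firewall filter add chain=input protocol=tcp dst-port=1337 \
#       action=add-src-to-address-list address-list=active-server address-list-timeout=1m

:local knockList "active-server";
:local entries [/ip firewall address-list find where list=$knockList];

:if ([:len $entries] = 0) do={
    # no server knocked within the timeout: keep the current rule set
    :log warning "sync-dstnat: no active server announced, NAT rules unchanged";
} else={
    # if several servers knocked, the first entry wins; make that visible
    :if ([:len $entries] > 1) do={
        :log warning "sync-dstnat: more than one server announced itself";
    }
    :local active [:tostr [/ip firewall address-list get ($entries->0) address]];
    :local changed false;

    # enable only the dstnat rule whose target is the announced server
    :foreach r in=[/ip firewall nat find where chain=dstnat protocol=tcp dst-port=5001] do={
        :local target [:tostr [/ip firewall nat get $r to-addresses]];
        :local wasDisabled [/ip firewall nat get $r disabled];
        :if ($target = $active) do={
            :if ($wasDisabled) do={
                /ip firewall nat enable $r;
                :set changed true;
            }
        } else={
            :if (!$wasDisabled) do={ /ip firewall nat disable $r; }
        }
    }

    # a switch-over only affects new sessions: drop tracked connections to the
    # published address so the client reconnects to the newly active server
    :if ($changed) do={
        /ip firewall connection remove [find where dst-address~"192.168.2.10:5001"];
        :log info ("sync-dstnat: dstnat now points to " . $active);
    }
}
```

The knock port 1337 is reachable only from the inside interface in this design, so the input rule should sit behind the usual input filtering, and the router never changes rules unless a server has knocked within the last minute.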