dst-nat question

rtr989 · January 26, 2007, 9:42am

i wona to make dst-nat from local address 192.168.0.1:6580 to 66.94.234.13:80

on 192.168.0.1 router i add this:
chain=dstnat dst-address=192.168.0.1 protocol=tcp dst-port=6580
action=dst-nat to-addresses=66.94.234.13 to-ports=80

so, i try to connect on port 6580 on 192.168.0.1 and nothing happen..
in firewall nat i see what packets count, in connection tcp state: syn sent and stop on this…
what is wrong?

firebat · January 26, 2007, 9:50am

You need to setup a dstnat and srcnat as follows:

chain=dstnat dst-address= 66.94.234.13 protocol=tcp dst-port=6580
action=dst-nat to-addresses= 192.168.0.1 to-ports=80

chain=srcnat dst-address= 192.168.0.1 protocol=tcp dst-port=80
action=dst-nat to-addresses= 66.94.234.13 to-ports=6580

rtr989 · January 26, 2007, 9:54am

can u get example?

firebat · January 26, 2007, 9:54am

Was editing response…see above You can open all of the ports to begin with to get it working then alter the config.

firebat · January 26, 2007, 10:02am

You can try just the dstnat example above alone if you want. What I gave is an example of poking a hole in the firewall. With additional ports open, you can put a server on a private IP and have it accessible from the internet.

rtr989 · January 26, 2007, 10:03am

this is wrong..

firebat · January 26, 2007, 10:06am

Possibly. I didnt try it.

Solusan · January 26, 2007, 12:11pm

Hi…

I have a little proble with NAT.

The post is in:

http://forum.mikrotik.com/t/trying-not-to-let-pass-to-an-user-group-to-certain-network/11284/21

I’m a little bit desperate…

very many thanks.

rtr989 · January 26, 2007, 2:26pm

chain=dstnat dst-address=192.168.0.1 protocol=tcp dst-port=6580
action=dst-nat to-addresses=66.94.234.13 to-ports=80

this rule is right?
it is not work!

firebat · January 27, 2007, 3:05am

Can you describe exactly what you are trying to accomplish? Are you trying to access 192.168.0.1 from the internet using public IP 66.94.234.13?

Solusan · January 28, 2007, 9:25pm

Hi,

I have a question about this:

I did this:

Add one rule to chain=forward,
'ip firewall filter add action=jump jump-target=hotspot chain=forward',
set for 'guest' user profile,
'ip hotspot user profile set profile_name incoming-filter=1 outgoing-filter=1', that will redirect current profile traffoc to chain=1.

Add rule to chain 1 to drop traffic with specific dst-address,
'ip firewall filter add chain=1 dst-address=172.0.0.0/8 action=drop'.

And I applied this rule at the user ‘guest’

I did that for locking to the user ‘guest’ couldn’t acceed to 172.0.0.0/8 but as you can see I obtain a drop
But now I would need that the user could redirect to the hotspot home page or to nay error page where the user can be alerted that can not be acceed to the rank
How could I do it?

Many thanks for your help and understanding.

mneumark · January 29, 2007, 6:28am

/ip firewall nat add chain=srcnat src-address=192.168.0.1 protocol=tcp src-port=6580 action=src-nat to-addresses=66.94.234.13 to-ports=80