zack
August 22, 2005, 11:50am
1
I have one public IP address and want to redirect port 3389 to internal IP address 10.10.10.3
The following config does not work:
ip firewall dst-nat add action=nat protocol=tcp dst-address=xx.xx.xx.xx/32:3389 to-dst-address=10.10.10.3 disabled=no
Maybe I must do something with the firewall, because when I scan the public IP with nmap it is “closed”.
cmit
August 22, 2005, 12:41pm
2
You should take care that your forward firewall rules also let this traffic through - perhaps it’s blocked at that level?
zack
August 22, 2005, 1:42pm
3
[admin@BR7] ip firewall> print detail
0 name="input" policy=accept
1 name="forward" policy=accept
2 name="output" policy=accept
[admin@BR7] ip firewall>
What do I need to add? Or is everything fine? Where can I find good info about Mikrotik firewalls?
cmit
August 22, 2005, 1:55pm
4
Post the output of “/ip firewall forward print without-paging” - this will show us (and you) if there are any rules in the forward chain that block your dst-natted traffic…
zack
August 22, 2005, 3:40pm
5
Is there any problem if I have only one real IP address and use it for PAT?
zack:
I have one public IP address and want to redirect port 3389 to internal IP address 10.10.10.3
The following config does not work:
ip firewall dst-nat add action=nat protocol=tcp dst-address=xx.xx.xx.xx/32:3389 to-dst-address=10.10.10.3 disabled=no
Maybe I must do something with the firewall, because when I scan the public IP with nmap it is “closed”.
The rule should be:
ip firewall dst-nat add action=nat protocol=tcp dst-port=3389 to-dst-address=10.10.10.3 disabled=no
zack
August 23, 2005, 7:11am
7
Thanks a lot. Everything is working.