Howist,
How do you allow a certain IP or protocol to bypass your firewall with MikroTik?
I have a router (NAT) and I want to let certain computers above the NAT router see into my network.
What do I do? Thanks
Nothing. There is no bypass possibility because these computers upstairs DON'T KNOW HOW TO ADDRESS YOUR COMPUTERS. If you hide behind NAT, then only the exposed IP address is routed to your router.
What you can do is forward individual ports of that address down to the computers in your LAN.
ah kak,
I see what you mean.
Even if the connection is initiated by the computer below the router?
The reason I am asking: in this network the computers below the network connect to a server upstream using Novell, and if they log in now, the Novell server connects to the IP of the router, so if someone logs in then all the computers below the router have access to the login of the last person who logged in.
So is there no way to allow computers to be seen?
Even then. Unless you have fully routable addresses and the NAT was just for security. The packets otherwise have a return address that upstream does not know to send to your computer. More particularly, ANY ISP / provider worth a grain of salt will have a firewall rule to drop packets that have non-assigned source addresses from the interface of the customer.
I just have the NAT to hide the computers from the network above it, it's not for security.
Is there not any other configuration that I can set up that will allow for the computers to be isolated but available for certain ports and IPs?
Well, there is the standard way: do NOT use NAT but use smart filtering in the firewall. Allow ALL connections initiated from the inside, only specific ones initiated from the outside. This is how classical firewalls work.
got any links? or tuts on how to do that?
Sounds like it could work.
Not really. MikroTik documentation is not a learning guide, and otherwise network admins are supposed to know the basics of how firewalls work.
Basically:
Plus the usual setup (allow established, related traffic etc.).
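
A sketch of the routed, no-NAT filtering approach described in the replies above, added here as an example; it is not part of the original thread and is not the poster's own rule set. The interface names, the LAN subnet, the upstream server address and the permitted port are all constructed placeholders, and it assumes the upstream network has a route to the LAN subnet via this router.

```routeros
# Added example. Assumed (hypothetical) values:
#   ether1-upstream  = interface facing the network above the router
#   ether2-lan       = interface facing the isolated computers
#   192.168.88.0/24  = LAN subnet, routed (no srcnat/masquerade rule)
#   192.0.2.10       = the one upstream server allowed to open connections
#   192.168.88.20    = the LAN host it may reach, on TCP port 8443 (constructed)

/ip firewall filter

# The "usual setup": let replies to existing connections through first.
add chain=forward connection-state=established action=accept \
    comment="replies to established connections"
add chain=forward connection-state=related action=accept \
    comment="related traffic (e.g. ICMP errors)"
add chain=forward connection-state=invalid action=drop \
    comment="drop packets that match no tracked connection"

# Allow ALL connections initiated from the inside.
add chain=forward in-interface=ether2-lan src-address=192.168.88.0/24 \
    action=accept comment="LAN may initiate anything"

# Allow only specific connections initiated from the outside.
add chain=forward in-interface=ether1-upstream src-address=192.0.2.10 \
    dst-address=192.168.88.20 protocol=tcp dst-port=8443 \
    action=accept comment="single upstream server to single LAN service"

# Everything else crossing the router is dropped and logged.
add chain=forward action=log log-prefix="fw-drop" \
    comment="record what the default drop catches"
add chain=forward action=drop comment="default deny"
```

Rule order matters: the filter is evaluated top to bottom, so the final drop must stay last, and the log rule above it shows which upstream hosts are attempting connections that the allow list does not cover.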