Hi, all.
I have no experience working with RouterOS or similar systems; I am a beginner.
But, with help from the Internet, I built a system for my home. It works stably.
But I have many questions about the nuances.
For the moment, my general question is this.
I have a problem with attacks on my DVR, which is located inside the LAN behind the NAT. The DVR's logging works.
The problem is that the DVR's log file often shows local addresses for the remote devices that try to access it. Accordingly, adding them to the blacklist does not work. Attacks occur periodically, so keeping track of their real external addresses in real time does not work.
What settings should I set in the router's NAT rules so that the DVR shows the real external address of the remote unit, which I can then add to the blacklist?
Sorry for my bad English.
If your DVR is not connected to any of MTK's ports you can do nothing, as local devices talk to the DVR directly without any MTK help. MTK does not even know that the DVR is "talked to" from the LAN, as the switch (I suppose that you have one) forwards packets only to/from the ports where the "talking" devices are connected. If the DVR is connected to MTK and the rest of your LAN is on another port, then you can block forwarding of packets to/from the interface where the DVR is connected.
Ok, thanks.
The problem is as follows.
A PC with IP 192.168.x.x (I do not know this PC) connects to my DVR in my local network (see attachment).
But in the log of my DVR I see only the address 192.168.x.x; the address 202.x.x.x of the router I do not see in the log. The address 192.168.x.x I cannot enter into the firewall.
I want to make changes to the NAT of my MTK (router) so that on the DVR I see the address 202.x.x.x.
Check this thread: viewtopic.php?f=2&t=102483&p=508981#p508981
It sounds like your NAT masquerade rule is too aggressive.
If your srcnat chain has a rule that just says:
chain=srcnat action=masquerade
.. then all packets will be masqueraded - both inbound and outbound. Add the criteria "in-interface=WAN" (replace WAN with the actual name of your router's WAN interface, e.g. pppoe-out1).
If you’re wanting to use hairpin NAT (so LAN hosts can use the public IP to reach the DVR) then add a separate srcnat rule:
chain=srcnat dst-address=192.168.x.0/24 src-address=192.168.x.0/24 action=masquerade
These changes will reveal the remote host’s public IP to your DVR for logging, but will continue to use the router’s LAN address whenever a local LAN host accesses the DVR using the router’s public IP address. (unfortunately, this is a requirement for hairpin NAT to work properly)
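To make the effect of the two rule sets concrete, here is a small model of how a srcnat chain is evaluated (first matching rule wins) applied to the three flows the thread discusses. This is an added example, not part of the thread; the interface names ether1/bridge, the 192.168.88.0/24 LAN and all IP addresses are constructed placeholders, and only the matchers used above are modelled.

```python
# Added example: model RouterOS srcnat evaluation to show why a bare masquerade
# rule hides the remote host's public IP from the DVR. Addresses are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed router addresses per interface (what "masquerade" rewrites the source to).
ROUTER_ADDRS = {"ether1": "203.0.113.10", "bridge": "192.168.88.1"}


@dataclass
class Packet:
    in_iface: str   # interface the packet arrived on
    out_iface: str  # interface chosen by routing (srcnat runs after routing)
    src: str
    dst: str        # already rewritten by dstnat for inbound/hairpin flows


def rule_matches(rule, pkt):
    """Only the matchers used in the thread are modelled; absent keys match anything."""
    if "in-interface" in rule and rule["in-interface"] != pkt.in_iface:
        return False
    if "out-interface" in rule and rule["out-interface"] != pkt.out_iface:
        return False
    if "src-address" in rule and ip_address(pkt.src) not in ip_network(rule["src-address"]):
        return False
    if "dst-address" in rule and ip_address(pkt.dst) not in ip_network(rule["dst-address"]):
        return False
    return True


def apply_srcnat(rules, pkt):
    """Return the source address the destination (e.g. the DVR) will see."""
    for rule in rules:
        if rule.get("chain") == "srcnat" and rule_matches(rule, pkt):
            if rule.get("action") == "masquerade":
                return ROUTER_ADDRS[pkt.out_iface]
            return pkt.src  # e.g. action=accept stops evaluation unchanged
    return pkt.src


# Constructed flows. Inbound: remote host -> (dstnat) -> DVR, WAN in, LAN out.
INBOUND = Packet("ether1", "bridge", "198.51.100.7", "192.168.88.20")
# Hairpin: LAN host reached the DVR via the public IP; dstnat already fixed dst.
HAIRPIN = Packet("bridge", "bridge", "192.168.88.50", "192.168.88.20")

BROAD = [{"chain": "srcnat", "action": "masquerade"}]           # matches everything
FIXED = [
    {"chain": "srcnat", "out-interface": "ether1", "action": "masquerade"},
    {"chain": "srcnat", "src-address": "192.168.88.0/24",
     "dst-address": "192.168.88.0/24", "action": "masquerade"},  # hairpin only
]

if __name__ == "__main__":
    print("broad, inbound :", apply_srcnat(BROAD, INBOUND))  # 192.168.88.1: public IP lost
    print("fixed, inbound :", apply_srcnat(FIXED, INBOUND))  # 198.51.100.7: loggable
    print("fixed, hairpin :", apply_srcnat(FIXED, HAIRPIN))  # 192.168.88.1: expected
```

The DVR log entry for a remote host is only usable for blacklisting in the second case; the hairpin flow still shows the router's LAN address, as the reply above notes.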
Hi,
In part NAT I have rule:
chain=srcnat out-interface=ether1 action=masquerade
After this rule I have now added a new rule:
chain=srcnat src-address=172.x.x.x/24 dst-address=172.x.x.x/24 action=masquerade
ether1 - my WAN interface
172.x.x.x/24 - my LAN