Hi there.
I am trying to write a firewall rule like these I have in an old linux with iptables, which handles requests send to a specific hostname. I didn’t find a way to write names in RouterOS, it asks me for IPs.
How can I create something like this?
$IPTABLES -t nat -A PREROUTING -i $INTIF
-p tcp -d host.domain.com.ar --dport 8333 -j DNAT --to 10.0.2.202:8333
Thanks for your help!!
Regards- Sergio
Apply,
/ip firewall nat
add chain=dst-nat dst-address=host.domain.com.ar or Ip address of the Site
dst-port=8333 action=dst-nat to-address=10.0.2.202:8333.
ASHISH
thanks ashish for your reply,
but when I tried to do this from the Winbox, it won’t let me add a “non-IP” dst-address.
I will try this.
Regards!
When I tiped the command line, i get this error msg.
Thanks for your help!
[admin@MikroTik] > /ip firewall nat add chain=dst-nat dst-address=name.me.com.ar dst-port=8333 action=dst-nat to-address=10.0.2.202:8333
value of range expects range of ip addresses
[admin@MikroTik] >
What I am trying to do, is forward the port of the VMWare console when I tried to access from http://host.me.com.ar:8333 to 10.0.2.202:8333
you can use scripting to achieve what you want (if your ip address changes from time to time) so you run your scrpt that will resolve your host name and delete old rule (if address has been changed) and add new one.
see into scripting section of the forum and read manual about scripting:
http://www.mikrotik.com/testdocs/ros/2.9/system/scripting.php
I see.
I will try to make something out of scripting.
Thanks!
I cannot make any sense.
I made so far with this test scritp:
:global pub-ip [ /ip address get [/ip address find interface=Publica] address ]
:global tuero "me.host.com.ar"
:global tuero-ip [:resolve $tuero]
if
($pub-ip = $tuero-ip)
do
{:put son iguales}
else
{:put son diferentes}
I always get these values:
tuero-ip=221.231.113.178
pub-ip=221.231.113.178/24
so they’re always different b/c of the last “/24”.
How can I trim that? And how do i continue the script to update a certan filter rule??
What I need to do is (perhaps theres no need to use a script?):
Now, inside my network, when I want to go to http://me.host.com.ar:9000 I get a no response page. If I put http://10.0.2.2:9000 I get the page.
And if from outside this network (ie: home) I write http://me.host.com.ar:9000 I get the right page.
me.host.com.ar = host.change-ip.net, because of my dynamic cable IP.
Thanks a lot for your help!
Sounds like you have a DSL uplink with a dynamic name?
If yes, you could just scrap that scripting and use the in-interface value in the dst-nat rule instead. Then you would be independent of the ip address you currently have…
Best regards,
Christian Meis
Yes I have cablemodem with non-static IP.
I made a rule like this one, but its not working:
;;; Transparent D-nat?
chain=dstnat in-interface=Local protocol=tcp dst-port=2000 action=dst-nat to-addresses=10.0.2.200 to-ports=2000
In the old linux I am trying to replace, we had a rule like this one:
# Transparent Proxy / NAT
# LocalNet to me.host.com.ar
echo tuero 2000
$IPTABLES -t nat -A PREROUTING -i $INTIF \
-p tcp -d me.host.com.ar --dport 2000 -j DNAT --to 10.0.2.200:2000
So everytime we tried to access http://me.host.com.ar:2000 I get to where I meant to go.
Now I cant.
But it works just fine from outside my network.
Thanks y’all for your help to this noob! 
I’d be glad to hear your suggestions.
Thanks y’all.
Anyone please has any ideas?
I’ve tried a hundred different combinations of firewall and NAT rules, much to my despair, but none have worked.
I cant still resolve my own host name inside my network.
And old-time users are getting pissed! 
Thanks for your help! Sergio
please any tips?
Hello,
I believe this is called nat-on-a-stick. You are trying to access your public address from inside, which probably half way works, but the server is sending the traffic back to you directly and not back thru the router, ie:
1 - client send traffic to public ip.
2 - router dnat to the internal ip.
3 - server receives traffic and performs a response.
4 - server just sent the response to the original src address. Since this original source is on its local subnet the router never gets return traffic.
5 - client gets reply packet but DROPS because its not coming from original requested IP.
To fix this you have to dnat and src nat, this way when server sees the request it is coming from the router, not the client.
Post your rules and we’ll fix it up.
Sam
Thanks Sam!
Here are the rules for filter and nat.
[admin@LunaTik] ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Drop invalid connections
chain=input connection-state=invalid action=drop
1 ;;; Allow established connections
chain=input connection-state=established action=accept
2 ;;; Allow related connections
chain=input connection-state=related action=accept
3 ;;; drop ssh brute forcers
chain=input protocol=tcp dst-port=22 src-address-list=black_list action=drop
4 ;;; ssh-brute to blacklist
chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage3 action=add-src-to-address-list
address-list=black_list address-list-timeout=2w1d
5 ;;; ssh-brute -stage 3
chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage2 action=add-src-to-address-list
address-list=ssh_stage3 address-list-timeout=2m
6 ;;; ssh-brute -stage 2
chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 action=add-src-to-address-list
address-list=ssh_stage2 address-list-timeout=2m
7 ;;; ssh-brute - stage 1
chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list address-list=ssh_stage1
address-list-timeout=1m
8 ;;; Allow UDP
chain=input protocol=udp action=accept
9 ;;; Allow ICMP Ping
chain=input protocol=icmp action=accept
10 ;;; Allow access from our local network
chain=input src-address=10.0.2.0/24 action=accept
11 ;;; Mikrotik Winbox
chain=input in-interface=Publica dst-port=8291 action=accept
12 ;;; Mikrotik SSH
chain=input in-interface=Publica dst-address=0.0.0.0/0 dst-port=22 action=accept
13 ;;; Indy SSH
chain=input in-interface=Publica dst-address=0.0.0.0/0 dst-port=2222 action=accept
14 ;;; Uvnc
chain=input in-interface=Publica protocol=tcp dst-port=4000-4001 action=accept
15 ;;; Uvnc a SERVER-MX
chain=input in-interface=Publica protocol=tcp dst-port=4003-4004 action=accept
16 ;;; Terminal Server a SERVER-MX
chain=input in-interface=Publica protocol=tcp dst-port=4005 action=accept
17 ;;; KB 9000
chain=input in-interface=Publica dst-address=0.0.0.0/0 protocol=tcp dst-port=9000 action=accept
18 ;;; ? Copiada de Indy
chain=input in-interface=Publica dst-address=0.0.0.0/0 protocol=tcp dst-port=8000 action=accept
19 ;;; VMWare Web
chain=input in-interface=Publica dst-address=0.0.0.0/0 protocol=tcp dst-port=8333 action=accept
20 ;;; VMWare Consola
chain=input in-interface=Publica dst-address=0.0.0.0/0 protocol=tcp dst-port=902 action=accept
21 X ;;; MSN Messenger
chain=forward protocol=tcp dst-port=1863 action=drop
22 X ;;; MSN Messenger
chain=forward dst-address=207.46.110.0/24 protocol=tcp action=drop
23 X ;;; MSN Messenger
chain=forward protocol=tcp dst-port=5190 action=drop
24 X ;;; MSN Messenger
chain=forward protocol=tcp dst-port=6901 action=drop
25 X ;;; MSN Messenger
chain=forward protocol=tcp dst-port=6891-6900 action=drop
26 ;;; jump to chain ICMP
chain=input protocol=icmp action=jump jump-target=ICMP
27 ;;; jump to chain services
chain=input action=jump jump-target=services
28 ;;; Allow Broadcast Traffic
chain=input dst-address-type=broadcast action=accept
29 ;;; Log and drop everything else
chain=input action=log log-prefix="Filter:"
30 chain=input action=drop
31 ;;; 0:0 and limit for 5pac/s
chain=ICMP protocol=icmp icmp-options=0:0-255 limit=5,5 action=accept
32 ;;; 3:3 and limit for 5pac/s
chain=ICMP protocol=icmp icmp-options=3:3 limit=5,5 action=accept
33 ;;; 3:4 and limit for 5pac/s
chain=ICMP protocol=icmp icmp-options=3:4 limit=5,5 action=accept
34 ;;; 8:0 and limit for 5pac/s
chain=ICMP protocol=icmp icmp-options=8:0-255 limit=5,5 action=accept
35 ;;; 11:0 and limit for 5pac/s
chain=ICMP protocol=icmp icmp-options=11:0-255 limit=5,5 action=accept
36 ;;; Drop everything else
chain=ICMP protocol=icmp action=drop
[admin@LunaTik] ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
1 ;;; NAT internal network to go out
chain=srcnat out-interface=Publica action=masquerade
4 ;;; KB
chain=dstnat in-interface=Publica protocol=tcp dst-port=9000 action=dst-nat to-addresses=10.0.2.2 to-ports=9000
5 ;;; Webmail
chain=dstnat in-interface=Publica protocol=tcp dst-port=2000 action=dst-nat to-addresses=10.0.2.200 to-ports=2000
I have other nat rules for emule, VNC, etc, forwarding certain ports.
However, as i said in my previous posts, these are the two relevant ones.
I need to be able to access “me.host.com:9000” and be the same as writing “10.0.2.2:9000”
with my local ip it works, but not with hostname.
Thanks for your help!
you need a dst-nat rule that matches traffic to your public IP coming from your internal interface. dst-nat that back to your private address.
you also need a src-nat rule that matches traffic to that servers private IP coming from your internal interface. src-nat it to your routers internal ip, dont use masq.
Esentially this will change the src and destination packets and everything communicating locally will go thru the router. You will no longer be connecting directly to the server. This is mainly okay if its just web traffic, etc.
An even better solution is to put your servers on a different subnet / interface (dmz?). This way return traffic automatically comes back to you since you need to be routed to it.
Sam
A BIG THANKS SAM!
That was what I was needing!
I added rules like:
;;; Webmail desde adentro
8 chain=dstnat in-interface=Local dst-address=201.200.3.21 protocol=tcp dst-port=2000 action=dst-nat to-addresses=10.0.2.200 to-ports=2000
7 chain=srcnat out-interface=Local protocol=tcp dst-port=2000 action=src-nat to-addresses=10.0.2.209 to-ports=0-65535
and now I can type http://host.me.com:2000/ and get to my internal server.
Just to make it perfect: how can I script-change the value in dst-address to get updated when my public ip changes?
glad you stopped by and solved it with a few replies.
PS: How do I change the title to [Solved]??
Here is my script to just add the dymanically assigned IP address to a specific address list. Any reference to that address list in any firewall / NAT rule can always stay the same. Each time the IP changes it will update the address list entry.
Hope this helps, please critique and let me know how this works? Tested and works for me; handles reboots and non-existent list entries too.
:local WAN-INTERFACE-NAME ether4
:local WAN-LIST-NAME list2
\
:local DDNSCURWANIP [/ip dhcp-client get $WAN-INTERFACE-NAME address]
:set tmpDDNSCURWANIP ""
:set LENGTH [:len $DDNSCURWANIP]
:set x 0
:while ($x >= 0) do={
:set tmpChar [:pick $DDNSCURWANIP $x]
:if ($tmpChar = "/") do={
:set x -1
}else={
:set tmpDDNSCURWANIP ($tmpDDNSCURWANIP . $tmpChar)
:set x ($x + 1)
}
}
:if ([:len $tmpDDNSCURWANIP] = 0) do={
:log error "No IP returned. Cannot add IP to list Aborting"
}else={
:local DDNSCURWANIP $tmpDDNSCURWANIP
:local DDNSWANIP
:if ([:len $DDNSWANIP] = 0) do={
:global DDNSWANIP 0.0.0.0
}
:set CURITEM [/ip firewall address-list find list=$WAN-LIST-NAME address=$DDNSWANIP]
:if ([:len $CURITEM] = 0) do={
:if ($DDNSWANIP = 0.0.0.0) do={
/ip firewall address-list add list=$WAN-LIST-NAME address=$DDNSWANIP disabled=yes
}else={
/ip firewall address-list add list=$WAN-LIST-NAME address=$DDNSWANIP disabled=no
}
:log warning ($WAN-LIST-NAME . " list created")
}
\
:if ($DDNSCURWANIP != $DDNSWANIP) do={
:log warning ($WAN-INTERFACE-NAME . " IP changed from " . $DDNSWANIP . " to " . $DDNSCURWANIP)
:set NEWITEM [/ip firewall address-list find list=$WAN-LIST-NAME address=$DDNSCURWANIP]
:set CURITEM [/ip firewall address-list find list=$WAN-LIST-NAME address=$DDNSWANIP]
:if ([:len $NEWITEM] > 0) do={
:log warning ($WAN-LIST-NAME . " already contains " . $DDNSCURWANIP)
}
:if (([:len $CURITEM] = 1) && ([:len $NEWITEM] = 0)) do={
:log warning "Found old WAN IP in list"
/ip firewall address-list set $CURITEM address=$DDNSCURWANIP disabled=no
}
:if (([:len $CURITEM] = 0) && ([:len $NEWITEM] = 0)) do={
:log warning "Not found old WAN IP in list"
/ip firewall address-list add list=$WAN-LIST-NAME address=$DDNSCURWANIP disabled=no
}
:if (([:len $CURITEM] > 0) && ([:len $NEWITEM] > 0)) do={
:log warning ("Removing old entry " . $DDNSWANIP); /ip firewall address-list remove $CURITEM
}
:log warning ($WAN-LIST-NAME . " list updated")
:global DDNSWANIP $DDNSCURWANIP
}
}
:set CURITEM
:set NEWITEM
:set DDNSCURWANIP
:set LENGTH
:set tmpChar
:set tmpDDNSWANIP
great dssmiktik!
Thanks for your script.
How do you create filter rules to be updated by this script?
Could you please post an example?
Thanks I already figured it out. I used the Dst-Adrress-list.
Great script, glad you posted it.