Need some config help

Hello Guys,

I have a routerboard 3011 UiAS-RM and on that two internal LANs. On interface 1 is my internet connection. On interface 2 is my “personal LAN” which goes to a switch that has my computer and a TV. Then on ETH3 or interface three I have a “work” LAN which has four servers. What I want to do is basically point 1 public IP to ETH1 and then assign the remaining four public IPs to the servers but keep them on an internal LAN as well. So ETH2 → PUBLIC IP 1 (which my PC and any other personal LAN would share), then from ETH3 → a 1:1 PUBLIC IP 2 → 192.168.x.2 and PUBLIC IP 3 to 192.168.x.3 and the same with the remaining ones. I tried dst-nat and src-nat on the IPs but for some reason the public IPs just keep pointing back to the router admin on the local network and nothing from the public side. Any help would be much appreciated.

Hi there!

Can you post here the output of the following commands after having replaced the public IP (for example by public1 … public4)?

/ip/address/export verbose
/ip/firewall/nat/export
/ip/firewall/filter/export

@mikrotikfanboy I guess your NAT rules using those extra public IP addresses are not correct. So I agree with @vingfjg, post config so we can check it.

Additional idea: if you’re trying to connect to public addresses from inside the LANs, then you may have to implement hairpin NAT. The exact implementation again depends on the rest of the config.

Hey All,

Thanks! Yes, I can post the output:

/ip address
add address=192.168.88.1/24 comment=defconf disabled=no interface=bridge network=192.168.88.0
add address=PUBLIC.IP.ONE/29 disabled=no interface=charter network=CHARTER.IP
add address=PUBLIC.IP.TWO/32 disabled=no interface=charter network=PUBLIC.IP.TWO
add address=PUBLIC.IP.THREE/32 disabled=no interface=charter network=PUBLIC.IP.THREE
add address=PUBLIC.IP.FOUR/32 disabled=no interface=charter network=PUBLIC.IP.FOUR
add address=PUBLIC.IP.FIVE/32 disabled=no interface=charter network=PUBLIC.IP.FIVE

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address=PUBLIC.IP.ONE in-interface=charter to-addresses=192.168.88.254
add action=src-nat chain=srcnat out-interface=charter src-address=192.168.88.254 to-addresses=PUBLIC.IP.ONE
add action=src-nat chain=srcnat dst-address=PUBLIC.IP.TWO dst-port=80 out-interface=charter protocol=tcp src-address=192.168.88.248 src-port=80 to-addresses=PUBLIC.IP.TWO to-ports=80
add action=dst-nat chain=dstnat dst-address=PUBLIC.IP.TWO dst-port=80 in-interface=charter protocol=tcp src-address=192.168.88.248 src-port=80 to-addresses=192.168.88.248 to-ports=80

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

I replaced the actual IPs, obviously, with the text PUBLIC.IP.#. I have five total allotted.

Here it is. Let me know if you have any questions.

Comments:

  • If the Public IP One to Five are in the same network, then the addresses with the netmask /32 are to be fixed. Or replace the additional addresses by host routes (my preferred version but that’s personal).
  • For the NAT configuration, there are some issues, see the corrections below.
  • There is no hairpin NAT, so you won’t be able to reach the servers using the public IP. This explains why you connect to the device when you use the public IP addresses.
  • The filter rules need some attention, as you are fully exposing one of your servers; the other one is not exposed only because its NAT rules are incorrect.

Corrections

add action=src-nat chain=srcnat dst-address=PUBLIC.IP.TWO dst-port=80 out-interface=charter protocol=tcp src-address=192.168.88.248 src-port=80 to-addresses=PUBLIC.IP.TWO to-ports=80
add action=dst-nat chain=dstnat dst-address=PUBLIC.IP.TWO dst-port=80 in-interface=charter protocol=tcp src-address=192.168.88.248 src-port=80 to-addresses=192.168.88.248 to-ports=80

These NAT rules don’t do anything useful: the first one says “from 192.168.88.248 source port 80 to PUBLIC.IP.TWO destination port 80, change the source IP to PUBLIC.IP.TWO and the source port to 80.” The second one says “from 192.168.88.248 source port 80 to PUBLIC.IP.TWO destination port 80, change the destination to 192.168.88.248.”

Given this looks like you are doing bidirectional NAT, it should most likely be:

add action=src-nat chain=srcnat out-interface=charter src-address=192.168.88.248 to-addresses=PUBLIC.IP.TWO
add action=dst-nat chain=dstnat in-interface=charter dst-address=PUBLIC.IP.TWO to-addresses=192.168.88.248

This doesn’t address the hairpin NAT. Let me know if you need help with that.

The filter rules expose everything that is translated, which is pretty bad.

add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN disabled=yes

Instead, consider creating specific rules to permit the necessary traffic through. For example, the following rules permit access to the HTTP port of two of your internal servers and drop everything else.

add action=accept chain=forward comment="Access HTTP to 88.248" dst-address=192.168.88.248 protocol=tcp dst-port=80 in-interface=charter
add action=accept chain=forward comment="Access HTTP to 88.254" dst-address=192.168.88.254 protocol=tcp dst-port=80 in-interface=charter
add action=drop chain=forward comment="Drop everything else coming from the WAN" in-interface=charter

Conclusions:
Your NAT rules should look like this. Keep in mind this doesn’t include the hairpin NAT.

/ip firewall nat
add action=dst-nat chain=dstnat dst-address=PUBLIC.IP.ONE in-interface=charter to-addresses=192.168.88.254
add action=src-nat chain=srcnat out-interface=charter src-address=192.168.88.254 to-addresses=PUBLIC.IP.ONE
add action=src-nat chain=srcnat out-interface=charter src-address=192.168.88.248 to-addresses=PUBLIC.IP.TWO
add action=dst-nat chain=dstnat dst-address=PUBLIC.IP.TWO in-interface=charter to-addresses=192.168.88.248
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes ipsec-policy=out,none out-interface-list=WAN

Your rules should look like (chain forward only):

/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="Access HTTP to 88.248" dst-address=192.168.88.248 protocol=tcp dst-port=80 in-interface=charter
add action=accept chain=forward comment="Access HTTP to 88.254" dst-address=192.168.88.254 protocol=tcp dst-port=80 in-interface=charter
add action=drop chain=forward comment="Drop everything else coming from the WAN" in-interface=charter
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN disabled=yes
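Hairpin NAT for the PUBLIC.IP.TWO mapping, which the corrections above deliberately leave out, as an added example that is not part of this thread or of anyone's posted config. It assumes the LAN is 192.168.88.0/24 on the interface named "bridge" and the WAN interface is "charter", exactly as in the posted /ip address export; the rule comments are made up here.

```routeros
# Added example, not from the thread: 1:1 NAT for 192.168.88.248 <-> PUBLIC.IP.TWO
# including hairpin NAT, so LAN clients can reach the server via its public IP.
# Assumes LAN 192.168.88.0/24 on interface "bridge" and WAN on interface "charter".
/ip firewall nat

# Outbound 1:1 translation, unchanged from the corrections above: only traffic
# leaving via charter gets its source rewritten to the public address.
add action=src-nat chain=srcnat out-interface=charter src-address=192.168.88.248 \
    to-addresses=PUBLIC.IP.TWO comment="1:1 src-nat 88.248"

# Inbound 1:1 translation WITHOUT in-interface=charter: a LAN client that connects
# to PUBLIC.IP.TWO must also be redirected to the server. With in-interface=charter
# in place, that LAN connection is never translated and lands on the router's own
# input chain instead, which is the symptom described in the first post.
add action=dst-nat chain=dstnat dst-address=PUBLIC.IP.TWO \
    to-addresses=192.168.88.248 comment="1:1 dst-nat 88.248 (WAN and LAN)"

# Hairpin: when a LAN client's translated packet is forwarded back out the bridge
# to the server, rewrite the client's source to the router's LAN address. Without
# this the server replies straight to the client on the same L2 segment, the client
# sees an answer from 192.168.88.248 rather than PUBLIC.IP.TWO and discards it.
add action=masquerade chain=srcnat src-address=192.168.88.0/24 \
    dst-address=192.168.88.248 out-interface=bridge comment="hairpin NAT 88.248"
```

The hairpinned flow is still subject to the forward chain: with the filter rules above it passes because the final drop only matches in-interface=charter, and with a forward chain that accepts connection-nat-state=dstnat it is covered by that rule.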

Forward chain… simplified
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid

add action=accept chain=forward comment="internet access" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="Drop ALL Else"

In other words, take the default rule about dstnat and parse it out, so that the functions are clear and separate. By adding the drop rule at the end, ALL traffic (WAN to LAN, LAN to WAN and LAN to LAN at L3) that was not specifically allowed above this last rule (be it port forwarding, internet, or something else like ADMIN to all VLANs, OR all subnets' access to a shared printer etc.) will be dropped. Clean, clear and efficient.
If not doing IPsec, the first two rules can be removed as well, as shown above.