NETMAP

Hi, I need some help :slight_smile: I have three public IPs. Two of them, xxx.xx.xxx.xx1 and xxx.xx.xxx.xx2, are currently in use and the third IP is available. Now I'm trying to use netmap but it doesn't work. Did I miss something? I followed this guide: http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/NAT
My laptop is connected to ether3 on subnet 10.11.0.0/24. I assigned the third available public IP, xxx.xx.xxx.xx3, to the laptop and then used netmap as described in the manual. My purpose is for this laptop to act as if it had a public static IP.


add action=netmap chain=dstnat comment="netmap test" disabled=no dst-address=xxx.xx.xx.103 to-addresses=10.11.0.10
add action=netmap chain=srcnat comment="" disabled=no src-address=10.11.0.10 to-addresses=xxx.xx.xx.103

Can someone give me some tips?

Thanks

Hi, I was able to get this working.

/ip firewall nat
add chain=dstnat action=netmap dst-address=192.0.2.20 to-addresses=10.1.50.254 place-before=0
add chain=srcnat action=netmap src-address=10.1.50.254 to-addresses=192.0.2.20 place-before=0

Do you have another rule which may be matching before the netmap rules? Try re-ordering your rules so the netmap rules match that host first, or just re-add them with place-before=0 to ensure they’re at the top and processed first.

Thanks Blake, I will try it tomorrow and get back to you soon.

cheers

Hi Blake, I have the following rule order:

/ip firewall nat
add action=netmap chain=dstnat comment="netmap test" disabled=no dst-address=xxx.xx.xxx.203 to-addresses=10.11.0.10
add action=netmap chain=srcnat comment="" disabled=no src-address=10.11.0.10 to-addresses=xxx.xx.xxx.203
add action=masquerade chain=srcnat comment=NAT disabled=no out-interface=Ether1-WAN
add action=redirect chain=dstnat comment="web proxy allow to ether2 " disabled=no dst-port=80 in-interface=ether2-local protocol=tcp to-ports=8080
add action=redirect chain=dstnat comment="web proxy allow to office network" disabled=no dst-port=80 in-interface=ether3-local protocol=tcp to-ports=8080

I see the packet counters increasing on both netmap rules, but the problem is that from outside, the IP xxx.xx.xxx.203 doesn't reply. I put 10.11.0.10 on the laptop, and when I ping xxx.xx.xxx.203 it works and replies. I'm wondering about this; can you please explain a bit more, Blake? hehe

Thanks

Can you post the output of ‘/ip firewall filter export’?

I assume you have firewall rules in your forward chain. If you have a reject / drop rule at the end of your forward chain, you’ll have to add a rule explicitly allowing external traffic to access the internal, netmap host. Otherwise traffic to .203 will match the reject / drop rule and not be accessible, as you state is the case with your configuration.

/ip firewall filter add chain=forward in-interface=Ether1-WAN dst-address=10.11.0.10

The dst-address is specified as the internal IP because the packet enters the forward chain after the netmap translation has been performed from the external IP. Until you post your config I can’t tell you exactly where to place that rule.


The .203 IP is pingable from the inside of your network because your input chain likely does not prohibit access from the LAN subnet.

I’m just making some guesses based on common firewall configs. Post yours, and I could tell you for sure! :slight_smile:

Hi Blake, these are my current filter rules:

/ip firewall filter
add action=drop chain=forward comment=rapidshare disabled=no dst-address-list=rapidshare protocol=tcp
add action=drop chain=forward comment="yahoo messenger" disabled=yes layer7-protocol=yahoo-messenger time=7h-12h,mon,tue,wed,thu,fri,sat
add action=drop chain=forward comment="" disabled=yes layer7-protocol=yahoo-messenger time=13h-17h,mon,tue,wed,thu,fri,sat
add action=drop chain=forward comment="fb block" disabled=yes dst-address-list=facebook
add action=drop chain=forward comment="not allowed ip" disabled=yes dst-address=10.2.2.0/24 src-address=10.11.0.25-10.11.0.200
add action=drop chain=forward comment="" disabled=yes dst-address=10.2.2.0/24 src-address=10.12.0.2-10.12.0.254
add action=drop chain=forward comment="" disabled=yes dst-address=10.2.2.0/24 protocol=icmp src-address=10.12.0.0/24
add action=drop chain=forward comment="" disabled=yes dst-address=10.11.0.0/24 src-address=10.12.0.2-10.12.0.200
add action=drop chain=forward comment="" disabled=yes dst-address=10.11.0.0/24 protocol=icmp src-address=10.12.0.0/24
add action=drop chain=forward comment="Front 1 limited access by time" disabled=no dst-port=80 protocol=tcp src-address=10.2.2.3 time=0s-6h,sun,mon,tue,wed,thu,fri,sat
add action=drop chain=forward comment="front 2 office limited access by time" disabled=no dst-port=80 protocol=tcp src-address=10.2.2.5
add action=drop chain=forward comment="remote desktop" disabled=yes dst-port=3389 protocol=tcp time=0s-6h,sun,mon,tue,wed,thu,fri,sat
add action=drop chain=forward comment=worms disabled=no dst-port=135,137,139,445,5554,1068,9996,4444,43 protocol=tcp
add action=drop chain=forward comment="" disabled=no dst-port=135-39,445,69 protocol=udp
add action=add-src-to-address-list address-list=blocked-addr address-list-timeout=52w2d chain=input comment="tarpit instead of drop" connection-limit=200,32 disabled=yes protocol=tcp
add action=tarpit chain=input comment="" connection-limit=3,32 disabled=no protocol=tcp src-address-list=blocked-addr
add action=jump chain=forward comment="SYN Flood protect" connection-state=new disabled=yes jump-target=SYN-Protect protocol=tcp tcp-flags=syn
add action=accept chain=SYN-Protect comment="" connection-state=new disabled=yes limit=400,5 protocol=tcp tcp-flags=syn
add action=drop chain=SYN-Protect comment="" connection-state=new disabled=yes protocol=tcp tcp-flags=syn
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="Port scanners to list " disabled=no protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" disabled=no protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="SYN/FIN scan" disabled=no protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="SYN/RST scan" disabled=no protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" disabled=no protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="ALL/ALL scan" disabled=no protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="NMAP NULL scan" disabled=no protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="dropping port scanners" disabled=no src-address-list="port scanners"
add action=drop chain=input comment="drop ssh brute forcers" disabled=no dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=52w2d chain=input comment="" connection-state=new disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input comment="" connection-state=new disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input comment="" connection-state=new disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input comment="" connection-state=new disabled=no dst-port=22 protocol=tcp
add action=drop chain=input comment="Bruteforce FTP" disabled=no dst-port=21 protocol=tcp src-address-list=ftp_blacklist
add action=accept chain=output comment="" content="530 Login incorrect" disabled=no dst-limit=1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=3h chain=output comment="" content="530 Login incorrect" disabled=no protocol=tcp
add action=accept chain=forward comment=ICMP disabled=no protocol=icmp
add action=accept chain=forward comment="chikka txt messenging" disabled=no dst-port=3128,6301 protocol=tcp
add action=accept chain=forward comment=MAIL disabled=no dst-port=25,26,143,110,465,995,2525,587 protocol=tcp
add action=accept chain=forward comment=HTTP disabled=no dst-port=80,2095 protocol=tcp
add action=accept chain=forward comment=HTTPS disabled=no dst-port=443 protocol=tcp
add action=accept chain=forward comment=FTP disabled=no dst-port=20,21 protocol=tcp
add action=accept chain=forward comment=MSN disabled=no dst-port=1863,6901-6900 protocol=tcp
add action=accept chain=forward comment="" disabled=no dst-port=6901 protocol=udp
add action=accept chain=forward comment="ventrillo and mumble" disabled=no dst-port=4346,64738 protocol=tcp
add action=accept chain=forward comment="vonage " disabled=no dst-port=10000-20000 protocol=udp
add action=accept chain=forward comment="" disabled=no dst-port=5050,5060-5063 protocol=udp
add action=accept chain=forward comment="" disabled=no dst-port=53,8767 protocol=udp
add action=accept chain=forward comment="" disabled=no dst-port=123 protocol=udp
add action=accept chain=forward comment="" disabled=no dst-port=80 protocol=udp
add action=accept chain=forward comment=SSH disabled=no dst-port=22,23 protocol=tcp
add action=accept chain=forward comment=eve-online disabled=no dst-port=26000,6112 protocol=tcp
add action=accept chain=forward comment=7stones_cpanel disabled=no dst-port=2082 protocol=tcp
add action=accept chain=forward comment=wisevideo disabled=no dst-port=1935 protocol=tcp
add action=accept chain=forward comment=winbox disabled=no dst-port=8291 protocol=tcp
add action=accept chain=forward comment=mirc disabled=no dst-port=6667,6668 protocol=tcp
add action=accept chain=forward comment="streaming server" disabled=no dst-port=8000 protocol=tcp
add action=accept chain=forward comment="instant messenger" disabled=no dst-port=5050,5100,5000-5010 protocol=tcp
add action=accept chain=forward comment="INCOMING Manila VPN" disabled=no protocol=tcp src-port=1723
add action=accept chain=forward comment="" disabled=no protocol=gre
add action=accept chain=forward comment="nano allow" disabled=no protocol=tcp src-port=1234,12345
add action=accept chain=forward comment="ubi to outside" disabled=no dst-port=12345 protocol=tcp
add action=accept chain=forward comment=teamspeak disabled=no dst-port=9987 protocol=udp
add action=accept chain=forward comment="google talk" disabled=no dst-port=5222,5223 protocol=tcp
add action=drop chain=forward comment=snmp disabled=no dst-port=161 protocol=udp
add action=drop chain=forward comment="P2P block" disabled=no p2p=all-p2p
add action=drop chain=forward comment="" disabled=no out-interface=Ether1-WAN

Thanks for the help, Blake.

Add that rule before your last three deny rules. It should look like this.

add chain=forward in-interface=Ether1-WAN dst-address=10.11.0.10
add action=drop chain=forward comment=snmp disabled=no dst-port=161 protocol=udp
add action=drop chain=forward comment="P2P block" disabled=no p2p=all-p2p
add action=drop chain=forward comment="" disabled=no out-interface=Ether1-WAN

You may want to look at '/ip firewall filter print stats where chain=forward' after it's been in there a while and move it up in your list if it's hit quite a bit, to ease filter processing.
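The complete configuration the thread converges on, written out as an added example rather than code from either poster: the 1:1 netmap pair in the NAT table, plus the forward-chain accept rule inserted ahead of the final drop rules so inbound traffic to the mapped host is not discarded. The public address 192.0.2.20 is a documentation placeholder standing in for the thread's xxx.xx.xxx.203; 10.11.0.10, Ether1-WAN and the "snmp" rule comment are taken from the thread.

```routeros
# Added example, not from the thread. Assumed values:
#   public IP      192.0.2.20  (placeholder for xxx.xx.xxx.203)
#   internal host  10.11.0.10
#   WAN interface  Ether1-WAN

/ip firewall nat
# Inbound: packets addressed to the public IP are rewritten to the LAN host.
# place-before=0 puts the rule at the top so no earlier dstnat rule (e.g. a
# web-proxy redirect) consumes the traffic first.
add chain=dstnat action=netmap dst-address=192.0.2.20 to-addresses=10.11.0.10 \
    comment="1:1 netmap inbound" place-before=0
# Outbound: the LAN host leaves with the public IP instead of the masquerade address.
add chain=srcnat action=netmap src-address=10.11.0.10 to-addresses=192.0.2.20 \
    comment="1:1 netmap outbound" place-before=0

/ip firewall filter
# The forward chain runs after dstnat, so the rule matches the internal
# address, not the public one. place-before=[find ...] slots it directly
# above the "snmp" drop rule, i.e. ahead of the last three drop rules.
add chain=forward action=accept in-interface=Ether1-WAN dst-address=10.11.0.10 \
    comment="allow inbound to netmap host" place-before=[find comment=snmp]

# Check that the rules are being hit once traffic is sent to the public IP.
/ip firewall nat print stats where comment~"netmap"
/ip firewall filter print stats where chain=forward
```

If the host only needs to expose particular services, add protocol= and dst-port= to the forward accept rule so that only those ports are reachable from the WAN; as written it admits every inbound connection to the host, which is the behaviour the thread asks for but is broader than most deployments need. The print commands at the end are the same counter check suggested above: the netmap rules should show packets in both directions, and the forward accept rule's counter should rise with each connection from outside.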

Please, can you post screenshots of how you set up Teamspeak and Apex?