Cable Modem Port 1
Switch on Port 2
Torrent Server Port 3
IP scheme is default 192.168.88.1 is IP for inside RB750G
The static ip for the torrent server is 192.168.88.250
The torrent server has Utorrent installed. I’ve tried using the UPnP and it didn’t work.
So I made two NAT rules for DSTNAT.
SRC ADDRESS 192.168.88.1
DST ADDRESS 192.168.88.1
Protocol 6 (TCP)
Port 55554
In. Interface eth1-gateway
the other rule is for UDP (everything else is the same)
Shouldn’t this work? When a request comes into the gateway for 192.168.88.1 for port 55554 send the packet to 192.168.88.250?
When I try to change Out Interface to ether3, it says outgoing interface match no possible in input and prerouting chains. (6)
Accept. Make sure that the entry is earlier in the list than the drop/reject rules. Read the wiki manual for IP firewall filter on what all the options do.
‘input’ - traffic directly TO the router (destination IP address is on the router itself)
‘output’ - traffic sourced originated FROM the router
‘forward’ - traffic THROUGH the router
dst-nat happens in prerouting, which is before any of them. It changes the destination IP address to an IP address behind the router, so all your firewall filter rules for the forwarded traffic don’t apply because you’re in the wrong chain (the packet will be in ‘forward’, not ‘input’). Also, setting an empty routing-mark is pointless. If you’re trying to protect the router from being accessed from the Internet (which is a good idea) and also want only traffic originating from behind the router to flow through it, with the exception of traffic forwarded to 192.168.88.50 with a destination port of 55554 on TCP and UDP, the firewall filters, NAT and mangle would look something like this:
/ip firewall filter
# delete all existing rules
remove [find]
# allow all packets that belong to connections that have already been OK'd by the packets establishing them not having been dropped
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
# unconditionally allow ICMP
add action=accept chain=input protocol=icmp
# allow connections to be established from every interface but the WAN
add action=accept chain=input in-interface=!ether1-gateway
# drop everything else
add action=drop chain=input
# allow all packets that belong to connections that have already been OK'd by the packets establishing them not having been dropped
add action=accept chain=forward connection-state=established
add action=accept chain=forward connection-state=related
# allow all interfaces other than the WAN to establish new connections
add action=accept chain=forward in-interface=!ether1-gateway
# permit traffic from the WAN forwarded to 192.168.88.250 destined to tcp/55554 and udp/55554
# (these must be in the forward chain: after dst-nat the packet is forwarded, not delivered to the router)
add action=accept chain=forward in-interface=ether1-gateway dst-address=192.168.88.250 protocol=tcp dst-port=55554
add action=accept chain=forward in-interface=ether1-gateway dst-address=192.168.88.250 protocol=udp dst-port=55554
# drop everything else
add action=drop chain=forward
/ip firewall mangle
# delete all mangle rules, what is shown makes no sense
remove [find]
/ip firewall nat
# delete all existing rules
remove [find]
# port forward udp/55554 and tcp/55554 to 192.168.88.250
# (match only packets arriving on the WAN, otherwise LAN clients talking to port 55554 anywhere get redirected too)
add action=dst-nat chain=dstnat in-interface=ether1-gateway dst-port=55554 protocol=tcp to-addresses=192.168.88.250 to-ports=55554
add action=dst-nat chain=dstnat in-interface=ether1-gateway dst-port=55554 protocol=udp to-addresses=192.168.88.250 to-ports=55554
# source NAT everything going out to the WAN
add action=masquerade chain=srcnat out-interface=ether1-gateway
That should be fine to paste in via a network connection, if you want to make sure, use the console or safe mode: http://wiki.mikrotik.com/wiki/Manual:Console#Safe_Mode - generally a good idea when you’re editing critical portions of the configuration.
Wow, thanks a bundle. Starting to understand how things work in this device a little better. So all I need to do now is redirect port 80 to the internal webserver on 192.168.88.249.
When I add a dst-nat rule to the dstnat chain for tcp, port 80 it kills all internet traffic on the local lan though. The firewall rule alone doesn’t do the trick. So I’m lost on how to do it. I can change the port on apache to listen to port 8080, instead of 80, but still I’m lost as to what I’m doing wrong.
From my understanding of networking, when I request a website from this computer, I’m requesting port 80 from XXX.XXX.XXX.XXX, and it comes back with src port 80; which is why I can’t browse the internet when I create the NAT rule for dstnat protocol 6 (tcp) dstport 80, since that directly conflicts with the networking. Guess it isn’t that simple… or is it even possible? I changed the www service to port 64 from 80, and I can access that from the domain I purchased and pointed to my WAN IP (which works fine).
Wait a second, I see the ! before ether1-gateway means every one except that one; which in the case of accepting requests for a website isn’t going to work. So I guess I need to delete those rules? Still I’m somewhat confused here; tricky.
Just add that. Ensure you move the firewall filter rule above the drop rule at the bottom. I should have specified ‘in-interface=ether1-gateway’ on the other dstnat rules as well, sorry for the oversight.
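To make the two points of this thread concrete (dst-nat runs in prerouting before the routing decision and filter chains, and a dstnat rule without in-interface also catches LAN clients' outbound port-80 traffic), here is an added toy simulation of that packet path in Python. It is not MikroTik code; interface names and 192.168.88.x addresses come from the thread, while the public IPs are constructed placeholders.

```python
# Added example (not MikroTik's code): a toy model of the RouterOS packet path the
# answer describes: prerouting/dstnat -> routing decision -> 'input' or 'forward'.
# Interface names and LAN addresses come from the thread; public IPs are constructed.
ROUTER_IPS = {"192.168.88.1", "203.0.113.10"}  # constructed: 203.0.113.10 is the WAN side

def matches(rule, pkt):
    """True when every matcher the rule carries agrees with the packet."""
    for key in ("protocol", "dst_port", "dst_address", "connection_state"):
        if key in rule and rule[key] != pkt.get(key):
            return False
    iface = rule.get("in_interface")
    if iface is not None:  # a leading '!' negates the match, as in RouterOS
        if (pkt["in_interface"] == iface.lstrip("!")) == iface.startswith("!"):
            return False
    return True

def first_match(rules, chain, pkt):
    """Rules run top to bottom; the first matching rule in the chain decides."""
    return next((r for r in rules if r["chain"] == chain and matches(r, pkt)), None)

def process(nat, filt, pkt):
    """Return (verdict, final 'ip:port') for one packet entering the router."""
    pkt = dict(pkt)
    rule = first_match(nat, "dstnat", pkt)  # dstnat runs in prerouting, before routing
    if rule and rule["action"] == "dst-nat":
        pkt["dst_address"], pkt["dst_port"] = rule["to_addresses"], rule["to_ports"]
    chain = "input" if pkt["dst_address"] in ROUTER_IPS else "forward"  # routing decision
    rule = first_match(filt, chain, pkt)
    verdict = rule["action"] if rule else "accept"  # no matching rule in the chain: accept
    return verdict, f'{pkt["dst_address"]}:{pkt["dst_port"]}'

FILTER = [  # the answer's filter shape, plus the forward accept for the web server
    {"chain": "input", "action": "accept", "connection_state": "established"},
    {"chain": "input", "action": "accept", "in_interface": "!ether1-gateway"},
    {"chain": "input", "action": "drop"},
    {"chain": "forward", "action": "accept", "connection_state": "established"},
    {"chain": "forward", "action": "accept", "in_interface": "!ether1-gateway"},
    {"chain": "forward", "action": "accept", "in_interface": "ether1-gateway",
     "dst_address": "192.168.88.249", "protocol": "tcp", "dst_port": 80},
    {"chain": "forward", "action": "drop"},
]
WEB = {"chain": "dstnat", "action": "dst-nat", "protocol": "tcp", "dst_port": 80,
       "to_addresses": "192.168.88.249", "to_ports": 80}
NAT_BAD = [WEB]                                        # what the OP added: no in-interface
NAT_GOOD = [dict(WEB, in_interface="ether1-gateway")]  # only WAN-arriving traffic is redirected

LAN_BROWSE = {"in_interface": "ether2", "dst_address": "198.51.100.7",  # LAN client -> a web site
              "protocol": "tcp", "dst_port": 80, "connection_state": "new"}
WAN_VISIT = {"in_interface": "ether1-gateway", "dst_address": "203.0.113.10",  # Internet -> WAN IP
             "protocol": "tcp", "dst_port": 80, "connection_state": "new"}
```

Running `process(NAT_BAD, FILTER, LAN_BROWSE)` shows the LAN client's web request being rewritten to 192.168.88.249, which is exactly the "kills all internet traffic" symptom; with `NAT_GOOD` the same packet leaves untouched, and moving the forward accept below the drop rule makes the WAN visit get dropped.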