Problem with Port Forward

Hi,

I'm trying to forward port 80. I got a /29 net from my ISP.
I can reach the Router of my ISP via 99.99.99.121 (example IP)

[admin@MikroTik] > /ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 1 A S  0.0.0.0/0                          83.236.242.121            1
 2 ADC  10.20.50.0/24      10.20.50.6      ether1                    0
 3 ADC  99.99.99.120/29    99.99.99.122    ether7                    0
 4 ADC  172.16.10.0/24     172.16.10.45    ether2                    0

 
 [admin@MikroTik] > /ip firewall nat print 
Flags: X - disabled, I - invalid, D - dynamic 

    chain=dstnat action=dst-nat to-addresses=172.16.10.18 to-ports=80 protocol=tcp dst-address=99.99.99.123 dst-port=80 
 

 [admin@MikroTik] > /ip address print
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE                                                                                                                                    
 0   10.20.50.1/24      10.20.50.0      ether1                                                                                                                                       
 1   172.16.10.1/24     172.16.10.0     ether2                                                                                                                                       
 2   99.99.99.120/29    99.99.99.120    ether7

I don't get what I've done wrong; maybe someone can find what's wrong here.

Is the ip 99.99.99.122 or 99.99.99.123? Usually the pref-src is the ip assigned to the interface.

/ip route
3 ADC 99.99.99.120/29 99.99.99.122 ether7 0

/ip firewall nat
chain=dstnat action=dst-nat to-addresses=172.16.10.18 to-ports=80 protocol=tcp dst-address=99.99.99.123 dst-port=80

Hi Tim,

The 99.99.99.122 is an IP they get SNAT, and for surfing.

The 99.99.99.123 is at the router on a separate port, for DMZ, and the IPs are from a /29 IP block.

99.99.99.121 is in this case my gateway, because the ISP doesn't give out PPPoE settings.

Anything in your “/ip firewall filter” that might block it?

Nope, I cleared it all up :)

OK. What does this mean by “separate port”? Port like port 80? Or port like interface?

The 99.99.99.123 is at the router on a separate port, for DMZ, and the IPs are from a /29 IP block.

…and this?

/ip address
2 99.99.99.120/29 99.99.99.120 ether7

I see no other ip assignment.

Oh, with port I mean interface; we mainly call it port here in Germany.

Interface 1: Internal Network, 10.20.50.0/24
Interface 2: DMZ (With the DNAT Problem)

Interface 7: Uplink to the Router of our ISP, the Router has 99.99.99.121 as IP.

The Internet connection works with SNAT and I'm using 99.99.99.122 as the IP here, but the webserver should be reachable on 99.99.99.123.

So you have 99.99.99.123/29 assigned to ether7 also? That did not show on your “/ip address”. All I saw is this, and that does not look right.

2 99.99.99.120/29 99.99.99.120 ether7

Can you ping 99.99.99.123?

No, I assigned 99.99.99.120/29 to ether7 (uplink to the router of the ISP), because the ISP uses 99.99.99.121 as gateway for his router, so I'm using 99.99.99.122 for interface 1 and SNAT.

DNAT has to work with 99.99.99.123, but here's the problem.

And 99.99.99.123 isn't pingable.

Can you ping 99.99.99.122? I don’t see it assigned to that interface either.

Is there something special about your ISP connection?

Yes, I can ping 99.99.99.122; in addresses I added with gateway 122. Look at the routes, it routes to 121.

I'm sure the problem is in the assignment of 123 to interface 7, because the DNAT settings look good.

Post “/ip address”.

[admin@MikroTik] > /ip address print
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE                                                                                                                                    
 0   10.20.50.1/24      10.20.50.0      ether1                                                                                                                                       
 1   172.16.10.1/24     172.16.10.0     ether2                                                                                                                                       
 2   99.99.99.120/29    99.99.99.120    ether7

Where is the assignment for 99.99.99.122? Where is the assignment for 99.99.99.123?

I see only 99.99.99.120 assigned to that interface. Is there something else about your ISP connection that would be out of the ordinary?

Yes, but the 99.99.99.120/29 has the gateway at the MikroTik router on 99.99.99.122 and on the router of the ISP on 99.99.99.121.

Where is 99.99.99.122 assigned? Not in “/ip address” on that router. ??

Yes, it's assigned on the router via IP addresses; the 122 works as gateway address.

I don’t see that in “/ip address” that you posted for that router.

You see this only in the route with pref source.

Why? It should show the correct ip and subnet in “/ip address”, and it does. 99.99.99.120/29

Here is what I expected to see:

[admin@MikroTik] > /ip address print
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE                                                                                                                                    
 0   10.20.50.1/24      10.20.50.0      ether1                                                                                                                                       
 1   172.16.10.1/24     172.16.10.0     ether2                                                                                                                                       
 2   99.99.99.122/29    99.99.99.120    ether7

 3   99.99.99.123/29    99.99.99.120    ether7

Add: If you are using a masquerade in “/ip firewall nat”, you must change that to a srcnat to ensure it “masquerades” as the correct ip.

/ip firewall nat
add chain=srcnat action=src-nat to-addresses=99.99.99.122 out-interface=ether7
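
Added example, not part of the original thread: a small Python check that applies the two points raised above to pasted RouterOS output, flagging an interface address that is the subnet's network or broadcast address and a dst-nat rule whose dst-address is not assigned on the router. The function names and the simplified row parser are assumptions for illustration, and the sample text is constructed from the values posted in the thread.

```python
import ipaddress
import re

# Constructed sample input, modelled on the "/ip address print" rows and the
# dst-nat rule posted in the thread (99.99.99.x are the thread's example IPs).
ADDRESS_PRINT = """\
 0   10.20.50.1/24      10.20.50.0      ether1
 1   172.16.10.1/24     172.16.10.0     ether2
 2   99.99.99.120/29    99.99.99.120    ether7
"""
NAT_RULE = ("chain=dstnat action=dst-nat to-addresses=172.16.10.18 to-ports=80 "
            "protocol=tcp dst-address=99.99.99.123 dst-port=80")

ROW = re.compile(r"\s*\d+\s+(?:[XID]\s+)?(\d+\.\d+\.\d+\.\d+/\d+)\s+\S+\s+(\S+)")


def parse_addresses(text):
    """Return [(IPv4Interface, interface_name)] from '/ip address print' rows."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append((ipaddress.ip_interface(m.group(1)), m.group(2)))
    return rows


def audit(address_text, nat_rule):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    addrs = parse_addresses(address_text)
    for iface, name in addrs:
        net = iface.network
        # On /30 and shorter prefixes the first and last addresses are not host addresses.
        if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
            findings.append(f"{iface} on {name} is a network/broadcast address, not a host address")
    # Assumes dst-address is a single IP, as in the thread's rule (no ranges or subnets).
    fields = dict(kv.split("=", 1) for kv in nat_rule.split() if "=" in kv)
    if fields.get("action") == "dst-nat" and "dst-address" in fields:
        dst = ipaddress.ip_address(fields["dst-address"])
        if all(iface.ip != dst for iface, _ in addrs):
            findings.append(f"dst-nat dst-address {dst} is not assigned to any interface")
    return findings


if __name__ == "__main__":
    for finding in audit(ADDRESS_PRINT, NAT_RULE):
        print(finding)
```
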