That’s right
An optical fiber ONT box is arriving and is connected to port ether7 (vlan832-orange)
Then the only absolutely required srcnat rule is:
/ip firewall nat
add action=masquerade chain=srcnat out-interface=vlan832-orange
With this, your internet access should work and remote addresses on the NAS should show correctly. If not, then something does not make sense.
With just this one rule, you won’t be able to connect to your forwarded ports (80,98,443,8443) on your public address 90.12.x.x from your internal network. To be able to do that, you need the rule from Pea’s post:
/ip firewall nat
add action=masquerade chain=srcnat dst-address=192.168.1.198 protocol=tcp src-address=192.168.0.0/16 comment="LAN to Synology"
It seems you have a bridge in your router, so what is that? In your routing table you have 192.168.1.0 reachable from the bridge! I still recommend you post your router configuration with hide-sensitive; maybe it's not about NAT at all because you are bridging some devices. Also, disabling your NAT didn't work.
Hello
The problem is the same
How do I export my configuration?
In Winbox go to New Terminal and type this command: export hide-sensitive
And don't forget to secure (hide) your router's sensitive information such as public IPs.
Hello everyone,
Here are the topics that may interest you
Ask if you need
# mar/30/2016 16:57:52 by RouterOS 6.34.2
# software id = SPEA-6527
#
/interface bridge
add comment=Livebox mtu=1500 name=br-livebox
add name=bridge1
/interface ethernet
set [ find default-name=ether1 ] comment="PC Asus"
set [ find default-name=ether2 ] comment="Inoccupé"
set [ find default-name=ether3 ] comment=Serveur
set [ find default-name=ether4 ] comment="Inoccupé"
set [ find default-name=ether5 ] comment=Livebox
set [ find default-name=ether6 ] comment="Unifi Wifi"
set [ find default-name=ether7 ] comment="Boitier ONT (Optical Network Terminal)"
set [ find default-name=ether8 ] comment="Inoccupé"
set [ find default-name=sfp-sfpplus1 ] comment="Port SFP-Plus" disabled=yes name=sfp-plus
set [ find default-name=sfp1 ] comment="Port SFP" disabled=yes
/ip neighbor discovery
set ether1 comment="PC Asus"
set ether2 comment="Inoccupé"
set ether3 comment=Serveur
set ether4 comment="Inoccupé"
set ether5 comment=Livebox
set ether6 comment="Unifi Wifi"
set ether7 comment="Boitier ONT (Optical Network Terminal)"
set ether8 comment="Inoccupé"
set sfp-plus comment="Port SFP-Plus"
set sfp1 comment="Port SFP"
set br-livebox comment=Livebox
/interface vlan
add comment=vlan832-livebox interface=ether5 name=vlan832-livebox vlan-id=832
add comment=vlan832-orange interface=ether7 name=vlan832-orange vlan-id=832
add comment="VOD Livebox" disabled=yes interface=ether5 name=vlan838-livebox vlan-id=838
add comment="TV Livebox" disabled=yes interface=ether5 name=vlan840-livebox vlan-id=840
add comment="VoIP Livebox" disabled=yes interface=ether5 name=vlan851-livebox vlan-id=851
add comment="VoIP Orange" disabled=yes interface=ether7 name=vlan851-orange vlan-id=851
/ip neighbor discovery
set vlan832-livebox comment=vlan832-livebox
set vlan832-orange comment=vlan832-orange
set vlan838-livebox comment="VOD Livebox"
set vlan840-livebox comment="TV Livebox"
set vlan851-livebox comment="VoIP Livebox"
set vlan851-orange comment="VoIP Orange"
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc
/ip pool
add name=dhcp ranges=192.168.1.100-192.168.1.200
add name=livebox ranges=192.168.2.20-192.168.2.200
/ip dhcp-server
add address-pool=dhcp authoritative=yes disabled=no interface=bridge1 lease-time=1w name=LAN
add address-pool=livebox authoritative=yes disabled=no interface=vlan832-livebox lease-time=1w name=Livebox
/interface bridge port
add bridge=br-livebox comment="Déactivé car pas nécessaire" disabled=yes interface=vlan851-livebox
add bridge=br-livebox interface=vlan838-livebox
add bridge=br-livebox interface=vlan840-livebox
add bridge=bridge1 comment="PC Asus" interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 comment=Serveur interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 comment=Livebox interface=ether5
add bridge=bridge1 comment="Wifi Ubiquity" interface=ether6
add bridge=bridge1 comment="Boitier ONT (Optical Network Terminal)" interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=sfp-plus
/ip address
add address=192.168.1.1/24 interface=ether1 network=192.168.1.0
add address=192.168.2.1/24 interface=vlan832-livebox network=192.168.2.0
/ip arp
add address=192.168.1.198 comment=Serveur interface=ether3 mac-address=0000000000000000
/ip dhcp-client
add dhcp-options=hostname,clientid,authsend,userclass,vendor-class-identifier disabled=no interface=vlan832-orange
add default-route-distance=0 dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server lease
add address=192.168.2.21 comment=Livebox dhcp-option=authsend,SIP mac-address=0000000000000000 server=Livebox
add address=192.168.1.198 client-id=1:0:11:32:1b:ec:b7 comment=Serveur mac-address=0000000000000000 server=LAN
add address=192.168.1.194 client-id=1:44:d9:e7:f6:d3:22 comment=WiFi mac-address=0000000000000000 server=LAN
add address=192.168.1.200 client-id=1:14:da:e9:25:6e:c0 comment=Asus mac-address=000000000000000000000 server=LAN
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.1.1 netmask=24
add address=192.168.2.0/24 dhcp-option=authsend,SIP dns-server=81.253.149.1,80.10.246.130 gateway=192.168.2.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip firewall address-list
add address=192.168.1.0/24 list=support
add address=192.168.2.0/24 list=support
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A" disabled=yes list=bogons
add address=127.0.0.0/16 comment="Loopback [RFC 3330]" list=bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B" disabled=yes list=bogons
add address=192.168.0.0/16 comment="Private[RFC 1918] - CLASS C" disabled=yes list=bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=bogons
add address=224.0.0.0/4 comment="MC, Class D, IANA" disabled=yes list=bogons
/ip firewall nat
add action=masquerade chain=srcnat comment="Nat vlan832-orange" log-prefix=vlan832-orange out-interface=!vlan832-orange to-addresses=0.0.0.0
add action=masquerade chain=srcnat comment="Nat All Ethernet" log-prefix="Port Ethernet" out-interface=!all-ethernet
add action=jump chain=dstnat dst-address=!192.168.0.0/16 dst-address-type=local jump-target=pinholes log-prefix=Voir-192.168.0.0
add action=dst-nat chain=pinholes comment=Photo-Station dst-port=80,443 log=yes log-prefix="Port 80-443" protocol=tcp to-addresses=192.168.1.198
add action=dst-nat chain=pinholes dst-port=98,8443 log=yes log-prefix="Port 98-8443" protocol=tcp to-addresses=192.168.1.198
add action=dst-nat chain=dstnat dst-port=5000 log=yes log-prefix="Port 5000" protocol=tcp to-addresses=192.168.1.198 to-ports=5000
/ip route
add distance=1 gateway=192.168.1.1
/ip service
set telnet address=192.168.1.200/32 disabled=yes
set ftp address=192.168.1.200/32 disabled=yes
set ssh address=192.168.1.200/32 disabled=yes
set winbox address=192.168.1.200/32
/queue interface
set sfp-plus queue=ethernet-default
set sfp1 queue=ethernet-default
set ether1 queue=ethernet-default
set ether2 queue=ethernet-default
set ether3 queue=ethernet-default
set ether4 queue=ethernet-default
set ether5 queue=ethernet-default
set ether6 queue=ethernet-default
set ether7 queue=ethernet-default
set ether8 queue=ethernet-default
/system logging
add disabled=yes topics=dhcp
add topics=firewall
add disabled=yes topics=interface
add disabled=yes topics=account
add prefix=Critique topics=critical
/system resource irq rps
set sfp-plus disabled=no
set sfp1 disabled=no
set ether5 disabled=no
set ether6 disabled=no
set ether7 disabled=no
set ether8 disabled=no
/system routerboard settings
set cpu-frequency=1000MHz memory-frequency=1066DDR protected-routerboot=disabled
Change your NAT rules' priority: make sure all NAT rules about the Synology come first in your Firewall NAT list; you can easily drag them to the top in Winbox.
You are masquerading your Synology interface, so of course the router will replace the real addresses with its own IP.
Translation to English:
add action=masquerade chain=srcnat comment="Nat vlan832-orange" log-prefix=vlan832-orange out-interface=!vlan832-orange to-addresses=0.0.0.0
Masquerade any traffic if the outgoing interface is not vlan832-orange (“!” before an interface name means “not”). This changes all incoming connections from the internet to the NAS to look like they are coming from 192.168.1.1, because this rule matches any outgoing interface except WAN.
add action=masquerade chain=srcnat comment="Nat All Ethernet" log-prefix="Port Ethernet" out-interface=!all-ethernet
Masquerade any traffic if outgoing interface is not ethernet. This currently makes your internet work, because your WAN is VLAN and not ethernet.
Instead of those two, you need only one:
add action=masquerade chain=srcnat comment="Nat vlan832-orange" log-prefix=vlan832-orange out-interface=vlan832-orange
Masquerade any traffic if outgoing interface is vlan832-orange.
I’m also not sure why ether5 is part of bridge with all other ports, I’d say it shouldn’t be there, but it should not influence this.
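To make the two explanations above concrete (the hairpin rule from Pea's post and Sob's reading of the two negated masquerade rules), here is a small added example that models RouterOS srcnat matching and runs the thread's packets through the original rules, the single corrected rule, and the corrected rule plus the "LAN to Synology" hairpin rule. This is illustration code written for this thread, not RouterOS or anything from the posted export; the interface names and 192.168.1.x addresses are from the export, the public addresses 203.0.113.10 and 198.51.100.7 are constructed TEST-NET placeholders, and treating bridge1 as the outgoing interface toward the NAS is an assumption (192.168.1.1 sits on ether1, which is a bridge1 port).

```python
"""Toy model of RouterOS srcnat evaluation (first matching rule wins).

Constructed for the forum thread about the Synology NAS behind a RouterBOARD.
Only the matchers the thread uses are modelled: out-interface (with "!" negation
and the built-in all-ethernet list), src-address, dst-address and protocol.
masquerade is modelled as "rewrite source to the outgoing interface's address".
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Router addresses per outgoing interface.  The WAN address is a constructed
# TEST-NET-3 placeholder; 192.168.1.1 is the LAN address from the export.
ROUTER_ADDR = {
    "vlan832-orange": "203.0.113.10",  # constructed, stands in for 90.12.x.x
    "bridge1": "192.168.1.1",          # assumption: LAN side exits via bridge1
}
NAS = "192.168.1.198"

# RouterOS built-in interface list; membership taken from the posted export.
INTERFACE_LISTS = {
    "all-ethernet": {f"ether{i}" for i in range(1, 9)} | {"sfp1", "sfp-plus"},
}


def _iface_in(name_or_list: str, iface: str) -> bool:
    """True if iface is the named interface or a member of the named list."""
    return iface in INTERFACE_LISTS.get(name_or_list, {name_or_list})


@dataclass
class Packet:
    src: str
    dst: str          # destination after dst-nat, i.e. the real target
    out_iface: str    # interface the router will forward the packet out of
    proto: str = "tcp"


@dataclass
class SrcNatRule:
    comment: str
    out_iface: Optional[str] = None   # "vlan832-orange" or "!vlan832-orange"
    src_net: Optional[str] = None     # e.g. "192.168.0.0/16"
    dst_addr: Optional[str] = None
    proto: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        if self.out_iface is not None:
            negate = self.out_iface.startswith("!")
            target = self.out_iface[1:] if negate else self.out_iface
            # A plain match must hit; a "!" match must miss.
            if _iface_in(target, pkt.out_iface) == negate:
                return False
        if self.src_net and ip_address(pkt.src) not in ip_network(self.src_net):
            return False
        if self.dst_addr and pkt.dst != self.dst_addr:
            return False
        if self.proto and pkt.proto != self.proto:
            return False
        return True


def apply_srcnat(rules: List[SrcNatRule], pkt: Packet) -> Tuple[str, Optional[str]]:
    """Return (source address after NAT, comment of the rule that fired)."""
    for rule in rules:            # RouterOS walks the chain top-down
        if rule.matches(pkt):
            return ROUTER_ADDR[pkt.out_iface], rule.comment
    return pkt.src, None          # no masquerade: source left untouched


# The two rules from the posted export, as Sob reads them.
ORIGINAL_RULES = [
    SrcNatRule("Nat vlan832-orange", out_iface="!vlan832-orange"),
    SrcNatRule("Nat All Ethernet", out_iface="!all-ethernet"),
]
# The single rule Sob proposes instead.
FIXED_RULES = [SrcNatRule("Nat vlan832-orange", out_iface="vlan832-orange")]
# Fixed rule plus the hairpin rule from Pea's post, so LAN clients can use
# the forwarded ports via the public address.
HAIRPIN_RULES = FIXED_RULES + [
    SrcNatRule("LAN to Synology", src_net="192.168.0.0/16", dst_addr=NAS, proto="tcp"),
]

# Constructed traffic: an internet client reaching a forwarded port on the NAS,
# a LAN client going out to the internet, and a LAN client hairpinning to the NAS.
INTERNET_TO_NAS = Packet("198.51.100.7", NAS, "bridge1")
LAN_TO_INTERNET = Packet("192.168.1.200", "198.51.100.7", "vlan832-orange")
LAN_TO_NAS = Packet("192.168.1.200", NAS, "bridge1")

if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL_RULES), ("fixed", FIXED_RULES),
                         ("fixed+hairpin", HAIRPIN_RULES)):
        for pkt in (INTERNET_TO_NAS, LAN_TO_INTERNET, LAN_TO_NAS):
            new_src, fired = apply_srcnat(rules, pkt)
            print(f"{label:14} {pkt.src:>14} -> {pkt.dst:<14} out {pkt.out_iface:<14} "
                  f"src becomes {new_src:<14} ({fired})")
```

With the original rules, the internet client's packet to the NAS leaves via bridge1, which is "not vlan832-orange", so the first rule fires and the NAS sees 192.168.1.1; internet access still works only because the second rule catches the VLAN WAN. With the single corrected rule the NAS sees the real remote address, and the hairpin rule is what makes a LAN client's connection to the forwarded ports come back through the router instead of being answered directly by the NAS.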
Hello Sob
Well, I think you found the solution
This little check box next to the name was activated
So I disabled this check box and did some tests
And, a miracle: in the server log I see the public IP of my tablet
I also did a test on Photo Station, same thing.
I'm going to do more thorough tests tomorrow
I want to thank you all for your help and your patience
Claude