SRC or DST

tadpole · November 12, 2013, 2:46pm

Hi all,
I can figure out how to use this darn SRC or DST address thing, if i have a port setup to forward to a specific IP can i limit it to 2 IP address only? And would it be under SRC or DST address under NAT or Mangle…or both?

Actually is this doable or have i missed the plot?

Setup is as follows

RB750-1 - IP 192.168.88.200 (eth1)
IP 192.168.1.2 (eth5)
PF on port 5900 to go to 192.168.1.5 from ether1 to ether5 (eth5 connects to a switch which is connected to RB750-2)

PC 192.168.1.5
RB750-2 - IP 192.168.1.1 (eth1)
PF setup for VNC to go out via one of two adsl modems (eth2) using PCC

I have tried forwarding to both devices, Im sure this is simple, Do i pf to the RB750-2 or the PC itself, and once its there do i mark it with different routing mark and route it back to the RB750-1? If my thinking is right…where should i start?

SoroushSoltani · November 12, 2013, 9:18pm

If you need to redirect x.x.x.x to y.y.y.y you need to do :

IP > Firewall > NAT

General Tab :
Chain : dstnat
Dest. Address : x.x.x.x

Action Tab :
Action : dst-nat
to Addresses : y.y.y.y

you’re able to configure which ports allowed for forwarding(dest-nat) .

Thanks .

tadpole · November 13, 2013, 3:54pm

Hi Soroush!
Thanks for the reply,

I couldnt get any traffic to pass with the IP specified, but it would start when i set it to the ethernet port, is this a routing issue maybe? Basicially i want to make this darn PC accessible from ether1 and im on ether5. The two networks are separate but i can ping everything from RB and the RB from each PC.

RB1 (192.168.88.200-eth1 192.168.1.237-eth5)

/ip firewall nat
add action=dst-nat chain=dstnat comment="VNC" dst-port=5900 in-interface=\
    ether5 protocol=tcp to-addresses=192.168.1.5 to-ports=5900

RB2
NAT

add action=mark-routing chain=prerouting comment=vnc-5900 disabled=yes \
    in-interface=ether10-LAN new-routing-mark=vnc-5900 passthrough=no protocol=\
    tcp src-port=5900

Mangle

add action=dst-nat chain=dstnat comment="VNC" disabled=yes dst-port=\
    5900 in-interface=ether10-LAN protocol=tcp to-addresses=192.168.1.5 \
    to-ports=5900

IP Route

add check-gateway=ping comment="VNC 5900" distance=1
gateway=192.168.1.237

I even tried sending the traffic to the 2nd networks Routerboard then NAT’d and mangled it with a route back to the IP it came from. I saw the packets even starting to go on the second routerboard but it wont come back to me, lol

Im probably overcomplicating this thing…