Where is my mistake?

drzen · November 20, 2007, 11:44am

Hi,

3 nic: lan, wan and dmz.
I want connect a server in dmz (internal ip 10.10.224.10) with external 200.200.200.107

I do these steps:

\

setup lan

/ip address add address=10.10.0.2/20 interface=lan

setup wan

/ip address add address=200.200.200.106/29 interface=wan

setup default gateway

/ip route add gateway=200.200.200.105

\

define nat for wan

/ip firewall nat add chain=srcnat action=masquerade out-interface=wan

\

here all lan' clients browse the web

\

setup dmz

/ip address add address=10.10.224.1/20 interface=dmz

/ip address add address=200.200.200.107/32 interface=wan

/ip firewall nat add chain=dstnat dst-address=200.200.200.107
action=dst-nat to-addresses=10.10.224.10
/ip firewall nat add chain=srcnat src-address=10.10.224.10
action=src-nat to-addresses=200.200.200.107

But:

the server can ping internet
the server is reached from lan
the server can't be reached (pinged or telnet) from internet

May you help me?

Thanks in advance
v.

andrewluck · November 20, 2007, 8:26pm

/ip address add address=200.200.200.107/32 interface=wan

This is incorrect. The subnet should be /29

Regards

Andrew

galaxynet · November 22, 2007, 1:00pm

drzen -
Actually you don’t need to add this to your WAN interface at all:

/ip address add address=200.200.200.107/32 interface=wan

Your dst and scr NAT rules (if placed correctly in the firewall) will cause the server you have to answer as expected.

Thom

drzen · November 26, 2007, 1:34pm

ok. I do the correct address.

/ip address add address=200.200.200.107/29 interface=wan2

(in my case the interface name is wan2)

but no result. Take a look of picture.

v.

galaxynet · November 26, 2007, 2:40pm

drzen -

Go in to terminal mode (you can do this in Winbox - new terminal).

Type this in and press return: /ip firewall nat print

Your output should look like this for your dst-nat rule:
chain=dstnat dst-address=200.200.200.107 action=dst-nat to-addresses=10.10.224.10
to-ports=0-65535

Post that here.

/ip address add address=200.200.200.107/29 interface=wan2

This IP address does NOT need to be put on any interface - your MT will see this come to it and will dst-nat it to the correct ‘internal’ IP address. This provided of course that 200.200.200.xx/29 is routed to your WAN2 interface by your upstream router (or by your upstream connectivity provider’s router…)

The order of your rules should also be changed. Dst-nat first, then the src-nat and then last should be your masq rule. Use Winbox, left click and hold mouse button on the masq rule, then drag it to the bottom. That should get your rule order correct.

Thom