irico
newbie
Topic Author
Posts: 47
Joined: Thu Nov 10, 2016 5:35 pm

Firewall filter/nat best practices

Fri Oct 05, 2018 6:59 pm

What is better? A NAT rule (dstnat) without src-address and a filter rule on forward chain with src-address or a NAT rule with src-address to limit access to a device on the LAN.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Firewall filter/nat best practices  [SOLVED]

Fri Oct 05, 2018 7:43 pm

It depends. If I'd need it only for one forwarded port, I'd do it in dstnat. Why let the packet pass, only to block it a moment later? If I'd need filtering for the target port and connections could come from different sources at the same time (from the internet using dstnat, from some other subnet, from VPN, ...), I'd probably choose forward, to have it all in one place.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Firewall filter/nat best practices

Mon Oct 08, 2018 10:18 pm

This is a very reasonable question for someone coming from many other routers to the MikroTik router.
The long and short of it is that MikroTik provides much more fidelity than your normal consumer router and many SOHO routers.

To answer your question, note that the NAT menu item is under the FIREWALL menu, not a separate choice.
All my destination NAT rules, where I know who requires access (and can limit the source WAN address), are delineated by a SOURCE ADDRESS LIST (typically more than one user).
Also here (in the NAT rules) is where you differentiate whether the incoming port from the user will actually go to a different server port (translation).
 
mkx
Forum Guru
Posts: 11433
Joined: Thu Mar 03, 2016 10:23 pm

Re: Firewall filter/nat best practices

Mon Oct 08, 2018 10:58 pm

In addition to what @Sob wrote: I find using src-address in dst-NAT translation also useful if the same port should be forwarded to different DMZ/LAN hosts depending on the remote host's IP address. E.g.:
/ip firewall nat
add action=dst-nat chain=dstnat comment="ssh from remote1 goes to LAN1" in-interface-list=WAN dst-port=22 protocol=tcp src-address=1.2.3.4 to-addresses=192.168.1.12
add action=dst-nat chain=dstnat comment="ssh from remote2 goes to LAN2" in-interface-list=WAN dst-port=22 protocol=tcp src-address=2.3.4.5 to-addresses=10.11.12.13
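
The two approaches from Sob's answer side by side, as an added RouterOS configuration example that is not part of any post above. It assumes an interface list named WAN, a LAN server at 192.168.1.12, a constructed remote address 1.2.3.4, an assumed VPN client subnet 10.99.0.0/24, and an address list named remote-admins; only one of the two options should be applied on a real router.

```routeros
# Option A: single forwarded port, restricted in dstnat itself.
# Packets from any other source never match the dst-nat rule, so
# they keep the router's own WAN address as destination and are
# handled by the input chain (which drops them in a default setup).
/ip firewall nat
add chain=dstnat in-interface-list=WAN protocol=tcp dst-port=22 \
    src-address=1.2.3.4 action=dst-nat to-addresses=192.168.1.12 \
    to-ports=22 comment="Option A: only 1.2.3.4 may reach LAN ssh"

# Option A still needs the forward chain to let dst-natted
# connections through; the default RouterOS firewall does this by
# dropping new WAN connections that were NOT dst-natted.
/ip firewall filter
add chain=forward action=accept connection-state=established,related,untracked
add chain=forward action=drop connection-state=invalid
add chain=forward action=drop connection-state=new \
    connection-nat-state=!dstnat in-interface-list=WAN \
    comment="drop everything from WAN that was not explicitly forwarded"

# Option B: several sources (internet, VPN, another subnet) for the
# same target port. The dst-nat rule is open to any source, and the
# decision who may connect lives in one place: the forward chain,
# keyed on an address list. Note that in the forward chain the
# destination is already the translated LAN address.
/ip firewall address-list
add list=remote-admins address=1.2.3.4 comment="constructed example address"
add list=remote-admins address=10.99.0.0/24 comment="assumed VPN client subnet"

/ip firewall nat
add chain=dstnat in-interface-list=WAN protocol=tcp dst-port=22 \
    action=dst-nat to-addresses=192.168.1.12 to-ports=22 \
    comment="Option B: translate, filtering happens in forward"

/ip firewall filter
add chain=forward action=accept connection-state=established,related,untracked
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept connection-state=new protocol=tcp \
    dst-address=192.168.1.12 dst-port=22 src-address-list=remote-admins \
    comment="Option B: ssh to LAN server only from listed sources"
add chain=forward action=drop connection-state=new protocol=tcp \
    dst-address=192.168.1.12 dst-port=22 \
    comment="Option B: everyone else is dropped after translation"
add chain=forward action=drop connection-state=new \
    connection-nat-state=!dstnat in-interface-list=WAN
```

Rule order matters in both options: the established/related accept must come first, and in Option B the address-list accept must precede the matching drop. With Option B the same accept rule also covers VPN or other-subnet clients that reach 192.168.1.12 directly (without any NAT), which is the "all in one place" benefit Sob describes; with Option A those sources would each need their own rule elsewhere.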
