
hAP ac no Internet on LAN

Posted: Mon Feb 18, 2019 8:35 pm
by smccloud
I am in the process of setting up my hAP ac to replace my Meraki MX64. Initially, I had Internet access on it, but now I have lost it. I cannot think of a reason for this unless I have my NAT rules wrong.
# feb/18/2019 12:33:38 by RouterOS 6.43.12
# software id = RSZ9-Z8D6
#
# model = RouterBOARD 962UiGS-5HacT2HnT
# serial number = NOWAY
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=3390 protocol=tcp src-address=\
    216.251.177.50 to-addresses=172.16.6.11 to-ports=3389
add action=dst-nat chain=dstnat dst-port=32400 protocol=tcp to-addresses=\
    172.16.6.2 to-ports=32400
add action=dst-nat chain=dstnat dst-port=51413 protocol=tcp to-addresses=\
    172.16.6.2 to-ports=51413
add action=dst-nat chain=dstnat dst-port=51413 protocol=udp to-addresses=\
    172.16.6.2 to-ports=51413
add action=dst-nat chain=dstnat dst-port=5631 protocol=tcp to-addresses=\
    172.16.6.2 to-ports=22
add action=dst-nat chain=dstnat disabled=yes dst-port=443 protocol=tcp \
    to-addresses=172.16.6.2 to-ports=443
add action=dst-nat chain=dstnat dst-port=55555 protocol=udp to-addresses=\
    172.16.6.2 to-ports=55555
add action=dst-nat chain=dstnat dst-port=8100 protocol=tcp to-addresses=\
    172.16.6.7 to-ports=80
Do I have my NAT wrong? Internet came back when I disabled the port 443 one.

Re: hAP ac no Internet on LAN

Posted: Mon Feb 18, 2019 8:58 pm
by proximus
Include an "in-interface=<Your WAN Interface>" parameter. As it is, the destination 443 rule is catching all 443 traffic.

Re: hAP ac no Internet on LAN

Posted: Mon Feb 18, 2019 9:05 pm
by smccloud
> Include an "in-interface=<Your WAN Interface>" parameter. As it is, the destination 443 rule is catching all 443 traffic.
That did it, thank you. I wish more guides online would have that included.

Re: hAP ac no Internet on LAN

Posted: Tue Feb 19, 2019 3:34 pm
by anav
I think the key here is to think of MT functionality as being general and not specific.
In other words destination NAT and source NAT do not mean exclusively from WAN to LAN and LAN to WAN.
It's simply a way of tracking packets coming into one interface and going to another interface.

Thus it's important to let the router know that the packets are coming in from the WAN side.......
Otherwise how is it to know??
Concur the examples in the WIKI are sheite in this regard.
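
An added example (not from the thread or from MikroTik): a small Python check that parses the `/ip firewall nat` section of a RouterOS export and lists dst-nat rules with no interface or address matcher, the condition that let the port 443 rule in this thread catch LAN traffic. The sample export is constructed, the function names are hypothetical, and the set of matchers treated as scoping is an assumption of this example.

```python
import re
import shlex

# Matchers that tie a dst-nat rule to an ingress side, a source or a
# destination address (assumption: any one of them counts as scoping).
SCOPE_KEYS = {"in-interface", "in-interface-list", "src-address",
              "src-address-list", "dst-address", "dst-address-list",
              "dst-address-type"}

# Constructed sample, modelled on the export format shown in the first post.
SAMPLE_EXPORT = r"""
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=3390 protocol=tcp src-address=\
    198.51.100.7 to-addresses=172.16.6.11 to-ports=3389
add action=dst-nat chain=dstnat disabled=yes dst-port=443 protocol=tcp \
    to-addresses=172.16.6.2 to-ports=443
add action=dst-nat chain=dstnat dst-port=8100 in-interface-list=WAN \
    protocol=tcp to-addresses=172.16.6.7 to-ports=80
add action=dst-nat chain=dstnat dst-port=51413 protocol=udp to-addresses=\
    172.16.6.2 to-ports=51413
"""

def parse_nat_rules(export_text):
    """Return one dict of key/value pairs per NAT rule in the export."""
    # The export wraps long lines with a trailing backslash, sometimes mid-token.
    joined = re.sub(r"\\\n[ \t]*", "", export_text)
    section, rules = None, []
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("/"):
            section = line  # e.g. "/ip firewall nat"
        elif section == "/ip firewall nat" and line.startswith("add "):
            # shlex keeps quoted values such as comment="..." in one token.
            tokens = shlex.split(line)[1:]
            rules.append(dict(tok.partition("=")[::2] for tok in tokens))
    return rules

def unscoped_dstnat(rules):
    """List (protocol, dst-port, disabled) for dst-nat rules with no scope."""
    findings = []
    for rule in rules:
        is_dstnat = rule.get("action") == "dst-nat" and rule.get("chain") == "dstnat"
        if is_dstnat and SCOPE_KEYS.isdisjoint(rule):
            findings.append((rule.get("protocol"), rule.get("dst-port"),
                             rule.get("disabled") == "yes"))
    return findings

if __name__ == "__main__":
    for proto, port, disabled in unscoped_dstnat(parse_nat_rules(SAMPLE_EXPORT)):
        print(f"{proto}/{port}: no interface or address matcher (disabled={disabled})")
```

Disabled rules are reported too, since re-enabling one brings the problem back.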

Re: hAP ac no Internet on LAN

Posted: Tue Feb 19, 2019 4:12 pm
by smccloud
Still trying to get IPv6 working, specifically DNS. But I will figure it out.