ArthurC

Dst-nat don't work

Fri May 14, 2021 8:30 pm

Hey,
I believe that because of my routing configuration, I can no longer use dst-nat to forward a port on the public IP to an internal service.

I have a RB750Gr3 and two WANs. I left it as shown in the configuration below but I can't find the error. What could be wrong?
/ip firewall nat
# Port-forward: inbound TCP/80 arriving on WAN 2 (pppoe-out1) -> 10.0.2.7:80.
# NOTE(review): this only rewrites the destination. The reply from 10.0.2.7 is
# routed by the main table, so unless the connection is marked and routed back
# out pppoe-out1 it leaves via the distance=1 WAN 1 default route below. The
# mangle rules that would do that marking are not part of this snippet.
add action=dst-nat chain=dstnat comment="WEB TEST" dst-port=80 \
    in-interface=pppoe-out1 protocol=tcp to-addresses=10.0.2.7 to-ports=80
# Outbound NAT per WAN. src-address=0.0.0.0/0 matches everything and is redundant.
add action=masquerade chain=srcnat comment="MASQUERADE WAN 2 PPoE" \
    out-interface=pppoe-out1 src-address=0.0.0.0/0
add action=masquerade chain=srcnat comment="MASQUERADE WAN 1" \
    out-interface=ether3 src-address=0.0.0.0/0

/ip route
# Policy route: connections carrying routing-mark wan_pppoe exit via WAN 2.
add comment="Route VPN" distance=1 gateway=pppoe-out1 routing-mark=wan_pppoe
# Recursive failover: both defaults point at a remote /32 rather than a next hop,
# and check-gateway=ping pings that address. WAN 1 is preferred (distance=1),
# WAN 2 is the backup (distance=2).
# NOTE(review): comment values containing spaces must be quoted ("..."); the two
# unquoted comments below would not import as written (hand-edited paste?).
add check-gateway=ping comment=Default route WAN 1 distance=1 gateway=\
    208.67.222.222
add check-gateway=ping comment=Default route Wan 2 [PUBLIC IP] distance=2 gateway=8.8.8.8
# Monitor /32s that make the recursive defaults resolvable; scope=10 lets the
# defaults' target-scope reach them.
add comment="Failover ping - WAN 2" distance=1 dst-address=8.8.8.8/32 gateway=\
    172.30.99.1 scope=10
add comment="Failover ping - WAN 1" distance=1 dst-address=208.67.222.222/32 \
    gateway=192.168.1.254 scope=10
I set up a VPN server and a failover system. Would the problem be with the failover rules?
 
ArthurC

Re: Dst-nat don't work

Wed May 19, 2021 4:58 pm

Can someone help me? :(
 
Cablenut9

Re: Dst-nat don't work

Wed May 19, 2021 5:03 pm

Do this:
# Dumps the running configuration with passwords and keys stripped, so it can be pasted publicly.
/export hide-sensitive
 
ArthurC

Re: Dst-nat don't work

Wed May 19, 2021 5:39 pm

Do this:
/export hide-sensitive

 # may/19/2021 11:40:07 by RouterOS 6.48.2
#
# model = RB750Gr3
/interface bridge
# LAN bridge (ether1/4/5 are its ports, see /interface bridge port). proxy-arp is
# presumably there for the PPP/VPN clients the VPN profile bridges onto it — confirm.
add arp=proxy-arp comment="INTRANET BRIDGE" name=bridge1
/interface ethernet
# ether2 = WAN 2 (PPPoE, public IP); ether3 = WAN 1 (DHCP client); ether1/4/5 = LAN.
set [ find default-name=ether1 ] 
set [ find default-name=ether2 ] comment="Wan 2 PPPoE [Public IP]"
set [ find default-name=ether3 ] comment="Wan 1 [Main]"
set [ find default-name=ether4 ] 
set [ find default-name=ether5 ]

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
# LAN DHCP pool: 10.0.0.2-10.0.3.254 inside 10.0.0.0/22 (the router itself is 10.0.0.1).
add name=dhcp_pool0 ranges=10.0.0.2-10.0.3.254
# NOTE(review): the VPN profile below references remote-address=POOLVPN, but this
# pool is named POOL_VPN (with underscore). Unless a pool called POOLVPN exists
# outside this export, VPN clients will not be assigned an address — check the name.
add name=POOL_VPN ranges=192.168.10.2-192.168.10.253

/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=bridge1 lease-time=1h name=\
    dhcp1

/ppp profile
# Profile for VPN users (the OVPN/L2TP/PPTP servers default to it). Clients are
# bridged onto the LAN bridge; use-encryption=required refuses unencrypted PPP.
add bridge=bridge1 local-address=192.168.10.50 name=VPN remote-address=\
    POOLVPN use-encryption=required
# Profile for the WAN 2 PPPoE client. on-up installs a /32 to 8.8.8.8 via the
# PPPoE peer ($"remote-address") so the WAN 2 default route's check-gateway=ping
# has a path; on-down removes every route carrying the MONITORAMENTO-CONEXAO
# comment. ("/ip rout" and "ds=" are accepted abbreviations.)
add name=CONEXAO on-down=\
    "/ip rout remove [find comment=\"MONITORAMENTO-CONEXAO\"]" on-up="/ip rout\
    e add ds=8.8.8.8 gateway=\$\"remote-address\" scope=10 comment=MONITORAMEN\
    TO-CONEXAO"

/interface pppoe-client
# use-peer-dns=yes adds the ISP's resolvers as dynamic servers next to the static
# /ip dns list below. The password was stripped by hide-sensitive; the user name
# appears to have been redacted by the poster.
add comment="PPOE Wan 2" disabled=no interface=ether2 name=pppoe-out1 \
    profile=CONEXAO use-peer-dns=yes user=xxxxx

/user group
# Built-in "full" group policy (includes password, policy and sensitive). No /user
# entries appear in this export, so which accounts hold it cannot be seen here.
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"

/interface bridge port
add bridge=bridge1 comment= interface=ether1
add bridge=bridge1 comment= interface=ether5
add bridge=bridge1 comment= interface=ether4

/ip neighbor discovery-settings
# NOTE(review): "!dynamic" excludes only pppoe-out1; MNDP/LLDP still runs on
# ether3 (WAN 1) and ether2, advertising the router's identity and version toward
# the ISPs. Prefer a LAN-only interface list here.
set discover-interface-list=!dynamic

/interface detect-internet
set detect-interface-list=all

/interface l2tp-server server
# No enabled=yes is exported, so this server appears to be off. If it is ever
# turned on: chap/mschap1 are weak — allow only mschap2 and pair it with IPsec.
set authentication=chap,mschap1,mschap2 default-profile=VPN \
    keepalive-timeout=disabled one-session-per-host=yes

/interface ovpn-server server
# Enabled, and client certificates are mandatory (good). RouterOS 6 OVPN is TCP
# only, which matches the tcp/1194 accept in /ip firewall filter below.
set auth=sha1 certificate=servidor cipher=aes256 default-profile=VPN \
    enabled=yes require-client-certificate=yes

/interface pptp-server server
# No enabled=yes is exported, so this appears to be off. Keep it off: PPTP/MPPE
# is broken and pap sends passwords in clear text.
set authentication=pap,chap,mschap1,mschap2 default-profile=VPN

/ip address
add address=10.0.0.1/22 comment="INTRANET" interface=bridge1 network=\
    10.0.0.0

/ip dhcp-client
# WAN 1 gets its address by DHCP, but add-default-route=no: the default is the
# static recursive route in /ip route. The script installs a /32 to the monitor
# target 208.67.222.222 via the DHCP gateway — but only when no such route exists
# yet, so if the ISP gateway ever changes the old /32 (and with it WAN 1 failover
# detection) goes stale. NOTE(review): remove and re-add it on every lease, or
# check that the existing route's gateway equals $"gateway-address".
add add-default-route=no disabled=no interface=ether3 script=":local IP \"208.\
    67.222.222/32\"\r\
    \n:if ([/ip route print count-only where dst-address=\$IP]=0) do={/ip rout\
    e add dst-address=\$IP gateway=\$\"gateway-address\" scope=10}" \
    use-peer-dns=no use-peer-ntp=no

/ip dhcp-server lease

/ip dhcp-server network
# LAN clients resolve via 10.0.0.2 (internal resolver) first, then public resolvers.
add address=10.0.0.0/22 dns-server=10.0.0.2,208.67.222.222,8.8.8.8,4.2.2.1 \
    domain=LOCALDOMAIN gateway=10.0.0.1

/ip dns
set servers=10.0.0.2,208.67.222.222,4.2.2.1

/ip firewall address-list
# NOTE(review): the range is inverted (end 10.0.0.3 is below start 10.0.3.243) —
# likely a typo — and nothing in this export references NAT-LIST.
add address=10.0.3.243-10.0.0.3 list=NAT-LIST

/ip firewall filter
# NOTE(review): this is the only filter rule. With no drop rules in the input or
# forward chains RouterOS accepts everything, so this accept does nothing on its
# own, and the router (winbox included) and the whole LAN are reachable from both
# WANs. Add the usual baseline — input: accept established/related, drop invalid,
# accept from 10.0.0.0/22, drop everything else; forward: accept established/
# related, drop invalid, accept LAN->WAN, accept connection-nat-state=dstnat,
# drop everything else — and keep this accept above the final input drop.
add action=accept chain=input comment=OpenVPN dst-port=1194 protocol=tcp

/ip firewall mangle
# Leave LAN-to-LAN traffic unmarked.
add action=accept chain=prerouting comment="BYPASS INTRANET" dst-address=\
    10.0.0.0/22 src-address=10.0.0.0/22
# NOTE(review): this is the likely reason the dst-nat "does not work". Connections
# are marked only in chain=input (traffic addressed to the router itself) and
# routing-marked only in chain=output (the router's own replies). A dst-natted
# connection to 10.0.2.7 never traverses input/output — it goes prerouting ->
# forward -> postrouting — so the web server's replies fall through to the main
# table and leave via the distance=1 WAN 1 default instead of back out pppoe-out1,
# where the WAN 1 upstream is likely to drop them. Mark forwarded connections in
# prerouting as well, e.g.
#   add action=mark-connection chain=prerouting connection-state=new \
#       in-interface=pppoe-out1 new-connection-mark=conn_pppoe passthrough=yes
#   add action=mark-routing chain=prerouting connection-mark=conn_pppoe \
#       in-interface=bridge1 new-routing-mark=wan_pppoe passthrough=yes
# and keep the existing input/output pair for services on the router itself.
add action=mark-routing chain=output connection-mark=conn_pppoe \
    new-routing-mark=wan_pppoe passthrough=yes
add action=mark-connection chain=input connection-state=new in-interface=\
    pppoe-out1 new-connection-mark=conn_pppoe passthrough=yes
/ip firewall nat
# Port-forward: inbound tcp/80 on WAN 2 (pppoe-out1) -> 10.0.2.7:80. The rewrite
# itself is fine; whether replies return via WAN 2 depends on the mangle marks above.
add action=dst-nat chain=dstnat comment="Webservice test" dst-port=80 \
    in-interface=pppoe-out1 protocol=tcp to-addresses=10.0.2.7 to-ports=80

# Outbound NAT per WAN. src-address=0.0.0.0/0 matches everything and can be dropped.
add action=masquerade chain=srcnat comment="MASQUERADE WAN 2 PPoE" \
    out-interface=pppoe-out1 src-address=0.0.0.0/0
add action=masquerade chain=srcnat comment="MASQUERADE WAN 1" \
    out-interface=ether3 src-address=0.0.0.0/0

/ip route
# Policy route for connections carrying routing-mark wan_pppoe: exit via WAN 2.
add comment="Route VPN" distance=1 gateway=pppoe-out1 routing-mark=wan_pppoe
# Recursive failover: both defaults point at a remote /32 (not a next hop) and
# check-gateway=ping pings that address. When WAN 1's target stops answering, the
# distance=2 WAN 2 default takes over.
add check-gateway=ping comment=ROTA-PADRAO-OIFIBRA distance=1 gateway=\
    208.67.222.222
add check-gateway=ping comment=ROTA-PADRAO-CONEXAO distance=2 gateway=8.8.8.8
# Monitor /32s that make the recursive defaults resolvable (scope=10 matches the
# defaults' target-scope). The 8.8.8.8/32 one carries the comment the CONEXAO
# on-up script sets, so it appears to be script-created; the 208.67.222.222/32
# one is hard-coded to 192.168.1.254, and the DHCP-client script only adds a new
# one when none exists (see the staleness note there).
add comment=MONITORAMENTO-CONEXAO distance=1 dst-address=8.8.8.8/32 gateway=\
    172.30.99.1 scope=10
add comment=MONITORAMENTO-OIFIBRA distance=1 dst-address=208.67.222.222/32 \
    gateway=192.168.1.254 scope=10

/ip service
# Management hardening: telnet/ftp/www/ssh/api/api-ssl are off. winbox is not in
# this list and stays enabled; with the empty firewall above it is reachable from
# both WANs. NOTE(review): restrict it, e.g. `set winbox address=10.0.0.0/22`,
# in addition to adding input drop rules.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes

/ppp secret
# OVPN user; password removed by hide-sensitive, name apparently redacted by the poster.
add name=xxx profile=VPN service=ovpn

/system clock
set time-zone-name=America/Sao_Paulo
/system identity
set name="MK01" 
 
anav

Re: Dst-nat don't work

Wed May 19, 2021 6:59 pm

Comments:
(1) Not sure what this address list is used for, but the range looks wrong: the end address (10.0.0.3) is lower than the start (10.0.3.243). Typo?
/ip firewall address-list
add address=10.0.3.243-10.0.0.3 list=NAT-LIST

(2) With no drop rules in the input and forward chains everything is accepted by default — the router itself (WinBox included) and your LAN are directly exposed to the internet on both WANs!

(3) src-address=0.0.0.0/0 matches everything and is not required:
add action=masquerade chain=srcnat comment="MASQUERADE WAN 2 PPoE" \
out-interface=pppoe-out1 src-address=0.0.0.0/0
add action=masquerade chain=srcnat comment="MASQUERADE WAN 1" \
out-interface=ether3 src-address=0.0.0.0/0

(4) As to the question posed: destination NAT, in the port-forwarding sense, redirects requests arriving on the public IP to a server inside the intranet.
With an empty filter everything is accepted by default, so the firewall is not what is blocking it here; once you add proper drop rules, though, the forward chain needs an explicit accept for dst-natted traffic (connection-nat-state=dstnat) or the forward will stop working.

(5) The dst nat rule is misconfigured....
to-addresses=10.0.2.7 to-ports=80
