sevenman
just joined
Topic Author
Posts: 12
Joined: Tue Aug 10, 2021 6:21 pm

is my NAT config is ok?

Tue Aug 10, 2021 6:38 pm

Hello,
I want to make one local user go through a specific WAN IP address. I believe that this config will work.
It worked, but I want to know if there is any problem with it.

NOTE: I'm a new baby in the MikroTik world.

These are the updated settings:

IP > Address List
 #   ADDRESS             NETWORK          INTERFACE
 0   ;;; defconf
     192.168.4.1/24      192.168.4.0      bridge_Lan
 1   ;;; AIT_WAN
     10.151.000.14/30    10.151.000.12    ether1
 2   ;;; Routed Block
     118.179.000.73/29   118.179.000.72   bridge_Lan

The routed IP address block is something the ISP gave me. They set a point-to-point IP first to connect the radio devices together, and then use IP > Route like below.

IP > Route
 #      DST-ADDRESS         PREF-SRC         GATEWAY          DISTANCE
 0 A S  0.0.0.0/0                            10.151.000.13           1
 1 ADC  10.151.000.12/30    10.151.000.14    ether1                  0
 2 ADC  118.179.000.72/29   118.179.000.73   bridge_Lan              0
 3 ADC  192.168.4.0/24      192.168.4.1      bridge_Lan              0

IP > Firewall > NAT
chain=srcnat action=src-nat to-addresses=118.179.000.76 src-address=192.168.4.214 log=no log-prefix=""
chain=srcnat action=src-nat to-addresses=118.179.000.74 log=no log-prefix=""
chain=dstnat action=dst-nat to-addresses=192.168.4.208 to-ports=443 protocol=tcp dst-address=118.179.000.78 dst-port=443 log=no log-prefix=""
chain=dstnat action=dst-nat to-addresses=192.168.4.208 to-ports=80 protocol=tcp dst-address=118.179.000.78 dst-port=80 log=no log-prefix=""
And the first line of the NAT was my concern in this thread. Could you please tell me if it's fine or not.
Last edited by sevenman on Mon Aug 16, 2021 2:19 pm, edited 1 time in total.
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: is my NAT config is ok?

Wed Aug 11, 2021 2:39 am

/export hide-sensitive file=anynameyouwish
 
sevenman
just joined
Topic Author
Posts: 12
Joined: Tue Aug 10, 2021 6:21 pm

Re: is my NAT config is ok?

Wed Aug 11, 2021 7:04 am

> /export hide-sensitive file=anynameyouwish
As I'm a noob, it will be appreciated if you mention what your code does.
But I guess you did not make a comment about my question.
 
erkexzcx
Member Candidate
Posts: 263
Joined: Mon Oct 07, 2019 11:42 pm

Re: is my NAT config is ok?

Wed Aug 11, 2021 9:38 am

> /export hide-sensitive file=anynameyouwish
> As I'm a noob, it will be appreciated if you mention what your code does.

In WinBox, there is "Terminal". You can also access the terminal using SSH, Telnet, serial, etc. After running this command, a new file called "anynameyouwish" will appear, containing your exported config for you to show us.

Regarding your configuration:
  • MikroTik comes with a default configuration. Don't alter it unless you know what you are doing.
  • As a general recommendation - secure your router (including firewalls).
  • I would just use the simple & straightforward NAT rule below:
/ip firewall nat add action=masquerade chain=srcnat comment=NAT out-interface-list=WAN
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: is my NAT config is ok?

Wed Aug 11, 2021 2:27 pm

For a noob, you certainly took liberties to make up source NAT rules and god knows what else...... ;-=P

Running a command in the terminal is really easy in comparison, LOL.
The file will show up in the WinBox FILES selection, and then you simply download the text file to your PC etc.........

Also making the point that problems in a config are usually related to a number of areas of the config......
 
sevenman
just joined
Topic Author
Posts: 12
Joined: Tue Aug 10, 2021 6:21 pm

Re: is my NAT config is ok?

Fri Aug 13, 2021 1:51 pm

The community is very helpful and open to sharing knowledge.
# aug/13/2021 16:40:08 by RouterOS 6.48.3
# software id = YECP-330T
#
# model = 2011UiAS-2HnD
# serial number = 91E309B0B4DD
/interface bridge
add admin-mac=B8:69:F4:75:CF:FB auto-mac=no comment=defconf name=bridge_Lan
/interface ethernet
set [ find default-name=sfp1 ] disabled=yes
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    country=bangladesh distance=indoors frequency=auto installation=indoor \
    mode=ap-bridge name=wifi ssid="gggi Limited" wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk group-ciphers=\
    tkip,aes-ccm mode=dynamic-keys supplicant-identity=MikroTik \
    unicast-ciphers=tkip,aes-ccm
/ip pool
add name=dhcp ranges=192.168.4.2-192.168.4.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge_Lan name=dhcp1
/queue simple
add max-limit=10M/10M name=esx-wz target=192.168.4.207/32
add disabled=yes max-limit=1M/1M name=proxy-pc target=192.168.4.81/32
add max-limit=5M/5M name="MYA wifi router" target=192.168.4.249/32
/interface bridge port
add bridge=bridge_Lan comment=defconf interface=ether2
add bridge=bridge_Lan comment=defconf interface=ether3
add bridge=bridge_Lan comment=defconf interface=ether4
add bridge=bridge_Lan comment=defconf interface=ether5
add bridge=bridge_Lan comment=defconf interface=sfp1
add bridge=bridge_Lan comment=defconf interface=wifi
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge_Lan list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.4.1/24 comment=defconf interface=bridge_Lan network=\
    192.168.4.0
add address=1**.1**.**2.74/29 disabled=yes interface=bridge_Lan network=\
    1**.1**.**2.72
add address=10.151.43.14/30 comment=AIT_WAN interface=ether1 network=\
    10.151.43.12
add address=1**.1**.**2.78/29 disabled=yes interface=bridge_Lan network=\
    1**.1**.**2.72
add address=1**.1**.**2.75/29 disabled=yes interface=bridge_Lan network=\
    1**.1**.**2.72
add address=1**.1**.**2.76/29 disabled=yes interface=bridge_Lan network=\
    1**.1**.**2.72
add address=1**.1**.**2.77/29 disabled=yes interface=bridge_Lan network=\
    1**.1**.**2.72
add address=1**.1**.**2.73/29 comment="Routed Block " interface=bridge_Lan \
    network=1**.1**.**2.72
/ip arp
add address=192.168.4.102 interface=bridge_Lan mac-address=30:9C:23:AF:C9:D5
add address=192.168.4.101 interface=bridge_Lan mac-address=1C:1B:0D:0F:EF:35
add address=192.168.4.251 comment="gggi wifi router" interface=bridge_Lan \
    mac-address=80:26:89:01:32:C5
add address=192.168.4.252 comment=fileserver3 interface=bridge_Lan \
    mac-address=00:08:9B:F9:39:20
add address=192.168.4.250 comment="bv wifi router" interface=bridge_Lan \
    mac-address=84:16:F9:23:9D:C3
add address=192.168.4.249 comment="newaz wifi router" interface=bridge_Lan \
    mac-address=64:EE:B7:14:92:1E
add address=192.168.4.206 comment=esx-cam interface=bridge_Lan mac-address=\
    00:0C:29:A0:3A:E4
add address=192.168.4.204 comment=esx-omv interface=bridge_Lan mac-address=\
    00:0C:29:75:A2:33
add address=192.168.4.213 comment=esx-Rocket interface=bridge_Lan \
    mac-address=00:0C:29:D0:B2:E6
add address=192.168.4.221 comment=cam interface=bridge_Lan mac-address=\
    E0:62:90:8E:DA:A1
add address=192.168.4.208 comment=esx-disk.gggi interface=bridge_Lan \
    mac-address=00:0C:29:A3:59:D0
add address=192.168.4.209 comment=esxBak-omv interface=bridge_Lan \
    mac-address=00:0C:29:28:D5:91
add address=192.168.4.224 comment=cam interface=bridge_Lan mac-address=\
    EC:C8:9C:58:30:93
add address=192.168.4.225 comment=cam interface=bridge_Lan mac-address=\
    EC:C8:9C:76:57:CF
add address=192.168.4.223 comment=cam interface=bridge_Lan mac-address=\
    E0:62:90:BB:F5:71
add address=192.168.4.207 comment=esx-wz interface=bridge_Lan mac-address=\
    00:0C:29:73:7B:66
add address=192.168.4.210 comment=esx-ready3dmodels interface=bridge_Lan \
    mac-address=00:0C:29:9D:5B:13
add address=192.168.4.103 interface=bridge_Lan mac-address=40:8D:5C:E0:D2:B4
add address=192.168.4.104 interface=bridge_Lan mac-address=18:D6:C7:01:21:BC
add address=192.168.4.105 interface=bridge_Lan mac-address=C0:25:E9:0E:DF:13
add address=192.168.4.107 interface=bridge_Lan mac-address=50:3E:AA:10:74:BD
add address=192.168.4.106 interface=bridge_Lan mac-address=50:3E:AA:14:27:6A
add address=192.168.4.222 comment=cam interface=bridge_Lan mac-address=\
    E0:62:90:31:61:F7
add address=192.168.4.200 interface=bridge_Lan mac-address=F4:92:BF:36:00:5E
add address=192.168.4.201 interface=bridge_Lan mac-address=74:83:C2:E4:7C:E8
add address=192.168.4.211 comment=esx-proxy interface=bridge_Lan mac-address=\
    00:0C:29:3E:7C:C2
add address=192.168.4.212 comment=esx-Cloudron interface=bridge_Lan \
    mac-address=00:0C:29:A4:E5:CA
add address=192.168.4.205 comment=esx-UCS interface=bridge_Lan mac-address=\
    00:0C:29:A4:4C:48
add address=192.168.4.254 comment=fileserver2 interface=bridge_Lan \
    mac-address=00:90:A9:EC:7D:77
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.4.207 client-id=1:0:c:29:73:7b:66 mac-address=\
    00:0C:29:73:7B:66 server=dhcp1
add address=192.168.4.102 client-id=1:30:9c:23:af:c9:d5 mac-address=\
    30:9C:23:AF:C9:D5 server=dhcp1
add address=192.168.4.101 client-id=1:1c:1b:d:f:ef:35 mac-address=\
    1C:1B:0D:0F:EF:35 server=dhcp1
add address=192.168.4.251 client-id=1:80:26:89:1:32:c5 mac-address=\
    80:26:89:01:32:C5 server=dhcp1
add address=192.168.4.110 client-id=1:40:8d:5c:b7:5c:a1 mac-address=\
    40:8D:5C:B7:5C:A1 server=dhcp1
add address=192.168.4.252 client-id=1:0:8:9b:f9:39:20 mac-address=\
    00:08:9B:F9:39:20 server=dhcp1
add address=192.168.4.106 client-id=1:50:3e:aa:14:27:6a mac-address=\
    50:3E:AA:14:27:6A server=dhcp1
add address=192.168.4.103 client-id=1:40:8d:5c:e0:d2:b4 mac-address=\
    40:8D:5C:E0:D2:B4 server=dhcp1
add address=192.168.4.108 client-id=1:50:3e:aa:14:f7:e9 mac-address=\
    50:3E:AA:14:F7:E9 server=dhcp1
add address=192.168.4.117 client-id=1:40:8d:5c:e1:48:94 mac-address=\
    40:8D:5C:E1:48:94 server=dhcp1
add address=192.168.4.113 client-id=1:50:3e:aa:15:2c:f8 mac-address=\
    50:3E:AA:15:2C:F8 server=dhcp1
add address=192.168.4.250 client-id=1:84:16:f9:23:9d:c3 mac-address=\
    84:16:F9:23:9D:C3 server=dhcp1
add address=192.168.4.111 client-id=1:30:9c:23:1c:66:78 mac-address=\
    30:9C:23:1C:66:78 server=dhcp1
add address=192.168.4.118 client-id=1:94:de:80:64:21:b0 mac-address=\
    94:DE:80:64:21:B0 server=dhcp1
add address=192.168.4.105 client-id=1:c0:25:e9:e:df:13 mac-address=\
    C0:25:E9:0E:DF:13 server=dhcp1
add address=192.168.4.104 client-id=1:18:d6:c7:1:21:bc mac-address=\
    18:D6:C7:01:21:BC server=dhcp1
add address=192.168.4.107 client-id=1:50:3e:aa:10:74:bd mac-address=\
    50:3E:AA:10:74:BD server=dhcp1
add address=192.168.4.109 client-id=1:1c:1b:d:60:e7:f8 mac-address=\
    1C:1B:0D:60:E7:F8 server=dhcp1
add address=192.168.4.112 client-id=1:1c:1b:d:f:d:72 mac-address=\
    1C:1B:0D:0F:0D:72 server=dhcp1
add address=192.168.4.116 client-id=1:50:3e:aa:14:9c:6d mac-address=\
    50:3E:AA:14:9C:6D server=dhcp1
add address=192.168.4.115 client-id=1:50:3e:aa:10:5d:4c mac-address=\
    50:3E:AA:10:5D:4C server=dhcp1
add address=192.168.4.114 client-id=1:18:d6:c7:1:48:ed mac-address=\
    18:D6:C7:01:48:ED server=dhcp1
add address=192.168.4.208 client-id=\
    ff:bc:9a:4a:2d:0:2:0:0:ab:11:98:c7:cc:d3:16:cc:29:0 mac-address=\
    00:0C:29:A3:59:D0 server=dhcp1
add address=192.168.4.210 mac-address=00:0C:29:9D:5B:13 server=dhcp1
add address=192.168.4.212 client-id=\
    ff:9f:6e:85:24:0:2:0:0:ab:11:8d:70:cf:6:24:8d:5c:bc mac-address=\
    00:0C:29:A4:E5:CA server=dhcp1
add address=192.168.4.205 client-id=\
    ff:29:a4:4c:48:0:1:0:1:28:82:95:27:0:c:29:a4:4c:48 mac-address=\
    00:0C:29:A4:4C:48 server=dhcp1
add address=192.168.4.213 mac-address=00:0C:29:D0:B2:E6 server=dhcp1
add address=192.168.4.214 client-id=1:0:c:29:96:43:2 mac-address=\
    00:0C:29:96:43:02 server=dhcp1
/ip dhcp-server network
add address=192.168.4.0/24 comment=defconf gateway=192.168.4.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=\
    118.179.223.10,202.4.96.6,2405:7600:0:8::a,2405:7600:0:6::6
/ip dns static
add address=192.168.4.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=forward disabled=yes src-address=192.168.4.4
add action=accept chain=forward disabled=yes src-address=192.168.4.5
add action=accept chain=forward disabled=yes src-address=192.168.4.3
add action=accept chain=forward disabled=yes src-address=192.168.4.100
add action=accept chain=forward src-address=192.168.4.101-192.168.4.106
add action=accept chain=forward disabled=yes src-address=192.168.4.108
add action=accept chain=forward disabled=yes src-address=192.168.4.113
add action=accept chain=forward src-address=192.168.4.205
add action=accept chain=forward src-address=192.168.4.207
add action=accept chain=forward src-address=192.168.4.208
add action=accept chain=forward disabled=yes src-address=192.168.4.209
add action=accept chain=forward src-address=192.168.4.210
add action=accept chain=forward src-address=192.168.4.211
add action=accept chain=forward src-address=192.168.4.212
add action=accept chain=forward src-address=192.168.4.213
add action=accept chain=forward src-address=192.168.4.214
add action=accept chain=forward protocol=tcp src-address=\
    192.168.4.221-192.168.4.225
add action=accept chain=forward src-address=192.168.4.250
add action=accept chain=forward src-address=192.168.4.249
add action=accept chain=forward src-address=192.168.4.251
add action=accept chain=forward src-address=192.168.4.252
add action=drop chain=forward comment=\
    "NMN_Drop all devices internet until accepted above" src-address=\
    192.168.4.0/24
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=redirect chain=dstnat disabled=yes dst-port=80 protocol=tcp \
    src-address-list=!NOT to-ports=8080
add action=src-nat chain=srcnat src-address=192.168.4.214 to-addresses=\
    1**.1**.**2.76
add action=src-nat chain=srcnat to-addresses=1**.1**.**2.74
add action=dst-nat chain=dstnat comment=cam dst-address=1**.1**.**2.74 \
    dst-port=221 protocol=tcp to-addresses=192.168.4.221 to-ports=554
add action=dst-nat chain=dstnat dst-address=1**.1**.**2.74 dst-port=222 \
    protocol=tcp to-addresses=192.168.4.222 to-ports=554
add action=dst-nat chain=dstnat dst-address=1**.1**.**2.74 dst-port=223 \
    protocol=tcp to-addresses=192.168.4.223 to-ports=8554
add action=dst-nat chain=dstnat dst-address=1**.1**.**2.74 dst-port=224 \
    protocol=tcp to-addresses=192.168.4.224 to-ports=554
add action=dst-nat chain=dstnat dst-address=1**.1**.**2.74 dst-port=225 \
    protocol=tcp to-addresses=192.168.4.225 to-ports=554
add action=dst-nat chain=dstnat comment="my.gggi (Cloudron)" dst-address=\
    1**.1**.**2.74 dst-port=443 protocol=tcp to-addresses=192.168.4.212 \
    to-ports=443
add action=dst-nat chain=dstnat dst-address=1**.1**.**2.74 dst-port=80 \
    protocol=tcp to-addresses=192.168.4.212 to-ports=80
add action=dst-nat chain=dstnat comment="downloads.ready3dmodels (NC)" \
    dst-address=1**.1**.**2.75 dst-port=443 protocol=tcp to-addresses=\
    192.168.4.210 to-ports=443
add action=dst-nat chain=dstnat dst-address=1**.1**.**2.75 dst-port=80 \
    protocol=tcp to-addresses=192.168.4.210 to-ports=80
add action=dst-nat chain=dstnat comment=................... disabled=yes \
    dst-address=1**.1**.**2.76 dst-port=443 protocol=tcp to-addresses=\
    192.168.4.212 to-ports=443
add action=dst-nat chain=dstnat disabled=yes dst-address=1**.1**.**2.76 \
    dst-port=80 protocol=tcp to-addresses=192.168.4.212 to-ports=80
add action=dst-nat chain=dstnat comment="apps.gggi (UCS)" dst-address=\
    1**.1**.**2.77 dst-port=443 protocol=tcp to-addresses=192.168.4.205 \
    to-ports=443
add action=dst-nat chain=dstnat dst-address=1**.1**.**2.77 dst-port=80 \
    protocol=tcp to-addresses=192.168.4.205 to-ports=80
add action=dst-nat chain=dstnat comment="disk.gggi (NC)" dst-address=\
    1**.1**.**2.78 dst-port=443 protocol=tcp to-addresses=192.168.4.208 \
    to-ports=443
add action=dst-nat chain=dstnat dst-address=1**.1**.**2.78 dst-port=80 \
    protocol=tcp to-addresses=192.168.4.208 to-ports=80
add action=dst-nat chain=dstnat dst-address=1**.1**.**2.78 dst-port=3478 \
    protocol=tcp to-addresses=192.168.4.208 to-ports=3478
add action=dst-nat chain=dstnat disabled=yes dst-address=1**.1**.**2.78 \
    dst-port=3478 protocol=udp to-addresses=192.168.4.208 to-ports=3478
/ip proxy
set anonymous=yes src-address=1**.1**.**2.73
/ip route
add distance=1 gateway=10.151.43.13
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www port=8080
set ssh disabled=yes
set api disabled=yes
set winbox port=8***
set api-ssl disabled=yes
/lcd interface pages
set 0 interfaces=sfp1,ether1,ether2,ether3,ether4,ether5,ether6,ether7
/system clock
set time-zone-name=Asia/Dhaka
/system identity
set name=NoWhere_Mikrotik
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
sevenman
just joined
Topic Author
Posts: 12
Joined: Tue Aug 10, 2021 6:21 pm

Re: is my NAT config is ok?

Fri Aug 13, 2021 2:00 pm

> /ip firewall nat add action=masquerade chain=srcnat comment=NAT out-interface-list=WAN
What's inside the 'out interface list'?
And my MikroTik doesn't have a straightforward WAN configuration. I am connected via a radio link, so my ISP set a point-to-point IP and a couple of IP blocks / real IPs, so that I can port forward to my domain hosted here. I also don't get what they are doing in IP > Routes.
See my config above.
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: is my NAT config is ok?

Fri Aug 13, 2021 2:01 pm

To be honest I don't have a clue of the purpose or structure of these items.????

/ip address
add address=192.168.4.1/24 comment=defconf interface=bridge_Lan network=\
192.168.4.0
add address=10.151.43.14/30 comment=AIT_WAN interface=ether1 network=\
10.151.43.12

add address=1**.1**.**2.74/29 disabled=yes interface=bridge_Lan network=\
1**.1**.**2.72
add address=1**.1**.**2.78/29 disabled=yes interface=bridge_Lan network=\
1**.1**.**2.72
add address=1**.1**.**2.75/29 disabled=yes interface=bridge_Lan network=\
1**.1**.**2.72
add address=1**.1**.**2.76/29 disabled=yes interface=bridge_Lan network=\
1**.1**.**2.72
add address=1**.1**.**2.77/29 disabled=yes interface=bridge_Lan network=\
1**.1**.**2.72
add address=1**.1**.**2.73/29 comment="Routed Block " interface=bridge_Lan \
network=1**.1**.**2.72


I don't use IP ARP.
So again no clue why you need that, but at least it's something others also do, but not on the same scale????

Firewall rules........
WHY........ do you have it set up line by line this way in the forward chain, all these individual rules by IP, and then you have input chain rules and then you have forward rules again.
Very disjointed. What is it about the default rules that was not good enough, for example........

In other words if the requirements were better communicated, a much cleaner firewall listing could be accomplished.
Totally lost on your NAT rules similar to above reasons...

Hopefully someone with more expertise will chime in!!
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: is my NAT config is ok?

Fri Aug 13, 2021 3:24 pm

Paste this into the terminal to set some settings that are not set the way I would set them, and to change some wrong settings to the best settings.
/interface bridge
set bridge_Lan protocol=none
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-g/n
/interface wireless security-profiles
set [ find default=yes ] group-ciphers=aes-ccm unicast-ciphers=aes-ccm
/interface bridge port
remove [find where interface=sfp1]
/ip dhcp-server network
set [find] dns-server=192.168.4.1
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: is my NAT config is ok?

Fri Aug 13, 2021 3:28 pm

> To be honest I don't have a clue of the purpose or structure of these items.????
All this is to provide some public IPs to devices inside the LAN...
Better to use routing to "ship" the public IP to a device set with a static IP from a dhcp-server lease.

ARP and firewall are used for something like access control.
Better to add an address-list and enable/disable IPs inside the address-list than to modify the firewall.
 
sevenman
just joined
Topic Author
Posts: 12
Joined: Tue Aug 10, 2021 6:21 pm

Re: is my NAT config is ok?

Fri Aug 13, 2021 5:55 pm

> Paste this into the terminal to set some settings that are not set the way I would set them, and to change some wrong settings to the best settings.
> /interface bridge
> set bridge_Lan protocol=none
> /interface wireless
> set [ find default-name=wlan1 ] band=2ghz-g/n
> /interface wireless security-profiles
> set [ find default=yes ] group-ciphers=aes-ccm unicast-ciphers=aes-ccm
> /interface bridge port
> remove [find where interface=sfp1]
> /ip dhcp-server network
> set [find] dns-server=192.168.4.1
First, I believe that these rules are good for me, but why these? What do they do?
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: is my NAT config is ok?

Fri Aug 13, 2021 6:06 pm

Exactly the same as if read like they are written in English...

For example
/interface bridge set bridge_Lan protocol=none
can be
on interface bridge set the value of bridge_Lan property "protocol" to none
 
sevenman
just joined
Topic Author
Posts: 12
Joined: Tue Aug 10, 2021 6:21 pm

Re: is my NAT config is ok?

Fri Aug 13, 2021 6:13 pm

> To be honest I don't have a clue of the purpose or structure of these items.????
> All this is to provide some public IPs to devices inside the LAN...
> Better to use routing to "ship" the public IP to a device set with a static IP from a dhcp-server lease.
>
> ARP and firewall are used for something like access control.
> Better to add an address-list and enable/disable IPs inside the address-list than to modify the firewall.
OK, I removed the disabled rules or settings.

IP > Address List
 #   ADDRESS             NETWORK          INTERFACE
 0   ;;; defconf
     192.168.4.1/24      192.168.4.0      bridge_Lan
 1   ;;; AIT_WAN
     10.151.000.14/30    10.151.000.12    ether1
 2   ;;; Routed Block
     118.179.000.73/29   118.179.000.72   bridge_Lan

The routed IP address block is something the ISP gave me. They set a point-to-point IP first to connect the radio devices together, and then use IP > Route like below.

IP > Route
 #      DST-ADDRESS         PREF-SRC         GATEWAY          DISTANCE
 0 A S  0.0.0.0/0                            10.151.000.13           1
 1 ADC  10.151.000.12/30    10.151.000.14    ether1                  0
 2 ADC  118.179.000.72/29   118.179.000.73   bridge_Lan              0
 3 ADC  192.168.4.0/24      192.168.4.1      bridge_Lan              0

IP > Firewall > NAT
chain=srcnat action=src-nat to-addresses=118.179.000.76 src-address=192.168.4.214 log=no log-prefix=""
chain=srcnat action=src-nat to-addresses=118.179.000.74 log=no log-prefix=""
chain=dstnat action=dst-nat to-addresses=192.168.4.208 to-ports=443 protocol=tcp dst-address=118.179.000.78 dst-port=443 log=no log-prefix=""
chain=dstnat action=dst-nat to-addresses=192.168.4.208 to-ports=80 protocol=tcp dst-address=118.179.000.78 dst-port=80 log=no log-prefix=""
And the first line of the NAT was my concern in this thread. You brilliant people, please say if it's fine or needs changes.
Last edited by sevenman on Mon Aug 16, 2021 2:15 pm, edited 3 times in total.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: is my NAT config is ok?

Fri Aug 13, 2021 6:20 pm

Warning: censor the revealed IP.
 
sevenman
just joined
Topic Author
Posts: 12
Joined: Tue Aug 10, 2021 6:21 pm

Re: is my NAT config is ok?

Sat Aug 14, 2021 6:03 am

> Warning: censor the revealed IP.
For your info, that's not my IP; they are changed.
Is there anything like "/export hide-sensitive file" which also censors IPs?
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: is my NAT config is ok?

Sat Aug 14, 2021 10:13 pm

Good question, but no, hide-sensitive is not foolproof, so one needs to exercise caution.
I never put in WinBox ports or anything I wouldn't want known externally.
I believe the sense is that if you know enough to change the config, you know a basic amount about networking and security.
 
sevenman
just joined
Topic Author
Posts: 12
Joined: Tue Aug 10, 2021 6:21 pm

Re: is my NAT config is ok?

Mon Aug 16, 2021 2:17 pm

These are the updated settings:

IP > Address List
 #   ADDRESS             NETWORK          INTERFACE
 0   ;;; defconf
     192.168.4.1/24      192.168.4.0      bridge_Lan
 1   ;;; AIT_WAN
     10.151.000.14/30    10.151.000.12    ether1
 2   ;;; Routed Block
     118.179.000.73/29   118.179.000.72   bridge_Lan

The routed IP address block is something the ISP gave me. They set a point-to-point IP first to connect the radio devices together, and then use IP > Route like below.

IP > Route
 #      DST-ADDRESS         PREF-SRC         GATEWAY          DISTANCE
 0 A S  0.0.0.0/0                            10.151.000.13           1
 1 ADC  10.151.000.12/30    10.151.000.14    ether1                  0
 2 ADC  118.179.000.72/29   118.179.000.73   bridge_Lan              0
 3 ADC  192.168.4.0/24      192.168.4.1      bridge_Lan              0

IP > Firewall > NAT
chain=srcnat action=src-nat to-addresses=118.179.000.76 src-address=192.168.4.214 log=no log-prefix=""
chain=srcnat action=src-nat to-addresses=118.179.000.74 log=no log-prefix=""
chain=dstnat action=dst-nat to-addresses=192.168.4.208 to-ports=443 protocol=tcp dst-address=118.179.000.78 dst-port=443 log=no log-prefix=""
chain=dstnat action=dst-nat to-addresses=192.168.4.208 to-ports=80 protocol=tcp dst-address=118.179.000.78 dst-port=80 log=no log-prefix=""
And the first line of the NAT was my concern in this thread. Could you please tell me if it's fine or not.
 
sevenman
just joined
Topic Author
Posts: 12
Joined: Tue Aug 10, 2021 6:21 pm

Re: is my NAT config is ok?

Thu Oct 14, 2021 1:44 pm

Anyone, please review my NAT settings. Is it OK?
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: is my NAT config is ok?

Thu Oct 14, 2021 4:51 pm

Observations/Comments:

1. There is no need to detail a specific user for a specific source NAT, and by that I mean, source-nat does not tell the packet where to go!! That is the job of the IP ROUTE part of the configuration. In other words, source-nat just says: replace the source address of this outgoing packet from the LANIP with the designated WANIP.

Therefore if one has two WANs it is normally good enough to provide two of the generic source-nat rules, and traffic going out these WAN ports will be assigned their applicable IP. Here is an example of my config......
/ip firewall nat
add action=masquerade chain=srcnat comment="SCR_NAT FOR LAN - FibreOP" \
    ipsec-policy=out,none out-interface=vlanbell
add action=masquerade chain=srcnat comment="SCR_NAT for LAN - Cable" \
    ipsec-policy=out,none out-interface=Eastlink_eth7

2. It is not clear to me how your WAN setup works.
Assuming it's a failover scenario with WAN1 being primary and WAN2 being failover, the following is normal.

/ip route
add check-gateway=ping distance=10 gateway=ISP1 gateway IP
add distance=20 gateway=ISP2 gateway IP


Thus all users will get directed out WAN1 because of the lower distance setting.
WAN2 will only be used if WAN1 is not available.

If you want a particular LAN IP/device-user to go out WAN2 all the time, no need to mangle but one needs another route, and a route rule to accompany.
/ip route
add check-gateway=ping distance=10 gateway=ISP1 gateway IP
add distance=20 gateway=ISP2 gateway IP

add distance=20 gateway=ISP2 gateway IP routing-mark=USEWAN2

/ip route rule
add action=lookup-only-in-table src-address=LANIP table=USEWAN2

The action means that the user will only be able to go out WAN2, and if WAN2 is not available, then no internet traffic will occur for that user.
If the action selection is "Lookup-in-table", then if WAN2 is not available, the router will use the next main table entry with shortest route and that would be WAN1.
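The following is an added example, written for this page; it is not code from the thread and not a MikroTik tool. It is a small Python linter that applies two points made in this thread to a RouterOS `/export`: anav's observation that a srcnat rule only rewrites the source address and does not steer the packet, so the rule should be tied to the egress it is meant for, and erkexzcx's `out-interface-list=WAN` scoping. It re-joins the backslash-continued lines the export emits, reads the `/ip firewall nat` section, and reports (a) srcnat rules with no `out-interface`/`out-interface-list` match, which therefore rewrite every flow leaving the router including traffic routed between the two LAN-side subnets, (b) srcnat rules that can never match because an earlier catch-all already terminates the chain, and (c) the public address/port to internal host/port forwards the dstnat chain opens. The embedded sample export is constructed for this example, modelled on the NAT section posted above, with the masked public addresses replaced by RFC 5737 documentation addresses (198.51.100.72/29 stands in for the routed block). The rule indices it prints count enabled rules only, not RouterOS's printed numbering.

```python
"""Lint the NAT section of a RouterOS ``/export`` for the points raised in
this thread: srcnat rules not tied to a WAN egress interface, rules made
unreachable by an earlier catch-all, and the inventory of port forwards the
dstnat chain exposes.  Added example; not part of the original posts and not
MikroTik code.  It only reads the export text."""
import shlex

# Constructed sample modelled on the NAT section exported above.  The masked
# public addresses are replaced with RFC 5737 documentation addresses
# (198.51.100.72/29 stands in for the ISP's routed block).
SAMPLE_EXPORT = """\
/ip firewall nat
add action=redirect chain=dstnat disabled=yes dst-port=80 protocol=tcp \\
    src-address-list=!NOT to-ports=8080
add action=src-nat chain=srcnat src-address=192.168.4.214 to-addresses=\\
    198.51.100.76
add action=src-nat chain=srcnat to-addresses=198.51.100.74
add action=dst-nat chain=dstnat comment="my.gggi (Cloudron)" dst-address=\\
    198.51.100.74 dst-port=443 protocol=tcp to-addresses=192.168.4.212 \\
    to-ports=443
add action=dst-nat chain=dstnat dst-address=198.51.100.78 dst-port=80 \\
    protocol=tcp to-addresses=192.168.4.208 to-ports=80
/ip service
set www port=8080
"""

# Properties that do not take part in packet matching.
NON_MATCH = {"action", "chain", "to-addresses", "to-ports", "comment",
             "log", "log-prefix", "disabled", "place-before"}
EGRESS = {"out-interface", "out-interface-list"}
# NAT actions after which RouterOS stops evaluating the chain for that packet.
TERMINATING = {"src-nat", "masquerade", "dst-nat", "redirect", "netmap"}


def logical_lines(text):
    """Re-join the backslash-continued lines that /export emits."""
    buf = ""
    for raw in text.splitlines():
        buf += raw.strip() if buf else raw
        if buf.endswith("\\"):
            buf = buf[:-1]          # drop the continuation marker, keep going
            continue
        yield buf
        buf = ""
    if buf:
        yield buf


def parse_export(text):
    """Return [(section, verb, {property: value})] for every add/set line."""
    section, entries = None, []
    for line in logical_lines(text):
        if not line.strip() or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line.strip()  # e.g. "/ip firewall nat"
            continue
        tokens = shlex.split(line)  # honours quoted values such as comments
        props = dict(tok.partition("=")[::2] for tok in tokens[1:])
        entries.append((section, tokens[0], props))
    return entries


def nat_rules(entries):
    """Enabled rules of /ip firewall nat, in the order RouterOS evaluates them."""
    return [props for section, verb, props in entries
            if section == "/ip firewall nat" and verb == "add"
            and props.get("disabled") != "yes"]


def lint_srcnat(rules):
    """(rule index, finding) for each srcnat rule; indices count enabled rules."""
    findings, catch_all = [], None
    for i, rule in enumerate(rules):
        if rule.get("chain") != "srcnat":
            continue
        if catch_all is not None:
            findings.append((i, f"shadowed: rule {catch_all} already matches "
                                "every packet, so this rule never fires"))
            continue
        matchers = set(rule) - NON_MATCH
        if not matchers & EGRESS:
            findings.append((i, "not restricted to a WAN egress; it rewrites "
                                "every flow leaving the router, including "
                                "traffic routed between the LAN-side subnets "
                                "(add out-interface-list=WAN)"))
        if not matchers and rule.get("action") in TERMINATING:
            catch_all = i
    return findings


def dstnat_exposures(rules):
    """Public (address, protocol, port) -> (internal host, port) opened by dst-nat."""
    exposures = []
    for rule in rules:
        if rule.get("chain") == "dstnat" and rule.get("action") == "dst-nat":
            port = rule.get("dst-port", "any")
            exposures.append((rule.get("dst-address", "any"),
                              rule.get("protocol", "any"), port,
                              rule.get("to-addresses"),
                              rule.get("to-ports", port)))
    return exposures


if __name__ == "__main__":
    rules = nat_rules(parse_export(SAMPLE_EXPORT))
    for index, finding in lint_srcnat(rules):
        print(f"srcnat rule {index}: {finding}")
    for pub, proto, port, host, to_port in dstnat_exposures(rules):
        print(f"forward {pub}:{port}/{proto} -> {host}:{to_port}")
```

Run it as a script to see the findings for the sample, or feed `parse_export` the text of your own `/export hide-sensitive` file. Against the posted ordering it reports both srcnat rules as unscoped but none as shadowed; if the catch-all `src-nat` were placed above the `src-address=192.168.4.214` rule, the latter would be reported as shadowed, because a terminating NAT action stops chain evaluation for that packet. Any "any" in the exposure list marks a forward with no protocol or port restriction.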
 
sevenman
just joined
Topic Author
Posts: 12
Joined: Tue Aug 10, 2021 6:21 pm

Re: is my NAT config is ok?

Fri Oct 15, 2021 1:14 pm

Routing scenario:
I had a very simple connection: the ISP had given me one static IP address with a subnet mask and gateway.
But when I asked them to give me more public IP addresses, they made this complex setup in MikroTik. They told me that now they have given me a routed IP, and I will get hits from the outside internet on the following IP addresses, and also that I can use the internet using those IP addresses.

NAT:
I have a server (192.168.4.214) that is port forwarded from one of my public IPs (118.179.000.76). But when I go to the internet to check 'what is my IP', it shows the default one (118.179.000.74). So I made this NAT setup and it worked.
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: is my NAT config is ok?

Fri Oct 15, 2021 4:10 pm

> Routing scenario:
> I had a very simple connection: the ISP had given me one static IP address with a subnet mask and gateway.
> But when I asked them to give me more public IP addresses, "then they made this complex setup in Mikrotik". They told me that now they have given me a routed IP, and I will get hits from the outside internet on the following IP addresses, and also that I can use the internet using those IP addresses.
>
> NAT:
> I have a server (192.168.4.214) that is port forwarded from one of my public IPs (118.179.000.76). But when I go to the internet to check 'what is my IP', it shows the default one (118.179.000.74). So I made this NAT setup and it worked.
So the ISP uses a MikroTik router after their modem???
Where is your device in the equation??
 
sevenman
just joined
Topic Author
Posts: 12
Joined: Tue Aug 10, 2021 6:21 pm

Re: is my NAT config is ok?

Thu Oct 21, 2021 8:07 am

> So the ISP uses a MikroTik router after their modem???
> Where is your device in the equation??
Actually, it's my fault for not making understandable sentences.
"then they made this complex setup in MY MikroTik". They did it on my behalf.
ISP > radio device <-----50km-----> radio device > my MikroTik
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: is my NAT config is ok?

Thu Oct 21, 2021 4:08 pm

Then we need to speak to the ISP configurer and not you, if they have control over the MikroTik.
 
sevenman
just joined
Topic Author
Posts: 12
Joined: Tue Aug 10, 2021 6:21 pm

Re: is my NAT config is ok?

Sun Oct 24, 2021 7:01 am

> Then we need to speak to the ISP configurer and not you, if they have control over the MikroTik.
They don't have control over my MikroTik.
The main question was: is my NAT setting OK? If there is a problem/drawback with that kind of setting, that's what I need to know.
Thanks!
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: is my NAT config is ok?

Mon Oct 25, 2021 1:10 am

Sorry, I don't understand; perhaps someone else does.
Good luck.
