 
Zapnologica
Long time Member
Long time Member
Topic Author
Posts: 594
Joined: Fri Sep 25, 2009 8:15 pm
Location: South Africa

Firewall passthrough

Mon Apr 04, 2011 7:35 am

Howist,


How do you allow a certain IP or protocol to bypass your firewall with MikroTik?

I have a router (NAT) and I want to let certain computers above the NAT router see into my network??

What do I do? Thanks
 
Sanity
Member Candidate
Member Candidate
Posts: 198
Joined: Sun Mar 06, 2011 8:51 am

Re: Firewall passthrough

Mon Apr 04, 2011 8:01 am

Howist,


How do you allow a certain IP or protocol to bypass your firewall with MikroTik?

I have a router (NAT) and I want to let certain computers above the NAT router see into my network??

What do I do? Thanks
Nothing. There is no bypass possibility because these computers upstairs DON'T KNOW HOW TO ADDRESS YOUR COMPUTERS. If you hide behind NAT, then only the exposed IP address is routed to your router.

What you can do is forward individual ports of that address down to the computers in your LAN.
 
Zapnologica
Long time Member
Long time Member
Topic Author
Posts: 594
Joined: Fri Sep 25, 2009 8:15 pm
Location: South Africa

Re: Firewall passthrough

Mon Apr 04, 2011 5:49 pm

ah kak,

I see what you mean.
Even if the connection is initiated by the computer below the router?


Cause the reason I am asking: in this network the computers below the router connect to a server upstream using Novell, and if they log in now, the Novell server connects to the IP of the router, so if someone logs in then all the computers below the router have access to the login of the last person who logged in.


So is there no way to allow computers to be seen?
 
Sanity
Member Candidate
Member Candidate
Posts: 198
Joined: Sun Mar 06, 2011 8:51 am

Re: Firewall passthrough

Mon Apr 04, 2011 7:42 pm

ah kak,

I see what you mean.
Even if the connection is initiated by the computer below the router?


Cause the reason I am asking: in this network the computers below the router connect to a server upstream using Novell, and if they log in now, the Novell server connects to the IP of the router, so if someone logs in then all the computers below the router have access to the login of the last person who logged in.


So is there no way to allow computers to be seen?
Even then. Unless you have fully routable addresses and the NAT was just for security. The packets otherwise have a return address that upstream does not know to send to your computer. More particularly, ANY ISP / provider worth a grain of salt will have a firewall rule to drop packets that have non-assigned source addresses from the interface of the customer.
 
Zapnologica
Long time Member
Long time Member
Topic Author
Posts: 594
Joined: Fri Sep 25, 2009 8:15 pm
Location: South Africa

Re: Firewall passthrough

Mon Apr 04, 2011 8:11 pm

I just have the NAT to hide the computers from the network above it, it's not for security.

Is there not any other configuration that I can set up that will allow for the computers to be isolated but available for certain ports and IPs?
 
Sanity
Member Candidate
Member Candidate
Posts: 198
Joined: Sun Mar 06, 2011 8:51 am

Re: Firewall passthrough

Tue Apr 05, 2011 10:04 am

I just have the NAT to hide the computers from the network above it, it's not for security.

Is there not any other configuration that I can set up that will allow for the computers to be isolated but available for certain ports and IPs?
Well, there is the standard way: do NOT use NAT but use smart filtering in the firewall. Allow ALL connections initiated from the inside, only specific ones initiated from the outside. This is how classical firewalls work.
 
Zapnologica
Long time Member
Long time Member
Topic Author
Posts: 594
Joined: Fri Sep 25, 2009 8:15 pm
Location: South Africa

Re: Firewall passthrough

Wed Apr 06, 2011 11:35 pm

Got any links? Or tuts on how to do that?

Sounds like it could work.
 
Sanity
Member Candidate
Member Candidate
Posts: 198
Joined: Sun Mar 06, 2011 8:51 am

Re: Firewall passthrough

Thu Apr 07, 2011 9:52 am

Got any links? Or tuts on how to do that?

Sounds like it could work.
Not really. MikroTik documentation is not a learning guide, and otherwise network admins are supposed to know the basics of how firewalls work.

Basically:
* Remove NAT. Make sure you receive packets for your formerly hidden network.
* Add a forwarding rule to stop all traffic from the external interface to the internal one.
* Before that, add the exception rules that are allowed.

Plus the usual setup (allow established, related traffic etc.).
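The three steps above, written out as RouterOS firewall rules. This is an added example, not configuration posted in the thread; it assumes ether1 faces the upstream network, ether2 faces the LAN, the LAN is 192.168.88.0/24, and the upstream Novell server is 10.0.0.5 calling back on TCP port 1234 (all four values are constructed placeholders, not taken from the thread). It also assumes the upstream router has been given a route for 192.168.88.0/24 via this router's ether1 address, which is what "make sure you receive packets for your formerly hidden network" amounts to.

```routeros
# Step 1: remove the masquerade rule so LAN hosts keep their real source address.
# Without NAT, the upstream server sees each workstation individually instead of
# the router's single address, which is what caused the shared-login confusion.
/ip firewall nat
remove [find chain=srcnat action=masquerade]

/ip firewall filter
# The "usual setup": replies to connections already accepted pass, broken state is dropped.
add chain=forward connection-state=established,related action=accept comment="return traffic for accepted connections"
add chain=forward connection-state=invalid action=drop comment="drop invalid state"

# Everything initiated from the inside (LAN side) is allowed out.
add chain=forward in-interface=ether2 action=accept comment="LAN-initiated connections"

# Step 3 (must sit above the catch-all drop): the specific exceptions initiated from outside.
# 10.0.0.5 and port 1234 are constructed placeholders for the upstream server and the
# port it connects back to on the workstations.
add chain=forward in-interface=ether1 src-address=10.0.0.5 dst-address=192.168.88.0/24 protocol=tcp dst-port=1234 action=accept comment="exception: Novell server callback"

# Step 2: stop all remaining traffic coming from the external interface towards the LAN.
add chain=forward in-interface=ether1 action=drop comment="drop everything else from upstream"
```

Rule order matters because RouterOS evaluates the forward chain top to bottom and stops at the first match, so the exception must be listed before the final drop (`/ip firewall filter print` shows the order). To confirm the filter is doing what you expect, `/ip firewall connection print` lists the tracked connections with their real LAN source addresses once the masquerade is gone, and a counter on the drop rule that keeps rising tells you which unsolicited upstream traffic is being refused.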
