We are a small startup community ISP; our backhaul provider has advised us to give each of our subscribers a static public IP address.
Our public range, which the router is supposed to pass through, is 95.142.121.0/24.
However, pass-through (via a NAT setup) is not working. (I believe all the MikroTik can do is NAT IP ranges.)
I have altered the rule order so that the rules should match, but they do not.
(Rules below are disabled, but when enabled they do not work)
# Both rules carry disabled=yes and use the same matcher: source AND destination
# must both lie inside 95.142.121.0/24. action=accept in a NAT chain means
# "leave the packet untranslated and stop processing this chain".
# NOTE(review): a subscriber talking to an Internet host has a destination
# outside 95.142.121.0/24, so this matcher would not select that traffic even
# with the rules enabled - confirm against the flow that is meant to bypass NAT.
add action=accept chain=srcnat disabled=yes dst-address=95.142.121.0/24 \
src-address=95.142.121.0/24
add action=accept chain=dstnat disabled=yes dst-address=95.142.121.0/24 \
src-address=95.142.121.0/24
What am I doing wrong?
Thanks,
rroddy
-------------------------
[admin@gw1-wwcbb] > /ip address print detail
Flags: X - disabled, I - invalid, D - dynamic
0 address=194.0.76.236/29 network=194.0.76.232 interface=ether1-gateway
actual-interface=ether1-gateway
1 address=95.142.121.1/24 network=95.142.121.0 interface=ether2-local-master
actual-interface=ether2-local-master
2 address=194.0.76.237/29 network=194.0.76.232 interface=ether1-gateway
actual-interface=ether1-gateway
3 address=192.168.88.1/24 network=192.168.88.0 interface=ether2-local-master
actual-interface=ether2-local-master
[admin@gw1-wwcbb] > /ip route print detail
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
0 A S dst-address=0.0.0.0/0 gateway=194.0.76.234
gateway-status=194.0.76.234 reachable ether1-gateway distance=1
scope=30 target-scope=10
1 ADC dst-address=95.142.121.0/24 pref-src=95.142.121.1
gateway=ether2-local-master
gateway-status=ether2-local-master reachable distance=0 scope=10
2 ADC dst-address=192.168.88.0/24 pref-src=192.168.88.1
gateway=ether2-local-master
gateway-status=ether2-local-master reachable distance=0 scope=10
3 ADC dst-address=194.0.76.232/29 pref-src=194.0.76.236
gateway=ether1-gateway gateway-status=ether1-gateway reachable
distance=0 scope=10
[admin@gw1-wwcbb] > /interface print detail
Flags: D - dynamic, X - disabled, R - running, S - slave
0 R name="ether1-gateway" type="ether" mtu=1500 l2mtu=1598
1 R name="ether2-local-master" type="ether" mtu=1500 l2mtu=1598
2 R name="ether3-local-slave" type="ether" mtu=1500 l2mtu=1598
3 R name="ether4-local-slave" type="ether" mtu=1500 l2mtu=1598
4 R name="ether5-local-slave" type="ether" mtu=1500 l2mtu=1598
[admin@gw1-wwcbb] >
[admin@gw1-wwcbb] > /ip firewall export
# jan/03/1970 23:06:19 by RouterOS 5.2
# software id = SMTH-A17F
#
# Connection tracking is switched on (enabled=yes). The NAT rules and the
# connection-state matchers in the filter table of this export depend on it.
# Timeouts as set here: established TCP entries live for 1d, generic entries
# for 10m, UDP streams for 3m, single UDP and ICMP entries for 10s.
# tcp-syncookie=no leaves SYN cookies off.
# NOTE(review): this router's input chain is reachable from the uplink, so
# whether SYN-flood protection is wanted here should be decided explicitly.
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
tcp-close-wait-timeout=10s tcp-established-timeout=1d \
tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
# Filter table. Every rule in this export is in chain=input, i.e. it applies to
# packets addressed to the router itself. No chain=forward rule is exported, so
# nothing here filters traffic routed between the uplink and subscribers.
/ip firewall filter
# Allow ICMP to the router on any interface.
add action=accept chain=input comment="default configuration" disabled=no \
protocol=icmp
# Allow replies belonging to connections the router already tracks (uplink side).
add action=accept chain=input comment="default configuration" \
connection-state=established disabled=no in-interface=ether1-gateway
# Allow packets related to tracked connections (uplink side).
add action=accept chain=input comment="default configuration" \
connection-state=related disabled=no in-interface=ether1-gateway
# Accepts EVERY packet that arrives on ether1-gateway for the router: there is
# no protocol, port, source or connection-state matcher, and no drop rule
# follows. This makes the two connection-state rules above redundant and leaves
# the router's own services reachable from the uplink.
# NOTE(review): the rule is labelled "default configuration" but its action is
# accept; a final rule in this position is usually action=drop - confirm whether
# this was changed on purpose, and restrict management access to trusted
# sources before putting the router into service.
add action=accept chain=input comment="default configuration" disabled=no \
in-interface=ether1-gateway
# NAT table. Rules are evaluated top to bottom within each chain; action=accept
# leaves the packet untranslated and stops further NAT processing in that chain.
/ip firewall nat
# Disabled. Matches only packets with source AND destination both inside
# 95.142.121.0/24.
# NOTE(review): subscriber-to-Internet traffic has a destination outside that
# range, so this would not exempt it from the masquerade rule below even when
# enabled - confirm the intended flow.
add action=accept chain=srcnat disabled=yes dst-address=95.142.121.0/24 \
src-address=95.142.121.0/24
# Disabled. Same matcher as above, in the dstnat chain.
add action=accept chain=dstnat disabled=yes dst-address=95.142.121.0/24 \
src-address=95.142.121.0/24
# Disabled. Public range -> 192.168.88.0/24, dstnat chain, no translation.
add action=accept chain=dstnat disabled=yes dst-address=192.168.88.0/24 \
src-address=95.142.121.0/24
# Disabled. 192.168.88.0/24 -> public range, srcnat chain, no translation.
add action=accept chain=srcnat disabled=yes dst-address=95.142.121.0/24 \
src-address=192.168.88.0/24
# Enabled. Matches source 194.0.76.237 (one of the router's own addresses on
# ether1-gateway in the address list above) with destination 192.168.88.55, and
# performs no translation.
# NOTE(review): if the intent was to forward traffic arriving for 194.0.76.237
# to 192.168.88.55, an accept rule does not rewrite the destination - confirm
# what this rule is meant to do.
add action=accept chain=dstnat disabled=no dst-address=192.168.88.55 \
src-address=194.0.76.237
# Enabled, and has no src-address matcher: every connection leaving through
# ether1-gateway is source-translated, including connections from
# 95.142.121.0/24 while the accept rules above stay disabled.
# NOTE(review): for subscribers to keep their public source address, the
# exemption would have to select src-address=95.142.121.0/24 leaving via
# ether1-gateway and sit above this rule, or this rule would have to be limited
# to src-address=192.168.88.0/24. The backhaul provider must also route
# 95.142.121.0/24 towards this router - verify with them.
# NOTE(review): once the range is routed without NAT, subscriber hosts become
# directly reachable from the Internet, and this export has no chain=forward
# filter rules - decide on a forward policy before enabling pass-through.
add action=masquerade chain=srcnat comment="default configuration" disabled=\
no out-interface=ether1-gateway
# Service ports (connection-tracking/NAT helpers). All six helpers listed here
# are enabled: FTP on 21, TFTP on 69, IRC on 6667, SIP on 5060 and 5061, and
# H.323 and PPTP with no port list in the export.
# NOTE(review): each enabled helper parses that protocol's traffic on the
# gateway; helpers that subscribers do not need can be disabled to reduce
# exposure - confirm which ones are actually required.
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no