y0d4
newbie
Topic Author
Posts: 31
Joined: Wed May 29, 2013 1:22 am

Port forwarding by IP

Sun Nov 03, 2013 4:56 pm

Hello,

I have the following scenario:
LAN - 10.0.1.0/24
WIFI - 10.0.2.0/24

I block communication between those two networks with:
chain=forward action=drop src-address-list=local-networks dst-address-list=local-networks
Now I want to open only a couple of ports for a specific IP in the LAN, for example:
I want 10.0.1.10 to access 10.0.2.50 on port 80


How to do this?
I tried many options, but it seems that the filter rules are blocking it, or I don't know how to set it up properly via NAT.
For example, I tried:
chain=dstnat action=dst-nat to-addresses=10.0.2.50 to-ports=80 protocol=tcp dst-address=10.0.1.10 dst-port=80 
but nothing.



Any help?
thank you.
 
CelticComms
Forum Guru
Posts: 1766
Joined: Wed May 02, 2012 5:48 am

Re: Port forwarding by IP

Mon Nov 04, 2013 5:18 am

The traffic referenced in the NAT entry must also be allowed in the forwarding chain. Make sure that overall you are allowing the traffic in the forwarding chain, remembering that destination entries should match the DST NATed addresses, since the forward chain filters occur after DST NAT.
Interlynx | Networking and Information Security Consultants & Trainers | Email: routerlynx@gmail.com
BGP | EIGRP | OSPF | MPLS | Firewall | VPN | IPsec | Multicast | QOS | IPv4/6 | STP | VLAN | PON | AE | M2M | and more!

 
y0d4
newbie
Topic Author
Posts: 31
Joined: Wed May 29, 2013 1:22 am

Re: Port forwarding by IP

Thu Nov 07, 2013 1:59 am

Thank you for the explanation, I did it:

# allowing tcp 80 port
chain=forward action=accept protocol=tcp src-address=10.0.2.50 dst-address=10.0.1.10 port=80
chain=forward action=accept protocol=tcp src-address=10.0.1.10 dst-address=10.0.2.50 port=80
# allowing icmp (for ping)
chain=forward action=accept protocol=icmp src-address=10.0.2.50 dst-address=10.0.1.10
chain=forward action=accept protocol=icmp src-address=10.0.1.10 dst-address=10.0.2.50
Works like a charm :)
thank you.
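
An added example, not part of any post in this thread: the same exception written as a stateful RouterOS filter, with the accept rules placed ahead of the inter-network drop. It assumes the `local-networks` address list contains the two subnets named above; the use of connection tracking and the rule comments are this example's own choices.

```routeros
# Address list referenced by the drop rule (assumed contents, taken from
# the two subnets named in the first post).
/ip firewall address-list
add list=local-networks address=10.0.1.0/24 comment="LAN"
add list=local-networks address=10.0.2.0/24 comment="WIFI"

# Filter rules are evaluated top to bottom and the first match wins,
# so every accept has to sit above the drop.
/ip firewall filter

# Return traffic for connections that were already allowed. With this in
# place no separate rule is needed for the 10.0.2.50 -> 10.0.1.10 direction.
add chain=forward action=accept connection-state=established,related \
    comment="replies to permitted connections"

# The one permitted service: 10.0.1.10 may open TCP connections to port 80
# on 10.0.2.50. dst-port is used instead of port, because port matches when
# either the source or the destination port is 80.
add chain=forward action=accept connection-state=new protocol=tcp \
    src-address=10.0.1.10 dst-address=10.0.2.50 dst-port=80 \
    comment="LAN host to WIFI web server"

# Ping from the same host: echo request only (type 8, code 0); the echo
# reply is matched by the established/related rule.
add chain=forward action=accept protocol=icmp icmp-options=8:0 \
    src-address=10.0.1.10 dst-address=10.0.2.50 \
    comment="LAN host may ping WIFI web server"

# Everything else between the two local networks stays blocked.
add chain=forward action=drop \
    src-address-list=local-networks dst-address-list=local-networks \
    comment="isolate LAN and WIFI"

# No dst-nat rule is involved: both subnets are routed by the same router,
# so the forward chain sees the real addresses.
# Check rule order and hit counters with:
#   /ip firewall filter print stats
```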
 
evangel159
just joined
Posts: 5
Joined: Tue Nov 05, 2013 11:23 pm

Re: Port forwarding by IP

Fri Nov 22, 2013 9:13 pm

Hi

I have a similar problem but I can't fix it

I am using a simple application to try to establish a connection to the server using a TCP-IP socket. When the NAT rule I use is enabled I can see clearly how there is some traffic arriving to the server, and the application waits for some time while trying to connect to the server, but it fails. When the rule is disabled, the program immediately prompts a message indicating that the connection was refused.
From this I conclude that I am able to send data to the server, but it is unable to respond to the client to establish a connection.

My NAT rules are as follows:

I am using WinBox

1- srcnat
Src Address : 192.168.10.0/24
Out interface : wayout
Action: masquerade

2- chain:dstnat
Dst Address: My Public-IP
Protocol:6(tcp)
Dst port:8087

Action

Action: dst-nat
To Addresses: server IP
To ports: 8082 (this is the server port)


Is there any additional rule that I must use in order for a client to be able to connect to the server? Am I missing something here?

Thanks in advance
 
CelticComms
Forum Guru
Posts: 1766
Joined: Wed May 02, 2012 5:48 am

Re: Port forwarding by IP

Sat Nov 23, 2013 5:08 am

What does the routing table on the server look like?

 
evangel159
just joined
Posts: 5
Joined: Tue Nov 05, 2013 11:23 pm

Re: Port forwarding by IP

Mon Nov 25, 2013 5:26 pm

Of course

I got these routes:

Route list:
Routes:

Dst. Address Gateway

AS --0.0.0.0/0 une
AS --xxx.xxx.50.0/24 192.168.20.1 "it is a VPN"
AS --192.168.1.0/24 192.168.20.1

Is that what you asked?
 
CelticComms
Forum Guru
Posts: 1766
Joined: Wed May 02, 2012 5:48 am

Re: Port forwarding by IP

Mon Nov 25, 2013 8:18 pm

If you DST NAT traffic to a server it will still appear with the original source IP (unless you also SRC NAT the traffic) so the server needs a route back to the originator. It looks like you have no default route set on the server.

 
evangel159
just joined
Posts: 5
Joined: Tue Nov 05, 2013 11:23 pm

Re: Port forwarding by IP

Tue Nov 26, 2013 8:50 pm

This is the default route, no?

AS --0.0.0.0/0 une

All the traffic will go out by that interface, no? Except the traffic for "xxx.xxx.50.0" and "192.168.1.0/24"

And this masquerade

1- srcnat
Src Address : 192.168.10.0/24
Out interface : wayout
Action: masquerade

Should help to solve that, no?

If you think I need another route could you please give me some advice?

Thanks a lot
