Community discussions

MikroTik App
 
l33byt
just joined
Topic Author
Posts: 1
Joined: Wed May 27, 2020 6:49 pm

Unable to route between WAN and inside network - Public IP and no Nat required.

Wed May 27, 2020 6:56 pm

Hi There,

Can any one help?

I have my WAN connection and also a LAN connection which uses NAT and works just fine.
BUT i also have a /28 network y.y.y and despite knowing it worked previously (Juniper SRX went faulty) i cannot get it to work on the Mikrotik.

add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
WAN add address=x.x.x.174/29 interface=ether1-WAN network=x.x.x.168
add address=192.168.1.1/24 interface=ether3-192.168.1.1/24 network=192.168.1.0
add address=y.y.y.97/28 interface=ether4-y.y.y..96/28 network=y.y.y..96

The public range y.y.y. will not need nat.

I have added these firewall rules

add action=accept chain=forward connection-state=established,new out-interface=ether1-WAN src-address=y.y.y..96/28
add action=accept chain=forward connection-state=established,new dst-address=y.y.y..96/28 in-interface=all-ethernet

But still unable to reach the y.y.y. from the internet/wan

Can some one please help.
 
millenium7
Long time Member
Long time Member
Posts: 538
Joined: Wed Mar 16, 2016 6:12 am

Re: Unable to route between WAN and inside network - Public IP and no Nat required.

Thu May 28, 2020 2:34 am

Might need a /export of the relevant sections

It really depends how you've set your firewall filter rules up, but if you have a typical set of requirements (public IP that the LAN shares, additional public IP's for other devices) you shouldn't need anything at all in 'firewall filter' you just need 1 rule in 'firewall nat' which is to prevent NAT'ing of public IP addresses, and/or specify which internal IP addresses would get NAT'd as which IP
You shouldn't need 'firewall filter' for this, unless you want to block incoming access (since devices will have a public IP address and not be inherently protected behind NAT)

i.e. if you normally have
/ip firewall nat add chain=src-nat out-interface=WAN action=masquerade

Then all traffic going out the WAN interface will be masquerade/NAT'd with the IP address on the WAN interface
Either add this rule above it

/ip firewall nat add chain=src-nat out-interface=WAN src-address=y.y.y.y/28 action=accept

Which will match first and then effectively just do nothing
Or adjust the other rule to something like

/ip firewall nat add chain=src-nat out-interface=WAN src-address=192.168.88.0/24 action=masquerade comment="Masquerade 192.168.88.0/24 addresses going out WAN"

Then it would only match that range. It just depends on your requirements, the first example is a broad scope covering all possible LAN ranges you might add in the future, the last example is being very specific but can be more useful when its something like....

/ip firewall nat add chain=src-nat out-interface=WAN src-address=192.168.88.0/24 action=src-nat to-address=1.1.1.1 comment="Masquerade 192.168.88.0/24 addresses going out WAN as 1.1.1.1"
/ip firewall nat add chain=src-nat out-interface=WAN src-address=192.168.1.0/24 action=src-nat to-address=2.2.2.2 comment="Masquerade 192.168.88.0/24 addresses going out WAN as 2.2.2.2"
/ip firewall nat add chain=src-nat out-interface=WAN action=src-nat to-address=3.3.3.3 comment="Masquerade anything else going out WAN as 3.3.3.3"
 
ntatemakgaola
just joined
Posts: 2
Joined: Sun May 31, 2020 9:46 pm

Re: Unable to route between WAN and inside network - Public IP and no Nat required.

Sun May 31, 2020 10:14 pm

i also have a problem i have RBLHGR&R11e-LTE i cannot do port forwading for dvr the simcard.

Who is online

Users browsing this forum: No registered users and 17 guests