
dst-nat question

Posted: Fri Jan 26, 2007 11:42 am
by rtr989
I want to make a dst-nat from local address 192.168.0.1:6580 to 66.94.234.13:80

On the 192.168.0.1 router I added this:
chain=dstnat dst-address=192.168.0.1 protocol=tcp dst-port=6580
action=dst-nat to-addresses=66.94.234.13 to-ports=80

So, I try to connect to port 6580 on 192.168.0.1 and nothing happens..
In firewall nat I see that packets are counted; in connections the tcp state is syn sent and it stops there...
What is wrong?

Posted: Fri Jan 26, 2007 11:50 am
by firebat
You need to set up a dstnat and srcnat as follows:

chain=dstnat dst-address=66.94.234.13 protocol=tcp dst-port=6580
action=dst-nat to-addresses=192.168.0.1 to-ports=80

chain=srcnat dst-address=192.168.0.1 protocol=tcp dst-port=80
action=dst-nat to-addresses=66.94.234.13 to-ports=6580

Posted: Fri Jan 26, 2007 11:54 am
by rtr989
You need to set up a dstnat and srcnat:

dstnat:


Set up a srcnat from 192.168.0.1 to 66.94.234.13
Can you give an example?

Posted: Fri Jan 26, 2007 11:54 am
by firebat
Was editing response...see above :) You can open all of the ports to begin with to get it working then alter the config.

Posted: Fri Jan 26, 2007 12:02 pm
by firebat
You can try just the dstnat example above alone if you want. What I gave is an example of poking a hole in the firewall. With additional ports open, you can put a server on a private IP and have it accessible from the internet.

Posted: Fri Jan 26, 2007 12:03 pm
by rtr989
chain=srcnat dst-address=192.168.0.1 protocol=tcp dst-port=80
action=dst-nat to-addresses=66.94.234.13 to-ports=6580
This is wrong..

Posted: Fri Jan 26, 2007 12:06 pm
by firebat
Possibly. I didn't try it.

Posted: Fri Jan 26, 2007 2:11 pm
by Solusan
Hi...


I have a little problem with NAT.

The post is in:

http://forum.mikrotik.com/viewtopic.php?p=62693#62693


I'm a little bit desperate.....


Very many thanks.

Posted: Fri Jan 26, 2007 4:26 pm
by rtr989
chain=dstnat dst-address=192.168.0.1 protocol=tcp dst-port=6580
action=dst-nat to-addresses=66.94.234.13 to-ports=80

Is this rule right?
It does not work!

Posted: Sat Jan 27, 2007 5:05 am
by firebat
Can you describe exactly what you are trying to accomplish? Are you trying to access 192.168.0.1 from the internet using public IP 66.94.234.13?

Posted: Sun Jan 28, 2007 11:25 pm
by Solusan
Can you describe exactly what you are trying to accomplish? Are you trying to access 192.168.0.1 from the internet using public IP 66.94.234.13?

Hi,

I have a question about this:

I did this:


Add one rule to chain=forward,
'ip firewall filter add action=jump jump-target=hotspot chain=forward',
set for 'guest' user profile,
'ip hotspot user profile set profile_name incoming-filter=1 outgoing-filter=1', that will redirect current profile traffic to chain=1.

Add rule to chain 1 to drop traffic with specific dst-address,
'ip firewall filter add chain=1 dst-address=172.0.0.0/8 action=drop'.
And I applied this rule to the user 'guest'.

I did that to block the user 'guest' so that they couldn't access 172.0.0.0/8, but as you can see I get a drop.
But now I need the user to be redirected to the hotspot home page or to any error page where the user can be alerted that the range cannot be accessed.
How could I do it?

Many thanks for your help and understanding.

Posted: Mon Jan 29, 2007 8:28 am
by mneumark
/ip firewall nat add chain=srcnat src-address=192.168.0.1 protocol=tcp src-port=6580 action=src-nat to-addresses=66.94.234.13 to-ports=80