Sigaro

Problem with NAT

Thu Oct 25, 2018 11:53 am

Hello forum, I am a newbie with MikroTik.
I have a problem with my MikroTik RB3011.
I have multiple connections to a SOCKS proxy from my server behind NAT, and the connections get stuck in SYN_SENT without any reply.
[root@Gateway] > /ip export 
# oct/25/2018 12:48:41 by RouterOS 6.43.2
# software id = 1YBD-GDI8
#
# model = RouterBOARD 3011UiAS
# serial number = 783D07F46768
/ip pool
# NOTE(review): dhcp_pool0 and dhcp_pool1 cover exactly the same range and only
# dhcp_pool1 is referenced by the dhcp1 server below, so dhcp_pool0 looks like a leftover.
add name=dhcp_pool0 ranges=192.168.1.2-192.168.1.254
add name=dhcp_pool1 ranges=192.168.1.2-192.168.1.254
/ip dhcp-server
add address-pool=dhcp_pool1 authoritative=after-2sec-delay disabled=no interface=main-bridge name=dhcp1
/ip address
# LAN side: the router is 192.168.1.1 on main-bridge.
add address=192.168.1.1/24 interface=main-bridge network=192.168.1.0
# "ISP-ip" / "ISP-0" appear to be the poster's placeholders for the redacted public address
# on the WAN interface WAN-Drugoy; they are not valid RouterOS values as written.
add address=ISP-ip/24 interface=WAN-Drugoy network=ISP-0
/ip dhcp-server lease
# Static leases for most of the hosts that the dstnat rules forward to. 192.168.1.11 and
# 192.168.1.172 are forwarding targets below but have no static lease here; if they are
# dynamic those forwards can silently go stale -- TODO confirm.
add address=192.168.1.88 client-id=1:38:d5:47:15:c8:85 mac-address=38:D5:47:15:C8:85 server=dhcp1
add address=192.168.1.42 client-id=1:dc:a9:4:77:82:b1 mac-address=DC:A9:04:77:82:B1 server=dhcp1
add address=192.168.1.118 client-id=1:dc:a9:4:77:82:8a mac-address=DC:A9:04:77:82:8A server=dhcp1
add address=192.168.1.193 mac-address=70:85:C2:2C:6A:58 server=dhcp1
add address=192.168.1.15 mac-address=10:7B:44:4C:C8:93 server=dhcp1
add address=192.168.1.3 mac-address=9C:5C:8E:87:7C:09 server=dhcp1
add address=192.168.1.4 mac-address=2C:56:DC:D5:5B:7E server=dhcp1
add address=192.168.1.10 mac-address=70:4D:7B:65:82:83 server=dhcp1
add address=192.168.1.2 mac-address=9C:5C:8E:89:56:C7 server=dhcp1
add address=192.168.1.16 mac-address=B0:6E:BF:D1:D7:39 server=dhcp1
add address=192.168.1.12 mac-address=30:9C:23:05:3E:F5 server=dhcp1
add address=192.168.1.123 client-id=1:0:17:c8:3b:b4:58 mac-address=00:17:C8:3B:B4:58 server=dhcp1
add address=192.168.1.133 client-id=1:10:dd:b1:99:48:67 mac-address=10:DD:B1:99:48:67 server=dhcp1
/ip dhcp-server network
# Clients get the router as both gateway and DNS server, so the resolver below is load-bearing.
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1
/ip dns
# allow-remote-requests=yes turns the router into a recursive resolver for anything that can
# reach it. Because every rule in /ip firewall filter below is disabled, nothing limits this
# to LAN queries: the resolver is answerable from the WAN side and can be abused as an open
# resolver (reflection/amplification). Either re-enable an input rule that drops udp/tcp 53
# arriving on WAN-Drugoy, or set allow-remote-requests=no and point clients elsewhere.
set allow-remote-requests=yes cache-max-ttl=1d cache-size=7048KiB max-concurrent-tcp-sessions=500 servers=8.8.8.8,8.8.4.4,1.1.1.1,1.0.0.1
/ip dns static
# Static override for one external hostname; its purpose is not stated in the post.
add address=178.32.126.82 name=ip82.ip-178-32-126.eu
/ip firewall address-list
# Bogon list consumed by the "Drop to bogon list" forward rule (which is currently disabled).
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=Bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you need this subnet before enable it" list=Bogons
add address=127.0.0.0/8 comment="Loopback [RFC 3330]" list=Bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" disabled=yes list=Bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you need this subnet before enable it" list=Bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=Bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=Bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=Bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=Bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=Bogons
# NOTE(review): list=-Bogons (leading '-') is a typo. This entry lands in a separate list
# named "-Bogons" and is never matched by rules that reference "Bogons".
add address=224.0.0.0/4 comment="MC, Class D, IANA # Check if you need this subnet before enable it" list=-Bogons
/ip firewall connection tracking
# Half-open connections are dropped from the table after 15s; established ones after 1h idle.
set enabled=yes tcp-established-timeout=1h tcp-syn-received-timeout=15s
/ip settings
# accept-redirects=yes lets any neighbour rewrite this router's next hop via ICMP redirects,
# and accept-source-route=yes honours source-routed packets; both are normally set to no on an
# internet-facing router. tcp-syncookies=yes is the right setting. max-neighbor-entries=999192
# is far above the default -- presumably deliberate, but it raises ARP-table memory exposure.
set accept-redirects=yes accept-source-route=yes icmp-rate-limit=1000 max-neighbor-entries=999192 tcp-syncookies=yes
/ip firewall filter
# Every rule in this section carries disabled=yes, so the router currently performs no packet
# filtering at all: its own services (input chain) and all forwarded traffic are reachable from
# WAN-Drugoy without restriction. The "defconf:" rules are the stock default firewall; the set
# below (accept established/related, drop invalid, drop WAN-originated non-dstnat) is the minimum
# that should be re-enabled.
# SYN-flood guard: the jump is scoped to src-address=192.168.1.4 only and matches nearly every
# connection-state, so most of that host's TCP SYNs take the jump rather than only new ones.
add action=jump chain=forward comment=" SYN Flood protect" connection-state=established,related,new,untracked disabled=yes jump-target=SYN-Protect protocol=tcp src-address=192.168.1.4 \
    tcp-flags=syn
# limit=400M,5:packet accepts up to 400M SYNs per second before the limit kicks in -- if read as
# packets/s that threshold will never be reached, so this guard is effectively a plain accept.
add action=accept chain=SYN-Protect comment=" " connection-state=new disabled=yes limit=400M,5:packet protocol=tcp tcp-flags=syn
add action=accept chain=input disabled=yes protocol=icmp
add action=accept chain=forward disabled=yes protocol=icmp
# Winbox (8291) accepted on input with no in-interface/src-address restriction; scope it to LAN.
add action=accept chain=input disabled=yes dst-port=8291 protocol=tcp
add action=accept chain=input connection-state=established,related disabled=yes
# PPTP control channel + GRE; no PPTP server appears in this export, so these may be leftovers.
add action=accept chain=input disabled=yes dst-port=1723 protocol=tcp
add action=accept chain=input disabled=yes protocol=gre
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid disabled=yes
# TFTP (udp/69) accepted on both chains with no interface restriction.
add action=accept chain=input disabled=yes port=69 protocol=udp
add action=accept chain=forward disabled=yes port=69 protocol=udp
# This is the rule that keeps WAN-originated new connections out of the LAN; while it is
# disabled anything the ISP routes to this box can be forwarded inward.
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new disabled=yes in-interface=WAN-Drugoy
add action=drop chain=forward comment="Drop to bogon list" disabled=yes dst-address-list=Bogons
# Final input drop from WAN (logged). Must come after the accept rules above once re-enabled.
add action=drop chain=input disabled=yes in-interface=WAN-Drugoy log=yes
/ip firewall mangle
# MSS clamp to 1300 on SYNs from 192.168.1.4 only, and disabled. If the stalled SYNs described
# in the post originate from this host, an MTU/MSS problem on the WAN path is one thing to
# check -- cannot be confirmed from the export alone.
add action=change-mss chain=forward disabled=yes new-mss=1300 passthrough=yes protocol=tcp src-address=192.168.1.4 tcp-flags=syn
/ip firewall nat
# masquerade has no out-interface, so it rewrites the source of every forwarded connection,
# including LAN traffic routed to 192.168.11.0/24 via 192.168.1.240 (see /ip route). Restrict it
# with out-interface=WAN-Drugoy. There is also no hairpin rule (srcnat for LAN clients hitting
# dst-address=ISP-ip), so LAN hosts cannot use the forwards below via the public address.
add action=masquerade chain=srcnat
# Port forwards. All use action=netmap, which is intended for 1:1 network mapping; dst-nat is the
# usual action for a single-host port forward and should behave the same here. log=yes on every
# rule writes one log line per new connection to these ports, which will flood the log under
# scanning. With the filter chain disabled these rules expose SSH, Tomcat and an IP camera to
# the whole internet with no source restriction; at minimum add a src-address-list of allowed
# clients to the SSH rules and keep the "drop all from WAN not DSTNATed" filter rule enabled.
add action=netmap chain=dstnat comment="Nosok-Work SSH" dst-address=ISP-ip dst-port=1222 in-interface=WAN-Drugoy log=yes protocol=tcp to-addresses=192.168.1.12 to-ports=22
add action=netmap chain=dstnat comment="Nosok-4 SSH" dst-address=ISP-ip dst-port=422 in-interface=WAN-Drugoy log=yes protocol=tcp to-addresses=192.168.1.4 to-ports=22
add action=netmap chain=dstnat comment="Nosok-16 SSH" dst-address=ISP-ip dst-port=1622 in-interface=WAN-Drugoy log=yes protocol=tcp to-addresses=192.168.1.16 to-ports=22
add action=netmap chain=dstnat comment="Nosok-15 SSH" dst-address=ISP-ip dst-port=1522 in-interface=WAN-Drugoy log=yes protocol=tcp to-addresses=192.168.1.15 to-ports=22
# 192.168.1.11 has no static DHCP lease in this export -- verify it is a fixed address.
add action=netmap chain=dstnat comment="Nosok-11 SSH" dst-address=ISP-ip dst-port=1122 in-interface=WAN-Drugoy log=yes protocol=tcp to-addresses=192.168.1.11 to-ports=22
add action=netmap chain=dstnat comment="Nosok-10 SSH" dst-address=ISP-ip dst-port=1022 in-interface=WAN-Drugoy log=yes protocol=tcp to-addresses=192.168.1.10 to-ports=22
add action=netmap chain=dstnat comment="Nosok-4 Tomcat" dst-address=ISP-ip dst-port=480 in-interface=WAN-Drugoy log=yes protocol=tcp to-addresses=192.168.1.4 to-ports=8080
# NOTE(review): comment says "Nosok-4" but the target is 192.168.1.133, while the other
# Nosok-4 rules target 192.168.1.4 -- one of the two is mislabelled.
add action=netmap chain=dstnat comment="Nosok-4 Tomcat" dst-address=ISP-ip dst-port=85 in-interface=WAN-Drugoy log=yes protocol=tcp to-addresses=192.168.1.133 to-ports=8080
add action=netmap chain=dstnat comment="Nosok-16 Tomcat" dst-address=ISP-ip dst-port=1680 in-interface=WAN-Drugoy log=yes protocol=tcp to-addresses=192.168.1.16 to-ports=8080
add action=netmap chain=dstnat comment="Nosok-15 Tomcat" dst-address=ISP-ip dst-port=1580 in-interface=WAN-Drugoy log=yes protocol=tcp to-addresses=192.168.1.15 to-ports=8080
add action=netmap chain=dstnat comment="Nosok-11 Tomcat" dst-address=ISP-ip dst-port=1180 in-interface=WAN-Drugoy log=yes protocol=tcp to-addresses=192.168.1.11 to-ports=8080
add action=netmap chain=dstnat comment="Nosok-10 Tomcat" dst-address=ISP-ip dst-port=1080 in-interface=WAN-Drugoy log=yes protocol=tcp to-addresses=192.168.1.10 to-ports=8080
add action=netmap chain=dstnat comment="Nosok-3 Tomcat" dst-address=ISP-ip dst-port=380 in-interface=WAN-Drugoy log=yes protocol=tcp to-addresses=192.168.1.3 to-ports=8080
add action=netmap chain=dstnat comment="Nosok-2 Tomcat" dst-address=ISP-ip dst-port=280 in-interface=WAN-Drugoy log=yes protocol=tcp to-addresses=192.168.1.2 to-ports=8080
add action=netmap chain=dstnat comment="Neptun SSH" dst-address=ISP-ip dst-port=822 in-interface=WAN-Drugoy log=yes protocol=tcp to-addresses=192.168.1.193 to-ports=22
add action=netmap chain=dstnat comment="Nosok-2 SSH" dst-address=ISP-ip dst-port=222 in-interface=WAN-Drugoy log=yes protocol=tcp to-addresses=192.168.1.2 to-ports=22
add action=netmap chain=dstnat comment="Nosok-3 SSH" dst-address=ISP-ip dst-port=322 in-interface=WAN-Drugoy log=yes protocol=tcp to-addresses=192.168.1.3 to-ports=22
add action=netmap chain=dstnat comment="Neptun Tomcat" dst-address=ISP-ip dst-port=580 in-interface=WAN-Drugoy log=yes protocol=tcp to-addresses=192.168.1.193 to-ports=8080
add action=netmap chain=dstnat comment="Nosok-Work Tomcat" dst-address=ISP-ip dst-port=1280 in-interface=WAN-Drugoy log=yes protocol=tcp to-addresses=192.168.1.12 to-ports=8080
# IP camera (HTTP, RTSP, and port 8000) published directly; 192.168.1.172 has no static lease
# in this export. Camera web/RTSP interfaces are a common foothold -- front them with a VPN or
# at least a src-address-list rather than exposing them to every source.
add action=netmap chain=dstnat comment="Camera IP -8080" dst-address=ISP-ip dst-port=8080 in-interface=WAN-Drugoy log=yes protocol=tcp to-addresses=192.168.1.172 to-ports=8080
add action=netmap chain=dstnat comment="Camera IP -554" dst-address=ISP-ip dst-port=554 in-interface=WAN-Drugoy log=yes protocol=tcp to-addresses=192.168.1.172 to-ports=554
add action=netmap chain=dstnat comment="Camera IP -8000" dst-address=ISP-ip dst-port=8000 in-interface=WAN-Drugoy log=yes protocol=tcp to-addresses=192.168.1.172 to-ports=8000
/ip firewall service-port
# SIP ALG disabled; usually preferable when VoIP devices do their own NAT traversal.
set sip disabled=yes
/ip proxy
# Only parent-proxy is set; the web proxy itself is not enabled anywhere in this export.
set parent-proxy=0.0.0.0
/ip route
# Default route via the WAN interface name rather than a next-hop address. check-gateway=ping
# needs an address to ping, so it presumably has no effect here -- TODO confirm how the ISP
# link assigns its gateway (static vs. DHCP/PPPoE).
add check-gateway=ping distance=1 gateway=WAN-Drugoy
# Second LAN segment behind 192.168.1.240; the unrestricted masquerade rule above rewrites
# traffic on this path too.
add distance=1 dst-address=192.168.11.0/24 gateway=192.168.1.240
/ip service
# Telnet/FTP/WWW/SSH/API/API-SSL are all disabled (www was moved to 8021 but is off as well).
# winbox is not listed, so it presumably keeps its default of listening on every address; with
# the filter chain disabled that means management is reachable from WAN-Drugoy. Restrict it
# with address=192.168.1.0/24 (or re-enable the input drop rule) before exposing this router.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes port=8021
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip traffic-flow
set active-flow-timeout=1m cache-entries=16k
/ip traffic-flow target
# NetFlow export target (disabled). The collector is an external address, and NetFlow is
# unauthenticated UDP, so if re-enabled the flow records leave the network in the clear.
add disabled=yes dst-address=195.201.101.160 port=9995
