powerpub
just joined
Topic Author
Posts: 1
Joined: Wed Nov 14, 2018 7:03 pm

Can I Only Allow Port Forwarding (or Dstnat) Based On A Source Address List?

Wed Nov 14, 2018 9:45 pm

Is this possible? I can't make this work in the Forward or Dstnat chain rules, but it works GREAT on the Input chain.

Example: I have a port knock scenario that adds an IP to an Address List named "Safe".

On the Input chain firewall rule for router access I reference the list "Safe" (under Advanced -> Src. Address List) and it works great! It will deny access to the router unless the source IP is on the "Safe" list.

However, when I try adding my "Safe" list into the Forward chain or Dstnat rules, I lose connectivity to the server behind the firewall, and I have verified the IP I'm using is on the "Safe" list. Removing the "Safe" list from the filter rule restores access to the server.

Any ideas why that is happening? I'm trying to avoid VPN access for a certain reason.

Thanks in advance.
 
nescafe2002
Forum Veteran
Posts: 897
Joined: Tue Aug 11, 2015 12:46 pm
Location: Netherlands

Re: Can I Only Allow Port Forwarding (or Dstnat) Based On A Source Address List?

Thu Nov 15, 2018 9:07 am

No problem, I have several port forwardings based on an address list:
/ip firewall address-list
add address=1.2.3.4 list=trusted
/ip firewall nat
add action=dst-nat chain=dstnat dst-address-type=local dst-port=8291 \
    protocol=tcp src-address-list=trusted to-addresses=192.168.88.100
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Can I Only Allow Port Forwarding (or Dstnat) Based On A Source Address List?

Thu Nov 15, 2018 3:15 pm

Hi there, very good question and one that I wrestled with when first coming to MikroTik from Zyxel routers.
On Zyxel routers one had to create a port forwarding rule and a firewall rule.

On the MikroTik devices one creates a Destination NAT rule, and one can provide the granularity within the dstnat rule to limit access to one or more IPs.
As the previous poster noted, he created an address list and then applied the list (in WinBox, on the Advanced tab one can find source-address-list).
I use this for access to a solar panel and a septic panel for the associated companies.

If you just have one IP and don't ever think you will need more than one external IP to have access, you can simply enter the IP in Source Address on the first tab.

/ip firewall nat
add action=dst-nat chain=dstnat comment=Solar_TCP dst-port=xxxxx \
in-interface-list=WAN log=yes protocol=tcp src-address-list=Solar_City \
to-addresses=192.168.0.yy
add action=dst-nat chain=dstnat comment=Solar_UDP dst-port=xxxxx \
in-interface-list=WAN log=yes protocol=udp src-address-list=Solar_City \
to-addresses=192.168.0.yy

I should note that you can add multiple ports separated by commas in dst-port.

By the way, one can do port translation here as well. For any case where the port-forwarded traffic (unsolicited traffic) comes in on port xxxxx and you want it to actually go to a server, but on port zzzz, that is easy too:

/ip firewall nat
add action=dst-nat chain=dstnat comment=Solar_TCP dst-port=xxxxx \
in-interface-list=WAN log=yes protocol=tcp src-address-list=Solar_City \
to-addresses=192.168.0.yy to-ports=zzzz
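
A complete RouterOS configuration that ties the pieces of this thread together (a port knock that populates the "Safe" list, a dstnat rule restricted to that list, and a matching forward-chain filter), added here as an example; it is not from any of the posters above. The list name Safe and the server 192.168.88.100 come from the thread; the interface list WAN, the knock ports 1111 and 2222, the 203.0.113.10 test client, and the 8443 to 443 translation are assumptions.

```routeros
# Added example, not from the thread. Assumed: ether1 is the uplink, the
# WAN interface list exists, knock ports 1111 then 2222, internal server
# 192.168.88.100 listening on TCP 443, reachable from outside on TCP 8443.
/interface list
add name=WAN
/interface list member
add interface=ether1 list=WAN

/ip firewall address-list
# Constructed test entry (RFC 5737 address) so the rules can be exercised
# before the knock is tested; it expires after an hour.
add address=203.0.113.10 list=Safe timeout=1h comment="test client (constructed)"

/ip firewall filter
# Two-stage knock: the first port puts the source on a short-lived staging
# list, the second port (accepted only from that staging list) promotes the
# source to "Safe" for one hour. A bare SYN is enough to match each rule.
add chain=input in-interface-list=WAN protocol=tcp dst-port=1111 \
    action=add-src-to-address-list address-list=knock-stage1 \
    address-list-timeout=15s comment="knock 1/2"
add chain=input in-interface-list=WAN protocol=tcp dst-port=2222 \
    src-address-list=knock-stage1 action=add-src-to-address-list \
    address-list=Safe address-list-timeout=1h comment="knock 2/2 -> Safe"

# Input chain: router management only from "Safe" (what the question says
# already works).
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input src-address-list=Safe action=accept
add chain=input in-interface-list=WAN action=drop comment="drop other WAN input"

# Forward chain. Ordering matters: in the reply direction (server -> client)
# the packet source is the server, which is never on "Safe", so replies must
# be accepted as established/related BEFORE any src-address-list match.
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
# dstnat runs before filter/forward, so this rule sees the translated
# destination (192.168.88.100:443), not the public address.
# connection-nat-state=dstnat limits it to connections that hit a dst-nat rule.
add chain=forward in-interface-list=WAN connection-nat-state=dstnat \
    src-address-list=Safe action=accept comment="forwarded only from Safe"
add chain=forward in-interface-list=WAN action=drop \
    comment="drop other unsolicited WAN->LAN"

/ip firewall nat
# Public TCP 8443 -> server TCP 443, only for sources already on "Safe".
# Anyone else gets no translation at all, so the port looks closed.
add chain=dstnat in-interface-list=WAN protocol=tcp dst-port=8443 \
    src-address-list=Safe action=dst-nat to-addresses=192.168.88.100 \
    to-ports=443 comment="Safe-only forward"
```

To check the result from the router, `/ip firewall address-list print where list=Safe` shows who has knocked in and how long each entry has left, and `/ip firewall connection print where dst-address~"192.168.88.100"` shows whether a client's connection was actually translated (the dst-address column will show 192.168.88.100:443 rather than the public address). Each knock re-adds the source with a fresh timeout, so a client that keeps using the forward past the hour has to knock again; shorten or lengthen address-list-timeout to taste.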
