tiran
Frequent Visitor
Topic Author
Posts: 50
Joined: Fri Aug 07, 2015 2:53 pm

IP Firewall Nat

Thu Dec 27, 2018 9:27 am

I need to filter dst-nat by device MAC.
My NAT is as follows:
chain=dstnat action=dst-nat to-addresses=192.168.x.x to-ports=4000
protocol=tcp in-interface-list=WAN dst-port=8055 log=no log-prefix=""
My requirement is to allow access to, or forwarding to, this dst-nat only for hosts with an allowed MAC address. Other hosts should be blocked even if they have the correct URL. Can anyone help me?
 
Jotne
Forum Guru
Posts: 3279
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: IP Firewall Nat

Thu Dec 27, 2018 10:48 am

You are trying to mix layer 3 NAT/routing with layer 2 MAC. It may not work.
Last edited by Jotne on Thu Dec 27, 2018 3:42 pm, edited 1 time in total.
 
Redmor
Member Candidate
Posts: 256
Joined: Wed May 31, 2017 7:40 pm
Location: Italy

Re: IP Firewall Nat

Thu Dec 27, 2018 1:19 pm

You can make two firewall rules with:
1. chain forward
2. protocol
3. dst-port
4. src-mac address
5. action accept

Repeat this one for every MAC address you need; you can't make lists (if I remember correctly).

Second one:
1. chain forward
2. protocol
3. dst-port
4. action drop

Specify in-interface or dst-address as well.
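The two rules described above, written out as RouterOS commands; this is an added example, not Redmor's own configuration. The server address/port (192.168.10.100:4000, from later in the thread) and the two MAC addresses are assumed placeholders. Because the forward chain runs after dst-nat, the rules match on the translated (internal) destination.

```routeros
# Added example: forward-chain rules matching on source MAC, as outlined above.
# Caveat: src-mac-address is the MAC of the last layer-2 hop. For traffic that
# arrives over WAN that is always the ISP gateway's MAC, so these rules can only
# distinguish hosts on the router's own LAN segment.
/ip firewall filter
add chain=forward protocol=tcp dst-address=192.168.10.100 dst-port=4000 \
    src-mac-address=AA:BB:CC:00:00:01 action=accept comment="allow device 1 (placeholder MAC)"
add chain=forward protocol=tcp dst-address=192.168.10.100 dst-port=4000 \
    src-mac-address=AA:BB:CC:00:00:02 action=accept comment="allow device 2 (placeholder MAC)"
# The drop rule must come after the accept rules; log it so refused hosts are visible.
add chain=forward protocol=tcp dst-address=192.168.10.100 dst-port=4000 \
    action=drop log=yes log-prefix="srv4000-denied" comment="drop everyone else"
```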
 
tiran
Frequent Visitor
Topic Author
Posts: 50
Joined: Fri Aug 07, 2015 2:53 pm

Re: IP Firewall Nat

Tue Dec 01, 2020 1:31 pm

Is there any other method to limit which users are allowed to access the NAT? The src-mac is not the client device's MAC if the device connects through the internet. I think it would be better if there were a way to access the NAT through a certificate or key.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: IP Firewall Nat

Tue Dec 01, 2020 2:14 pm

As you have realized yourself, MAC addresses are only used on the LAN, so the router cannot see them in the header of a packet which arrives from a remote network.

NAT works at the L3 (IP) and L4 (e.g. TCP) layers, whereas certificates and keys are used on higher layers. So if you use the dst-nat to access some internal server, the solution may be to activate certificate-based authentication of the clients at that server, or you have to use a VPN. Depending on the operating system of the client devices, you have to choose an appropriate VPN type. IKEv2 is currently the best one for Windows, but for older Android versions you need to install a VPN application (e.g. strongSwan), and with Apple devices, proper population of the certificate fields can be a challenge. L2TP/IPsec seems to work on all mainstream systems, but it uses only a pre-shared key for authentication, not certificates.
 
tiran
Frequent Visitor
Topic Author
Posts: 50
Joined: Fri Aug 07, 2015 2:53 pm

Re: IP Firewall Nat

Wed Jan 27, 2021 8:57 am

Does anyone have any other option to fulfill my requirement? Actually I need to manage the outside devices that access my server. Urgent......
 
16again
Frequent Visitor
Posts: 78
Joined: Fri Dec 29, 2017 12:23 pm

Re: IP Firewall Nat

Wed Jan 27, 2021 12:27 pm

As src MAC isn't usable, go for alternatives that do work, like the source IP address. If that's dynamic, port knocking or access via VPN.
 
tiran
Frequent Visitor
Topic Author
Posts: 50
Joined: Fri Aug 07, 2015 2:53 pm

Re: IP Firewall Nat

Fri Jan 29, 2021 10:56 am

I am thinking of something like a device certificate.
Do you have any idea?
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: IP Firewall Nat

Fri Jan 29, 2021 3:10 pm

What is the use case that better describes the requirement, instead of a forced solution approach?
What is the situation, and what do you want users to be able to do or not do, in words, without mentioning config at all?
 
tiran
Frequent Visitor
Topic Author
Posts: 50
Joined: Fri Aug 07, 2015 2:53 pm

Re: IP Firewall Nat

Fri May 21, 2021 9:44 am

As an example:
My router:
Public IP = 124.10.20.201
LAN IP = 192.168.10.1
Server IP = 192.168.10.100:4000
My NAT rule = "action=dst-nat chain=dstnat comment="WAN login" dst-port=8585 in-interface-list=WAN protocol=tcp src-address-type="" to-addresses=192.168.10.100 to-ports=4000"
So my server's web interface local address = http://192.168.10.100:4000/
My server's web interface remote address = http://124.10.20.201:8585/

My problem is that anyone who knows my server's web interface remote address can access my web interface. I need to limit access from WAN; as an example, the Manager and Accountant are allowed to access my web server interface by the remote address (managers use Android devices). Others are not allowed.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: IP Firewall Nat

Fri May 21, 2021 10:58 am

Simply:
YOU CAN NOT.
DOT.
Change idea.
On WAN the only MAC you see is the MAC of the ISP device to which your router is connected.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: IP Firewall Nat

Fri May 21, 2021 1:56 pm

tiran.

1. You should never have a public-facing server that does not have a user name and password entry over an encrypted protocol such as SFTP or HTTPS.
No software worth its salt that is meant for this type of usage works "in the clear"; you may have to point to a RADIUS server to authenticate to the server, or use some other sort of authentication.

2. When limiting users, it's best to use a firewall address list and then put that as the source address list in your DST NAT rule. Not foolproof, but it does limit exposure overall.
So you need to get the public IPs of those other users. If they have a dynamic address, tell them to get a free DynDNS name and then use their domain name in the firewall address list, and the router will resolve those to their public IP.

3. Why does everyone besides those requiring access know your web URL? Don't you mean a domain name like dyndns.......
Change it and don't give it out.

4. As suggested, if this is for one person or a few folks, consider creating a VPN tunnel for them so that they can enter your LAN securely (no destination NAT) and then access the server from the internal LAN.
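Point 2 above as RouterOS commands, using the NAT values tiran posted (dst-port 8585 forwarded to 192.168.10.100:4000 on in-interface-list WAN). This is an added example, not anav's own configuration; the list name, the DynDNS host names and the static address are constructed placeholders.

```routeros
# Added example: source-restricted dst-nat via an address list.
# RouterOS resolves FQDN entries in an address list and refreshes them as the
# DNS record TTL expires, so DynDNS names track the users' changing public IPs.
/ip firewall address-list
add list=wan-login-allowed address=manager.example-dyndns.net comment="Manager (placeholder DynDNS name)"
add list=wan-login-allowed address=accountant.example-dyndns.net comment="Accountant (placeholder DynDNS name)"
add list=wan-login-allowed address=203.0.113.10 comment="Branch office, static IP (constructed)"

# Only sources on the list are translated to the server; everybody else's
# packets to 8585 are left untranslated and never reach 192.168.10.100.
/ip firewall nat
add chain=dstnat in-interface-list=WAN protocol=tcp dst-port=8585 \
    src-address-list=wan-login-allowed \
    action=dst-nat to-addresses=192.168.10.100 to-ports=4000 comment="WAN login"

# Untranslated packets to 8585 are now addressed to the router itself, so they
# arrive in the input chain; drop and log them to see who is probing the port.
/ip firewall filter
add chain=input in-interface-list=WAN protocol=tcp dst-port=8585 \
    action=drop log=yes log-prefix="wan-login-denied" comment="unlisted source hit 8585"
```

Order matters: the input drop rule must sit before any generic accept for established/related traffic would not matter here, but it must come before any rule that accepts new WAN connections to the router.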
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: IP Firewall Nat

Fri May 21, 2021 2:58 pm

tiran.
Ehm.... to be clear :)))

>>>You should never have a server that is public facing that does not have a user name and password entry that is SFTP or HTTPS etc encrypted<<<
+100
 
tiran
Frequent Visitor
Topic Author
Posts: 50
Joined: Fri Aug 07, 2015 2:53 pm

Re: IP Firewall Nat

Sat May 29, 2021 6:35 am

Actually I already use a domain for my access URL, and I have set up and allowed a few users to access the system through the domain. But those users do not keep the details secret. Our manager thinks they will share the secret details. That's why I am trying to do something.
Actually I need a solution to block devices not authorized to access the system, even if someone knows the access URL and login credentials.
As per the discussion and other documents, I think the only way to do this is to create a VPN connection. But I have another issue: if the client device uses the internet, the whole traffic goes through the VPN connection too. But we may be able to handle this also. Any idea?
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: IP Firewall Nat

Sat May 29, 2021 1:44 pm

You need an additional step to authorize people before they are allowed to the server,
like being checked against a RADIUS server. Maybe use a hotspot portal first.

If someone uses the server without permission, then they are banned from any further use
(aka they gave away credentials).
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: IP Firewall Nat

Sat May 29, 2021 3:21 pm

There's no way to prevent, in advance, third parties from logging in using credentials they've obtained from an authorized person, with or without consent/intention of the authorized person.

You can ban the account after you notice that, but it's typically too late. To some extent, two-factor authentication can help, as people usually don't share their mobile phone with friends, but it's still not 100% reliable, as the authorized persons may still willingly authenticate others' access.

Client-side certificates can help against intentional sharing of the account, but only if generated the proper way and only if they cannot be exported at the client side, so hardware tokens ("smart cards") holding non-exportable certificates are the only way (on some operating systems the certificates can be exported easily, on others it requires a serious effort, but you don't know in advance what operating systems your clients will use). But even a hardware token can be used for authentication of a third party if stolen, unless you use 2FA along with it and the second factor has not been stolen too. Hardware tokens that require entering a password to use the certificate seem safe against both intentional sharing and theft, but not against torture/blackmail of the authorized user.

When trying to identify whether a particular access attempt is a "legal" one or not, you cannot rely on anything: several authorized users may connect from the same public IP due to Carrier-Grade NAT, so you cannot check the IP; people may connect from a mobile phone, so the same device may establish two sessions, one via WiFi and the second one via mobile data. So you cannot link the account to a fixed IP address to detect credential sharing or theft.

You can limit the number of simultaneous connections using the same credentials, but definitely not to a single one, for the reasons above. And nevertheless expect problems in case of some outages, where the client will establish a new session while the server will still deem the previous sessions alive.
