pekr
Member Candidate
Topic Author
Posts: 138
Joined: Tue Feb 22, 2005 9:05 pm
Location: Czech Republic

DST NAT entry not recognised by a FW rule

Sun Dec 30, 2018 10:19 am

Hi,

I am not sure if I found a bug in MT, or more probably I am not using DST NAT correctly, but here is my scenario:

Internet --> (Central CCR FW, public ip, DST NAT of services to Server IP) ---> MT hAP ac^2 (DST NAT to services) --> Synology NAS small server

The thing is that on the central CCR FW we are DST-NATting directly to the Server IP/port, so there is no need for a further DST-NAT on our hAP ac^2. But I like at least the minimal FW it implements, where there is a last rule which blocks all incoming WAN traffic that is new and not DST-NATted:

;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN log=no log-prefix=""

But - this rule simply blocks all WAN traffic, regardless of whether DST-NAT rules are present or not. I can see counters being incremented on the DST-NAT rule, so it is a valid one and works. To check its validity, I changed the port of the web service and the web was not accessible anymore.

I found out that the above FW rule only works if the central FW rule points to the IP assigned to the hAP ac^2 itself, and traffic is DST-NATted from there. But it does not catch the DST-NAT rule if it is not using one of the IP addresses of the router itself:

;;; Web
chain=dstnat action=dst-nat to-addresses=x.x.x.x to-ports=80 protocol=tcp dst-address=x.x.x.x dst-port=80 log=no log-prefix=""

The FW rule starts to work if, on the central CCR FW, I change it from x.x.x.x to the hAP ac^2's x.x.x.254. Of course I could do that, and from some point of view it makes sense, but isn't my DST-NAT rule a regular one anyway? Why is it not recognised by the FW as a regular DST-NAT rule?

Thanks,
/Petr
 
mkx
Forum Guru
Posts: 4371
Joined: Thu Mar 03, 2016 10:23 pm

Re: DST NAT entry not recognised by a FW rule  [SOLVED]

Sun Dec 30, 2018 12:21 pm

If the central CCR sends inbound connections directly to the Synology's address, then for the hAP ac2 that's not a DST-NAT job but a regular routing job, as it doesn't know anything about the NAT already performed. If incoming connections are directed (by the CCR) to the hAP ac2's own address, then the DST-NAT rules on the hAP ac2 kick in.

The solution is to write specific FW rules without reference to DST-NAT on the hAP ac2 ... or to perform the final firewalling already in the CCR ... whichever suits better.
BR,
Metod
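The first option from the answer above, as an added configuration example that is not from the thread or from MikroTik's defconf: on the hAP ac^2, the CCR has already rewritten the destination to the NAS, so the forward chain sees a plain routed connection and connection-nat-state=dstnat never matches. The fix is an explicit accept keyed on the real destination, placed before the defconf drop rule. The NAS address 192.168.88.10 and the WAN interface list are assumed values.

```routeros
# Added example, not the thread's own config. Assumed: NAS at 192.168.88.10,
# interface list "WAN" as in the default configuration, and the defconf drop
# rule already present with its original comment.
/ip firewall filter

# Accept the service that the CCR already DST-NATted to the NAS. It matches on
# the real destination and port, not on NAT state, because no dst-nat happened
# on this router. place-before keeps it ahead of the final drop rule.
add chain=forward action=accept connection-state=new in-interface-list=WAN \
    protocol=tcp dst-address=192.168.88.10 dst-port=80 \
    comment="Web to NAS: DST-NAT already done upstream on CCR" \
    place-before=[find comment="defconf: drop all from WAN not DSTNATed"]

# The defconf rule that was dropping the traffic stays last, so anything from
# WAN that is neither explicitly accepted above nor DST-NATted here is still
# dropped (this is what is already in place; shown for rule-order context).
# add chain=forward action=drop connection-state=new \
#     connection-nat-state=!dstnat in-interface-list=WAN \
#     comment="defconf: drop all from WAN not DSTNATed"

# Check: the accept rule's counters should increment on a new connection from
# WAN to the NAS, while the drop rule's counters stay flat for that traffic.
/ip firewall filter print stats where chain=forward
```

Everything not listed in such an accept rule is still dropped, so each service routed through from the CCR needs its own entry, which is the trade-off against doing the final filtering on the CCR instead.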
 
pekr
Member Candidate
Topic Author
Posts: 138
Joined: Tue Feb 22, 2005 9:05 pm
Location: Czech Republic

Re: DST NAT entry not recognised by a FW rule

Sun Dec 30, 2018 1:47 pm

OK, understandable. It is just that if I do DST-NAT on the hAP ac^2 even for the routed address, it does seem to work - packets are counted, and if I change the destination port, that has an effect. But agreed - this is probably not the correct way to do things.
