mambotech
Member Candidate
Topic Author
Posts: 112
Joined: Thu Jun 08, 2006 6:20 pm

DST-NAT

Wed Jun 27, 2007 9:47 pm

Hi all,

I have a strange issue when trying to connect to port 22 on a server on my internal network from a public address.

I ran 3 sessions of winbox and used torch to monitor each interface.

WAN1 src public address dst 172.22.1.100
WAN2 nothing captured
ether1 src 192.168.1.68 dst public address

The above capture seems to be working but I don't get prompted for a login. The ssh session just sits there!

Here is the export of the nat
dstnat dst-address=172.22.1.100 action=dst-nat to-address=192.168.1.68 to-port=22

If anyone can help on this one I will buy them a beer :) I can't work out what is wrong.

Oh, nearly forgot, I also receive the ssh key as well.

Thanks Mark
 
illiniwireless
Member Candidate
Posts: 152
Joined: Mon Dec 26, 2005 12:36 am
Location: USA

Re: DST-NAT

Thu Jun 28, 2007 6:59 am

You need to specify a dst port, for example (55555), and then when trying to access put http://172.22.1.100:55555. This should work. Let me know.
 
mambotech
Member Candidate
Topic Author
Posts: 112
Joined: Thu Jun 08, 2006 6:20 pm

Re: DST-NAT

Thu Jun 28, 2007 9:30 am

Hi,

I added the dst-nat port 22 to the rule but it's still not responding. I can see the connection in torch but I don't get prompted for a password?????


Thanks
 
illiniwireless
Member Candidate
Posts: 152
Joined: Mon Dec 26, 2005 12:36 am
Location: USA

Re: DST-NAT

Thu Jun 28, 2007 12:07 pm

The 22 is supposed to be listed on the action page when using winbox. You should have dst-nat, then the private ip that you are trying to access and then the port you are trying to use to access the device with, like port 80 for http. Now on the general page you should have the chain set as dstnat, then set dst-address as the ip address listed on the port you are coming in on. Now select protocol as tcp. Next select a dst-port (use something like 4940). Apply these settings, then try accessing like this (http://0.0.0.0:4940). Hope this works.
 
sergejs
MikroTik Support
Posts: 6621
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Re: DST-NAT

Thu Jun 28, 2007 2:21 pm

Use the following rule,
dstnat dst-address=172.22.1.100 protocol=tcp dst-port=22 action=dst-nat to-address=192.168.1.68 to-port=22
 
mambotech
Member Candidate
Topic Author
Posts: 112
Joined: Thu Jun 08, 2006 6:20 pm

Re: DST-NAT

Thu Jun 28, 2007 9:09 pm

Hi Sergejs

I have had this rule in all along

[admin@LB-564] ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat out-interface=WAN1 action=masquerade

1 chain=srcnat out-interface=WAN2 action=masquerade

2 chain=dstnat dst-address=172.22.2.100 protocol=tcp dst-port=22 action=dst-nat to-addresses=192.168.1.68 to-ports=22

3 chain=dstnat dst-address=172.22.1.100 protocol=tcp dst-port=22 action=dst-nat to-addresses=192.168.1.68 to-ports=22


You can test it if you like: here is the public address 81.39.91.206. See what response you get.

Thanks Mark
 
mambotech
Member Candidate
Topic Author
Posts: 112
Joined: Thu Jun 08, 2006 6:20 pm

Re: DST-NAT

Thu Jun 28, 2007 10:58 pm

Hi guys,

Found the problem... the NAT rules were correct. It looks like there is a strange issue with FreeBSD passing the login details back. I pointed the rule to another server running a version of Linux and it worked. I need to do more investigation.

Thanks for your time.

Mark
 
sergejs
MikroTik Support
Posts: 6621
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Re: DST-NAT

Fri Jun 29, 2007 9:17 am

It looks like you are running double NAT, as the dst-address of the rule is 172.22.2.100;
you have to ensure that the server before the MikroTik performs NAT functionality correctly.
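
One way to check the conclusion reached in this thread (the NAT rules were correct and the stall was on the server side), as an added example that is not from any of the posters: a Python probe, run from the outside, that reports how far the SSH transport gets through the dst-nat rule. The function name `probe_ssh`, the stage labels and the client identification string `SSH-2.0-natprobe` are assumptions made for this example.

```python
import socket
import struct

SSH_MSG_KEXINIT = 20  # first packet an SSH server sends after its banner (RFC 4253)

def _read_exact(sock, n):
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("peer closed the connection")
        data += chunk
    return data

def _read_line(sock, limit=255):
    line = b""
    while not line.endswith(b"\n") and len(line) < limit:
        line += _read_exact(sock, 1)
    return line

def probe_ssh(host, port=22, timeout=5.0):
    """Return (stage, detail) for the furthest SSH transport step reached."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return ("tcp-failed", str(exc))  # no handshake: check dst-nat and filter rules
    with sock:
        try:
            for _ in range(20):  # a server may send text lines before its banner
                banner = _read_line(sock)
                if banner.startswith(b"SSH-"):
                    break
            else:
                return ("no-banner", "no SSH identification string")
        except OSError as exc:
            return ("no-banner", str(exc))  # connected, but replies never arrive
        ident = banner.decode("ascii", "replace").strip()
        try:
            sock.sendall(b"SSH-2.0-natprobe\r\n")
            # Binary packet header: uint32 length, byte padding length, byte message type
            _length, _padding, msg = struct.unpack(">IBB", _read_exact(sock, 6))
        except OSError:
            return ("banner-only", ident)
        if msg != SSH_MSG_KEXINIT:
            return ("banner-only", ident)
        return ("kexinit", ident)  # traffic flows both ways through the NAT
```

A `kexinit` result against the public address means the dst-nat rule and the return path both work, so a session that stalls later has to be investigated on the server rather than on the router.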
