I got my hands on an 1100AHx2 (RouterOS 6.47) after the company I work for replaced it (I'm not working in the IT department, but they know I'm interested in it and let me "play" with some of the devices; it's just self-learning), but the IT guy is not the "sit down and explain it" type of guy.
They left the configuration on the device, and I'm currently trying to understand the /IP FIREWALL NAT rules.
There are a lot of rules on the device, and I do not understand all of them; can you explain them? (These are not the real IPs, VLAN names or interface names.)
First the network:
- ethernet1: internet access with public address 50.50.50.3
- ethernet2: (vlan) DEV 192.168.0.0/24 (router address .254)
- ethernet3: (vlan) SERVER 192.168.2.0/24
1. Example: does this mean everything from the src-address private IP changes to the "to-addresses" private IP? Access to the internet?
action    chain    src-address      to-addresses
src-nat   srcnat   192.168.0.0/24   50.50.50.3
Something like this? Because the server can be found on a different ethernet, it needs a NAT. The PC on the LAN thinks this server can be found on the private address 50.50.50.2?
a) PC with 192.168.0.10 sends a packet to 50.50.50.2 with port 666
b) Router changes the 192.168.0.10 to 192.168.0.254 (its own IP address)
c) Router changes the 50.50.50.2 to 192.168.0.200
d) SERVER replies with SRC: 192.168.0.200 and DST: 192.168.0.254
e) Router changes the SRC to 50.50.50.2 and the DST to 192.168.0.10
Is this correct?
action       chain    src-address      dst-address     to-addresses   dst-port
masquerade   srcnat   192.168.0.0/24   192.168.0.200                  666
action    chain    src-address   dst-address   to-addresses    dst-port
dst-nat   dstnat                 50.50.50.3    192.168.0.200   666
4. Example: does this mean that when an incoming connection request from 79.79.79.79 with port 666 and destination address 50.50.50.3 arrives, the dst address is changed to the "to-addresses"?
action    chain    src-address   dst-address   to-addresses    dst-port
dst-nat   dstnat   79.79.79.79   50.50.50.3    192.168.0.200   666
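As an added example (not from the post and not MikroTik's code), a small Python model of how RouterOS walks the rules quoted above: the dstnat chain is consulted before the routing decision, the srcnat chain after it, and within a chain the first matching rule wins. The rules are modeled exactly as quoted, with no interface matchers; their relative order, the address masquerade picks, and the outside address 203.0.113.7 are assumptions.

```python
import ipaddress
from dataclasses import dataclass, replace
def in_net(addr, net):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int

@dataclass(frozen=True)
class Rule:
    chain: str          # "dstnat" (checked before routing) or "srcnat" (after routing)
    action: str         # "dst-nat", "src-nat" or "masquerade"
    src: str = None     # src-address matcher (host or network); None = any
    dst: str = None     # dst-address matcher
    dport: int = None   # dst-port matcher
    to: str = None      # to-addresses; masquerade uses the egress interface address instead

    def matches(self, p):
        return ((self.src is None or in_net(p.src, self.src)) and (self.dst is None or in_net(p.dst, self.dst))
                and (self.dport is None or p.dport == self.dport))

# Router addresses from the post: .254 on the DEV vlan, the public address on ethernet1 (assumed egress).
LAN_NET, LAN_ADDR, WAN_ADDR = "192.168.0.0/24", "192.168.0.254", "50.50.50.3"

# The rules quoted in the post. Their order is an assumption: a chain stops at the first matching
# rule, so the specific hairpin masquerade rule is placed before the catch-all src-nat rule.
RULES = [
    Rule("dstnat", "dst-nat", src="79.79.79.79", dst="50.50.50.3", dport=666, to="192.168.0.200"),
    Rule("dstnat", "dst-nat", dst="50.50.50.3", dport=666, to="192.168.0.200"),
    Rule("srcnat", "masquerade", src="192.168.0.0/24", dst="192.168.0.200", dport=666),
    Rule("srcnat", "src-nat", src="192.168.0.0/24", to="50.50.50.3"),
]

def apply_chain(chain, p):  # first matching rule rewrites the packet and ends the walk
    for r in RULES:
        if r.chain == chain and r.matches(p):
            if r.action == "dst-nat":
                return replace(p, dst=r.to), r.action
            if r.action == "src-nat":
                return replace(p, src=r.to), r.action
            # masquerade: the router's own address on the subnet the packet leaves on
            return replace(p, src=LAN_ADDR if in_net(p.dst, LAN_NET) else WAN_ADDR), r.action
    return p, None

def nat(p):
    """RouterOS order: dstnat chain before the routing decision, srcnat chain after it."""
    p, d = apply_chain("dstnat", p)
    p, s = apply_chain("srcnat", p)
    return p, d, s
```

Running nat() on a LAN packet to 50.50.50.3:666 shows both a dst-nat and a masquerade rewrite (the hairpin case), while a LAN packet to an outside address is only src-natted.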