Hi,
3 nic: lan, wan and dmz.
I want connect a server in dmz (internal ip 10.10.224.10) with external 200.200.200.107
I do these steps:
# setup lan
/ip address add address=10.10.0.2/20 interface=lan
# setup wan
/ip address add address=200.200.200.106/29 interface=wan
# setup default gateway
/ip route add gateway=200.200.200.105
# define nat for wan
/ip firewall nat add chain=srcnat action=masquerade out-interface=wan
# here all lan' clients browse the web
# setup dmz
/ip address add address=10.10.224.1/20 interface=dmz
/ip address add address=200.200.200.107/32 interface=wan
/ip firewall nat add chain=dstnat dst-address=200.200.200.107 \
action=dst-nat to-addresses=10.10.224.10
/ip firewall nat add chain=srcnat src-address=10.10.224.10 \
action=src-nat to-addresses=200.200.200.107
But:
- the server can ping internet
- the server is reached from lan
- the server can't be reached (pinged or telnet) from internet
May you help me?
Thanks in advance
v.
-
-
andrewluck
Forum Veteran
- Posts: 700
- Joined:
- Location: Norfolk, UK
Re: Where is my mistake?
Code: Select all
/ip address add address=200.200.200.107/32 interface=wanRegards
Andrew
Re: Where is my mistake?
drzen -
Actually you don't need to add this to your WAN interface at all:
Thom
Actually you don't need to add this to your WAN interface at all:
Your dst and scr NAT rules (if placed correctly in the firewall) will cause the server you have to answer as expected./ip address add address=200.200.200.107/32 interface=wan
Thom
Re: Where is my mistake?
ok. I do the correct address.
/ip address add address=200.200.200.107/29 interface=wan2
(in my case the interface name is wan2)
but no result. Take a look of picture.
v.
/ip address add address=200.200.200.107/29 interface=wan2
(in my case the interface name is wan2)
but no result. Take a look of picture.
v.
You do not have the required permissions to view the files attached to this post.
Re: Where is my mistake?
drzen -
Go in to terminal mode (you can do this in Winbox - new terminal).
Type this in and press return: /ip firewall nat print
Your output should look like this for your dst-nat rule:
chain=dstnat dst-address=200.200.200.107 action=dst-nat to-addresses=10.10.224.10
to-ports=0-65535
Post that here.
The order of your rules should also be changed. Dst-nat first, then the src-nat and then last should be your masq rule. Use Winbox, left click and hold mouse button on the masq rule, then drag it to the bottom. That should get your rule order correct.
Thom
Go in to terminal mode (you can do this in Winbox - new terminal).
Type this in and press return: /ip firewall nat print
Your output should look like this for your dst-nat rule:
chain=dstnat dst-address=200.200.200.107 action=dst-nat to-addresses=10.10.224.10
to-ports=0-65535
Post that here.
This IP address does NOT need to be put on any interface - your MT will see this come to it and will dst-nat it to the correct 'internal' IP address. This provided of course that 200.200.200.xx/29 is routed to your WAN2 interface by your upstream router (or by your upstream connectivity provider's router...)/ip address add address=200.200.200.107/29 interface=wan2
The order of your rules should also be changed. Dst-nat first, then the src-nat and then last should be your masq rule. Use Winbox, left click and hold mouse button on the masq rule, then drag it to the bottom. That should get your rule order correct.
Thom