Community discussions

MikroTik App
 
PerlAmutor
just joined
Topic Author
Posts: 7
Joined: Fri Nov 02, 2012 9:48 am

NAT + Firewall

Fri Nov 02, 2012 10:07 am

As I understand packets incoming to router first processing by NAT, and then (changed) pass to firewall.
My network have rule - what is not permitted is forbidden. So when i try configure NAT using RDP from internet i get closed ports.
I add rule to firewall accept all incoming packets for port 3389 (changed by NAT from 33389 before processing through firewall), but also have
closed port. So i add second rule to firewall - pasthrough all packets from local network to internet from port 3389, and only after this i see open port 33389. This is my config:
/ip fi fi
add action=accept chain=forward comment=\
    "Allow incoming RDP connections from internet for RDPUSERS" disabled=no \
    dst-port=3389 protocol=tcp src-address-list=RDPUSERS
add action=accept chain=forward comment=\
    "Allow outgoing RDP packets from local net" disabled=no protocol=tcp \
    src-port=3389
/ip fi nat
add action=dst-nat chain=dstnat comment="RDP 192.168.1.55" disabled=no \
    dst-address=176.192.8.74 dst-port=33389 protocol=tcp src-address-list=\
    RDPUSERS to-addresses=192.168.1.55 to-ports=3389
Now when i want to forward port i need add 2 rule to firewall and 1 rule to nat. How can I configure mikrotik do this automatically for new NAT rules? Or add universal rule to firewall alllow all incoming and outgoing packets for NAT rules?
 
jandafields
Forum Guru
Forum Guru
Posts: 1514
Joined: Mon Sep 19, 2005 6:12 pm

Re: NAT + Firewall

Fri Nov 02, 2012 2:36 pm

As I understand packets incoming to router first processing by NAT, and then (changed) pass to firewall.
My network have rule - what is not permitted is forbidden. So when i try configure NAT using RDP from internet i get closed ports.
I add rule to firewall accept all incoming packets for port 3389 (changed by NAT from 33389 before processing through firewall), but also have
closed port. So i add second rule to firewall - pasthrough all packets from local network to internet from port 3389, and only after this i see open port 33389. This is my config:
/ip fi fi
add action=accept chain=forward comment=\
    "Allow incoming RDP connections from internet for RDPUSERS" disabled=no \
    dst-port=3389 protocol=tcp src-address-list=RDPUSERS
add action=accept chain=forward comment=\
    "Allow outgoing RDP packets from local net" disabled=no protocol=tcp \
    src-port=3389
/ip fi nat
add action=dst-nat chain=dstnat comment="RDP 192.168.1.55" disabled=no \
    dst-address=176.192.8.74 dst-port=33389 protocol=tcp src-address-list=\
    RDPUSERS to-addresses=192.168.1.55 to-ports=3389
Now when i want to forward port i need add 2 rule to firewall and 1 rule to nat. How can I configure mikrotik do this automatically for new NAT rules? Or add universal rule to firewall alllow all incoming and outgoing packets for NAT rules?
You can't automatically add new NAT rules, how would it know what PC to port forward to??? If you want to forward EVERYTHING to a certain PC, you can certainly do that. Just empty out the dst-port and to-port and remove the filter.

Also, you don't need the dst-address at all... unless you have multiple public IP addresses and you want to only use that one.
 
PerlAmutor
just joined
Topic Author
Posts: 7
Joined: Fri Nov 02, 2012 9:48 am

Re: NAT + Firewall

Wed Nov 07, 2012 6:10 am

May be you don't understand me. For example, I want connect to my local machine with RDP port from Internet, then I create NAT rule, but I don't want remember add next two rules to FIREWALL for accept incoming and outgoing traffic for this port, for this computer. Can this rules for firewall add automatic when I create NAT rule?
 
brandonrossl
Frequent Visitor
Frequent Visitor
Posts: 61
Joined: Wed Jun 08, 2011 10:09 pm

Re: NAT + Firewall

Wed Nov 07, 2012 6:55 pm

May be you don't understand me. For example, I want connect to my local machine with RDP port from Internet, then I create NAT rule, but I don't want remember add next two rules to FIREWALL for accept incoming and outgoing traffic for this port, for this computer. Can this rules for firewall add automatic when I create NAT rule?
Unless specifically blocked, the port forward would function as the method to turn traffic that would normally be directed towards the router into traffic directed past the router. The NAT rule is just providing the route in a not already established connection.

For instance with an xbox, nobody wil be able to connect to you if you don't have a port opened & forwarded to the xbox's IP. Your xbox can access the internet just fine, and can connect to other users, but it can't respond to unsolicited requests. If you provide a NAT rule, the request is directed to the xbox from the internet, passing through the firewall rules normally.

Quick and dirty:
NAT without forward = packet directed to router = INPUT chain rules applied
NAT with forward = packet directed across router = FORWARD chain applied
 
ditonet
Forum Veteran
Forum Veteran
Posts: 841
Joined: Mon Oct 19, 2009 12:52 am
Location: Europe/Poland/Konstancin-Jeziorna
Contact:

Re: NAT + Firewall

Thu Nov 08, 2012 12:40 am

For DST-NAT traffic (port forwarding) there is no need to add any 'accept' rule in 'forward' chain.
According to packet flow (http://wiki.mikrotik.com/wiki/Packet_Flow#Diagram)
DST-NAT takes place before 'input' and 'forward' chains.
Port forwarding works for me without these rules.

Regards,
Grzegorz | MTCNA, MTCRE, MTCSE | konsultacje MikroTik Warszawa
It is a book about a Spanish guy called Manual. You should read it. - Dilbert
 
PerlAmutor
just joined
Topic Author
Posts: 7
Joined: Fri Nov 02, 2012 9:48 am

Re: NAT + Firewall

Thu Nov 08, 2012 5:48 am

As I wrote in my LAN what is not permitted is forbidden, I block all ports, what is not have rule.
 
ditonet
Forum Veteran
Forum Veteran
Posts: 841
Joined: Mon Oct 19, 2009 12:52 am
Location: Europe/Poland/Konstancin-Jeziorna
Contact:

Re: NAT + Firewall

Thu Nov 08, 2012 10:45 am

In first post you wrote:
As I understand packets incoming to router first processing by NAT, and then (changed) pass to firewall.
and
Now when i want to forward port i need add 2 rule to firewall and 1 rule to nat.
Hence my answer, that you don't need any rules in 'forward' chain for port forwarding
and 'src-address-list=RDPUSERS' check should be in 'prerouting' chain.

Regards,
Grzegorz | MTCNA, MTCRE, MTCSE | konsultacje MikroTik Warszawa
It is a book about a Spanish guy called Manual. You should read it. - Dilbert
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8394
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: NAT + Firewall

Tue Nov 13, 2012 9:51 pm

PerlAmutor, just create filter rule to accept all established connections - it will do what you want
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

MikroTik. Your life. Your routing.

Who is online

Users browsing this forum: dmitrox, InoX and 98 guests