hwtech
just joined
Topic Author
Posts: 17
Joined: Sun Jan 26, 2014 11:00 pm
Location: Firenze, Italy

exclude IP from webproxy rule

Sun Jan 26, 2014 11:29 pm

I want to add a transparent web proxy to the office subnet (192.168.200.0/24). I have 4 IPsec tunnels that I want to exclude from the web proxy (always use port 80 through the IPsec tunnels). Where should I place the NAT rule (add chain=dstnat protocol=tcp src-address=192.168.200.0/24 dst-port=80 action=redirect to-ports=8080) to exclude IPsec traffic? Or do I need to set dst-address-list=!ipsecsubnets in the NAT rule of the web proxy? (where ipsecsubnets=10.xx.xx.xx/24,192.168.100.xx/24,192.9.xx.xx/24,192.168.10.xx/24).

/ip firewall nat>
.....
16 ;;; Disable masquerade for IPSEC tunnels
chain=srcnat action=accept src-address=192.168.200.0/24 dst-address=10.xx.xx.xx/24
17 chain=srcnat action=accept src-address=192.168.200.0/24 dst-address=192.168.100.xx/24
18 chain=srcnat action=accept src-address=192.168.200.0/24 dst-address=192.9.xx.xx/24
19 chain=srcnat action=accept src-address=192.168.200.0/24 dst-address=192.168.10.xx/24

20 ;;; NAT office
chain=srcnat action=src-nat to-addresses=2.xxx.xx.xx src-address=192.168.200.0/24 out-interface=ether1-gateway

Thanks!
 
dasiu
Trainer
Posts: 232
Joined: Fri Jan 30, 2009 11:41 am
Location: Reading, UK

Re: exclude IP from webproxy rule

Mon Jan 27, 2014 9:47 am

The "dstnat" chain is TOTALLY SEPARATE from "srcnat". It means that it doesn't matter if you place it before or after the srcnat rules. When the packet enters the router, all dstnat rules (in proper order) are applied, and later - before it leaves - the srcnat rules. If you don't want the packets going to TCP port 80 of the IPSec addresses to be redirected to the proxy, then you need to exclude them, for example using "address-list=!..." or adding a second dstnat rule "accept" for them before the redirect.
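Both exclusion methods from the reply above, written out as a RouterOS configuration. This is an added example, not configuration posted in this thread: the address-list entries are placeholders for the four real IPsec remote subnets (the thread shows them only as 10.xx.xx.xx/24 etc.), the proxy port 8080 and office subnet 192.168.200.0/24 are taken from the question, and the rule comments are assumptions. Use either option 1 or option 2, not both.

```routeros
# Added example, not from the original thread.
# Placeholder remote subnets: replace with the real IPsec tunnel networks.
/ip firewall address-list
add list=ipsecsubnets address=10.0.0.0/24       comment="IPsec site A (placeholder)"
add list=ipsecsubnets address=192.168.100.0/24 comment="IPsec site B (placeholder)"
add list=ipsecsubnets address=192.9.0.0/24     comment="IPsec site C (placeholder)"
add list=ipsecsubnets address=192.168.10.0/24  comment="IPsec site D (placeholder)"

# The transparent proxy itself (listens on the port the redirect targets).
/ip proxy
set enabled=yes port=8080

# --- Option 1: single redirect rule with the address list negated ---------
# Only port-80 traffic whose destination is NOT in ipsecsubnets is redirected;
# HTTP to the tunnel subnets never matches this rule and goes through IPsec.
/ip firewall nat
add chain=dstnat protocol=tcp src-address=192.168.200.0/24 \
    dst-address-list=!ipsecsubnets dst-port=80 \
    action=redirect to-ports=8080 comment="Transparent proxy (skip IPsec subnets)"

# --- Option 2: explicit accept rule placed BEFORE the redirect -------------
# dstnat rules are evaluated top-down; "accept" stops further dstnat
# processing for the matched packet, so it must come before the redirect.
# (srcnat rules such as the masquerade exceptions are a separate chain and
#  their position relative to these rules does not matter.)
/ip firewall nat
add chain=dstnat protocol=tcp src-address=192.168.200.0/24 \
    dst-address-list=ipsecsubnets dst-port=80 \
    action=accept comment="Do not proxy HTTP to IPsec subnets"
add chain=dstnat protocol=tcp src-address=192.168.200.0/24 dst-port=80 \
    action=redirect to-ports=8080 comment="Transparent proxy"

# Check: the accept rule must appear above the redirect in the dstnat chain,
# and its packet counters should grow when a tunnel host is browsed.
/ip firewall nat print stats where chain=dstnat
```

If the redirect rule already exists and the accept rule is added later, it lands at the bottom of the chain; move it above the redirect with `place-before=` on `add` (or `/ip firewall nat move`) so the exclusion is evaluated first.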
 
hwtech
just joined
Topic Author
Posts: 17
Joined: Sun Jan 26, 2014 11:00 pm
Location: Firenze, Italy

Re: exclude IP from webproxy rule

Mon Jan 27, 2014 12:24 pm

Thanks a lot! :D
