Community discussions

MikroTik App
 
kipmckay
newbie
Topic Author
Posts: 26
Joined: Tue Sep 13, 2005 9:51 pm

Nat

Fri May 25, 2007 10:14 pm

I have followed the documentation and am lost. I have 5 public ip's. I have a couple servers in house that I want to forward ports to. Can someone give me an example of how to do this in the Mikrotik. I have even resorted back to factory several times and started over. Still no go.

Thanks in advanced.

Kip
 
chiefbmr
newbie
Posts: 47
Joined: Sat Jul 17, 2004 6:22 pm
Location: USA

Re: Nat

Fri May 25, 2007 10:41 pm

Maybe you could shows us the steps you are taking. The manual is pretty straight forward on NAT. There should be some examples that would show you how to do it.
 
galaxynet
Long time Member
Long time Member
Posts: 648
Joined: Fri Dec 17, 2004 2:52 pm
Contact:

Re: Nat

Sat May 26, 2007 3:42 pm

kpmckay -
You didn't give us much info to go on, public IP / port / internal network settings...So -

A shot in the dark for you. 5 IP addresses...there is no netmask for that, i.e. /30 has 4, a /29 has 8 a /28 has 16 ip addresses - how are you getting 5?

Ip addresses aside - I am going to assume you are using winbox to interface w/your ROS

Go to Ip / Firewall / NAT. First add a new rule, dest-nat - the Public IP you want to forward ports from. Action tab - the private IP you want those forwarded ports from the Public IP to go to. Select the ports. You might also want to select the dst port on the first tab as well, i.e. port 80 for http traffic - that way no matter what port the request comes in on as long as it is destined for port 80 it will get forwarded.... Now 'kind of' the reverse for src-natting from your private IP address / port to the Public IP address / port - same as before except you select scr-nat as the function instead of dst-nat....

Thom
 
kipmckay
newbie
Topic Author
Posts: 26
Joined: Tue Sep 13, 2005 9:51 pm

Re: Nat

Sat Aug 18, 2007 2:25 am

I have setup the firewall with masquerade srcnat 10.176.80.0/20

then for one of my public ip's i setup

/ip firewall nat add chain=dstnat dst-address=xx.xx.xx.91
action=dst-nat to-addresses=10.176.88.1 to-ports=0-65000

/ip firewall nat add chain=srcnat src-address=10.176.88.1 action=src-nat to-addresses=xx.xx.xx.91

I still can not hit the machines remotely using the external address.
My internal ips are
general dhcp -10.176.90.1-10.176.91.255
servers 10.176.80.1-100
and web servers and citrix 10.176.88.1-255

internal router ip is 10.176.80.110


Any help is greatly appreciate as I have struggled with this so long I resorted to a crappsys until I get it resolved.

Kip
 
User avatar
balimore
Forum Veteran
Forum Veteran
Posts: 892
Joined: Mon Apr 10, 2006 3:38 am

Re: Nat

Sat Aug 18, 2007 3:41 am

----
Hai frens.. :wink:
maybe this will help you: http://forum.mikrotik.com/viewtopic.php ... 485#p84485

regards
Hasbullah.com
----
 
galaxynet
Long time Member
Long time Member
Posts: 648
Joined: Fri Dec 17, 2004 2:52 pm
Contact:

Re: Nat

Sat Aug 18, 2007 2:22 pm

kipmckay -
Quoting you,
/ip firewall nat add chain=dstnat dst-address=xx.xx.xx.91
action=dst-nat to-addresses=10.176.88.1 to-ports=0-65000

/ip firewall nat add chain=srcnat src-address=10.176.88.1 action=src-nat to-addresses=xx.xx.xx.91

If you get just the rule above from the terminal interface I'll give you a hand. What you have above is the command, not the rule.

Another thing - to-port (should equal)=0-65535 (not 65000)

Last thing... The rule that you are trying to add - it has to be BEFORE another rule that might match it, i.e. chain=srcnat src-address=10.176.88.0/24 action=masquerade if this rule was before the rule above (your src-nat rule) then only this masq rule would work. Rule order IS important.


And once again - there are NO subnets with 5 IP addresses - see my first reply. It would REALLY be helpful to you if you would stop being coy with your public IP addresses, get a dump of your firewall nat rules and post them here. Also a dump of your IP addresses would go a long way in solving your mystery.

It's your mystery - you want help - then give us some info to go on.

Thom
 
kipmckay
newbie
Topic Author
Posts: 26
Joined: Tue Sep 13, 2005 9:51 pm

Re: Nat

Tue Aug 21, 2007 1:35 am

Firewall NAt Dump

0 chain=srcnat src-address=10.176.80.0/20 action=masquerade

1 X chain=dstnat dst-address=xx.xx.xx.91 action=dst-nat to-addresses=10.176.88.1 to-ports=0-65535

2 X chain=srcnat src-address=10.176.88.1 action=src-nat to-addresses=xx.xx.xx.91 to-ports=0-65535

3 X chain=dstnat dst-address=xx.xx.xx.91 protocol=tcp dst-port=0-65000 action=dst-nat
to-addresses=10.176.88.1 to-ports=0-65535
(Yes I enabled them and they still did not work, also are you saying to put these rules first before the masquerade? Sorry but I have a hard time with this NAT stuff in Mikrotik.?


Ip Print (I have a .248 subnet)

# ADDRESS NETWORK BROADCAST INTERFACE
0 10.176.80.110/20 10.176.80.0 10.176.95.255 ether1
1 X xx.xx.xx.186/24 xx.xx.xx.0 xx.xx.xx.255 WAN
2 xx.xx.xx.90/24 xx.xx.xx.0 xx.xx.xx.255 WAN

Thanks

Kip
 
galaxynet
Long time Member
Long time Member
Posts: 648
Joined: Fri Dec 17, 2004 2:52 pm
Contact:

Re: Nat

Tue Aug 21, 2007 12:57 pm

kipmckay -
Yes - you'll have to change the order of your NAT rules. It is easier to do in Winbox. You simply 'grab' the rule and move it upward to the desired location or grab a rule and move it downward in the group.

If you are only trying to reach the MT from anywhere there is no need to use scr-nat. dst-nat will get you to the MT, connection tracking will make sure that you get the replys without using scr-nat.

Looking at what you provided below you only need two rules - 0 and 1. However the order should be:

0 chain=dstnat dst-address=xx.xx.xx.91 action=dst-nat to-addresses=10.176.88.1 to-ports=0-65535

1 chain=srcnat src-address=10.176.80.0/20 action=masquerade

Thom
 
kipmckay
newbie
Topic Author
Posts: 26
Joined: Tue Sep 13, 2005 9:51 pm

Re: Nat

Tue Nov 27, 2007 5:14 pm

ok I am successfully porting. Now I have a new dilemma. I want to forward only ports 4569 and 5631-5632 to an internal server. Do I have to create a new rule to do this?
 
galaxynet
Long time Member
Long time Member
Posts: 648
Joined: Fri Dec 17, 2004 2:52 pm
Contact:

Re: Nat

Tue Nov 27, 2007 5:54 pm

kipmckay -
You really need to read the manual - it will help you a lot!

In your dst-nat rule, you simply define the dst-port(s) you want dst-nat'ed. Right now you have all ports (this is default because you didn't define the dst-ports to begin with) forwarded to all ports on your server this is the "to-ports = 0-65535" in the dst-nat rule.

Thom
Thom Lawless
General Manager
RapidWiFi, LLC
thom.lawless [at] rapidwifi.com
 
kipmckay
newbie
Topic Author
Posts: 26
Joined: Tue Sep 13, 2005 9:51 pm

Re: Nat

Tue Nov 27, 2007 7:55 pm

I have read the manual several times. I am a hands on individual. The books do nothing but confuse me. I sent you a message with my printout to see if you can lead me in the right direction.
 
galaxynet
Long time Member
Long time Member
Posts: 648
Joined: Fri Dec 17, 2004 2:52 pm
Contact:

Re: Nat

Wed Nov 28, 2007 5:45 pm

Kip -
The rule looks like this in terminal mode....

chain=dstnat dst-address=xx.xx.xx.92 protocol=tcp dst-port=4569 action=dst-nat to-addresses=10.176.80.18 to-ports=4569

Use " /ip firewall nat add " before the above line - then look at in in winbox and that will show you what you need to put where in winbox...

Thom
Thom Lawless
General Manager
RapidWiFi, LLC
thom.lawless [at] rapidwifi.com

Who is online

Users browsing this forum: timotei and 32 guests