kereru
just joined
Topic Author
Posts: 4
Joined: Sat Oct 02, 2021 1:17 am

Best way to securely host a Minecraft server at home?

Thu Dec 23, 2021 10:56 pm

As a holiday project, I told my son I'd try to get a small Minecraft server running at home on an old laptop for him and a few friends. What I would like to do is to have the server completely isolated from the rest of our local network, so that any security failures are limited to the old laptop. In other words, even when he is playing on our local network, I want his game to have to connect to the server via the internet rather than locally.

Essentially, I'd like to remove one port on the router from the local network bridge and plug the old laptop directly into that port, giving it access to the internet only. I'll then need to forward port 25565 to the old laptop. If I'm understanding correctly, this is possible without needing to mess around with VLANs.

Is anyone able to tell me what changes to the configuration below would be needed to accomplish this? Also, are there any other security implications I ought to consider before going ahead? It's all a little outside my comfort zone, but I figure it would be a good chance to learn a few new tricks...
# dec/24/2021 09:24:05 by RouterOS 6.48.6
# software id = FX2N-77JL
#
# model = 951G-2HnD
# serial number = REMOVED
/interface bridge
add admin-mac=E4:8D:8C:DC:AB:38 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=0 band=2ghz-g/n country="new zealand" distance=indoors installation=indoor mode=ap-bridge ssid=xxxxxxx station-roaming=enabled wireless-protocol=802.11 wps-mode=disabled
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 service-name=Bigpipe use-peer-dns=yes user=user@xtra.co.nz
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=192.168.88.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
REMOVED
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=pppoe-out1 type=external
/system clock
set time-zone-name=Pacific/Auckland
/system package update
set channel=long-term
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
 
anav
Forum Guru
Posts: 19363
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Best way to securely host a Minecraft server at home?

Fri Dec 24, 2021 3:11 pm

Okay, one way to achieve your goals is this path.
Start by having a safer place to change settings (aka not being on the bridge while making bridge settings changes).

Remove ether4 from the Bridge Port settings
Rename it to ether4-mine
Create a separate subnet attached to ether4-mine
Create an address for it
IP address 192.168.50.1/24 network 192.168.50.0 with interface ether4-mine
Create an IP pool, let's say 192.168.50.2-192.168.50.5, a DHCP server and a DHCP server network

Lastly ensure that the new subnet is part of the interface list LAN
/interface list member
add interface=ether4-mine list=LAN
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Since the subnet is different from the main subnet and it's off the bridge, you are separated at L2.
With a subtle change to the forward chain firewall rules, the new subnet will be isolated from the rest of the network.
Take the last rule in the Forward Chain and we are going to make some changes...
FROM
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
TO
add action=accept chain=forward comment="allow internet access" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="drop all else"

Now ether4-mine cannot reach the bridge, and the bridge cannot reach ether4-mine, at Layer 3.
If you want a single IP to be able to connect to the server locally via its LAN IP, then you would add a rule just BEFORE the drop rule:
add action=accept chain=forward in-interface=bridge dst-address=IPofMinecraftServer src-address=IPofSonsPC

Which translates to, for traffic coming from the bridge, and specifically your sons computer please connect that to the minecraft server at the local address (dst...)
++++++++++++++++++++++++++++++++++++++++++

So we have created another subnet, added it to the LAN and then modified the firewall rules to ensure all traffic is stopped (by the last rule); then, above that, we added in the rules required to allow the traffic you want: internet traffic, port-forwarded traffic, and one person to access the new subnet.

What's left:
a. DST NAT rule (to detail the port forwarding)
b. Change the input rules slightly, because we don't want the minecraft server or that subnet to have full access to the router on the input chain.

a. add chain=dstnat action=dst-nat dst-port=25565 protocol=tcp in-interface-list=WAN to-addresses=IPofminecraftserver (note: to-ports is not needed if it is the same as dst-port)

b. Harder nut to crack, since the entire LAN normally needs access to the router for at least DNS.

So at the bottom of the input chain add these 3 rules and remove one
FROM
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
TO
add chain=input action=accept in-interface=bridge
add action=accept chain=input comment="Allow ether4-mine DNS queries - UDP" \
connection-state=new dst-port=53 in-interface=ether4-mine protocol=udp
add action=accept chain=input comment="Allow ether4-mine DNS queries - TCP" \
connection-state=new dst-port=53 in-interface=ether4-mine protocol=tcp

Now you have allowed main LAN users to access DNS services and the admin to access the router,
and you have allowed the new subnet to make DNS queries to the router but not to have full access.
Later you may wish to consider giving only you, the admin, full access to the router, and all other users on the bridge only access to DNS services.

The last step here is to block all other traffic in the input chain, so add at the bottom of the input chain:
add chain=input action=drop comment="drop all else"

DONE.

Finesse points.
1. You should only allow known addresses to access the server (for better security).
a. get the WAN IP addresses of all those requiring access that have FIXED/STATIC WAN IPs
b. for those that don't, get their dyndns URL, which the MT router will resolve to an IP address.
Hint: there are many sites that will provide FREE dyndns URLs to keep a dynamic IP updated, and thus there are no excuses for not providing them.

This way you control who joins, by access list:
a. add chain=dstnat action=dst-nat dst-port=25565 protocol=tcp in-interface-list=WAN to-addresses=IPofminecraftserver src-address-list=authorizedusers

where authorizedusers is a firewall address list you maintain:

/ip firewall address-list
add address=fixedwanipFriendA list=authorizedusers
add address=fixedwanipFriendB list=authorizedusers
add address=fixedwanipFriendC list=authorizedusers
add address=dyndnsURL(FriendD) list=authorizedusers
add address=dyndnsURL(FriendE) list=authorizedusers
add address=dyndnsURL(FriendF) list=authorizedusers
etc.

Last point: turn UPnP off, it shouldn't be required for anything.
Last edited by anav on Sun Dec 26, 2021 5:41 pm, edited 1 time in total.
 
Moba
Member Candidate
Posts: 211
Joined: Sun Sep 27, 2020 6:15 pm

Re: Best way to securely host a Minecraft server at home?

Sat Dec 25, 2021 12:58 am

Once you have isolated your server from the rest of the network, you might consider additional DDoS protection:

https://tcpshield.com/
 
kereru
just joined
Topic Author
Posts: 4
Joined: Sat Oct 02, 2021 1:17 am

Re: Best way to securely host a Minecraft server at home?

Sun Dec 26, 2021 9:56 am

Thank you for that very comprehensive reply - that was a lot different from what I had been contemplating. I've learned a lot from your comments alongside the commands too. I'll sit down and have a go at applying everything once Boxing Day is out of the way!
 
kereru
just joined
Topic Author
Posts: 4
Joined: Sat Oct 02, 2021 1:17 am

Re: Best way to securely host a Minecraft server at home?

Mon Dec 27, 2021 6:31 am

Well, after a couple of hours fiddling around, I'm pretty sure I have managed to do something stupid or miss a vital step. I have the server getting assigned an IP address in the new pool, but it doesn't seem to have any access to the internet at all (e.g. running 'sudo apt update' errors out) and I can't connect to the minecraft server when it is running.
I've posted my current router config below - is anyone able to see where I'm going wrong?
# dec/27/2021 17:20:10 by RouterOS 6.48.6
# software id = FX2N-77JL
#
# model = 951G-2HnD
# serial number = REMOVED
/interface bridge
add admin-mac=REMOVED auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=0 band=2ghz-g/n country="new zealand" distance=indoors installation=indoor mode=ap-bridge ssid=REMOVED station-roaming=enabled wireless-protocol=802.11 \
    wps-mode=disabled
/interface ethernet
set [ find default-name=ether5 ] name=ether5-minecraft
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 service-name=Bigpipe use-peer-dns=yes user=user@xtra.co.nz
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add comment=minecraft name=minecraft ranges=192.168.50.2-192.168.50.5
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
add address-pool=minecraft disabled=no interface=ether5-minecraft name=minecraft
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
add interface=ether5-minecraft list=LAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=192.168.88.0
add address=192.168.50.1/24 comment="Separate network for minecraft" interface=ether5-minecraft network=192.168.50.0
/ip dhcp-client
add comment=defconf interface=ether1
add disabled=no interface=ether5-minecraft
/ip dhcp-server lease
REMOVED
add address=192.168.88.136 comment="Upstairs desktop" mac-address=REMOVED server=defconf
REMOVED
add address=192.168.50.2 client-id=ff:e:12:91:38:0:1:0:1:29:5b:a7:c8:3c:97:e:12:91:38 mac-address=3C:97:0E:12:91:38 server=minecraft
/ip dhcp-server network
add address=192.168.50.0/24 gateway=192.168.88.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input in-interface=bridge
add action=accept chain=input comment="Allow ether5-minecraft DNS queries-UDP" connection-state=new dst-port=53 in-interface=ether5-minecraft protocol=udp
add action=accept chain=input comment="Allow ether5-minecraft DNS queries-TCP" connection-state=new dst-port=53 in-interface=ether5-minecraft protocol=tcp
add action=drop chain=input comment="drop all else"
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new disabled=yes in-interface-list=WAN
add action=accept chain=forward comment="allow internet access" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=25565 in-interface-list=WAN protocol=tcp to-addresses=192.168.50.2
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/ip upnp interfaces
add interface=bridge type=internal
add interface=pppoe-out1 type=external
/system clock
set time-zone-name=Pacific/Auckland
/system package update
set channel=long-term
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
 
kereru
just joined
Topic Author
Posts: 4
Joined: Sat Oct 02, 2021 1:17 am

Re: Best way to securely host a Minecraft server at home?

Mon Dec 27, 2021 1:01 pm

And after staring at things for another hour I realised that I had accidentally re-enabled one of the default firewall rules - 'drop all from WAN not DSTNATed', which was clearly not a good idea...

Current config below lets me connect to the minecraft server from the 192.168.88.136 address I've allowed in the firewall. I'll ask one of my son's friends to try connecting from outside our local network tomorrow. If I understand correctly, testing the connection via our external IP won't work from within our local network unless hairpin NAT is enabled?

# dec/27/2021 23:52:02 by RouterOS 6.48.6
# software id = FX2N-77JL
#
# model = 951G-2HnD
# serial number = REMOVED
/interface bridge
add admin-mac=REMOVED auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=0 band=2ghz-g/n country="new zealand" distance=indoors installation=indoor mode=ap-bridge ssid=REMOVED station-roaming=enabled wireless-protocol=802.11 \
    wps-mode=disabled
/interface ethernet
set [ find default-name=ether5 ] name=ether5-minecraft
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 service-name=Bigpipe use-peer-dns=yes user=user@xtra.co.nz
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add comment=minecraft name=minecraft ranges=192.168.50.2-192.168.50.5
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
add address-pool=minecraft disabled=no interface=ether5-minecraft name=minecraft
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
add interface=ether5-minecraft list=LAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=192.168.88.0
add address=192.168.50.1/24 comment="Separate network for minecraft" interface=ether5-minecraft network=192.168.50.0
/ip dhcp-client
add comment=defconf interface=ether1
add disabled=no interface=ether5-minecraft
/ip dhcp-server lease
REMOVED
add address=192.168.88.136 comment="Upstairs desktop" mac-address=6C:62:6D:E9:95:2D server=defconf
REMOVED
add address=192.168.50.2 client-id=ff:e:12:91:38:0:1:0:1:29:5b:a7:c8:3c:97:e:12:91:38 mac-address=3C:97:0E:12:91:38 server=minecraft
/ip dhcp-server network
add address=192.168.50.0/24 gateway=192.168.50.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input in-interface=bridge
add action=accept chain=input comment="Allow ether5-minecraft DNS queries-UDP" connection-state=new dst-port=53 in-interface=ether5-minecraft protocol=udp
add action=accept chain=input comment="Allow ether5-minecraft DNS queries-TCP" connection-state=new dst-port=53 in-interface=ether5-minecraft protocol=tcp
add action=drop chain=input comment="drop all else"
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=accept chain=forward comment="Allow this IP access to minecraft server" dst-address=192.168.50.2 in-interface=bridge src-address=192.168.88.136
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new disabled=yes in-interface-list=WAN
add action=accept chain=forward comment="allow internet access" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=25565 in-interface-list=WAN protocol=tcp to-addresses=192.168.50.2 to-ports=25565
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/ip upnp interfaces
add interface=bridge type=internal
add interface=pppoe-out1 type=external
/system clock
set time-zone-name=Pacific/Auckland
/system package update
set channel=long-term
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
 
anav
Forum Guru
Posts: 19363
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Best way to securely host a Minecraft server at home?

Mon Dec 27, 2021 3:59 pm

That is correct, depending. If you have the server and users on the same subnet and want those users to access the server by the public WAN IP and not by a direct LAN IP connection, then hairpin NAT considerations have to be made, and at that point, for dynamic WAN IPs, some additional dst-nat rule modifications have to be considered.

However, in your case the LAN users are on 192.168.88.x while the minecraft server is on 192.168.50.x, and thus hairpin will not be required.
However, with a dynamic WAN IP the construction of your dst-nat rules needs to be reviewed.

(1) First observation is that this rule can be removed; it was a default rule that served its purpose as a starting point but is no longer valid.
We have taken a blanket access-to-the-router rule for the LAN and changed it so that only the trusted LAN has access (and not the minecraft server),
whilst providing the minecraft subnet access to DNS services (the only ones required) and then dropping everything else remaining, including WAN-to-router and any other LAN-to-router traffic.

Further, this rule should be viewed as redundant. Why? Because no traffic will ever hit it, as the drop-all before it captures any remaining traffic:
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN

(2) I see that you have allowed one LAN IP address to reach the minecraft server, and I am assuming that is for a player to directly access the server via its LAN IP address??

(3) Yes, as you surmised, the following default rule, good to start with, is no longer relevant and should be removed. We specifically allow only the LAN-to-LAN and LAN-to-WAN traffic desired and then, by using the last drop rule, drop all other traffic. Then we have a requirement to allow WAN-to-LAN for dst-nat (port forwarding) traffic and put the necessary rule just prior to the drop-all rule. Thus the rule below is not required; it basically attempts to allow dst-nat traffic from the WAN but drops all other WAN traffic:
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new disabled=yes in-interface-list=WAN

(4) OKAY AND NOW FOR THE MAIN COURSE.

a. The proper format for dst-nat rules is found below. It basically says that for any dst-nat traffic headed towards the WAN IP with a specific dst-port etc., send it to the LAN subnet address so contained. You will note that this is very good for FIXED/STATIC WAN IPs.
add action=dst-nat chain=dstnat dst-address=WANIP dst-port=xxxxx protocol=tcp to-addresses=192.168.50.2 (to-ports only required for port translation)

b. What happens if the WAN IP is dynamic? Clearly putting in the current WAN IP under dst-address will work, but as soon as the WAN IP changes you will have to change the rule, and most people want to make firewall rules that stick (and not have to monkey with them all the time). The solution for the general case of a dynamic WAN IP for EXTERNAL users incoming to a server on the LAN is to describe the traffic as in-interface-list=WAN (or in-interface=pppoe-out1). This works for traffic coming from the internet, which is a very normal scenario, but you can see it completely misses traffic going to the WAN IP from inside the router, if one wants internal users to also access the server via the WAN IP. Therefore we have to MIMIC dst-address=wanip for the dynamic case.

NOTE: this is regardless of hairpin NAT or not, so any time you have a dynamic WAN IP and want both external and internal users to access the server, you have to adjust the dst-nat rules accordingly. Hairpin NAT comes into play only if the users and servers ARE ALSO ON THE SAME subnet.

One of the easiest methods is simply to use your IP cloud address and input that as a firewall address list item:
/ip firewall address-list
add address=ipcloudname list=DYNAMICWANIP
and the standard rule becomes:
add action=dst-nat chain=dstnat dst-address-list=DYNAMICWANIP dst-port=25565 protocol=tcp to-addresses=192.168.50.2

For other methods and a fuller discussion of this tactic, see
Section 1B (i), (ii), (iii)
viewtopic.php?t=179343#p885249
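The isolation policy laid out in anav's two replies (the rewritten forward and input chains, the dst-nat rule restricted to an address list, and the point that in-interface-list=WAN never matches an internal host talking to the WAN IP) is easy to get subtly wrong, as the thread shows. Below is an added example, not code from the original posts or from MikroTik, that re-implements a simplified version of RouterOS firewall semantics (rules evaluated top down, first match wins, a chain with no matching rule accepts) and runs the thread's final rule set against constructed sample flows. The public WAN IP 203.0.113.200 and the addresses in the authorizedusers list are made up; fasttrack is treated as a plain accept and the default IPsec rules are left out.

```python
"""Offline check of the Minecraft-server isolation policy from the thread.
Added example; a simplified model of RouterOS filter/NAT evaluation,
not RouterOS itself.  WAN IP and friend addresses are constructed."""
import ipaddress
from dataclasses import dataclass

IFACE_LISTS = {"LAN": {"bridge", "ether5-minecraft"}, "WAN": {"ether1", "pppoe-out1"}}
ROUTES = [("192.168.88.0/24", "bridge"), ("192.168.50.0/24", "ether5-minecraft")]
MINECRAFT = "192.168.50.2"
WANIP = "203.0.113.200"                                  # hypothetical public address
ROUTER_IPS = {"192.168.88.1", "192.168.50.1", WANIP}     # addresses owned by the router
ADDRESS_LISTS = {"authorizedusers": ["203.0.113.10", "198.51.100.0/24"]}  # constructed


def route(dst):
    """Egress interface as the routing table would pick it (default via PPPoE)."""
    for net, iface in ROUTES:
        if ipaddress.ip_address(dst) in ipaddress.ip_network(net):
            return iface
    return "pppoe-out1"


@dataclass
class Packet:
    in_iface: str
    src: str
    dst: str
    proto: str = "tcp"
    dst_port: int = 0
    conn_state: str = "new"
    nat_state: str = ""      # becomes "dstnat" once a dst-nat rule rewrote dst


def matches(m, pkt):
    """Every matcher in m (named after the RouterOS matchers) must hold."""
    tests = {
        "in_iface": lambda v: pkt.in_iface == v,
        "in_iface_list": lambda v: pkt.in_iface in IFACE_LISTS[v],
        "out_iface_list": lambda v: route(pkt.dst) in IFACE_LISTS[v],
        "src": lambda v: pkt.src == v,
        "dst": lambda v: pkt.dst == v,
        "src_address_list": lambda v: any(
            ipaddress.ip_address(pkt.src) in ipaddress.ip_network(n) for n in ADDRESS_LISTS[v]),
        "proto": lambda v: pkt.proto == v,
        "dst_port": lambda v: pkt.dst_port == v,
        "conn_state": lambda v: pkt.conn_state in v,
        "nat_state": lambda v: pkt.nat_state == v,
    }
    return all(tests[k](v) for k, v in m.items())


# chain input: the trusted bridge gets full access, the server subnet only DNS
INPUT = [
    ("accept", {"conn_state": ("established", "related", "untracked")}),
    ("drop",   {"conn_state": ("invalid",)}),
    ("accept", {"proto": "icmp"}),
    ("accept", {"in_iface": "bridge"}),
    ("accept", {"in_iface": "ether5-minecraft", "proto": "udp", "dst_port": 53}),
    ("accept", {"in_iface": "ether5-minecraft", "proto": "tcp", "dst_port": 53}),
    ("drop",   {}),                                                   # drop all else
]
# chain forward: LAN->WAN, port-forwarded WAN traffic, and one desktop to the server
FORWARD = [
    ("accept", {"conn_state": ("established", "related", "untracked")}),   # fasttrack + accept
    ("accept", {"in_iface": "bridge", "src": "192.168.88.136", "dst": MINECRAFT}),
    ("drop",   {"conn_state": ("invalid",)}),
    ("accept", {"in_iface_list": "LAN", "out_iface_list": "WAN"}),
    ("accept", {"in_iface_list": "WAN", "nat_state": "dstnat", "conn_state": ("new",)}),
    ("drop",   {}),                                                   # drop all else
]
# chain dstnat: the port forward, limited to the authorised address list
DSTNAT = [({"in_iface_list": "WAN", "proto": "tcp", "dst_port": 25565,
            "src_address_list": "authorizedusers"}, MINECRAFT)]


def verdict(pkt):
    """dstnat runs first (prerouting), then input if the packet is addressed
    to the router itself, otherwise forward.  Returns e.g. 'forward:accept'."""
    for m, to_addr in DSTNAT:
        if pkt.conn_state == "new" and matches(m, pkt):
            pkt.dst, pkt.nat_state = to_addr, "dstnat"
            break
    chain, rules = ("input", INPUT) if pkt.dst in ROUTER_IPS else ("forward", FORWARD)
    for action, m in rules:
        if matches(m, pkt):
            return f"{chain}:{action}"
    return f"{chain}:accept"          # RouterOS accepts when no rule in the chain matched


def check_all():
    """Constructed sample flows and what the policy does with each of them."""
    cases = {
        "minecraft->lan":           Packet("ether5-minecraft", MINECRAFT, "192.168.88.136", dst_port=445),
        "desktop->minecraft":       Packet("bridge", "192.168.88.136", MINECRAFT, dst_port=25565),
        "other-lan->minecraft":     Packet("bridge", "192.168.88.20", MINECRAFT, dst_port=25565),
        "minecraft->internet":      Packet("ether5-minecraft", MINECRAFT, "192.0.2.10", dst_port=443),
        "minecraft->router-dns":    Packet("ether5-minecraft", MINECRAFT, "192.168.50.1", proto="udp", dst_port=53),
        "minecraft->router-winbox": Packet("ether5-minecraft", MINECRAFT, "192.168.50.1", dst_port=8291),
        "friend->wanip:25565":      Packet("pppoe-out1", "203.0.113.10", WANIP, dst_port=25565),
        "stranger->wanip:25565":    Packet("pppoe-out1", "192.0.2.77", WANIP, dst_port=25565),
        "friend->wanip:22":         Packet("pppoe-out1", "203.0.113.10", WANIP, dst_port=22),
        # a LAN host hitting the WAN IP never matches in-interface-list=WAN, so it
        # lands on the router's input chain instead of being forwarded to the server
        "desktop->wanip:25565":     Packet("bridge", "192.168.88.136", WANIP, dst_port=25565),
    }
    return {name: verdict(pkt) for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, result in check_all().items():
        print(f"{name:28s} {result}")
```

Running it shows the server subnet dropped on its way to the bridge, the single desktop accepted, the server reaching the internet and the router's DNS only, the forward accepted for a listed friend and dropped for everyone else, and the desktop-to-WAN-IP case ending on the router's input chain rather than at the server, which is the gap the dst-address-list=DYNAMICWANIP variant closes. Add a case before changing a rule on the real router and you have a cheap regression check for the policy.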
