walvord (Topic Author)

Firewall NAT Question

Thu Apr 21, 2022 6:44 pm

With this topology:
ISP - rb4011 - rb4011 (with wifi) - other devices

I'd like to confirm that I'm on the right track. If I want to dst-nat a public address to some internal device, I believe this is the flow, but would appreciate a sanity check.

I'll need a dst-nat nat chain rule + a forward chain rule on the edge router, and then a forward chain rule on the next router? Am I on the right track?

Something like this
router 1:
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=443 in-interface=ether1 log=yes protocol=tcp to-addresses=[inside device address] to-ports=443
/ip firewall filter
add action=accept chain=forward dst-address=[inside device address] dst-port=443 in-interface=ether1 log=yes protocol=tcp

router 2:
/ip firewall filter
add action=accept chain=forward dst-address=[inside device address] dst-port=443 log=yes protocol=tcp
 
mkx

Re: Mid-High Level Firewall Question

Thu Apr 21, 2022 6:53 pm

Am I on the right track?

It's one possibility. The other one (with much simpler config on the "internal" RB4011) depends on whether you need to separate the "other devices" network from the network between the two RB4011s. In other words, what is the use case for the right-side RB4011 ... would an ethernet switch and a simple AP do the job instead, or do you actually need a router with a firewall because there are other things in the space between the RB4011s that you didn't mention?
 
walvord (Topic Author)

Re: Firewall NAT Question

Thu Apr 21, 2022 7:26 pm

Well...the short of it is that I tend to fully embrace over-engineering. I've got an rb4011 at the edge, terminating the ethernet handoff from my ISP. Then I have an rb4011 wifi model connected to the edge router. That's the extent of the family network, with a 2nd rb4011 wap waiting for me to have time to install, but otherwise that's it.

Then I have a crs326 behind the edge router also, for the port density I need for my lab (cisco collab engineer by trade). Realistically, this is what I'll want to dst-nat to, but for now I threw a raspberry pi on one of the wap ports just to get the dst-nat configs working.
 
walvord (Topic Author)

Re: Firewall NAT Question

Sat Apr 23, 2022 8:55 pm

Had a chance to work on this today, and have it working, but not sure if this is the best way (most secure, cleanest, etc) to accomplish it. Any thoughts/ideas/comments are appreciated.

First though, looking to confirm what I believe to be the case -- using dst-nat seems to bypass the other fw chains. This seems to align with https://wiki.mikrotik.com/wiki/Manual:Packet_Flow, but I'm not 100%.

topology:
router 1 (x.x.x.1/30) - (x.x.x.2/30) router 2 -- endpoint @ y.y.y.y
router 1:
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=80 in-interface=ether1 log=yes protocol=tcp to-addresses=x.x.x.2 to-ports=80

router 2:
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=x.x.x.2 dst-port=80 in-interface-list=WAN protocol=tcp to-addresses=y.y.y.y to-ports=80
 
Sob

Re: Firewall NAT Question  [SOLVED]

Sat Apr 23, 2022 9:38 pm

No, dstnat doesn't bypass any chains; it may only redirect packets that would otherwise go into the input chain to the forward chain, or the other way around (with usual port forwarding it's the former). If you don't need to add any extra rules in the forward chain, it's because you either already have a rule allowing dstnatted connections or an open firewall.
 
walvord (Topic Author)

Re: Firewall NAT Question

Sun Apr 24, 2022 4:57 pm

I'm accepting established, related, and untracked connections. When the dst-nat is hit, the firewall tracks subsequent packets under that conversation right?

Is it considered best practice to create explicit forward rules though?
 
anav

Re: Firewall NAT Question

Sun Apr 24, 2022 5:30 pm

Draw a network diagram to assist in your explanations of the requirements.
You can daisy chain port forwardings 20 times if you need to, to get to the next device.
These are all DST NAT rules, the only firewall rule needed on each device assuming they are all MT devices is
add chain=forward action=accept connection-nat-state=dstnat
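The following is an added example, not a configuration posted in this thread: a complete chained dst-nat for TCP/443 through two RouterOS devices, with the forward chain on each hop closed by an explicit drop so that the connection-nat-state=dstnat accept is actually what admits the forwarded connection (Sob's point above). The addressing is assumed for illustration only: the public address on ether1 of router 1, a transit link 10.0.0.1/30 (router 1) to 10.0.0.2/30 (router 2), and an inside host 192.168.88.10 behind router 2. It also assumes router 2 already reaches router 1 via its default route and that LAN egress is handled by the usual srcnat masquerade; if the default configuration has already created the WAN interface list, skip the two "interface list" lines on each device.

```routeros
# Added example (not from the original thread). Assumed addresses:
#   router 1 ether1 = public IP, transit 10.0.0.1/30 -> router 2 10.0.0.2/30,
#   inside host 192.168.88.10 behind router 2.

# ---------- router 1 (edge) ----------
/interface list add name=WAN
/interface list member add list=WAN interface=ether1

/ip firewall nat
# Rewrite the destination of inbound TCP/443 to router 2's transit address.
add chain=dstnat action=dst-nat protocol=tcp dst-port=443 in-interface-list=WAN \
    to-addresses=10.0.0.2 to-ports=443 comment="fwd 443 -> router 2"
# Normal LAN egress.
add chain=srcnat action=masquerade out-interface-list=WAN

/ip firewall filter
add chain=forward action=accept connection-state=established,related,untracked
add chain=forward action=drop connection-state=invalid
# The dst-natted SYN reaches the forward chain as a *new* connection;
# accept only new connections that conntrack has marked as dstnat.
add chain=forward action=accept connection-state=new connection-nat-state=dstnat \
    in-interface-list=WAN comment="allow port-forwarded connections"
# Close the chain. Without this drop the forward chain is open and forwarding
# "works" regardless of the accept rule above.
add chain=forward action=drop connection-state=new in-interface-list=WAN

# ---------- router 2 (internal) ----------
/interface list add name=WAN
/interface list member add list=WAN interface=ether1

/ip firewall nat
# Second hop: the packet now arrives with dst 10.0.0.2; send it to the host.
add chain=dstnat action=dst-nat protocol=tcp dst-port=443 dst-address=10.0.0.2 \
    in-interface-list=WAN to-addresses=192.168.88.10 to-ports=443 \
    comment="fwd 443 -> inside host"

/ip firewall filter
add chain=forward action=accept connection-state=established,related,untracked
add chain=forward action=drop connection-state=invalid
# Same idea as on router 1, narrowed to the one host and port being published.
add chain=forward action=accept connection-state=new connection-nat-state=dstnat \
    in-interface-list=WAN protocol=tcp dst-address=192.168.88.10 dst-port=443
add chain=forward action=drop connection-state=new in-interface-list=WAN
```

The reply path needs no extra rules: conntrack on router 2 rewrites the host's replies back to source 10.0.0.2, and conntrack on router 1 rewrites them back to the public address, so both hops see them as established. To confirm the dstnat accept is the rule being hit rather than an open chain, watch its counters with /ip firewall filter print stats while connecting from outside; if the counter of the final drop rule is what moves, the accept is missing or ordered after the drop. RouterOS's own default firewall expresses the same policy in one rule, drop chain=forward connection-state=new connection-nat-state=!dstnat in-interface-list=WAN, which is equivalent to the accept-then-drop pair shown here.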
 
k6ccc

Re: Firewall NAT Question

Mon Apr 25, 2022 9:38 pm

Well...the short of it is that I tend to fully embrace over-engineering. I've got an rb4011 at the edge, terminating the ethernet handoff from my ISP. Then I have an rb4011 wifi model connected to the edge router.
My opinion here is you are making your life more complicated than needed. Two simple options:
1) Eliminate the left side (in your original drawing) 4011 and use the right side 4011 as the only router.
2) Eliminate the right side 4011 and use the left side 4011 as your only router, and add an access point where it works for coverage.
Either saves you a couple hundred bucks (or since you already have the second 4011, gives you a spare).
You gain essentially nothing by having the second router.
 
walvord (Topic Author)

Re: Firewall NAT Question

Thu Apr 28, 2022 6:08 pm

Draw a network diagram to assist in your explanations of the requirements.
You can daisy chain port forwardings 20 times if you need to, to get to the next device.
These are all DST NAT rules, the only firewall rule needed on each device assuming they are all MT devices is
add chain=forward action=accept connection-nat-state=dstnat
Noted on the drawing. Interesting about that forward rule being required. I don't have that rule on either router, and it's working fine. Something for me to look into later.
My opinion here is you are making your life more complicated than needed. Two simple options:
...
I glossed over my home/work setup a bit for brevity. I work from home and have a fairly complex home lab and work-from-home setup, which I'd rather physically segregate than just VLAN off. New house, and my 2nd ISP service isn't delivered yet, but when it is, I'm completely segregating my home and work networks by adding additional components. Overkill? Absolutely. Do I care? Not in the least. I understand completely that I could collapse the edge and WAP. Like I said...I over-engineer, and I'm not ashamed of it. I also do 10gig between the edge and WAP. Is it needed? Likely not, but the theoretical throughput on the WAP is higher than 1gbps.

Appreciate the help! Think I'm all set
