Leolo
just joined
Topic Author
Posts: 20
Joined: Wed Aug 21, 2013 7:01 am

How do I intercept NAT packets from upstream router?

Tue Jan 30, 2024 6:01 pm

Hi everyone,

I don't really understand well the inner workings of NAT, and I'd like to know how to block packets coming from another router, using Mikrotik's firewall.

The setup is as follows:

There's a Huawei router that has a WAN interface connected to a fiber ONT. The WAN interface obtains a public IPv4 address not shared with anyone (it's not using CG-NAT), and a LAN interface has the IP address 192.168.92.1/24. This router is doing NAT and is also redirecting TCP port 6040 to a Windows computer located at 192.168.92.5/24.

There's also a Mikrotik hEX router with the default configuration. Ethernet 1 is WAN. Ethernet 2 to 5 form a bridge named LAN (your typical configuration designed by Mikrotik when you reset to defaults). Mikrotik's bridge has the IP address 192.168.92.2/24.

I have connected the Huawei LAN interface to Mikrotik's Ethernet 2. The Windows computer is connected to Mikrotik's Ethernet 3. (Please note that Mikrotik's Ethernet 1 is empty; I'm not connecting anything there.)

I've manually set the Windows computer to use 192.168.92.2 as the default gateway.

How can I restrict connections to TCP port 6040 on the Windows computer to originate only from specific public IP addresses?

I'm not sure where exactly this is processed in the Mikrotik (input, forward, output)??? Remember that the Mikrotik is NOT doing any NAT. The NAT is performed by the Huawei.

Unfortunately, I cannot configure the Huawei (it's configured by Spain's Movistar). I can only call them by telephone to ask them to open ports, and that's it. I cannot ask them to touch the firewall, or anything else. They will just open ports for me and that's all.
 
Leolo
just joined
Topic Author
Posts: 20
Joined: Wed Aug 21, 2013 7:01 am

Re: How do I intercept NAT packets from upstream router?

Tue Jan 30, 2024 7:23 pm

Ok, I think I've found the answer.

The trick is to open ports on the Huawei router redirected to the LAN IP address of the Mikrotik. In my case, I open TCP port 6040 to 192.168.92.2.

Then, on the Mikrotik, I add these lines:
/ip firewall address-list add address=8.8.8.8 list=my_allowed_ips
/ip firewall nat add action=dst-nat chain=dstnat dst-port=6040 protocol=tcp src-address-list=my_allowed_ips to-addresses=192.168.92.5
/ip route add disabled=no dst-address=0.0.0.0/0 gateway=192.168.92.1

IP address 8.8.8.8 is just an example. But I've tested it with my required public IPs and it seems to work fine!
 
Mesquite
Member
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: How do I intercept NAT packets from upstream router?

Thu Feb 01, 2024 4:52 am

Yes, simply port forward the ports to the IP address that the upstream router gives the Mikrotik.
That is the LAN IP of the Mikrotik from the upstream router's perspective, which is also the WAN IP from the Mikrotik user's perspective.
For a VPN service, one uses the input chain for the traffic going to the Mikrotik router and one of its services.
For servers on the LAN, you need the basic allow port forwarding rule in the forward chain and then the dst-nat rules with specifics in the NAT rule section.
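Putting Leolo's working rules and Mesquite's "forward chain plus dst-nat" advice together, here is a complete RouterOS configuration for this setup. It is an added example, not the configuration posted by either participant. It assumes the addresses from the thread (Huawei LAN 192.168.92.1, hEX bridge 192.168.92.2, Windows host 192.168.92.5, Huawei forwarding TCP/6040 to 192.168.92.2, ether1 left unused), the default hEX firewall, and constructed placeholder source addresses from the documentation ranges (203.0.113.10, 198.51.100.0/24) in place of the real allowed public IPs. Because the Huawei hands the packets to the bridge, they arrive on an interface in the LAN list, not the WAN list, so the default "drop all from WAN not DSTNATed" rule never sees them; that is why the example adds an explicit forward accept and an explicit input drop for the untranslated leftovers.

```routeros
# Added example (not the poster's config). Addresses below follow the thread;
# 203.0.113.10 and 198.51.100.0/24 are constructed placeholders for the real
# allowed public sources.

/ip firewall address-list
add list=my_allowed_ips address=203.0.113.10 comment="placeholder: remote site"
add list=my_allowed_ips address=198.51.100.0/24 comment="placeholder: allowed range"

# Default route back out through the Huawei; ether1 stays unused.
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.92.1

/ip firewall nat
# Only sources on the allow list are translated to the Windows host. A packet
# from any other source keeps 192.168.92.2 as its destination, so it is
# handled by the input chain below instead of being forwarded.
add chain=dstnat protocol=tcp dst-address=192.168.92.2 dst-port=6040 src-address-list=my_allowed_ips action=dst-nat to-addresses=192.168.92.5 comment="6040 -> Windows, allow-listed sources only"

/ip firewall filter
# Forward chain: accept the translated connections explicitly. The traffic
# enters on the bridge (LAN list), not ether1 (WAN list), so the default
# "drop all from WAN not DSTNATed" rule does not apply to it.
add chain=forward protocol=tcp dst-address=192.168.92.5 dst-port=6040 connection-nat-state=dstnat action=accept comment="allow dst-natted 6040 to Windows"

# Input chain: 6040 traffic that was not translated now targets the hEX itself.
# Drop it explicitly so a service later started on the router cannot be
# reached through the Huawei's port forward. Appending is enough: the default
# input chain only drops traffic that is not from the LAN list.
add chain=input protocol=tcp dst-port=6040 src-address-list=!my_allowed_ips action=drop comment="6040 from source not on allow list"
```

Replies from the Windows host flow back correctly because its default gateway is 192.168.92.2 (see the original post): connection tracking on the hEX reverses the dst-nat and the packet leaves via the route to 192.168.92.1. You can confirm that only allowed sources produce entries with `/ip firewall connection print where dst-address~"192.168.92.5:6040"`, and that the input drop rule's packet counter rises when a non-listed source tries the port.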
