
 
antsh
just joined
Topic Author
Posts: 16
Joined: Sat Apr 02, 2011 8:08 pm

Port forwarding with dynamic WAN IP

Sat Apr 02, 2011 8:40 pm

I have a 450G running 5.0 and my internet service provides a dynamic IP. I also have several ports forwarded to an internal computer. My question is how do I go about setting these up so they don't get messed up every time my WAN IP changes? I read through the wiki, and it states you have to specify a dst-address. I can do this for the IP I have right now, but what happens when it changes? Do I have to go through every rule and update it? Am I missing something very simple?
 
fewi
Forum Guru
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: Port forwarding with dynamic WAN IP

Sat Apr 02, 2011 10:31 pm

Remove the dst-address and add in-interface=wan, replacing wan with your ISP facing interface name.
Specific answers require specific questions. When in doubt, post the output of "/ip address print detail", "/ip route print detail", "/interface print detail", "/ip firewall export", and an accurate network diagram.
 
antsh
just joined
Topic Author
Posts: 16
Joined: Sat Apr 02, 2011 8:08 pm

Re: Port forwarding with dynamic WAN IP

Sat Apr 02, 2011 10:38 pm

Perfect, thank you.
 
netme
just joined
Posts: 8
Joined: Wed Aug 11, 2010 11:23 pm

Re: Port forwarding with dynamic WAN IP

Fri Jul 08, 2011 3:00 am

Remove the dst-address and add in-interface=wan, replacing wan with your ISP facing interface name.
Don't know why, but this doesn't work for me.
I'm a novice in MikroTik OS and it's hard to find a ready-made solution for dynamic IP redirection and the other one hundred questions about MikroTik OS.
Today I experimentally tried modifying the command above and found that it works only when I:
remove the dst-address and add dst-address-list (name from firewall address-list)

So the next step was how to put the actual IP address from the WAN interface into the firewall address-list.
I use the DynDns.com service and a script which renews my domain's IP address.
So I started working out how to modify the script.
And here is the solution:
# Set needed variables
:local username "user"
:local password "password"
:local hostname "mydomain_in_dyndns.net"
:global systemname [/system identity get name]

# pick the hostname that belongs to this router (no space between do= and the opening brace)
:if ($systemname = "Site1") do={
:set hostname "mydomain_in_dyndns.net"
}
:if ($systemname = "Site2") do={
:set hostname "mydomain1_in_dyndns.net"
}
:if ($systemname = "Site3") do={
:set hostname "mydomain2_in_dyndns.net"
}

:global dyndnsForce
:global previousIP

# print some debug info (the password is not written to the log,
#  where anyone with access to the log could read it)
:log info ("UpdateDynDNS: username = $username")
:log info ("UpdateDynDNS: hostname = $hostname")
:log info ("UpdateDynDNS: previousIP = $previousIP")

# get the current IP address from the internet (in case of double-nat)
/tool fetch mode=http address="checkip.dyndns.org" src-path="/" dst-path="/dyndns.checkip.html"
:local result [/file get dyndns.checkip.html contents]

# parse the current IP result
:local resultLen [:len $result]
:local startLoc [:find $result ": " -1]
:set startLoc ($startLoc + 2)
:local endLoc [:find $result "</body>" -1]
:local currentIP [:pick $result $startLoc $endLoc]
:log info "UpdateDynDNS: currentIP = $currentIP"

# Remove the # on next line to force an update every single time - useful for debugging,
#  but you could end up getting blacklisted by DynDNS!

#:set dyndnsForce true

# Determine if dyndns update is needed
# more dyndns updater request details available at http://www.dyndns.com/developers/specs/syntax.html
:if (($currentIP != $previousIP) || ($dyndnsForce = true)) do={
    :set dyndnsForce false
    :set previousIP $currentIP
    # note: mode=http sends the DynDNS username and password unencrypted
    /tool fetch user=$username password=$password mode=http address="members.dyndns.org" \
       src-path="/nic/update?hostname=$hostname&myip=$currentIP" dst-path="/dyndns.txt"
    :local result [/file get dyndns.txt contents]
    :log info ("UpdateDynDNS: Dyndns update needed")
    :log info ("UpdateDynDNS: Dyndns Update Result: ".$result)
    :put ("Dyndns Update Result: ".$result)
    # Erase the old entry from the firewall address list
    /ip firewall address-list
    :foreach i in=[find list="current_IP"] do={ remove $i }
    # Add the new address to the list
    /ip firewall address-list add address=$currentIP list=current_IP
} else={
    :log info ("UpdateDynDNS: No dyndns update needed")
}
This script updates the DynDNS domain and, after the code modification, now also puts the actual IP address into the firewall address-list with the name "current_IP".
You can easily update all your multiple firewall NAT rules
by removing the dst-address and adding dst-address-list=current_IP

Here is an example which redirects WAN port 80 to a host with IP 192.168.0.10 behind NAT:
ip firewall nat add chain=dstnat dst-port=80 action=dst-nat protocol=tcp dst-address-list=current_IP to-addresses=192.168.0.10 to-ports=80
 
fewi
Forum Guru
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: Port forwarding with dynamic WAN IP

Fri Jul 08, 2011 3:13 am

Try removing the dst-address-list parameter and add dst-address-type=local. That may also work, and would be simpler and wouldn't require a script.

Though I'm puzzled why in-interface didn't work for you. It should.
Specific answers require specific questions. When in doubt, post the output of "/ip address print detail", "/ip route print detail", "/interface print detail", "/ip firewall export", and an accurate network diagram.
 
netme
just joined
Posts: 8
Joined: Wed Aug 11, 2010 11:23 pm

Re: Port forwarding with dynamic WAN IP

Mon Jul 11, 2011 2:11 am

Try removing the dst-address-list parameter and add dst-address-type=local.
I'm too green to understand the difference in the operation, but it works. Thx
Code example:
ip firewall nat add chain=dstnat dst-port=80 action=dst-nat protocol=tcp dst-address-type=local to-addresses=192.168.0.10 to-ports=80
 
fewi
Forum Guru
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: Port forwarding with dynamic WAN IP

Mon Jul 11, 2011 3:19 am

It just means "if the destination IP address in the IP header of the packet before destination NAT is applied is an IP address assigned to a router interface, perform the specified destination NAT action".
Specific answers require specific questions. When in doubt, post the output of "/ip address print detail", "/ip route print detail", "/interface print detail", "/ip firewall export", and an accurate network diagram.
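
The matcher options discussed in this thread, as an added example that is not part of any poster's message: a small Python model (not RouterOS code) of which tcp/80 packets each dstnat matcher accepts once the WAN address has changed. The interface names ether1 and bridge, the router LAN address 192.168.0.1 and the 203.0.113.10 / 198.51.100.7 addresses are constructed assumptions; the model covers rule matching only, not the rest of NAT processing.

```python
from ipaddress import ip_address

# Constructed topology (assumption): ether1 faces the ISP, bridge is the LAN.
LAN_IP = "192.168.0.1"      # router's own LAN address (assumed)
OLD_WAN = "203.0.113.10"    # address the static rule was written for
NEW_WAN = "198.51.100.7"    # address after the ISP lease changed

# The four matcher styles from the thread, on a tcp/80 dstnat rule.
RULES = {
    "dst-address": {"dst-address": OLD_WAN},
    "in-interface": {"in-interface": "ether1"},
    "dst-address-list": {"dst-address-list": "current_IP"},
    "dst-address-type": {"dst-address-type": "local"},
}

PACKETS = {
    "internet->wan": {"in": "ether1", "dst": NEW_WAN},
    "lan->wan": {"in": "bridge", "dst": NEW_WAN},
    "lan->router-lan": {"in": "bridge", "dst": LAN_IP},
}


def matches(rule, pkt, router_addrs, address_list):
    """True if every matcher in the rule accepts the pre-NAT packet header."""
    dst = ip_address(pkt["dst"])
    if "dst-address" in rule and dst != ip_address(rule["dst-address"]):
        return False
    if "in-interface" in rule and pkt["in"] != rule["in-interface"]:
        return False
    if "dst-address-list" in rule and dst not in address_list:
        return False
    # "local" = destination is any address assigned to a router interface
    if rule.get("dst-address-type") == "local" and dst not in router_addrs:
        return False
    return True


def evaluate(wan_ip, listed_ip):
    """Match table for tcp/80 packets given the live WAN IP and list entry."""
    router_addrs = {ip_address(wan_ip), ip_address(LAN_IP)}
    address_list = {ip_address(listed_ip)}
    return {
        name: {p: matches(rule, pkt, router_addrs, address_list)
               for p, pkt in PACKETS.items()}
        for name, rule in RULES.items()
    }


# WAN address has changed, but the update script has not run yet.
stale = evaluate(NEW_WAN, OLD_WAN)
# Same state after the script has rewritten the current_IP list.
fresh = evaluate(NEW_WAN, NEW_WAN)
```

In this model dst-address-type=local also accepts port 80 traffic addressed to the router's own LAN address, while in-interface accepts only packets arriving on the ISP-facing interface; putting both matchers on one rule narrows it to WAN arrivals for a router-owned address.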
