Cable Modem Port 1
Switch on Port 2
Torrent Server Port 3
IP scheme is default 192.168.88.1 is IP for inside RB750G
The static ip for the torrent server is 192.168.88.250
The torrent server has Utorrent installed. I've tried using the UPnP and it didn't work.
So made two NAT rules for DSTNAT.
SRC ADDRESS 192.168.88.1
DSC ADDRESS 192.168.88.1
Protocol 6 (TCP)
Port 55554
In. Interface eth1-gateway
the other rule is for UDP (everything else is the same)
Shouldn't this work? When a request comes into the gateway for 192.168.88.1 for port 55554 send the packet to 192.168.88.250?
When I try to change Out Interface to ether3, it says outgoing interface match no possible in input and prerouting chains. (6)
Re: Port Forward RB750G
Remove the source and destination address parameters from the dstnat rules, and add to-address and set it to 192.168.88.250.
Ensure you don't have filter rules that block the traffic.
Ensure you don't have filter rules that block the traffic.
Re: Port Forward RB750G
This is what I did delete everything I added to the gui interface
ip firewall nat add chain=dstnat protocol=tcp dst-port=55554 action=dst-nat to-addresses=192.168.88.250 to-ports=55554
ip firewall nat add chain=dstnat protocol=udp dst-port=55554 action=dst-nat to-addresses=192.168.88.250 to-ports=55554
http://wiki.mikrotik.com/wiki/Redirect_ ... ied_server
Seems to work, but I'm still missing something. The tracker still can't connect...
And I'm seeing a huge packet dump from the default firewall rule, talking about 3347 KiB being dumped every second.
ip firewall nat add chain=dstnat protocol=tcp dst-port=55554 action=dst-nat to-addresses=192.168.88.250 to-ports=55554
ip firewall nat add chain=dstnat protocol=udp dst-port=55554 action=dst-nat to-addresses=192.168.88.250 to-ports=55554
http://wiki.mikrotik.com/wiki/Redirect_ ... ied_server
Seems to work, but I'm still missing something. The tracker still can't connect...
And I'm seeing a huge packet dump from the default firewall rule, talking about 3347 KiB being dumped every second.
Re: Port Forward RB750G
So accept traffic on that port further above. You want to do that in the forward chain.
Re: Port Forward RB750G
I think that is what I tried? On the Filter Rules for the firewall I put 2 rules before the drop
Chain: Forward
Dst address 192.168.88.250
Protocol 6 (TCP)
SRC port 55554
DSC port 55554
Int interface ether1-gateway
should action be accept or passthrough? powerful little box!
Chain: Forward
Dst address 192.168.88.250
Protocol 6 (TCP)
SRC port 55554
DSC port 55554
Int interface ether1-gateway
should action be accept or passthrough? powerful little box!
Re: Port Forward RB750G
Accept. Make sure that the entry is earlier in the list than the drop/reject rules. Read the wiki manual for IP firewall filter on what all the options do.
Re: Port Forward RB750G
Ok it works just fine at least for port forwarding. Pretty sure the PAT or NAT is pretty screwed if it is dropping that many packets...
Re: Port Forward RB750G
Why do you have a drop NAT rule?
Post the output of /ip firewall export.
Post the output of /ip firewall export.
Re: Port Forward RB750G
# jan/01/2002 01:27:37 by RouterOS 5.0beta6
# software id = RPV2-MC9G
#
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
tcp-close-wait-timeout=10s tcp-established-timeout=1d \
tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=accept chain=input comment="default configuration" disabled=no \
protocol=icmp
add action=accept chain=input comment="default configuration" \
connection-state=established disabled=no in-interface=ether1-gateway
add action=accept chain=input comment="default configuration" \
connection-state=related disabled=no dst-address=192.168.88.250 dst-port=\
55554 in-interface=ether1-gateway protocol=udp src-port=55554
add action=accept chain=input connection-state=related disabled=no \
dst-address=192.168.88.250 dst-port=55554 in-interface=ether1-gateway \
protocol=tcp src-port=55554
add action=drop chain=input comment="default configuration" disabled=no \
in-interface=ether1-gateway
/ip firewall mangle
add action=mark-routing chain=prerouting disabled=no in-interface=\
ether1-gateway new-routing-mark="" passthrough=yes
/ip firewall nat
add action=dst-nat chain=dstnat disabled=no dst-port=55554 protocol=tcp \
to-addresses=192.168.88.250 to-ports=55554
add action=dst-nat chain=dstnat disabled=no dst-port=55554 protocol=udp \
to-addresses=192.168.88.250 to-ports=55554
add action=masquerade chain=srcnat comment="default configuration" disabled=\
no out-interface=ether1-gateway
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no
# software id = RPV2-MC9G
#
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
tcp-close-wait-timeout=10s tcp-established-timeout=1d \
tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=accept chain=input comment="default configuration" disabled=no \
protocol=icmp
add action=accept chain=input comment="default configuration" \
connection-state=established disabled=no in-interface=ether1-gateway
add action=accept chain=input comment="default configuration" \
connection-state=related disabled=no dst-address=192.168.88.250 dst-port=\
55554 in-interface=ether1-gateway protocol=udp src-port=55554
add action=accept chain=input connection-state=related disabled=no \
dst-address=192.168.88.250 dst-port=55554 in-interface=ether1-gateway \
protocol=tcp src-port=55554
add action=drop chain=input comment="default configuration" disabled=no \
in-interface=ether1-gateway
/ip firewall mangle
add action=mark-routing chain=prerouting disabled=no in-interface=\
ether1-gateway new-routing-mark="" passthrough=yes
/ip firewall nat
add action=dst-nat chain=dstnat disabled=no dst-port=55554 protocol=tcp \
to-addresses=192.168.88.250 to-ports=55554
add action=dst-nat chain=dstnat disabled=no dst-port=55554 protocol=udp \
to-addresses=192.168.88.250 to-ports=55554
add action=masquerade chain=srcnat comment="default configuration" disabled=\
no out-interface=ether1-gateway
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no
Re: Port Forward RB750G
That's all messed up.
Read http://wiki.mikrotik.com/wiki/Manual:Packet_Flow - it shows the packet flow through the facilities.
'input' - traffic directly TO the router (destination IP address is on the router itself)
'output' - traffic sourced originated FROM the router
'forward' - traffic THROUGH the router
dst-nat happens in prerouting, which is before any of them. It changes the destination IP address to an IP address behind the router, so all your firewall filter rules for the forwarded traffic don't apply because you're in the wrong chain (the packet will be in 'forward', not 'input'). Also, setting an empty routing-mark is pointless. If you're trying to protect the router from being accessed from the Internet (which is a good idea) and also want only traffic originated from behind the router to flow through it with the exception of traffic forwarded to 192.168.88.50 with a destination port of 55554 on TCP and UDP the firewall filters, NAT and mangle would look something like this:
That should be fine to paste in via a network connection, if you want to make sure, use the console or safe mode: http://wiki.mikrotik.com/wiki/Manual:Console#Safe_Mode - generally a good idea when you're editing critical portions of the configuration.
Read http://wiki.mikrotik.com/wiki/Manual:Packet_Flow - it shows the packet flow through the facilities.
'input' - traffic directly TO the router (destination IP address is on the router itself)
'output' - traffic sourced originated FROM the router
'forward' - traffic THROUGH the router
dst-nat happens in prerouting, which is before any of them. It changes the destination IP address to an IP address behind the router, so all your firewall filter rules for the forwarded traffic don't apply because you're in the wrong chain (the packet will be in 'forward', not 'input'). Also, setting an empty routing-mark is pointless. If you're trying to protect the router from being accessed from the Internet (which is a good idea) and also want only traffic originated from behind the router to flow through it with the exception of traffic forwarded to 192.168.88.50 with a destination port of 55554 on TCP and UDP the firewall filters, NAT and mangle would look something like this:
Code: Select all
/ip firewall filter
# delete all existing rules
remove [find]
# allow all packets that belong to connections that have already been OK'd by the packets establishing them not having been dropped
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
# unconditionally allow ICMP
add action=accept chain=input protocol=icmp
# allow connections to be established from every interface but the WAN
add action=accept chain=input in-interface=!ether1-gateway
# drop everything else
add action=drop chain=input
# allow all packets that belong to connections that have already been OK'd by the packets establishing them not having been dropped
# allow all interfaces other than the WAN to establish new connections
add action=accept chain=forward connection-state=established
add action=accept chain=forward connection-state=related
add action=accept chain=forward in-interface=!ether1-gateway
# permit traffic from the WAN forwarded to 192.168.88.250 destined to tcp/55554 and udp/55554
add action=accept in-interface=ether1-gateway dst-address=192.168.88.250 protocol=tcp dst-port=55554
add action=accept in-interface=ether1-gateway dst-address=192.168.88.250 protocol=udp dst-port=55554
# drop everything else
add action=drop chain=forward
/ip firewall mangle
# delete all mangle rules, what is shown makes no sense
delete [find]
/ip firewall nat
# delete all existing rules
remove [find]
# port forward udp/55554 and tcp/55554 to 192.168.88.250
add action=dst-nat chain=dstnat dst-port=55554 protocol=tcp to-addresses=192.168.88.250 to-ports=55554
add action=dst-nat chain=dstnat dst-port=55554 protocol=udp to-addresses=192.168.88.250 to-ports=55554
# source NAT everything going out to the WAN
add action=masquerade chain=srcnat out-interface=ether1-gateway
Re: Port Forward RB750G
Wow thanks a bundle. Starting to understand how things work in this device a little better. So all I need to do know is redirect port 80 to the internal webserver on 192.168.88.249
When I add a dst-nat rule to the dstnat chain for tcp, port 80 it kills all internet traffic on the local lan though. The firewall rule alone doesn't do the trick. So I'm lost on how to do it. I can change the port on apache to listen to port 8080, instead of 80, but still I'm lost as to what I'm doing wrong.
I think from my understanding of networking is, when I request a website from this computer, I'm requesting port 80 from XXX.XXX.XXX.XXX, and it comes back as the src port 80; which is why I can't browse the internet when I create the NAT rule for dstnat protocol 6 (tcp) dstport 80. Since that directly conflicts with the networking. Guess it isn't that simple... or is it even possible? I changed the www service to port 64 from 80, and I can access that from the domain I purchased and point to my WAN ip. (which works fine).
Wait a second, I see the ! before ether1-gateway means every one except that one; which in the case of accepting requests for a website isn't going to work. So I guess I need to delete those rules? Still I'm somewhat confused here; tricky.
When I add a dst-nat rule to the dstnat chain for tcp, port 80 it kills all internet traffic on the local lan though. The firewall rule alone doesn't do the trick. So I'm lost on how to do it. I can change the port on apache to listen to port 8080, instead of 80, but still I'm lost as to what I'm doing wrong.
I think from my understanding of networking is, when I request a website from this computer, I'm requesting port 80 from XXX.XXX.XXX.XXX, and it comes back as the src port 80; which is why I can't browse the internet when I create the NAT rule for dstnat protocol 6 (tcp) dstport 80. Since that directly conflicts with the networking. Guess it isn't that simple... or is it even possible? I changed the www service to port 64 from 80, and I can access that from the domain I purchased and point to my WAN ip. (which works fine).
Wait a second, I see the ! before ether1-gateway means every one except that one; which in the case of accepting requests for a website isn't going to work. So I guess I need to delete those rules? Still I'm somewhat confused here; tricky.
Re: Port Forward RB750G
Code: Select all
/ip firewall filter
add action=accept chain=forward in-interface=ether1-gateway dst-address=192.168.88.249 protocol=tcp dst-port=80
/ip firewall nat
add action=dst-nat chain=dstnat in-interface=ether1-gateway dst-port=80 protocol=tcp to-addresses=192.168.88.249 to-ports=80
Who is online
Users browsing this forum: nichky and 41 guests