drdrdr
just joined
Topic Author
Posts: 19
Joined: Thu Apr 05, 2007 1:55 pm
Location: Serbia

masquerade - how to hide private lan

Wed Mar 07, 2012 6:47 pm

In the manual for Firewall NAT it is written: "If you want to "hide" the private LAN 192.168.0.0/24 "behind" one address 10.5.8.109 given to you by the ISP, you should use the source network address translation (masquerading)"

But if you put a computer or router on the same network as the WAN port and set its gateway for the private LAN to the WAN port of our router, you can access the private LAN.
So basically your private network can be accessed from a neighboring device (it could be the ISP's gateway - why should I trust them?).
Basic routing is still working.

Maybe some filter rules could be set so private LAN is really hidden, it can access internet and if I like I could set DSTNAT.
 
BinaryCrash
newbie
Posts: 41
Joined: Thu Apr 28, 2011 11:20 pm

Re: masquerade - how to hide private lan

Wed Mar 07, 2012 7:33 pm

You use NAT to translate your LAN address to an Internet address for outgoing connections.
For incoming connections you use firewall filter rules, allowing the ports you want and then blocking everything at the end.
You can allow communication with your ISP gateway and then block all other IP blocks, like 10.0.0.0/8, incoming from the WAN port.
 
drdrdr
just joined
Topic Author
Posts: 19
Joined: Thu Apr 05, 2007 1:55 pm
Location: Serbia

Re: masquerade - how to hide private lan

Wed Mar 07, 2012 10:36 pm

BinaryCrash wrote:
> You use NAT to translate your LAN address to an Internet address for outgoing connections.
> For incoming connections you use firewall filter rules, allowing the ports you want and then blocking everything at the end.
> You can allow communication with your ISP gateway and then block all other IP blocks, like 10.0.0.0/8, incoming from the WAN port.

So how should that rule look?
Let's say I just want computers from the private LAN to have internet access behind the public address, but I do not want the ISP to be able to ping computers in the private LAN from the gateway through the MikroTik router.
 
drdrdr
just joined
Topic Author
Posts: 19
Joined: Thu Apr 05, 2007 1:55 pm
Location: Serbia

Re: masquerade - how to hide private lan

Thu Mar 08, 2012 1:28 pm

I think that I have the answer but I am not sure:

/ip firewall filter add chain=forward in-interface=wan-int out-interface=lan-int connection-state=new action=drop

Now computer from LAN can ping ISP gateway, but ISP gateway can not ping computer in LAN (I have tested this).
 
BinaryCrash
newbie
Posts: 41
Joined: Thu Apr 28, 2011 11:20 pm

Re: masquerade - how to hide private lan

Thu Mar 08, 2012 10:36 pm

You can also block in the input chain too.
It will block attempts to access your routers services (winbox, web, ssh, etc).
In this case, just use IN interface, there is no out.

I think it would be like this:
/ip firewall filter add chain=input in-interface=wan-int connection-state=new action=drop
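
A fuller rule set built around the two rules posted in this thread, as an added example that is not part of any post above. The forward rule from the thread drops every new connection from wan-int to lan-int, which would also drop connections redirected by a dst-nat rule, so the version here exempts them. It assumes a current RouterOS release in which connection-state accepts a comma-separated list and the connection-nat-state matcher is available; wan-int and lan-int are the interface names used in the posts.

```routeros
# Added example, not from the thread. Assumes a RouterOS release that supports
# connection-nat-state and comma-separated connection-state values.
# wan-int is the interface name used in the posts.

/ip firewall filter

# Forward chain: traffic routed through the router to or from the LAN.
# 1. Replies to connections that LAN hosts opened are tracked and allowed back.
add chain=forward connection-state=established,related action=accept comment="replies to LAN-initiated traffic"
# 2. Packets that belong to no tracked connection are discarded.
add chain=forward connection-state=invalid action=drop comment="not part of any tracked connection"
# 3. New connections arriving on the WAN side are dropped, whatever their source
#    address (ISP gateway or any neighbor on the WAN segment), unless a dst-nat
#    rule explicitly forwarded them to a LAN host.
add chain=forward in-interface=wan-int connection-state=new connection-nat-state=!dstnat action=drop comment="new from WAN, except dst-nat port forwards"

# Input chain: traffic addressed to the router itself (winbox, web, ssh, etc).
add chain=input connection-state=established,related action=accept comment="replies to the router's own traffic"
add chain=input connection-state=invalid action=drop
add chain=input in-interface=wan-int action=drop comment="everything else arriving on WAN"

# Masquerade only rewrites the source address of outgoing LAN traffic.
# It does not filter anything; the filter rules above do the hiding.
/ip firewall nat
add chain=srcnat out-interface=wan-int action=masquerade
```

Rule order matters: the accept rules for established and related traffic must sit above the drop rules, and the packet counters shown by `/ip firewall filter print stats` confirm which rule a test ping from the WAN side actually hits.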