lscully
just joined
Topic Author
Posts: 9
Joined: Tue Jun 13, 2006 11:17 pm

What am I doing wrong - Port Forwarding

Fri Jun 16, 2006 10:18 pm

Trying to set up a port forward and it isn't working. Hoping someone can tell me what I am doing wrong.

OS version is 2.9.23 on Routerboard 532.

I need to forward two ports on outside wan port (public side) to the "hotspot" port (ether3). Ether2 is the private lan side.

The first rule would be for HTTP traffic on port 8080, and the second is Telnet traffic on port 2332. Both are TCP. Doing this in /ip/firewall/nat.

chain=dstnat in-interface=ether1 dst-address=000.000.000.000 protocol=tcp dst-port=8080 action=dst-nat to-addresses=10.20.40.254 to-ports=8080

chain=dstnat in-interface=ether1 dst-address=000.000.000.000 protocol=tcp dst-port=2332 action=dst-nat to-addresses=10.20.40.254 to-ports=2332

Can anyone clue me in on what I am doing wrong? It looks correct based on what I have seen on the forum but it isn't working (no traffic is getting to the internal server).

Thank you

Lyle
 
pearlguys
just joined
Posts: 6
Joined: Tue Dec 20, 2005 8:33 pm

Sat Jun 17, 2006 9:52 pm

I think that the dst-address needs to be the address of the router public interface. I think that you are trying to translate <router public ip>:8080 to <private ip>:8080 and so the destination address of the NAT has to be the address of the router.

Here's something similar from my configuration..

chain=dstnat dst-address=<router public ip> protocol=tcp dst-port=17416
action=dst-nat to-addresses=192.168.2.16 to-ports=80

which allows an HTTP connection via port 17416 to an internal machine...
 
lscully
just joined
Topic Author
Posts: 9
Joined: Tue Jun 13, 2006 11:17 pm

Don't understand this

Mon Jun 19, 2006 6:12 pm

Same as what I have. I just put the 000.000.000.000 to mask the public IP.

It is strange because I have no problem getting to the router from the outside, just can't get it to translate to the inside. Is it possible that the reason it is not working is because I am trying to go to the hotspot interface?

Ether1 = Outside (public)
Ether2 = Private Lan (192.168.1.x)
Ether3 = Hotspot (10.20.40.x)

I think the problem might be deeper though. If I am sitting inside the router, and try to ping the internal IP on the 10.20.40 network, it never returns an answer. Telnet to the 8080 port also returns nothing. So maybe I can not talk to that network from inside the router?

Here is the working configuration I have in place:

/ interface ethernet
set ether1 name="ether1" mtu=1500 mac-address=00:0C:42:06:3D:FE arp=enabled \
disable-running-check=yes auto-negotiation=yes full-duplex=yes \
cable-settings=default mdix-enable=yes speed=100Mbps comment="" \
disabled=no
set ether2 name="ether2" mtu=1500 mac-address=00:0C:42:06:3D:FF arp=enabled \
disable-running-check=yes auto-negotiation=yes full-duplex=yes \
cable-settings=default speed=100Mbps comment="" disabled=no
set ether3 name="ether3" mtu=1500 mac-address=00:0C:42:06:3E:00 arp=enabled \
disable-running-check=yes auto-negotiation=yes full-duplex=yes \
cable-settings=default speed=100Mbps comment="" disabled=no
/ interface l2tp-server server
set enabled=no max-mtu=1460 max-mru=1460 \
authentication=pap,chap,mschap1,mschap2 default-profile=default-encryption
/ interface pptp-server server
set enabled=no max-mtu=1460 max-mru=1460 authentication=mschap1,mschap2 \
keepalive-timeout=30 default-profile=default-encryption
/ ip pool
add name="dhcp_pool1" ranges=192.168.0.100-192.168.1.240
add name="dhcp_pool2" ranges=10.20.40.50-10.20.40.200
/ ip accounting
set enabled=no account-local-traffic=no threshold=256
/ ip accounting web-access
set accessible-via-web=yes address=0.0.0.0/0
/ ip service
set telnet port=23 address=0.0.0.0/0 disabled=no
set ftp port=21 address=0.0.0.0/0 disabled=no
set www port=80 address=0.0.0.0/0 disabled=no
set ssh port=22 address=0.0.0.0/0 disabled=no
set www-ssl port=443 address=0.0.0.0/0 certificate=none disabled=no
/ ip socks
set enabled=no port=1080 connection-idle-timeout=2m max-connections=200
/ ip arp
/ ip upnp
set enabled=yes allow-disable-external-interface=no show-dummy-rule=yes
/ ip upnp interfaces
add interface=ether1 type=external disabled=no
add interface=ether2 type=internal disabled=no
add interface=ether3 type=internal disabled=no
/ ip traffic-flow
set enabled=no interfaces=all cache-entries=4k active-flow-timeout=30m \
inactive-flow-timeout=15s
/ ip dns
set primary-dns=000.000.000.2 secondary-dns=000.000.000.3 \
allow-remote-requests=no cache-size=2048KiB cache-max-ttl=1w
/ ip address
add address=000.000.000.000/25 network=000.000.000.0 broadcast=000.000.000.127 \
interface=ether1 comment="Outside" disabled=no
add address=192.168.1.1/24 network=192.168.1.0 broadcast=192.168.1.255 \
interface=ether2 comment="Inside" disabled=no
add address=10.20.40.1/24 network=10.20.40.0 broadcast=10.20.40.255 \
interface=ether3 comment="Hotspot" disabled=no
/ ip proxy
set enabled=no src-address=0.0.0.0 port=8080 parent-proxy=0.0.0.0:0 \
cache-administrator="webmaster" max-disk-cache-size=none \
max-ram-cache-size=8000KiB cache-only-on-disk=no \
maximal-client-connections=1000 maximal-server-connections=1000 \
max-object-size=4000KiB max-fresh-time=3d
/ ip neighbor discovery
set ether1 discover=yes
set ether2 discover=yes
set ether3 discover=yes
/ ip route
add dst-address=0.0.0.0/0 gateway=000.000.000.1 distance=1 scope=255 \
target-scope=10 comment="" disabled=no
/ ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade comment="" disabled=no
add chain=srcnat src-address=10.20.40.0/24 action=masquerade \
comment="masquerade hotspot network" disabled=no
add chain=dstnat in-interface=ether1 dst-address=000.000.000.000 protocol=tcp \
dst-port=8080 action=dst-nat to-addresses=10.20.40.254 to-ports=8080 \
comment="" disabled=no
add chain=dstnat in-interface=ether1 dst-address=000.000.000.000 protocol=tcp \
dst-port=3223 action=dst-nat to-addresses=10.20.40.254 to-ports=3223 \
comment="" disabled=no
/ ip firewall connection tracking
set enabled=yes tcp-syn-sent-timeout=5s tcp-syn-received-timeout=5s \
tcp-established-timeout=1d tcp-fin-wait-timeout=10s \
tcp-close-wait-timeout=10s tcp-last-ack-timeout=10s \
tcp-time-wait-timeout=10s tcp-close-timeout=10s udp-timeout=10s \
udp-stream-timeout=3m icmp-timeout=10s generic-timeout=10m \
tcp-syncookie=no
/ ip firewall filter
add chain=input connection-state=invalid action=drop comment="Drop invalid \
connections" disabled=yes
add chain=input connection-state=established action=accept comment="Allow \
established connections" disabled=yes
add chain=input connection-state=related action=accept comment="Allow related \
connections" disabled=yes
add chain=input protocol=udp action=accept comment="Allow UDP" disabled=yes
add chain=input protocol=icmp action=accept comment="Allow ICMP" disabled=yes
add chain=input in-interface=!ether1 action=accept comment="Allow connection \
to router from local network" disabled=yes
add chain=input action=drop comment="Drop everything else" disabled=yes
add chain=forward in-interface=ether1 action=jump jump-target=customer \
comment="" disabled=yes
add chain=customer connection-state=invalid action=drop comment="Drop invalid \
connection packets" disabled=yes
add chain=customer connection-state=established action=accept comment="Allow \
established connections" disabled=yes
add chain=customer connection-state=related action=accept comment="Allow \
related connections" disabled=yes
add chain=customer action=log log-prefix="customer_drop" comment="Log dropped \
connections" disabled=yes
add chain=customer action=drop comment="Drop and log everything else" \
disabled=yes
/ ip firewall service-port
set ftp ports=21 disabled=no
set tftp ports=69 disabled=no
set irc ports=6667 disabled=no
set h323 disabled=no
set quake3 disabled=no
set mms disabled=no
set gre disabled=no
set pptp disabled=no
/ ip hotspot
add name="hotspot1" interface=ether3 address-pool=dhcp_pool2 profile=default \
idle-timeout=5m keepalive-timeout=none addresses-per-mac=2 disabled=no
/ ip hotspot service-port
set ftp ports=21 disabled=no
/ ip hotspot ip-binding
add mac-address=00:0A:80:00:07:A6 type=bypassed comment="" disabled=no
/ ip hotspot profile
set default name="default" hotspot-address=0.0.0.0 dns-name="" \
html-directory=hotspot rate-limit="" http-proxy=0.0.0.0:0 \
smtp-server=0.0.0.0 login-by=cookie,http-chap http-cookie-lifetime=3d \
split-user-domain=no use-radius=no
add name="hosprof1" hotspot-address=10.20.40.1 dns-name="something.com" \
html-directory=hotspot rate-limit="" http-proxy=0.0.0.0:0 \
smtp-server=216.110.195.7 login-by=cookie,http-chap \
http-cookie-lifetime=12h split-user-domain=no use-radius=no
/ ip hotspot user
add name="admin" password="xxxx" profile=default comment="" disabled=no
add server=hotspot1 name="101" password="" profile=default comment="" \
disabled=no
/ ip hotspot user profile
set default name="default" address-pool=dhcp_pool2 idle-timeout=none \
keepalive-timeout=2m status-autorefresh=1m shared-users=2 \
transparent-proxy=yes open-status-page=always advertise=no
add name="lobby" address-pool=dhcp_pool2 session-timeout=1h idle-timeout=none \
keepalive-timeout=2m status-autorefresh=1m shared-users=1 \
transparent-proxy=yes open-status-page=always advertise=no
/ ip dhcp-server
add name="dhcp1" interface=ether2 lease-time=3d address-pool=dhcp_pool1 \
bootp-support=static authoritative=after-2sec-delay disabled=no
add name="dhcp2" interface=ether3 lease-time=12h address-pool=dhcp_pool2 \
bootp-support=static authoritative=after-2sec-delay disabled=no
/ ip dhcp-server config
set store-leases-disk=5m
/ ip dhcp-server lease
/ ip dhcp-server network
add address=10.20.40.0/24 gateway=10.20.40.1 \
dns-server=216.110.195.2,216.110.195.3 comment=""
add address=192.168.1.0/24 gateway=192.168.1.1 \
dns-server=216.110.195.2,216.110.195.3 comment=""
/ ip ipsec proposal
add name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=30m \
lifebytes=0 pfs-group=modp1024 disabled=no
/ system logging
add topics=info prefix="" action=memory disabled=no
add topics=error prefix="" action=memory disabled=no
add topics=warning prefix="" action=memory disabled=no
add topics=critical prefix="" action=echo disabled=no
/ system logging action
set memory name="memory" target=memory memory-lines=100 memory-stop-on-full=no
set disk name="disk" target=disk disk-lines=100 disk-stop-on-full=no
set echo name="echo" target=echo remember=yes
set remote name="remote" target=remote remote=192.168.65.175:514
/ system upgrade mirror
set enabled=no primary-server=0.0.0.0 secondary-server=0.0.0.0 \
check-interval=1d user=""
/ system clock dst
set dst-delta=+00:00 dst-start="jan/01/1970 00:00:00" dst-end="jan/01/1970 \
00:00:00"
/ system watchdog
set reboot-on-failure=yes watch-address=none watchdog-timer=yes \
no-ping-delay=5m automatic-supout=yes auto-send-supout=no
/ system console
add port=serial0 term="" disabled=no
/ system identity
set name="SleepInn"
/ system note
set show-at-login=yes note=""
/ system routerboard settings
set baud-rate=115200 boot-delay=1s boot-device=nand-if-fail-then-ethernet \
enter-setup-on=any-key cpu-mode=power-save memory-test=no \
cpu-frequency=264MHz boot-protocol=bootp enable-jumper-reset=yes
/ system ntp server
set enabled=no broadcast=no multicast=no manycast=yes
/ system ntp client
set enabled=yes mode=unicast primary-ntp=204.152.184.72 secondary-ntp=0.0.0.0
/ port
set serial0 name="serial0" baud-rate=auto data-bits=8 parity=none stop-bits=1 \
flow-control=hardware
/ ppp profile
set default name="default" use-compression=default use-vj-compression=default \
use-encryption=default only-one=default change-tcp-mss=yes comment=""
set default-encryption name="default-encryption" use-compression=default \
use-vj-compression=default use-encryption=yes only-one=default \
change-tcp-mss=yes comment=""
/ ppp aaa
set use-radius=no accounting=yes interim-update=0s
/ queue type
set default name="default" kind=pfifo pfifo-limit=50
set ethernet-default name="ethernet-default" kind=pfifo pfifo-limit=50
set wireless-default name="wireless-default" kind=sfq sfq-perturb=5 \
sfq-allot=1514
set synchronous-default name="synchronous-default" kind=red red-limit=60 \
red-min-threshold=10 red-max-threshold=50 red-burst=20 red-avg-packet=1000
set hotspot-default name="hotspot-default" kind=sfq sfq-perturb=5 \
sfq-allot=1514
add name="default-small" kind=pfifo pfifo-limit=10
/ queue simple
/ user
add name="admin" group=full address=0.0.0.0/0 comment="system default user" \
disabled=no
/ user group
add name="read" policy=local,telnet,ssh,reboot,read,test,winbox,password,web,!f\
tp,!write,!policy
add name="write" policy=local,telnet,ssh,reboot,read,write,test,winbox,password\
,web,!ftp,!policy
add name="full" policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbo\
x,password,web
/ user aaa
set use-radius=no accounting=yes interim-update=0s default-group=read
/ radius incoming
set accept=no port=1700
/ snmp
set enabled=no contact="" location=""
/ snmp community
set public name="public" address=0.0.0.0/0 read-access=yes
/ tool bandwidth-server
set enabled=yes authenticate=yes allocate-udp-ports-from=2000 max-sessions=10
/ tool mac-server ping
set enabled=yes
/ tool e-mail
set server=0.0.0.0 from="<>"
/ tool sniffer
set interface=ether1 only-headers=no memory-limit=10 file-name="" \
file-limit=10 streaming-enabled=no streaming-server=0.0.0.0 \
filter-stream=yes filter-protocol=ip-only \
filter-address1=216.110.199.114/32:8080 filter-address2=0.0.0.0/0:0-65535
/ tool traffic-monitor
add name="tmon1" interface=ether1 traffic=received trigger=above threshold=0 \
on-event="" comment="" disabled=no
/ tool graphing
set store-every=5min
/ tool graphing interface
add interface=all allow-address=0.0.0.0/0 store-on-disk=yes disabled=no
/ routing ospf
set router-id=0.0.0.0 distribute-default=never redistribute-connected=no \
redistribute-static=no redistribute-rip=no redistribute-bgp=no \
metric-default=1 metric-connected=20 metric-static=20 metric-rip=20 \
metric-bgp=20
/ routing ospf area
set backbone area-id=0.0.0.0 type=default translator-role=translate-candidate \
authentication=none disabled=no
/ routing bgp instance
set default name="default" as=1 router-id=0.0.0.0 redistribute-static=no \
redistribute-connected=no redistribute-rip=no redistribute-ospf=no \
redistribute-other-bgp=no out-filter="" client-to-client-reflection=yes \
comment="" disabled=no
/ routing rip
set redistribute-static=no redistribute-connected=no redistribute-ospf=no \
redistribute-bgp=no metric-static=1 metric-connected=1 metric-ospf=1 \
metric-bgp=1 update-timer=30s timeout-timer=3m garbage-timer=2m
/ routing rip interface
add interface=all receive=v2 send=v2 authentication=none authentication-key="" \
key-chain="" in-filter="" out-filter="" disabled=no
Last edited by lscully on Mon Jun 19, 2006 10:41 pm, edited 1 time in total.
 
jarosoup
Long time Member
Posts: 596
Joined: Sun Aug 22, 2004 9:02 am

Mon Jun 19, 2006 9:10 pm

You need to add the IP address of the internal device you are dst-natting to, to the walled garden. Not sure if you can define both the IP and port, as I've run into problems with specifying a port (although this was on some older versions). The problem is, your traffic is redirecting properly from the outside in, but the response from the internal device isn't getting back out because of the hotspot. Add the IP to the walled garden (under the IP List) and you should be set. Not sure if the dst-address=0.0.0.0/0 is causing any issues, but if you still have problems, set it to the WAN IP of the router or leave it blank.

Note: In the future, posting this type of problem to the General Networking forum will get you better responses as this doesn't really have anything to do with scripting :)
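The advice in this reply, assembled into one configuration fragment. This is an added example, not configuration posted by either participant and not MikroTik documentation. It assumes the addresses from the thread (ether1 public, ether3 = 10.20.40.0/24, server at 10.20.40.254), that <wan-ip> stands for the real address on ether1 that the original post masks as 000.000.000.000, and 2.9-era command syntax as used in the export above. Port 3223 is taken from the export; the first post says 2332, so check which one the server actually listens on before testing.

```routeros
/ ip firewall nat
# dst-nat rules matching the router's real WAN address instead of the
# all-zero placeholder (or leave dst-address out, which matches any address)
add chain=dstnat in-interface=ether1 dst-address=<wan-ip> protocol=tcp \
    dst-port=8080 action=dst-nat to-addresses=10.20.40.254 to-ports=8080 \
    comment="forward 8080 to server on hotspot segment"
add chain=dstnat in-interface=ether1 dst-address=<wan-ip> protocol=tcp \
    dst-port=3223 action=dst-nat to-addresses=10.20.40.254 to-ports=3223 \
    comment="forward 3223 to server on hotspot segment"

/ ip hotspot walled-garden ip
# source-only entry: the server's traffic passes the hotspot without a login
add src-address=10.20.40.254 action=accept comment="dst-nat target"

/ ip hotspot ip-binding
# alternative to the walled-garden entry: take the server out of the hotspot
# entirely (the export already does this by MAC for another host)
add address=10.20.40.254 type=bypassed comment="dst-nat target"

/ ip firewall filter
# log-only rules to see whether translated packets reach the forward chain
# and whether the server's replies come back; they drop nothing
add chain=forward dst-address=10.20.40.254 protocol=tcp dst-port=8080 \
    action=log log-prefix="fwd-to-server"
add chain=forward src-address=10.20.40.254 protocol=tcp src-port=8080 \
    action=log log-prefix="fwd-from-server"
```

Test from a host outside ether1: a connection made from the router itself does not enter through ether1, so the in-interface=ether1 dst-nat rule will never match it. Before chasing NAT at all, confirm the router can reach the server directly (the thread notes that /ping 10.20.40.254 gets no reply, which no dst-nat rule can fix). Once the forwards work, note that the export has every input-chain filter rule disabled and every /ip service bound to 0.0.0.0/0, so telnet, FTP, WWW and SSH on the router are reachable from the public side as well.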
 
lscully
just joined
Topic Author
Posts: 9
Joined: Tue Jun 13, 2006 11:17 pm

Mon Jun 19, 2006 10:07 pm

Yeah after I posted it, I realized I was probably in the wrong forum.

I added this to the walled garden on the hotspot:

src-address=10.20.40.254 dst-address=000.000.000.123 action=allow

Do I have that correct or is it backward? Tried it both ways and it didn't work either way.

Also, is the "dst-address=0.0.0.0/0" that you are talking about the one under the routes? If so, that is what it configured when I set up the interface.
 
jarosoup
Long time Member
Posts: 596
Joined: Sun Aug 22, 2004 9:02 am

Mon Jun 19, 2006 10:19 pm

No, the dst-address you are using in your firewall rules. Try both your dst-nat and walled garden rules *without* a dst-address of all zeros. I believe if you leave the dst-address blank, it implies all zeros (0.0.0.0/0).

Just try the walled garden with only a source address=your internal one and the action=accept, without a dst-address or port or anything else.
 
lscully
just joined
Topic Author
Posts: 9
Joined: Tue Jun 13, 2006 11:17 pm

Mon Jun 19, 2006 10:45 pm

I must be really dense today. I set up the walled garden with only the src:

src-address=10.20.40.254 action=allow

Still nothing traverses from the outside to the inside. I can see the packets coming in as the counters go up, but it never completes the action.

Something I am missing. Also I guess I don't understand where I am needing to change the dst-nat to be the Public IP. I have tried the walled garden to have the src-address and dst-address defined.

Sorry for the hassle
 
jarosoup
Long time Member
Posts: 596
Joined: Sun Aug 22, 2004 9:02 am

Tue Jun 20, 2006 3:22 am

add chain=dstnat in-interface=ether1 dst-address=000.000.000.000 protocol=tcp \
dst-port=8080 action=dst-nat to-addresses=10.20.40.254 to-ports=8080 \
comment="" disabled=no
add chain=dstnat in-interface=ether1 dst-address=000.000.000.000 protocol=tcp \
dst-port=3223 action=dst-nat to-addresses=10.20.40.254 to-ports=3223 \
comment="" disabled=no
The dst-addresses in bold above are what I'm referring to. You might need to add some log rules in your firewall or just play around with some rules to find out where the connection is getting hung up.
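The two checks raised in this thread (a placeholder dst-address on the dst-nat rule, and a dst-nat target that the hotspot has not been told to exempt) can be run mechanically over an export before touching the router. The script below is an added example for this page, not MikroTik code; it parses the backslash-wrapped export format shown above into sections and key=value rules, then reports on every active dst-nat rule. The embedded export is constructed for the example and is not the poster's full configuration.

```python
"""Parse a RouterOS export and sanity-check dst-nat port forwards against the
hotspot exemptions (walled-garden ip entries and bypassed ip-bindings).

Added example for this thread; not MikroTik code. Section and field names
follow the 2.9-style export shown in the thread."""
import shlex
from typing import Dict, List

Rule = Dict[str, str]

# Constructed sample: two dst-nat rules (one with the masked placeholder
# address), one walled-garden ip entry and one MAC-only ip-binding.
SAMPLE_EXPORT = """\
/ ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade comment="" disabled=no
add chain=dstnat in-interface=ether1 dst-address=000.000.000.000 protocol=tcp \\
dst-port=8080 action=dst-nat to-addresses=10.20.40.254 to-ports=8080 \\
comment="" disabled=no
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=3223 \\
action=dst-nat to-addresses=10.20.40.250 to-ports=3223 comment="" disabled=no
/ ip hotspot walled-garden ip
add src-address=10.20.40.254 action=accept comment="dst-nat target, allow \\
replies" disabled=no
/ ip hotspot ip-binding
add mac-address=00:0A:80:00:07:A6 type=bypassed comment="" disabled=no
"""

# Values the thread used to mask the real WAN address, plus "any address".
PLACEHOLDER_ADDRS = {"0.0.0.0", "0.0.0.0/0", "000.000.000.000"}


def _join_continuations(text: str) -> List[str]:
    """Join physical lines ending in a backslash into logical lines, the way
    the export wraps long rules (the wrap may fall inside a quoted comment)."""
    logical: List[str] = []
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        pending = ""
        if line:
            logical.append(line)
    if pending:
        logical.append(pending)
    return logical


def parse_export(text: str) -> Dict[str, List[Rule]]:
    """Return {section path: [rule, ...]}; key=value tokens become dict
    entries, the verb (add/set) goes under "_verb", bare words under "_args"."""
    sections: Dict[str, List[Rule]] = {}
    current = ""
    for line in _join_continuations(text):
        if line.startswith("/"):
            current = " ".join(line[1:].split())   # "/ ip firewall nat" -> "ip firewall nat"
            sections.setdefault(current, [])
            continue
        if not current:
            continue
        tokens = shlex.split(line)                  # handles comment="with spaces"
        rule: Rule = {"_verb": tokens[0]}
        for tok in tokens[1:]:
            if "=" in tok:
                key, value = tok.split("=", 1)
                rule[key] = value
            else:
                rule["_args"] = (rule.get("_args", "") + " " + tok).strip()
        sections[current].append(rule)
    return sections


def check_port_forwards(sections: Dict[str, List[Rule]]) -> List[str]:
    """Apply the two checks raised in the thread to every active dst-nat rule."""
    garden = sections.get("ip hotspot walled-garden ip", [])
    bindings = sections.get("ip hotspot ip-binding", [])
    exempt = {g.get("src-address") for g in garden
              if g.get("action") in ("accept", "allow") and g.get("disabled") != "yes"}
    exempt |= {b.get("address") for b in bindings
               if b.get("type") == "bypassed" and b.get("disabled") != "yes"}
    findings: List[str] = []
    for rule in sections.get("ip firewall nat", []):
        if rule.get("chain") != "dstnat" or rule.get("action") != "dst-nat":
            continue
        if rule.get("disabled") == "yes":
            continue
        port = rule.get("dst-port", "any")
        target = rule.get("to-addresses", "")
        if rule.get("dst-address") in PLACEHOLDER_ADDRS:
            findings.append(f"dst-port {port}: dst-address {rule['dst-address']} is a "
                            "placeholder; use the router's real WAN address or omit it")
        if target not in exempt:
            findings.append(f"dst-port {port}: target {target} is not exempted from the "
                            "hotspot (no walled-garden ip accept rule, no bypassed ip-binding)")
    return findings


if __name__ == "__main__":
    for finding in check_port_forwards(parse_export(SAMPLE_EXPORT)):
        print(finding)
```

Run it against a full `/export` saved to a file by replacing SAMPLE_EXPORT with the file contents; on the sample it reports the placeholder address on the 8080 rule and the un-exempted target of the 3223 rule, and stays silent for the 8080 target that the walled-garden entry covers.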