Community discussions

MikroTik App
  4. RouterOS
  5. General

information on src-nat

Post Reply
 
User avatar
pnajm
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 94
Joined: Thu Nov 21, 2013 6:54 pm

information on src-nat

Thu Mar 06, 2014 11:54 pm

Hello,
Can anyone please explain what "chain src-nat with action accept" does and what do they use it for.

Thanks :) :D
Top
 
SurferTim
Forum Guru
Forum Guru
Posts: 4636
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: information on src-nat

Fri Mar 07, 2014 1:04 am

The action=accept is used to exclude something from a specific rule. I used this recently. The example below excludes 192.168.0.2 from the redirect because it is a separate proxy server that you do not want going through the router's transparent proxy. All other 192.168.0.x ips will go through the router's proxy. edit: It is actually a dstnat, but the theory is the same.
Code: Select all
/ip firewall nat
add chain=dstnat action=accept src-address=192.168.0.2 dst-port=80 protocol=tcp
add chain=dstnat action=redirect src-address=192.168.0.0/24 dst-port=80 to-ports=8080 protocol=tcp
Top
 
efaden
Forum Guru
Forum Guru
Posts: 1708
Joined: Sat Mar 30, 2013 1:55 am
Location: New York, USA

Re: information on src-nat

Fri Mar 07, 2014 1:56 am

The action=accept is used to exclude something from a specific rule. I used this recently. The example below excludes 192.168.0.2 from the redirect because it is a separate proxy server that you do not want going through the router's transparent proxy. All other 192.168.0.x ips will go through the router's proxy. edit: It is actually a dstnat, but the theory is the same.
Code: Select all
/ip firewall nat
add chain=dstnat action=accept src-address=192.168.0.2 dst-port=80 protocol=tcp
add chain=dstnat action=redirect src-address=192.168.0.0/24 dst-port=80 to-ports=8080 protocol=tcp

You can actually do similar tricks in all of the nat and mangle chains. Very useful.
Top
 
User avatar
pnajm
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 94
Joined: Thu Nov 21, 2013 6:54 pm

Re: information on src-nat

Sat Mar 15, 2014 4:25 pm

The action=accept is used to exclude something from a specific rule. I used this recently. The example below excludes 192.168.0.2 from the redirect because it is a separate proxy server that you do not want going through the router's transparent proxy. All other 192.168.0.x ips will go through the router's proxy. edit: It is actually a dstnat, but the theory is the same.
Code: Select all
/ip firewall nat
add chain=dstnat action=accept src-address=192.168.0.2 dst-port=80 protocol=tcp
add chain=dstnat action=redirect src-address=192.168.0.0/24 dst-port=80 to-ports=8080 protocol=tcp
Thanks SurferTim,
can you please explain the following configuration and what it does :)
add chain=src-nat action=accept src-address=192.168.1.0/24 dst-address=192.168.2.0/24
add chain=src-nat action=accept src-address=192.168.2.0/24 dst-address=192.168.1.0/24

these are two subnets on 2 different interfaces but same router .

Thanks :)
Top
 
SurferTim
Forum Guru
Forum Guru
Posts: 4636
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: information on src-nat

Sat Mar 15, 2014 4:30 pm

can you please explain the following configuration and what it does :)
add chain=src-nat action=accept src-address=192.168.1.0/24 dst-address=192.168.2.0/24
add chain=src-nat action=accept src-address=192.168.2.0/24 dst-address=192.168.1.0/24
That keeps any srcnat rules from applying to those src and dst ip ranges. Normally the way I set up srcnats and masquerades, I don't need those rules. However, if you have a rule like this, you would need that.
Code: Select all
/ip firewall nat
add chain=srcnat action=masquerade
If you used an out-interface on that rule, you wouldn't need the accept rules.
Top
Post Reply
  4. RouterOS
  5. General