We have public ips (all of them)
Router is X.X.X.1
and servers are X.X.X.1 to 255
where X.X.X. are publicly routable ips (we do bgp for these)
My question is how do we do ip forwarding ?
We want all traffic for ips X.X.X.54 and X.X.X.69 port 25 to goto server X.X.X.15 . This server is an AV mailserver which routes back internally.
The servers on the internet will simply talk to x.x.x.15 port 25 and NOT have access to x.x.x.54 OR x.x.x.69 port 25 .
I know this is possible using port forwarding in IPtables and FreeBSD IPFW but how to do this in MT ?
We want all traffic for ips X.X.X.54 and X.X.X.69 port 25 to goto server X.X.X.15
Code: Select all
/ip firewall nat add chain=dstnat action=dst-nat protocol=tcp dst-port=25 dst-address=X.X.X.54 to-addresses=X.X.X.15 to-ports=25
I know this is possible using port forwarding in IPtables and FreeBSD IPFW but how to do this in MT ?
You are using public IPs, but when you want to do 'port forwarding' you are natting... you are performing 'network address translation' when you tell a packet to change its destination address in the headers. NAT doesn't have to be from public -> private, etc - it can be public -> public as well.Tried it doesnt work eugene. Please note my ips are all PUBLIC IPS . The router does only routing no NAT.
Sam
My nat rule does not get ANY hits . I dont use the router for firewall at all.
There is nothing in my config below . I below has the ip nat rule removed ...
/ ip firewall connection tracking
set enabled=no tcp-syn-sent-timeout=5s tcp-syn-received-timeout=5s tcp-established-timeout=1d tcp-fin-wait-timeout=10s \
tcp-close-wait-timeout=10s tcp-last-ack-timeout=10s tcp-time-wait-timeout=10s tcp-close-timeout=10s udp-timeout=10s \
udp-stream-timeout=3m icmp-timeout=10s generic-timeout=10m tcp-syncookie=no
/ ip firewall service-port
set ftp ports=210 disabled=no
set tftp ports=69 disabled=no
set irc ports=6667 disabled=no
set h323 disabled=yes
set quake3 disabled=yes
set gre disabled=yes
set pptp disabled=yes
what do I do ?
There is nothing in my config below . I below has the ip nat rule removed ...
/ ip firewall connection tracking
set enabled=no tcp-syn-sent-timeout=5s tcp-syn-received-timeout=5s tcp-established-timeout=1d tcp-fin-wait-timeout=10s \
tcp-close-wait-timeout=10s tcp-last-ack-timeout=10s tcp-time-wait-timeout=10s tcp-close-timeout=10s udp-timeout=10s \
udp-stream-timeout=3m icmp-timeout=10s generic-timeout=10m tcp-syncookie=no
/ ip firewall service-port
set ftp ports=210 disabled=no
set tftp ports=69 disabled=no
set irc ports=6667 disabled=no
set h323 disabled=yes
set quake3 disabled=yes
set gre disabled=yes
set pptp disabled=yes
what do I do ?
after putting the rule here is what it looks like, but there are no hits to the rule !
/ ip firewall nat
add chain=dstnat dst-address=X.X.X.54 protocol=tcp dst-port=25 action=dst-nat to-addresses=X.X.X.3 to-ports=25 \
comment="" disabled=no
/ ip firewall connection tracking
set enabled=no tcp-syn-sent-timeout=5s tcp-syn-received-timeout=5s tcp-established-timeout=1d tcp-fin-wait-timeout=10s \
tcp-close-wait-timeout=10s tcp-last-ack-timeout=10s tcp-time-wait-timeout=10s tcp-close-timeout=10s udp-timeout=10s \
udp-stream-timeout=3m icmp-timeout=10s generic-timeout=10m tcp-syncookie=no
/ ip firewall service-port
set ftp ports=210 disabled=no
set tftp ports=69 disabled=no
set irc ports=6667 disabled=no
set h323 disabled=yes
set quake3 disabled=yes
set gre disabled=yes
set pptp disabled=yes
/ ip firewall nat
add chain=dstnat dst-address=X.X.X.54 protocol=tcp dst-port=25 action=dst-nat to-addresses=X.X.X.3 to-ports=25 \
comment="" disabled=no
/ ip firewall connection tracking
set enabled=no tcp-syn-sent-timeout=5s tcp-syn-received-timeout=5s tcp-established-timeout=1d tcp-fin-wait-timeout=10s \
tcp-close-wait-timeout=10s tcp-last-ack-timeout=10s tcp-time-wait-timeout=10s tcp-close-timeout=10s udp-timeout=10s \
udp-stream-timeout=3m icmp-timeout=10s generic-timeout=10m tcp-syncookie=no
/ ip firewall service-port
set ftp ports=210 disabled=no
set tftp ports=69 disabled=no
set irc ports=6667 disabled=no
set h323 disabled=yes
set quake3 disabled=yes
set gre disabled=yes
set pptp disabled=yes
Is it possible to use this technique to do some kind of load balancing / round robin ?
Lets say Router is X.X.X.1
3 Servers X.X.X.24 , 54 , 74
We want to anything coming to X.X.X.10 port 25 go randomly to 24,54,74
ALL ips remain public ips
I hope this will help somebody else in the near future and I will post our solution to the back on the board so ot will benefit other people
Lets say Router is X.X.X.1
3 Servers X.X.X.24 , 54 , 74
We want to anything coming to X.X.X.10 port 25 go randomly to 24,54,74
ALL ips remain public ips
I hope this will help somebody else in the near future and I will post our solution to the back on the board so ot will benefit other people