-
-
stefanelul2000
newbie
- Posts: 29
- Joined:
2 NAT masquerade
Recently I've bought a second ip from my ISP. Both ip's that I own at this moment are provided via a PPPoE connection. I only have one LAN network, I kept it the default 192.168.88.0/24. I have a server with the static ip 192.168.88.5. The server hosts a website and because of it I want the server to use the 2 PPPoE connection. So the idea is that 192.168.88.5 should ONLY use PPPoE connection 2 while the rest of the devices should use PPPoE connection 1. I've tried to NAT masquerade 192.168.88.5 to PPPoE 2 but that didn't work. I am not so keen on making a separate LAN just for the server, I would like to keep it on the same network that it is right now. Do you have any suggestions on how I can solve my problem? Thanks
Re: 2 NAT masquerade
Have a look at this thread: viewtopic.php?f=2&t=142614&p=703175#p703175
You'll need:
* separate routing table for the other pppoe
* mangle (be careful with fasttrack in that case, as in the linked thread) or routing rule to push traffic over it
You'll need:
* separate routing table for the other pppoe
* mangle (be careful with fasttrack in that case, as in the linked thread) or routing rule to push traffic over it
-
-
stefanelul2000
newbie
- Posts: 29
- Joined:
Re: 2 NAT masquerade
I managed to mangle the 2nd pppoe connection to the required device, both inbound and outbound connections use the right path. There is still one issure. On that device I have a webserver, I port forwarded with dst-nat but it doesn't work, it works if I try and access my website from my phone on mobile data it works but not from a local device (same network as the webserver. Before I got the 2nd pppoe connection I used hairpin NAT and it worked, now it doesn't. What can I do ?Have a look at this thread: viewtopic.php?f=2&t=142614&p=703175#p703175
You'll need:
* separate routing table for the other pppoe
* mangle (be careful with fasttrack in that case, as in the linked thread) or routing rule to push traffic over it
Re: 2 NAT masquerade
Is your server addressable using the isp1 ip, then setup hairpin for that ip. If through second, then hairpin for second. If both, then for both.
-
-
stefanelul2000
newbie
- Posts: 29
- Joined:
Re: 2 NAT masquerade
Well is accessible just using the 2nd ip, pppoe 2.Is your server addressable using the isp1 ip, then setup hairpin for that ip. If through second, then hairpin for second. If both, then for both.
My current Hairpin NAT looks like this.
Code: Select all
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=192.168.88.0/24 src-address=192.168.88.0/24
add action=dst-nat chain=dstnat comment="Forward port 80 to Organizr" dst-address=!192.168.88.1 dst-address-type=local dst-port=80 protocol=tcp \
to-addresses=192.168.88.5 to-ports=81
add action=dst-nat chain=dstnat comment="Forward port 443 to Organizr" dst-address=!192.168.88.1 dst-address-type=local dst-port=443 protocol=tcp \
to-addresses=192.168.88.5 to-ports=444
add action=dst-nat chain=dstnat comment="Forward port 6881-6999 to rTorrent" dst-address=!192.168.88.1 dst-address-type=local dst-port=6881-6999 \
protocol=tcp to-addresses=192.168.88.5 to-ports=6881-6999
Re: 2 NAT masquerade
Not sure what that is supposed to do? Lan-to-lan doesn't (normally) pass through firewall.
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=192.168.88.0/24 src-address=192.168.88.0/24
With "dst-address=!192.168.88.1 dst-address-type=local" you're trying to dynamically determine the wan ip?
I think these rules should be enough:
* external traffic going to yourserver.org -> <external_ip:80>: is going to local ip of firewall and not the internal ip -> rule applies
* internal traffic going to yourserver.org -> <external_ip:80>: is going to local ip of firewall and not the internal ip -> rule applies
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=192.168.88.0/24 src-address=192.168.88.0/24
With "dst-address=!192.168.88.1 dst-address-type=local" you're trying to dynamically determine the wan ip?
I think these rules should be enough:
* external traffic going to yourserver.org -> <external_ip:80>: is going to local ip of firewall and not the internal ip -> rule applies
* internal traffic going to yourserver.org -> <external_ip:80>: is going to local ip of firewall and not the internal ip -> rule applies
-
-
stefanelul2000
newbie
- Posts: 29
- Joined:
Re: 2 NAT masquerade
Yeah, I'm not getting exact what you are trying to say. I don't know what rules I should use or modify
Re: 2 NAT masquerade
In short: disable that rule "add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=192.168.88.0/24 src-address=192.168.88.0/24" and try
-
-
stefanelul2000
newbie
- Posts: 29
- Joined:
Re: 2 NAT masquerade
I've disabled the first masquerade rule but still no luck. I have the following rules now but with no luck.
The mangle rule works, so the server at 192.168.88.5 gets the ip from the 2nd internet connection, that being 86.125.104.111.
In NAT i have this rules but they don't work, I specified my external IP and that type of port forward worked before.
I've also added this rules to the routes tab. Am I missing anything?
Code: Select all
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=WAN2 passthrough=no src-address=192.168.88.5
add action=accept chain=prerouting dst-address=86.125.104.111
Code: Select all
/ip firewall nat
add action=masquerade chain=srcnat comment="WAN RDS SERVER NAT" out-interface="PPPoE Server" routing-mark=WAN2
add action=masquerade chain=srcnat comment="WAN RDS NAT" out-interface="PPPoE RDS" src-address=192.168.88.0/24
add action=masquerade chain=srcnat comment="WAN VDF NAT" out-interface=ETH2-VDF
add action=masquerade chain=srcnat comment="VPN NAT" out-interface="PPPoE RDS" src-address=192.168.50.1-192.168.50.254
add action=dst-nat chain=dstnat comment="Forward port 80 to Organizr" dst-address=86.125.104.111 dst-port=80 in-interface="PPPoE Server" protocol=tcp \
to-addresses=192.168.88.5 to-ports=81
add action=dst-nat chain=dstnat comment="Forward port 443 to Organizr" dst-address=86.125.104.111 dst-address-type=local dst-port=443 in-interface=\
"PPPoE Server" protocol=tcp to-addresses=192.168.88.5 to-ports=444
Code: Select all
/ip route rule
add action=lookup-only-in-table src-address=192.168.88.5/32 table=WAN2
add action=lookup-only-in-table dst-address=192.168.88.0/24 table=main
add src-address=86.125.104.111/32 table=WAN2
Re: 2 NAT masquerade
Would you mind listing your config "/export hide-sensitive compact"?
-
-
stefanelul2000
newbie
- Posts: 29
- Joined:
Re: 2 NAT masquerade
This is my config.
Code: Select all
/interface bridge
add arp=proxy-arp fast-forward=no name="LAN Bridge"
/interface ethernet
set [ find default-name=ether1 ] name=ETH1-RDS speed=100Mbps
set [ find default-name=ether2 ] name=ETH2-VDF speed=100Mbps
set [ find default-name=ether3 ] arp=proxy-arp name=ETH3-LAN speed=100Mbps
set [ find default-name=ether4 ] name=ETH4-SRV speed=100Mbps
set [ find default-name=ether5 ] arp=proxy-arp name=ETH5-PowerLine speed=100Mbps
set [ find default-name=ether6 ] speed=100Mbps
set [ find default-name=ether7 ] speed=100Mbps
set [ find default-name=ether8 ] speed=100Mbps
set [ find default-name=ether9 ] speed=100Mbps
set [ find default-name=ether10 ] speed=100Mbps
set [ find default-name=sfp1 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes
/interface pppoe-client
add add-default-route=yes disabled=no interface=ETH1-RDS max-mtu=1480 name="PPPoE RDS" use-peer-dns=yes user=CRPBV260179184
add disabled=no interface=ETH1-RDS max-mtu=1480 name="PPPoE Server" use-peer-dns=yes user=CRPBV262029189
/interface gre
add allow-fast-path=no !keepalive local-address=86.123.175.221 name=GRE-Office remote-address=217.10.195.122
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
add name=WAN
add name=LAN
add name=local
add name=internet
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip firewall layer7-protocol
add name=dc-contab.root regexp=dc-contab.root
/ip ipsec peer profile
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256,aes-128 hash-algorithm=sha256
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc lifetime=0s pfs-group=modp2048
/ip kid-control
add name=kid1
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=vpn ranges=192.168.50.2-192.168.50.50
add name=dhcp-srv ranges=192.168.200.2-192.168.200.5
/ip dhcp-server
add add-arp=yes address-pool=dhcp disabled=no interface="LAN Bridge" lease-time=3d name=LANv4
/ipv6 dhcp-server
add address-pool=ipv6 disabled=yes interface="LAN Bridge" name=LANv6
/ppp profile
add dns-server=192.168.88.1 local-address=192.168.50.1 name=VPN remote-address=vpn use-encryption=required use-ipv6=no
/interface bridge port
add bridge="LAN Bridge" interface=ETH3-LAN
add bridge="LAN Bridge" interface=ETH4-SRV
add bridge="LAN Bridge" interface=ETH5-PowerLine
add bridge="LAN Bridge" interface=ether6
add interface=ether7
add interface=ether8
add interface=ether9
add interface=ether10
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=all lan-interface-list=LAN wan-interface-list=WAN
/interface l2tp-server server
set default-profile=VPN use-ipsec=yes
/interface list member
add list=discover
add interface=ETH3-LAN list=discover
add interface=ETH4-SRV list=discover
add interface=ETH5-PowerLine list=discover
add interface=sfp1 list=discover
add list=discover
add interface=ether7 list=discover
add interface=ether8 list=discover
add interface=ether9 list=discover
add interface=ether10 list=discover
add list=discover
add list=mactel
add list=mac-winbox
add interface=ETH1-RDS list=WAN
add interface="LAN Bridge" list=LAN
add interface="PPPoE RDS" list=WAN
add interface=ETH2-VDF list=WAN
/interface pptp-server server
set authentication=mschap2 default-profile=VPN enabled=yes max-mru=1460 max-mtu=1460
/ip address
add address=192.168.88.1/24 interface="LAN Bridge" network=192.168.88.0
add address=172.22.22.2/30 interface=GRE-Office network=172.22.22.0
add address=192.168.1.20/24 interface=ETH2-VDF network=192.168.1.0
/ip dhcp-server lease
add address=192.168.88.2 mac-address=CC:2D:E0:2E:77:4D server=LANv4
add address=192.168.88.5 mac-address=50:E5:49:5C:5E:E7 server=LANv4
add address=192.168.88.6 mac-address=2C:56:DC:D6:A1:AE server=LANv4
add address=192.168.88.3 mac-address=E0:CB:BC:34:F1:EA server=LANv4
add address=192.168.88.4 mac-address=E0:CB:BC:48:A2:7C server=LANv4
add address=192.168.88.7 mac-address=84:AA:9C:87:7C:73 server=LANv4
add address=192.168.88.9 always-broadcast=yes mac-address=00:20:6B:E1:4A:05 server=LANv4
add address=192.168.88.10 mac-address=02:42:C0:A8:58:0A server=LANv4
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.1 domain=Ciubi.local gateway=192.168.88.1 netmask=24
/ip dns
set allow-remote-requests=yes cache-size=10240KiB servers=1.1.1.1,1.0.0.1
/ip dns static
add address=192.168.1.1 name=router
add address=192.168.88.9 name=printer.ciubi.net
add address=192.168.88.5 name=server.ciubi.net
add address=192.168.88.3 name=ap1.ciubi.net
add address=192.168.88.4 name=ap2.ciubi.net
/ip firewall address-list
add address=217.10.195.122 list="WinBox Access"
add address=192.168.50.1-192.168.50.50 list="WinBox Access"
add address=192.168.100.0/24 list="WinBox Access"
/ip firewall filter
add action=drop chain=forward comment="Drop Invalid Connections RDS" connection-state=invalid in-interface="PPPoE RDS"
add action=drop chain=input connection-state=invalid in-interface="PPPoE RDS"
add action=drop chain=forward comment="Drop Invalid Connections VDF" connection-state=invalid in-interface=ETH2-VDF
add action=drop chain=input connection-state=invalid in-interface=ETH2-VDF
add action=drop chain=input comment="Drop DNS Requests" dst-port=53 in-interface="PPPoE RDS" protocol=tcp
add action=drop chain=input dst-port=53 in-interface="PPPoE RDS" protocol=udp
add action=accept chain=input comment="Allow VPN Connection" dst-port=1723 protocol=tcp
add action=accept chain=input protocol=gre
add action=accept chain=forward dst-port=50,68,123,320,500,6000,6006,7547,7548,4500 protocol=tcp
add action=accept chain=forward comment="Allow connections from LAN" in-interface="LAN Bridge"
add action=fasttrack-connection chain=forward comment="Allow established connections" connection-state=established
add action=accept chain=forward comment="Allow related connections" connection-state=related
add action=accept chain=input comment="Allow Ping from WAN RDS" in-interface="PPPoE RDS" protocol=icmp
add action=accept chain=input comment="Allow Ping from WAN VDF" in-interface=ETH2-VDF protocol=icmp
add action=accept chain=input comment="Allow access to the router from WinBox Address List" src-address-list="WinBox Access"
add action=accept chain=input comment="Allow established connections to the router RDS" connection-state=established in-interface="PPPoE RDS"
add action=accept chain=input comment="Allow related connections to the router RDS" connection-state=related in-interface="PPPoE RDS"
add action=accept chain=input comment="Allow established connections to the router VDF" connection-state=established in-interface=ETH2-VDF
add action=accept chain=input comment="Allow related connections to the router VDF" connection-state=related in-interface=ETH2-VDF
add action=drop chain=input in-interface-list=!LAN
/ip firewall mangle
add action=mark-routing chain=prerouting disabled=yes new-routing-mark=WAN2 passthrough=no src-address=192.168.88.5
add action=accept chain=prerouting disabled=yes dst-address=86.125.104.111
add action=mark-connection chain=prerouting dst-address=192.168.88.1 dst-port=53 layer7-protocol=dc-contab.root new-connection-mark=dc-contab.root-forward protocol=tcp
add action=mark-connection chain=prerouting dst-address=192.168.88.1 dst-port=53 layer7-protocol=dc-contab.root new-connection-mark=dc-contab.root-forward protocol=udp
/ip firewall nat
add action=masquerade chain=srcnat comment="WAN RDS SERVER NAT" out-interface="PPPoE Server" routing-mark=WAN2
add action=masquerade chain=srcnat comment="WAN RDS NAT" out-interface="PPPoE RDS" src-address=192.168.88.0/24
add action=masquerade chain=srcnat comment="WAN VDF NAT" out-interface=ETH2-VDF
add action=masquerade chain=srcnat comment="VPN NAT" out-interface="PPPoE RDS" src-address=192.168.50.1-192.168.50.254
add action=dst-nat chain=dstnat dst-address=86.123.175.221 dst-port=50,68,320,500,4500,6000,6006,7547,7548 in-interface="PPPoE RDS" protocol=tcp to-addresses=192.168.88.7 \
to-ports=0-65535
add action=src-nat chain=srcnat comment="Forward port 80 to Organizr" disabled=yes dst-address=192.168.88.1 dst-port=80 protocol=tcp src-address=!192.168.88.0/24 \
to-addresses=192.168.88.5 to-ports=81
add action=dst-nat chain=dstnat comment="Forward port 80 to Organizr" disabled=yes dst-address=86.125.104.111 dst-port=80 in-interface="PPPoE Server" protocol=tcp \
routing-mark=WAN2 to-addresses=192.168.88.5 to-ports=81
add action=dst-nat chain=dstnat comment="Forward port 443 to Organizr" disabled=yes dst-address=86.125.104.111 dst-address-type=local dst-port=443 in-interface="PPPoE Server" \
protocol=tcp routing-mark=WAN2 to-addresses=192.168.88.5 to-ports=444
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=192.168.88.0/24 src-address=192.168.88.0/24
add action=dst-nat chain=dstnat comment="Forward port 80 to Organizr" dst-address=!192.168.88.1 dst-address-type=local dst-port=80 protocol=tcp to-addresses=192.168.88.5 \
to-ports=81
add action=dst-nat chain=dstnat comment="Forward port 443 to Organizr" dst-address=!192.168.88.1 dst-address-type=local dst-port=443 protocol=tcp to-addresses=192.168.88.5 \
to-ports=444
add action=dst-nat chain=dstnat comment="Forward port 6881-6999 to rTorrent" dst-address=!192.168.88.1 dst-address-type=local dst-port=6881-6999 protocol=tcp to-addresses=\
192.168.88.5 to-ports=6881-6999
add action=dst-nat chain=dstnat comment="RDP SRV" disabled=yes dst-address=86.123.175.221 dst-port=3389 in-interface="PPPoE RDS" protocol=tcp to-addresses=192.168.88.5 \
to-ports=3389
add action=dst-nat chain=dstnat comment="NAT dc-contab.root zone" connection-mark=dc-contab.root-forward to-addresses=192.168.100.100
add action=masquerade chain=srcnat connection-mark=dc-contab.root-forward
/ip route
add distance=1 gateway="PPPoE Server" routing-mark=WAN2
add distance=10 gateway=192.168.1.1
add distance=1 dst-address=192.168.100.0/24 gateway=172.22.22.1
/ip route rule
add action=lookup-only-in-table disabled=yes src-address=192.168.88.5/32 table=WAN2
add action=lookup-only-in-table disabled=yes dst-address=192.168.88.0/24 table=main
add disabled=yes src-address=86.125.104.111/32 table=WAN2
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.88.6/32 disabled=yes
set ssh disabled=yes
/ip upnp
set allow-disable-external-interface=yes enabled=yes
/ip upnp interfaces
add interface="LAN Bridge" type=internal
add interface="PPPoE RDS" type=external
add interface=ETH2-VDF type=external
/ipv6 dhcp-client
add add-default-route=yes interface="PPPoE RDS" pool-name=ipv6 request=address,prefix
add add-default-route=yes interface="PPPoE Server" pool-name=ipv6-srv request=address,prefix
/ipv6 firewall filter
add action=accept chain=input comment="Allow established connections" connection-state=established
add action=accept chain=input comment="Allow related connections" connection-state=related
add action=accept chain=input comment="Allow ICMP" protocol=icmpv6
add action=reject chain=input comment="Reject invalid packets" connection-state=invalid
add action=accept chain=input comment="Allow local network" in-interface="LAN Bridge"
add action=add-src-to-address-list address-list=trying_to_login address-list-timeout=1d chain=input comment="list IP's who try remote login" dst-port=22 protocol=tcp
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1h chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1h chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1h chain=input connection-state=new dst-port=22 protocol=tcp
add action=accept chain=input comment="Allow SSH to router" dst-port=22 protocol=tcp
add action=reject chain=input comment="Reject TCP connections by default" protocol=tcp reject-with=tcp-reset
add action=reject chain=input comment="Reject other protocols by default" reject-with=icmp-admin-prohibited
add action=accept chain=forward comment="Allow established connections" connection-state=established
add action=accept chain=forward comment="Allow related connections" connection-state=related
add action=accept chain=forward comment="Allow ICMP" protocol=icmpv6
add action=reject chain=forward comment="Reject invalid packets" connection-state=invalid
add action=reject chain=forward comment="Reject TCP connections by default" protocol=tcp reject-with=tcp-reset
/ipv6 nd
set [ find default=yes ] hop-limit=64 interface="PPPoE RDS"
add advertise-dns=yes hop-limit=64 interface="LAN Bridge"
add hop-limit=64 interface="PPPoE Server"
/ipv6 nd prefix
add interface="PPPoE RDS" prefix=2a02:2f04:c:550a::/64
/lcd
set default-screen=stat-slideshow
/lcd interface pages
set 0 interfaces=ETH1-RDS,*2,ETH3-LAN,ETH4-SRV,ETH5-PowerLine,sfp1,*7,ether7,ether8,ether9,ether10
/ppp secret
add name=stefan profile=VPN
add name=catalin profile=VPN
add name=delia profile=VPN
/snmp
set contact=stefan@ciubi.net enabled=yes location=Brasov
/system clock
set time-zone-name=Europe/Bucharest
/system identity
set name="MikroTik Home"
/system ntp client
set enabled=yes primary-ntp=93.190.114.3 secondary-ntp=89.149.54.18
/system routerboard settings
set auto-upgrade=yes
/tool graphing interface
add
/tool graphing resource
add
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox