bammer
just joined
Topic Author
Posts: 4
Joined: Sun Jan 20, 2019 8:42 am
Location: México

Transparent Connection on SIP SERVER, is it possible?

Sun Jan 20, 2019 6:46 pm

Hello friends,
I am using a translator because I do not speak English very well; I hope you can understand this post.

I need a host (SIP SERVER) to have a direct connection with the ISP. I will explain right away:

Network scenario

[ISP] 189.xxx.xxx.xxx/21 ---- [MK GATEWAY] 11.11.11.0/24 ---- 11.11.11.252 [MK LAN] 192.168.0.0/23 ---- 192.168.0.1 [SIP SERVER]

The problem is that I receive daily attacks on port 5060 (SIP), and the SIP SERVER blocks my network 192.168.1.253 (GATEWAY) instead of blocking the IP of the attacker.

I have made a NAT rule for the port forwarding and I can communicate successfully from the INTERNET to the SIP SERVER.

How can I make the SIP SERVER see the IP of the INTERNET attackers, and not block the IP of the GATEWAY?

Thank you very much if you can help me.

I share my FIREWALL rules.


Gateway Rules

/ip firewall address-list
add address=11.11.11.0/24 list="LAN HMI"
add address=10.10.10.0/24 list="LAN DHCP"
add address=11.11.11.0/24 list=DNS_Accept
add address=10.10.10.0/24 list=DNS_Accept
add address=8.8.8.8 comment="Add DNS Server to this List" list=DNS_Accept
add address=8.8.4.4 comment="Add DNS Server to this List" list=DNS_Accept
add address=208.67.222.222 comment="Add DNS Server to this List" list=\
DNS_Accept
add address=208.67.220.220 comment="Add DNS Server to this List" list=\
DNS_Accept
/ip firewall filter
add action=accept chain=input comment="Accept PINGS" disabled=yes protocol=\
icmp
add action=accept chain=input comment="Port SIP Open" dst-port=5060 protocol=\
udp
add action=accept chain=forward comment="Port SIP Open" dst-port=5060 \
protocol=udp
add action=add-src-to-address-list address-list="0 IP SIP Request" \
address-list-timeout=none-dynamic chain=forward comment=\
"Port SIP Open LOG" dst-port=5060 protocol=udp
add action=accept chain=input comment=IN_CONN_Establecidas connection-state=\
established
add action=accept chain=input comment=IN_CONN_Relacionadas connection-state=\
related
add action=drop chain=input comment="IN_CONN_Drop Invalidas" \
connection-state=invalid
add action=accept chain=input comment="IN_CONN_Acept DHCP" src-address=\
10.10.10.0/24
add action=accept chain=input comment="IN_CONN_Accept Router" src-address=\
11.11.11.252
add action=jump chain=input comment="Jump to DNS_DDoS Chain" jump-target=\
DNS_DDoS
add action=accept chain=DNS_DDoS comment="Make exceptions for DNS" port=53 \
protocol=udp src-address-list=DNS_Accept
add action=accept chain=DNS_DDoS comment="Make exceptions for DNS" \
dst-address-list=DNS_Accept port=53 protocol=udp
add action=add-src-to-address-list address-list=DNS_DDoS \
address-list-timeout=none-dynamic chain=DNS_DDoS comment=\
"Add DNS_DDoS Offenders to Blacklist" port=53 protocol=udp \
src-address-list=!DNS_Accept
add action=drop chain=DNS_DDoS comment="Drop DNS_DDoS Offenders" \
src-address-list=DNS_DDoS
add action=return chain=DNS_DDoS comment="Return from DNS_DDoS Chain"
add action=drop chain=input comment="Drop External DNS" dst-port=53 \
in-interface=ether1-ISPMetrocarrier protocol=tcp
add action=drop chain=input dst-port=53 in-interface=ether1-ISPMetrocarrier \
protocol=udp
add action=drop chain=input dst-port=53 in-interface=ether2-ISPMegacable \
protocol=tcp
add action=drop chain=input dst-port=53 in-interface=ether2-ISPMegacable \
protocol=udp
add action=drop chain=input dst-port=53 in-interface=ether3-ISPTelmex \
protocol=tcp
add action=drop chain=input dst-port=53 in-interface=ether3-ISPTelmex \
protocol=udp
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="Port scanners to list " \
log-prefix=Port_Scanner protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" \
protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp \
tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp \
tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=\
tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp \
tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp \
tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="dropping port scanners" log-prefix=\
PORTSCANNER src-address-list="port scanners"
add action=add-src-to-address-list address-list=1-Knocking \
address-list-timeout=20s chain=input comment="PortKnocking " dst-port=\
2222 protocol=tcp
add action=add-src-to-address-list address-list=2-Knocking \
address-list-timeout=10m chain=input dst-port=1111 protocol=tcp \
src-address-list=1-Knocking
add action=add-src-to-address-list address-list=3SecureKnockingAccess \
address-list-timeout=none-dynamic chain=input src-address-list=2-Knocking
add action=accept chain=input comment="PortKnocking Accept" src-address-list=\
2-Knocking
add action=drop chain=input comment="Poxy To Internet" dst-port=8080 \
in-interface=ether1-ISPMetrocarrier protocol=tcp
add action=drop chain=input dst-port=8080 in-interface=ether2-ISPMegacable \
protocol=tcp
add action=drop chain=input dst-port=8080 in-interface=ether3-ISPTelmex \
protocol=tcp
add action=drop chain=input comment="FIltra ICMP Redirect" icmp-options=\
5:0-255 protocol=icmp
add action=drop chain=input comment="Filtro ataque SSH" connection-state=new \
dst-port=22 protocol=tcp src-address-list=SSH_Rompepelotas
add action=add-src-to-address-list address-list=SSH_Rompepelotas \
address-list-timeout=10m chain=input connection-state=new dst-port=22 \
protocol=tcp src-address-list=SSH_TercerIntento
add action=add-src-to-address-list address-list=SSH_TercerIntento \
address-list-timeout=1m chain=input connection-state=new dst-port=22 \
protocol=tcp src-address-list=SSH_SegundoIntento
add action=add-src-to-address-list address-list=SSH_SegundoIntento \
address-list-timeout=1m chain=input connection-state=new dst-port=22 \
protocol=tcp src-address-list=SSH_PrimerIntento
add action=add-src-to-address-list address-list=SSH_PrimerIntento \
address-list-timeout=1m chain=input connection-state=new dst-port=22 \
protocol=tcp src-address-list=!SSH_PrimerIntento
add action=drop chain=input comment="IN_CONN_Drop el resto"

add action=add-src-to-address-list address-list=ConnRemote_21 \
address-list-timeout=none-dynamic chain=forward disabled=yes dst-port=21 \
protocol=tcp
add action=add-src-to-address-list address-list=1-Knocking \
address-list-timeout=20s chain=forward comment="PortKnocking " dst-port=\
2222 protocol=tcp
add action=add-src-to-address-list address-list=2-Knocking \
address-list-timeout=1m chain=forward dst-port=1111 protocol=tcp \
src-address-list=1-Knocking
add action=add-src-to-address-list address-list=3SecureKnockingAccess \
address-list-timeout=none-dynamic chain=forward src-address-list=\
2-Knocking
add action=accept chain=forward comment="PortKnocking Accept" \
src-address-list=2-Knocking
add action=fasttrack-connection chain=forward comment=FastTrack \
connection-state=established,related
add action=accept chain=forward comment=FWD_CONN_Establecidas \
connection-state=established
add action=accept chain=forward comment=FWD_CONN_Relacionadas \
connection-state=related
add action=drop chain=forward comment=FWD_CONN_Invalidas connection-state=\
invalid
add action=accept chain=forward comment="FWD_CONN_Lan DHCP" out-interface=\
ether1-ISPMetrocarrier src-address=10.10.10.0/24 src-address-list=\
"LAN DHCP"
add action=accept chain=forward comment="FWD_CONN_Lan HMI" out-interface=\
ether1-ISPMetrocarrier src-address=11.11.11.252
add action=drop chain=forward comment="FWD_CONN_Drop Bogon Forward" \
connection-nat-state="" in-interface=ether1-ISPMetrocarrier log=yes \
log-prefix="Bogon Forward Drop" src-address-list=Bogon
add action=drop chain=forward comment="FWD_CONN_Drop Bogon Forward" \
connection-nat-state="" in-interface=ether2-ISPMegacable log=yes \
log-prefix="Bogon Forward Drop" src-address-list=Bogon
add action=drop chain=forward comment="FWD_CONN_Drop Bogon Forward" \
connection-nat-state="" in-interface=ether3-ISPTelmex log=yes log-prefix=\
"Bogon Forward Drop" src-address-list=Bogon
add action=accept chain=forward comment="FWD_CONN_Lan HMI" out-interface=\
ether2-ISPMegacable src-address=11.11.11.252
add action=accept chain=forward comment="FWD_CONN_Lan DHCP" out-interface=\
ether2-ISPMegacable src-address=10.10.10.0/24 src-address-list="LAN DHCP"
add action=drop chain=forward comment="Drop Internal DNS" dst-port=53 \
out-interface=!ether1-ISPMetrocarrier protocol=tcp
add action=drop chain=forward dst-port=53 out-interface=\
!ether1-ISPMetrocarrier protocol=udp
add action=drop chain=forward dst-port=53 out-interface=!ether2-ISPMegacable \
protocol=tcp
add action=drop chain=forward dst-port=53 out-interface=!ether2-ISPMegacable \
protocol=udp
add action=drop chain=forward comment="Drop Anything Else"


/ip firewall nat
add action=masquerade chain=srcnat comment="ISP Out"
add action=redirect chain=dstnat comment="DNS Redirection" dst-port=53 \
in-interface=!ether1-ISPMetrocarrier protocol=tcp
add action=redirect chain=dstnat dst-port=53 in-interface=\
!ether1-ISPMetrocarrier protocol=udp
add action=redirect chain=dstnat dst-port=53 in-interface=\
!ether2-ISPMegacable protocol=tcp
add action=redirect chain=dstnat dst-port=53 in-interface=\
!ether2-ISPMegacable protocol=udp
add action=redirect chain=dstnat dst-port=53 in-interface=!ether3-ISPTelmex \
protocol=tcp
add action=redirect chain=dstnat dst-port=53 in-interface=!ether3-ISPTelmex \
protocol=udp
add action=dst-nat chain=dstnat comment="Remote SIP Connection" dst-port=5060 \
in-interface=ether1-ISPMetrocarrier protocol=udp to-addresses=\
11.11.11.252 to-ports=5060



LAN Rules

/ip firewall address-list
add address=10.0.0.0-10.0.13.252 list="IP Hotspot"
add address=192.168.1.0/24 list="IP Admon"
add address=10.10.10.0/24 list="IP DHCP"
add address=10.10.10.0/24 list=DNS_Accept
add address=10.0.0.0/20 list=DNS_Accept
add address=192.168.1.0/24 list=DNS_Accept
add address=8.8.8.8 comment="Add DNS Server to this List" list=DNS_Accept
add address=8.8.4.4 comment="Add DNS Server to this List" list=DNS_Accept
add address=208.67.222.222 comment="Add DNS Server to this List" list=\
DNS_Accept
add address=208.67.220.220 comment="Add DNS Server to this List" list=\
DNS_Accept
add address=11.11.11.0/24 list=DNS_Accept
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
add action=drop chain=input comment="Drop Ping from Hotspot" protocol=icmp \
src-address-list="IP Hotspot"
add action=drop chain=forward comment="Drop Ping from Hotspot to Gateway" \
dst-address=11.11.11.253 protocol=icmp src-address-list="IP Hotspot"
add action=accept chain=input comment=IN_CONN_Establecidas connection-state=\
established
add action=accept chain=input comment=IN_CONN_Relacionadas connection-state=\
related
add action=drop chain=input comment=IN_CONN_Invalidas connection-state=\
invalid
add action=jump chain=input comment="Jump to DNS_DDoS Chain" jump-target=\
DNS_DDoS
add action=accept chain=DNS_DDoS comment="Make exceptions for DNS" port=53 \
protocol=udp src-address-list=DNS_Accept
add action=accept chain=DNS_DDoS comment="Make exceptions for DNS" \
dst-address-list=DNS_Accept port=53 protocol=udp
add action=add-src-to-address-list address-list=DNS_DDoS \
address-list-timeout=none-dynamic chain=DNS_DDoS comment=\
"Add DNS_DDoS Offenders to Blacklist" port=53 protocol=udp \
src-address-list=!DNS_Accept
add action=drop chain=DNS_DDoS comment="Drop DNS_DDoS Offenders" \
src-address-list=DNS_DDoS
add action=return chain=DNS_DDoS comment="Return from DNS_DDoS Chain"
add action=accept chain=input comment="IN_CONN_Lan ADMON" disabled=yes \
src-address-list="IP Admon"
add action=accept chain=input comment="IN_CONN_Lan DHCP" disabled=yes \
src-address-list="IP DHCP"
add action=accept chain=input comment="IN_CONN_Lan HOTSPOT" disabled=yes \
src-address-list="IP Hotspot"
add action=drop chain=input comment="IN_CONN_Drop Lan" connection-nat-state=\
!dstnat disabled=yes
add action=drop chain=input comment="IN_CONN_Drop el resto" \
connection-nat-state="" disabled=yes
add action=fasttrack-connection chain=forward comment=FastTrack \
connection-state=established,related disabled=yes
add action=accept chain=forward comment=FWD_CONN_Establecidas \
connection-state=established disabled=yes
add action=accept chain=forward comment=FWD_CONN_Relacionadas \
connection-state=related disabled=yes
add action=drop chain=forward comment=FWD_CONN_Invalidas connection-state=\
invalid disabled=yes
add action=accept chain=forward comment="FWD_CONN_Lan ADMON" disabled=yes \
src-address-list="IP Admon"
add action=accept chain=forward comment="FWD_CONN_Lan DHCP" disabled=yes \
src-address-list="IP DHCP"
add action=accept chain=forward comment="FWD_CONN_Lan HOTSPOT" disabled=yes \
src-address-list="IP Hotspot"
add action=drop chain=forward comment="FWD_CONN_Drop Lan" \
connection-nat-state=!dstnat disabled=yes
add action=drop chain=virus comment="Drop Blaster Worm" dst-port=135-139 \
protocol=tcp
add action=drop chain=virus comment="Drop Messenger Worm" dst-port=135-139 \
protocol=udp
add action=drop chain=virus comment="Drop Blaster Worm" dst-port=445 \
protocol=tcp
add action=drop chain=virus comment="Drop Blaster Worm" dst-port=445 \
protocol=udp
add action=drop chain=virus comment=________ dst-port=593 protocol=tcp
add action=drop chain=virus comment="Drop MyDoom" dst-port=1080 protocol=tcp
add action=drop chain=virus comment=________ dst-port=1214 protocol=tcp
add action=drop chain=virus comment="ndm requester" dst-port=1363 protocol=\
tcp
add action=drop chain=virus comment="ndm server" dst-port=1364 protocol=tcp
add action=drop chain=virus comment="screen cast" dst-port=1368 protocol=tcp
add action=drop chain=virus comment=hromgrafx dst-port=1373 protocol=tcp
add action=drop chain=virus comment=cichlid dst-port=1377 protocol=tcp
add action=drop chain=virus comment=Worm dst-port=1433-1434 protocol=tcp
add action=drop chain=virus comment="Bagle Virus" dst-port=2745 protocol=tcp
add action=drop chain=virus comment="Drop Dumaru.Y" dst-port=2283 protocol=\
tcp
add action=drop chain=virus comment="Drop Beagle" dst-port=2535 protocol=tcp
add action=drop chain=virus comment="Drop Beagle.C-K" dst-port=2745 protocol=\
tcp
add action=drop chain=virus comment="Drop MyDoom" dst-port=3127-3128 \
protocol=tcp
add action=drop chain=virus comment="Drop Backdoor OptixPro" dst-port=3410 \
protocol=tcp
add action=drop chain=virus comment=Worm dst-port=4444 protocol=tcp
add action=drop chain=virus comment=Worm dst-port=4444 protocol=udp
add action=drop chain=virus comment="Drop Sasser" dst-port=5554 protocol=tcp
add action=drop chain=virus comment="Drop Beagle.B" dst-port=8866 protocol=\
tcp
add action=drop chain=virus comment="Drop Dabber.A-B" dst-port=9898 protocol=\
tcp
add action=drop chain=virus comment="Drop Dumaru.Y" dst-port=10000 protocol=\
tcp
add action=drop chain=virus comment="Drop MyDoom.B" dst-port=10080 protocol=\
tcp
add action=drop chain=virus comment="Drop NetBus" dst-port=12345 protocol=tcp
add action=drop chain=virus comment="Drop Kuang2" dst-port=17300 protocol=tcp
add action=drop chain=virus comment="Drop SubSeven" dst-port=27374 protocol=\
tcp
add action=drop chain=virus comment="Drop PhatBot, Agobot, Gaobot" dst-port=\
65506 protocol=tcp
add action=jump chain=forward comment="jump to the virus chain" jump-target=\
virus
add action=drop chain=forward comment=\
"Drop tries to reach not public addresses from LAN" dst-address-list=\
not_in_internet in-interface=ether1-ISPMetrocarrier log=yes log-prefix=\
!public_from_LAN out-interface=!ether1-ISPMetrocarrier
add action=drop chain=forward comment=\
"Drop incoming packets that are not NATted" connection-nat-state=!dstnat \
connection-state=new in-interface=ether1-ISPMetrocarrier log=yes \
log-prefix=!NAT
add action=drop chain=forward comment=\
"Drop incoming from internet which is not public IP" in-interface=\
ether1-ISPMetrocarrier log=yes log-prefix=!public src-address-list=\
not_in_internet
add action=drop chain=input comment="Drop External DNS" dst-port=53 \
in-interface=ether1-ISPMetrocarrier protocol=tcp
add action=drop chain=input dst-port=53 in-interface=ether1-ISPMetrocarrier \
protocol=udp
add action=drop chain=input dst-port=53 in-interface=ether2-ISPMegacable \
protocol=tcp
add action=drop chain=input dst-port=53 in-interface=ether2-ISPMegacable \
protocol=udp
add action=drop chain=input dst-port=53 in-interface=ether3-ISPTelmex \
protocol=tcp
add action=drop chain=input dst-port=53 in-interface=ether3-ISPTelmex \
protocol=udp
add action=drop chain=input dst-port=53 in-interface=ether11-Gateway \
protocol=udp
add action=drop chain=input dst-port=53 in-interface=ether11-Gateway \
protocol=tcp
add action=drop chain=input comment="Poxy To Internet" dst-port=8080 \
in-interface=ether1-ISPMetrocarrier protocol=tcp
add action=drop chain=input dst-port=8080 in-interface=ether2-ISPMegacable \
protocol=tcp
add action=drop chain=input dst-port=8080 in-interface=ether3-ISPTelmex \
protocol=tcp
add action=drop chain=input dst-port=8080 in-interface=ether11-Gateway \
protocol=tcp
add action=drop chain=input comment="FIltra ICMP Redirect" icmp-options=\
5:0-255 protocol=icmp
add action=drop chain=input comment="Filtro ataque SSH" connection-state=new \
dst-port=22 protocol=tcp src-address-list=SSH_Rompepelotas
add action=add-src-to-address-list address-list=SSH_Rompepelotas \
address-list-timeout=10m chain=input connection-state=new dst-port=22 \
protocol=tcp src-address-list=SSH_TercerIntento
add action=add-src-to-address-list address-list=SSH_TercerIntento \
address-list-timeout=1m chain=input connection-state=new dst-port=22 \
protocol=tcp src-address-list=SSH_SegundoIntento
add action=add-src-to-address-list address-list=SSH_SegundoIntento \
address-list-timeout=1m chain=input connection-state=new dst-port=22 \
protocol=tcp src-address-list=SSH_PrimerIntento
add action=add-src-to-address-list address-list=SSH_PrimerIntento \
address-list-timeout=1m chain=input connection-state=new dst-port=22 \
protocol=tcp src-address-list=!SSH_PrimerIntento
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="Port scanners to list " \
protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" \
protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp \
tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp \
tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=\
tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp \
tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp \
tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="dropping port scanners" log-prefix=\
PORTSCANNER src-address-list="port scanners"
add action=drop chain=forward comment="Drop Internal DNS" dst-port=53 \
out-interface=!ether1-ISPMetrocarrier protocol=tcp
add action=drop chain=forward dst-port=53 out-interface=\
!ether1-ISPMetrocarrier protocol=udp
add action=drop chain=forward dst-port=53 out-interface=!ether2-ISPMegacable \
protocol=tcp
add action=drop chain=forward dst-port=53 out-interface=!ether2-ISPMegacable \
protocol=udp
add action=drop chain=forward dst-port=53 out-interface=!ether3-ISPTelmex \
protocol=tcp
add action=drop chain=forward dst-port=53 out-interface=!ether3-ISPTelmex \
protocol=udp
add action=drop chain=forward dst-port=53 out-interface=!ether11-Gateway \
protocol=tcp
add action=drop chain=forward dst-port=53 out-interface=!ether11-Gateway \
protocol=udp

add action=drop chain=forward comment="Block Admon a Hotspot" dst-address=\
10.0.0.0/20 src-address=192.168.0.0/23
add action=drop chain=forward comment="Block Hotspot a Admon" dst-address=\
192.168.0.0/23 src-address=10.0.0.0/20
add action=drop chain=forward comment="Block Hotspot a Hotspot" dst-address=\
10.0.0.0/20 src-address=10.0.0.0/20
add action=drop chain=forward comment="Block Hotspot a Gateway" dst-address=\
11.11.11.0/24 src-address=10.0.0.0/20
add action=drop chain=forward comment="Block Hotspot a DHCP" dst-address=\
10.10.10.0/24 src-address=10.0.0.0/20
add action=drop chain=forward comment="Block Hotspot a Telmex" dst-address=\
192.168.11.0/24 src-address=10.0.0.0/20
add action=drop chain=forward comment="Block Hotspot a Megacable" \
dst-address=192.168.10.0/24 src-address=10.0.0.0/20


/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat comment="ISP Out"
add action=redirect chain=dstnat comment="DNS Redirection" dst-port=53 \
in-interface=!ether1-ISPMetrocarrier protocol=tcp
add action=redirect chain=dstnat dst-port=53 in-interface=\
!ether1-ISPMetrocarrier protocol=udp
add action=redirect chain=dstnat dst-port=53 in-interface=\
!ether2-ISPMegacable protocol=tcp
add action=redirect chain=dstnat dst-port=53 in-interface=\
!ether2-ISPMegacable protocol=udp
add action=redirect chain=dstnat dst-port=53 in-interface=!ether3-ISPTelmex \
protocol=tcp
add action=redirect chain=dstnat dst-port=53 in-interface=!ether3-ISPTelmex \
protocol=udp
add action=redirect chain=dstnat dst-port=53 in-interface=!ether11-Gateway \
protocol=tcp
add action=redirect chain=dstnat dst-port=53 in-interface=!ether11-Gateway \
protocol=udp
add action=dst-nat chain=dstnat comment="Remote SIP Connection" dst-port=5060 \
in-interface=ether11-Gateway protocol=udp to-addresses=192.168.0.1 \
to-ports=5060
 
cdiedrich
Forum Veteran
Posts: 997
Joined: Thu Feb 13, 2014 2:03 pm
Location: Basel, Switzerland // Bremen, Germany

Re: Transparent Connection on SIP SERVER, is it possible?  [SOLVED]

Mon Jan 21, 2019 1:53 pm

Your default masquerade rule is too ambiguous.
With your current setting everything will be NATed.
It looks like you have multiple ISPs and a bunch of local networks attached.

Try to narrow down your masquerade rule.
Add all your local subnets to another address list "localnetworks".
Adjust your masquerade rule to this:
/ip firewall nat
add chain=srcnat action=masquerade src-address-list=localnetworks dst-address-list=!localnetworks
And it should work. This will only masquerade traffic from local networks that is not going to other local networks (i.e. WAN). All other traffic (all from WAN to LAN and from one local network to another local network) will carry the original src-addresses.
This is just a quick'n'dirty adjustment for getting what you want right away.
I'm almost certain that you have static addresses on all your WAN-facing interfaces - so you'd be better off with action=srcnat and defining out-interfaces but that would need more configuration to keep your lan-wan mapping, load balancing, failover working.

Good luck,
-Chris
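To make the effect of the two rules concrete, here is an added Python model (not code from the post or from RouterOS) that evaluates the original catch-all masquerade and the narrowed rule above against three sample connections built from the thread's addresses; the Internet host 203.0.113.10 and the MK LAN interface names are assumed.

```python
"""Model of how a RouterOS srcnat rule changes the source address a LAN host sees.

Constructed example for this thread; it is not code from the post or from RouterOS.
It evaluates the original catch-all masquerade and the narrowed rule Chris suggests
against three sample connections built from the addresses in the thread.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Address list as suggested in the reply (subnets taken from the thread).
ADDRESS_LISTS = {
    "localnetworks": [ipaddress.ip_network(n) for n in
                      ("192.168.0.0/23", "10.10.10.0/24", "11.11.11.0/24")],
}

# Addresses of the MK LAN router's interfaces. The interface names are assumed;
# the addresses are the ones named in the thread.
INTERFACE_ADDR = {
    "ether11-Gateway": "11.11.11.252",  # uplink toward MK GATEWAY
    "bridge-lan": "192.168.1.253",      # the address the SIP server was blocking
}


@dataclass
class Conn:
    """A forwarded connection after dstnat, as seen by the srcnat chain."""
    src: str
    dst: str
    out_interface: str


@dataclass
class SrcNatRule:
    action: str                               # "masquerade" or "src-nat"
    src_address_list: Optional[str] = None
    dst_address_list: Optional[str] = None    # a leading "!" negates the match
    out_interface: Optional[str] = None
    to_addresses: Optional[str] = None        # only for action=src-nat


def in_address_list(addr: str, spec: str) -> bool:
    """True if addr matches spec; "!name" means "not in list name"."""
    negate = spec.startswith("!")
    name = spec.lstrip("!")
    hit = any(ipaddress.ip_address(addr) in net for net in ADDRESS_LISTS[name])
    return hit != negate


def rule_matches(rule: SrcNatRule, conn: Conn) -> bool:
    if rule.src_address_list and not in_address_list(conn.src, rule.src_address_list):
        return False
    if rule.dst_address_list and not in_address_list(conn.dst, rule.dst_address_list):
        return False
    if rule.out_interface and rule.out_interface != conn.out_interface:
        return False
    return True


def source_seen_by_destination(rule: SrcNatRule, conn: Conn) -> str:
    """Source address the destination host sees once the single srcnat rule ran."""
    if not rule_matches(rule, conn):
        return conn.src                               # no translation: original source kept
    if rule.action == "masquerade":
        return INTERFACE_ADDR[conn.out_interface]     # address of the outgoing interface
    return rule.to_addresses                          # action=src-nat rewrites to a fixed address


# The two rules compared in the thread.
CATCH_ALL = SrcNatRule(action="masquerade")
NARROWED = SrcNatRule(action="masquerade",
                      src_address_list="localnetworks",
                      dst_address_list="!localnetworks")

# Sample connections (constructed). 203.0.113.10 stands in for an Internet host
# whose SIP traffic has already been dst-nat'ed to the SIP server.
INBOUND_SIP = Conn(src="203.0.113.10", dst="192.168.0.1", out_interface="bridge-lan")
LAN_TO_WAN = Conn(src="192.168.0.50", dst="8.8.8.8", out_interface="ether11-Gateway")
LAN_TO_LAN = Conn(src="10.10.10.5", dst="192.168.0.1", out_interface="bridge-lan")

if __name__ == "__main__":
    for name, conn in (("inbound SIP", INBOUND_SIP), ("LAN->WAN", LAN_TO_WAN),
                       ("LAN->LAN", LAN_TO_LAN)):
        print(f"{name:12} catch-all: {source_seen_by_destination(CATCH_ALL, conn):15} "
              f"narrowed: {source_seen_by_destination(NARROWED, conn)}")
```

With the catch-all rule the SIP server sees 192.168.1.253 for every inbound call and bans its own gateway; with the narrowed rule only local-to-WAN traffic is masqueraded and the server sees the real Internet source.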
 
bammer
just joined
Topic Author
Posts: 4
Joined: Sun Jan 20, 2019 8:42 am
Location: México

Re: Transparent Connection on SIP SERVER, is it possible?

Tue Jan 22, 2019 6:04 pm

> Your default masquerade rule is too ambiguous.
> With your current setting everything will be NATed.
> It looks like you have multiple ISPs and a bunch of local networks attached.
>
> Try to narrow down your masquerade rule.
> Add all your local subnets to another address list "localnetworks".
> Adjust your masquerade rule to this:
> /ip firewall nat
> add chain=srcnat action=masquerade src-address-list=localnetworks dst-address-list=!localnetworks
> And it should work. This will only masquerade traffic from local networks that is not going to other local networks (i.e. WAN). All other traffic (all from WAN to LAN and from one local network to another local network) will carry the original src-addresses.
> This is just a quick'n'dirty adjustment for getting what you want right away.
> I'm almost certain that you have static addresses on all your WAN-facing interfaces - so you'd be better off with action=srcnat and defining out-interfaces but that would need more configuration to keep your lan-wan mapping, load balancing, failover working.
>
> Good luck,
> -Chris

Thank you very much, Chris!

It works perfectly. I only have one question: can this expose the security of my network, the fact that my local networks do not have NAT?

-Greetings
-Andrés
 
cdiedrich
Forum Veteran
Posts: 997
Joined: Thu Feb 13, 2014 2:03 pm
Location: Basel, Switzerland // Bremen, Germany

Re: Transparent Connection on SIP SERVER, is it possible?

Wed Jan 23, 2019 1:33 pm

Great to hear it works.
I wouldn't say so security-wise.
-Chris