MikroTik

Community discussions
https://forum.mikrotik.com/

Setting up DMZ on an IP address

https://forum.mikrotik.com/viewtopic.php?t=121069

Page 1 of 1

Setting up DMZ on an IP address

Posted: Tue Apr 25, 2017 12:48 am
by Zero3K
How do I do that? I have a Uverse modem, Powerline Adapter, SamKnows WhiteBox and a Raspberry Pi connected to it. The IP address I want to be DMZ'd is 10.0.1.4 and the IP address of the RB951G-2HnD is 192.168.1.3 on the WAN side and 10.0.1.1 on the LAN side.

EDIT: Here is its config:
Code: Select all
# apr/24/2017 20:09:05 by RouterOS 6.39rc79
# software id = 1K0I-0HHR
#
/interface bridge
add admin-mac=E4:8D:8C:75:E2:25 auto-mac=no fast-forward=no name=bridge-local
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway
set [ find default-name=ether2 ] name=ether2-master-local
set [ find default-name=ether3 ] master-port=ether2-master-local name=\
    ether3-slave-local
set [ find default-name=ether4 ] master-port=ether2-master-local name=\
    ether4-slave-local
set [ find default-name=ether5 ] master-port=ether2-master-local name=\
    ether5-slave-local
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
    distance=indoors frequency=auto mode=ap-bridge ssid=MikroTik-75E229 \
    wireless-protocol=802.11
/ip neighbor discovery
set ether1-gateway discover=no
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc
/ip pool
add name=default-dhcp ranges=10.0.1.2-10.0.1.21
/ip dhcp-server
add address-pool=default-dhcp authoritative=after-2sec-delay disabled=no \
    interface=bridge-local name=default
/tool user-manager customer
set admin access=\
    own-routers,own-users,own-profiles,own-limits,config-payment-gw
/interface bridge port
add bridge=bridge-local interface=ether2-master-local
add bridge=bridge-local interface=wlan1
/interface l2tp-server server
set caller-id-type=ip-address
/ip address
add address=10.0.1.1/24 comment="default configuration" interface=\
    ether2-master-local network=10.0.1.0
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid disabled=\
    no interface=ether1-gateway
/ip dhcp-server network
add address=192.168.88.0/24 comment="default configuration" gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes servers=10.0.1.85
/ip dns static
add address=10.0.1.1 name=router
/ip firewall filter
add action=accept chain=input comment="default configuration" protocol=icmp
add action=accept chain=input comment="default configuration" \
    connection-state=established,related
add action=drop chain=input comment="default configuration" in-interface=\
    ether1-gateway
add action=fasttrack-connection chain=forward comment="default configuration" \
    connection-state=established,related
add action=accept chain=forward comment="default configuration" \
    connection-state=established,related
add action=drop chain=forward comment="default configuration" \
    connection-state=invalid
add action=drop chain=forward comment="default configuration" \
    connection-nat-state=!dstnat connection-state=new in-interface=\
    ether1-gateway
/ip firewall nat
add action=masquerade chain=srcnat
/system clock
set time-zone-name=America/Kentucky/Louisville
/system lcd
set contrast=0 enabled=no port=parallel type=24x4
/system lcd page
set time disabled=yes display-time=5s
set resources disabled=yes display-time=5s
set uptime disabled=yes display-time=5s
set packets disabled=yes display-time=5s
set bits disabled=yes display-time=5s
set version disabled=yes display-time=5s
set identity disabled=yes display-time=5s
set bridge-local disabled=yes display-time=5s
set wlan1 disabled=yes display-time=5s
set ether1-gateway disabled=yes display-time=5s
set ether2-master-local disabled=yes display-time=5s
set ether3-slave-local disabled=yes display-time=5s
set ether4-slave-local disabled=yes display-time=5s
set ether5-slave-local disabled=yes display-time=5s
/system leds
set 0 interface=wlan1
/system routerboard settings
set init-delay=0s
/system scheduler
add interval=1h name="Update FreeDNS IP Automatically" on-event=\
    "/system script run FreeDNS" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive start-time=\
    startup
/system script
add name=FreeDNS owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive source="#######\
    #######   Script FreeDNS.afraid.org   ##################\r\
    \n##############   PARSER EDITION   ##################\r\
    \n##############   CREATED LESHIY_ODESSA   ##################\r\
    \n   \r\
    \n# Specify the \"Direct URL\", which is https://freedns.afraid.org/dynami\
    c/\r\
    \n# If RouterOS version 5.xx, then remove from the URL encryption - \"http\
    s\" change this to \"http\". Also see below.\r\
    \n# In front of the sign \"\?\" put a backslash \"\\\".\r\
    \n:global \"direct-url\" \"http://freedns.afraid.org/dynamic/update.php\\\
    \?cWpIUk9oZ1UzQWNhRFZkZ1VWMzRsUjd3OjEwMDk3ODc3\"\r\
    \n\r\
    \n# Specify the URL API \"ASCII\"\r\
    \n# Log in under your account and open the page https://freedns.afraid.org\
    /api/\r\
    \n# Then copy the URL of your site - Available API Interfaces : ASCII (!!!\
    \_NOT XML !!!)\r\
    \n# ATTENTION!!!! Before the question mark, put a backslash \"\\\".\r\
    \n# If RouterOS version 5.xx, then remove from the URL encryption - \"http\
    s\" change this to \"http\".\r\
    \n:global \"api-url\" \"http://freedns.afraid.org/api/\\\?action=getdyndns\
    &sha=0c1180aab1c3ee45f78da2f2358fbf7e6b2577dd\"\r\
    \n    \r\
    \n# Specify your domain or subdomain.\r\
    \n:global \"dns-domain\" \"zero3k.privatedns.org\"\r\
    \n\r\
    \n# Define variables for the external (WAN) interface\r\
    \n# Case sensitive.\r\
    \n:global \"out-interface\" \"ether1-gateway\"\r\
    \n       \r\
    \n# !!!!!!!!!!!!!!!!! Nothing more do not need to edit!!!!!!!!!!!!!!!!!\r\
    \n       \r\
    \n# Check whether the file with the IP domain - freedns.txt\r\
    \n:if ([:len [/file find name=freedns.txt]] > 0) do={\r\
    \n} else={\r\
    \n/tool fetch url=\$\"api-url\" dst-path=\"/freedns.txt\"\r\
    \n}\r\
    \n# Find out the IP address of the domain using the API and parsing.\r\
    \n# Split the file\r\
    \n:local \"result\" [/file get freedns.txt contents]\r\
    \n:local \"startloc\" ([:find \$\"result\" \$\"dns-domain\"] + ([:len \$\"\
    dns-domain\"] + 1))\r\
    \n:local \"endloc\" ([:find \$\"result\" \$\"direct-url\" -1] -1)\r\
    \n:global \"dns-domain-ip\" [:pick \$\"result\" \$\"startloc\" \$\"endloc\
    \"]\r\
    \n       \r\
    \n# Find the current IP address on the external interface\r\
    \n:global \"current-ip\" [/ip address get [find interface=\$\"out-interfac\
    e\"] address]\r\
    \n    \r\
    \n# Obtained from IP addresses to be excluded subnet mask\r\
    \n:set \"current-ip\" [:pick \$\"current-ip\" 0 ([:len \$\"current-ip\"]-3\
    ) ]\r\
    \n       \r\
    \n# Compare the external IP with the IP address of the DNS domain.\r\
    \n:if (\$\"current-ip\" != \$\"dns-domain-ip\") do={\r\
    \n\r\
    \n# If different, then sent to freedns.afraid.org our external IP by using\
    \_Direct URL\r\
    \n:log info (\"Service Dynamic DNS: old IP address \$\"dns-domain-ip\" for\
    \_\$\"dns-domain\" CHANGED to -> \$\"current-ip\"\")\r\
    \n/tool fetch url=\$\"direct-url\" keep-result=no\r\
    \n# Download the file with the new IP after 5 sec.\r\
    \n:delay 5\r\
    \n/tool fetch url=\$\"api-url\" dst-path=\"/freedns.txt\"\r\
    \n} else={\r\
    \n# Not to clog the log, you need to comment out this line.\r\
    \n:log info (\"IP address is NOT CHANGED, the update is not required\")\r\
    \n}\r\
    \n    \r\
    \n# Since version RouterOS version 6.0rc12 supported encryption /tool fetc\
    h mode=https\r\
    \n# In :global \"direct-url\" need to change to httpS://\r\
    \n# For RouterOS version 6.xx\r\
    \n# /tool fetch mode=https url=\$\"direct url\"\r\
    \n# :global \"direct-url\" \"https://freedns.afraid.org/dynamic/update.php\
    \\\?UVdjU2lzQmQwSkdjZW9aWkNleTdJdXFtOjg2NTI0NzE=\"\r\
    \n\r\
    \n#      http://wiki.mikrotik.com/wiki/Manual:Scripting\r\
    \n#      http://wiki.mikrotik.com/wiki/Manual:Scripting-examples\r\
    \n#      http://wiki.mikrotik.com/wiki/Manual:Tools/Fetch\r\
    \n#      http://forum.ixbt.com/topic.cgi\?id=14:60498-86#2373\r\
    \n\r\
    \n##############Script FreeDNS.afraid.org##################\r\
    \n\r\
    \n\r\
    \n"
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=ether3-slave-local
add interface=ether4-slave-local
add interface=ether5-slave-local
add interface=wlan1
add interface=bridge-local
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=ether3-slave-local
add interface=ether4-slave-local
add interface=ether5-slave-local
add interface=wlan1
add interface=bridge-local
/tool romon port
add
/tool user-manager database
set db-path=user-manager

Re: Setting up DMZ on an IP address

Posted: Tue Apr 25, 2017 4:42 am
by Zero3K
I tried forwarding all ports to the mentioned IP Address but that didn't work.

Re: Setting up DMZ on an IP address

Posted: Tue Apr 25, 2017 1:27 pm
by p3rad0x
It seems like your modem is handing out a private ip address to your 951.

You should ask if they can supply you with a public ip address, then you will be able to forward the ports.

Re: Setting up DMZ on an IP address

Posted: Thu Apr 27, 2017 4:13 am
by Zero3K
I figured it out. I had to set the UVerse modem to pass-through its IP to the router and add a NAT rule below the default masquerade rule with the following config:

Chain: dstnat
Input Inferface: ether1-gateway
Action: dst-nat
To Addresses: 10.0.1.4
All times are UTC+03:00
Page 1 of 1
Powered by phpBB® Forum Software © phpBB Limited
https://www.phpbb.com/