Hey all,
I've just recently upgraded to a level 4 license, and am trying my hand at setting up NAT. Any help would be appreciated.
Anyway, I want to set up my clients to be able to host a Warcraft III game on BattleNet. I'm going to go and assume that some (only some, a very small "some") of you are not familiar with this, so basically it's just allowing a computer to become a temporary server for other users to connect to and play games.
Here's my firewall filter settings:
0 ;;; Drop invalid connections
chain=input connection-state=invalid action=drop
1 ;;; Allow established connections
chain=input connection-state=established action=accept
2 ;;; Allow related connections
chain=input connection-state=related action=accept
3 ;;; Allow UDP
chain=input protocol=udp action=accept
4 ;;; Allow ICMP
chain=input protocol=icmp action=accept
5 ;;; Allow connection to router from local network
chain=input in-interface=!PUBLIC action=accept
6 ;;; Drop everything else
chain=input action=drop
7 chain=forward in-interface=PUBLIC action=jump jump-target=customer
8 ;;; Drop invalid connection packets
chain=customer connection-state=invalid action=drop
9 ;;; Allow established connections
chain=customer connection-state=established action=accept
10 ;;; Allow related connections
chain=customer connection-state=related action=accept
11 ;;; Log dropped connections
chain=customer action=log log-prefix="customer_drop"
12 ;;; Drop and log everything else
chain=customer dst-address=!192.168.1.117 action=drop
Just your basic firewall rules. I got them from checking the "protect router" and "protect customer" checkboxes in the webbox. I just edited number 12 and added a dst-address clause. Without that, the game hosting (for some reason) failed.
And here's the NAT:
0 chain=srcnat out-interface=DLINK action=masquerade
1 chain=dstnat dst-address=xxx.xxx.xxx.xxx protocol=!encap src-port=6161
action=dst-nat to-addresses=192.168.1.117 to-ports=6117
2 chain=srcnat src-address=192.168.1.0/24 action=masquerade
Again, number 0 is the basic one from webbox, and numbers 1 and 2 are the ones I added for this hosting purpose. The !encap protocol is added because the hosting requires both TCP and UDP. Should I just make 2 separate rules for this? Or maybe I should put something else in there?
What do you think? With these rules, the hosting would work, and other players can connect and play in the games I hosted.
The problem is, I would get tons of log entries about dropped firewall hits. It goes something like this:
customer_drop customer: in:PUBLIC out:LOCAL, src-mac:aa:bb:cc:dd:ee:ff, proto TCP(SYN), 124.81.146.48:4509->192.168.1.117:445, len 48
The protocols I see most often are TCP and UDP, and sometimes ICMP. The source IP, source port, and destination port change in each entry. The acronym in the brackets can be SYN, ACK, PSH, or FIN. Every 1 or 2 seconds there would be another entry, and sometimes it can get up to 5 in one second. Sometimes, after several minutes of these entries, it would cool down for several minutes, and then it would continue.
Is this amount of activity normal? Should I worry about this? Anything I should change or add to my rules?
Any help on this matter would be greatly appreciated.
Thanks all.
-Ted-
P.S: Does anyone know how I can contact the Mikrotik cust. service rep? Just in case...
Thanks again.
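The following is an added example written for this page; it is not code from the original post or from MikroTik. It parses RouterOS firewall log lines in the format shown above and replays them through a small model of the posted "customer" chain. Two things follow from the rules as posted: the log action in rule 11 is non-terminating and has no match condition, so it logs every new packet that reaches it, and rule 12 drops only packets whose destination is not 192.168.1.117. A SYN to 192.168.1.117:445 is therefore logged with the "customer_drop" prefix and then forwarded, because it falls off the end of the chain and the forward chain's default is accept. The tightened chain in the example accepts new connections only on the forwarded port, as separate TCP and UDP rules in place of protocol=!encap; it assumes the dst-nat rule has already rewritten the destination to 192.168.1.117:6117 before the forward chain sees the packet, which is the order RouterOS applies dstnat and filter. All log lines except the first are constructed for the example, and the rule names, packet fields and chain lists are this example's own representation, not a RouterOS export.

```python
import re
from collections import Counter

# Regex for the RouterOS firewall log line format quoted in the post:
# "<prefix> <chain>: in:<if> out:<if>, src-mac:<mac>, proto <P>(<flags>),
#  src:port->dst:port, len <n>". ICMP lines carry "(type x, code y)" and no ports.
LOG_RE = re.compile(
    r"^(?P<prefix>\S+)\s+(?P<chain>\w+):\s+in:(?P<in_if>\S+)\s+out:(?P<out_if>\S+),\s*"
    r"(?:src-mac:(?P<src_mac>[0-9a-fA-F:]+),\s*)?"
    r"proto\s+(?P<proto>[A-Z]+)\s*(?:\((?P<flags>[^)]*)\))?,\s*"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?->(?P<dst>[\d.]+)(?::(?P<dport>\d+))?,\s*"
    r"len\s+(?P<length>\d+)$"
)

# Constructed sample log. Line 1 is the entry from the post; the rest are made up
# to look like the same kind of background scanning against the forwarded host.
SAMPLE_LOG = """\
customer_drop customer: in:PUBLIC out:LOCAL, src-mac:aa:bb:cc:dd:ee:ff, proto TCP(SYN), 124.81.146.48:4509->192.168.1.117:445, len 48
customer_drop customer: in:PUBLIC out:LOCAL, src-mac:aa:bb:cc:dd:ee:ff, proto TCP(SYN), 203.0.113.7:51234->192.168.1.117:445, len 48
customer_drop customer: in:PUBLIC out:LOCAL, src-mac:aa:bb:cc:dd:ee:ff, proto TCP(SYN), 198.51.100.9:3333->192.168.1.117:135, len 48
customer_drop customer: in:PUBLIC out:LOCAL, src-mac:aa:bb:cc:dd:ee:ff, proto UDP, 198.51.100.9:1026->192.168.1.117:1434, len 404
customer_drop customer: in:PUBLIC out:LOCAL, src-mac:aa:bb:cc:dd:ee:ff, proto TCP(ACK), 203.0.113.7:80->192.168.1.117:4620, len 40
customer_drop customer: in:PUBLIC out:LOCAL, src-mac:aa:bb:cc:dd:ee:ff, proto ICMP (type 8, code 0), 192.0.2.44->192.168.1.117, len 84
customer_drop customer: in:PUBLIC out:LOCAL, src-mac:aa:bb:cc:dd:ee:ff, proto TCP(SYN), 192.0.2.44:40000->192.168.1.117:6117, len 48
"""


def parse_log(text):
    """Return one dict per firewall log line; non-matching lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        for k in ("sport", "dport", "length"):
            e[k] = int(e[k]) if e[k] is not None else None
        entries.append(e)
    return entries


def summarize(entries):
    """Hits per (proto, dst port) and distinct source IPs per dst port."""
    hits = Counter((e["proto"], e["dport"]) for e in entries)
    sources = {}
    for e in entries:
        sources.setdefault(e["dport"], set()).add(e["src"])
    return {"hits": hits, "sources_per_port": {p: len(s) for p, s in sources.items()}}


# Model of the posted customer chain (rules 8-12). A leading "!" negates a match,
# as in the post's dst-address=!192.168.1.117.
POSTED = [
    {"connection-state": "invalid", "action": "drop"},
    {"connection-state": "established", "action": "accept"},
    {"connection-state": "related", "action": "accept"},
    {"action": "log"},
    {"dst-address": "!192.168.1.117", "action": "drop"},
]

# Tightened chain (assumption for this example): accept new connections only on
# the forwarded game port, one rule each for TCP and UDP, then log and drop.
TIGHTENED = [
    {"connection-state": "invalid", "action": "drop"},
    {"connection-state": "established", "action": "accept"},
    {"connection-state": "related", "action": "accept"},
    {"protocol": "tcp", "dst-address": "192.168.1.117", "dst-port": "6117", "action": "accept"},
    {"protocol": "udp", "dst-address": "192.168.1.117", "dst-port": "6117", "action": "accept"},
    {"action": "log"},
    {"action": "drop"},
]


def rule_matches(rule, pkt):
    for key, want in rule.items():
        if key == "action":
            continue
        negate = want.startswith("!")
        hit = str(pkt.get(key)) == want.lstrip("!")
        if hit == negate:  # plain match failed, or a negated match succeeded
            return False
    return True


def evaluate(chain, pkt):
    """Return (verdict, logged). 'log' does not terminate; falling off the end of
    a jumped-to chain returns to forward, whose default with no rules is accept."""
    logged = False
    for rule in chain:
        if not rule_matches(rule, pkt):
            continue
        if rule["action"] == "log":
            logged = True
            continue
        return rule["action"], logged
    return "accept", logged


def packet_from_entry(e):
    # Anything rule 11 logs already failed the invalid/established/related tests
    # in rules 8-10, so its connection-state is "new".
    return {"connection-state": "new", "protocol": e["proto"].lower(),
            "dst-address": e["dst"], "dst-port": e["dport"]}


def replay(chain, entries):
    """Counter of verdicts when the parsed log is replayed through a chain."""
    return Counter(evaluate(chain, packet_from_entry(e))[0] for e in entries)


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print(summarize(entries))
    print("posted chain   :", replay(POSTED, entries))
    print("tightened chain:", replay(TIGHTENED, entries))
```

Run as-is, the replay shows the posted chain forwarding every logged packet to 192.168.1.117, while the tightened chain forwards only the 6117 connection and drops the rest; the summary gives the per-port counts a practitioner would use to decide whether the noise is untargeted scanning (many sources, a few well-known ports) or something aimed at the host.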