Hi.
I'm trying to setup dst-nat on hotspot interface to be able connect to local computer with RDP and using Emule. I've added local ip to wich dst-nat-ing to ip wallen-garden in hotspot. And added this rules:
[admin@MikroTik] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Emule tcp
chain=dstnat in-interface=External protocol=tcp dst-port=4662 action=dst-nat to-addresses=10.1.1.17 to-ports=4662
1 ;;; Emule udp
chain=dstnat in-interface=External protocol=udp dst-port=4662 action=dst-nat to-addresses=10.1.1.17 to-ports=4662
2 ;;; masquerade hotspot network
chain=srcnat src-address=10.1.1.0/24 action=masquerade
3 ;;; MSTSC
chain=dstnat in-interface=External protocol=tcp dst-port=7777 action=dst-nat to-addresses=10.1.1.17 to-ports=3389
[admin@MikroTik] > ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Drop Invalid connections
chain=input connection-state=invalid action=drop
1 ;;; Allow Established connections
chain=input connection-state=established action=accept
2 ;;; Allow UDP DNS
chain=input protocol=udp src-port=53 action=accept
3 ;;; Allow ICMP
chain=input protocol=icmp action=accept
4 ;;; Allow inbound SSH
chain=input protocol=tcp dst-port=22 action=accept
5 ;;; Emule
chain=input in-interface=External protocol=tcp dst-port=4662 action=accept
6 chain=input in-interface=External protocol=udp dst-port=4662 action=accept
7 ;;; MSTSC
chain=input in-interface=External protocol=tcp dst-port=7777 action=accept
8 chain=input in-interface=External action=drop
9 ;;; drop invalid connections
chain=forward protocol=tcp connection-state=invalid action=drop
10 ;;; allow already established connections
chain=forward connection-state=established action=accept
11 ;;; allow related connections
chain=forward connection-state=related action=accept
12 chain=forward in-interface=External action=drop
With this setup I'm not able to connect to local computer through RDP and Emule rules also don't work. It gets low ID. When I trying telneting to 7777 port of external interface nothing happened. The only rule that work is SSH inbound rule. What I doing wrong?
Re: Dst-nat on hotspot interface?
----
yes,
this my RDP and default port: 3389 working fine with mikrotik from local or public network access.
first. i created policy ip-binding [16.16.16.5] on hotspot interface than i used this code, on firewall nat with my public router address xxx.xxx.xxx.x second created like this bellow:
regards
Hasbullah.com
----
yes,
this my RDP and default port: 3389 working fine with mikrotik from local or public network access.
first. i created policy ip-binding [16.16.16.5] on hotspot interface than i used this code, on firewall nat with my public router address xxx.xxx.xxx.x second created like this bellow:
Code: Select all
/ip fi nat add chain=dstnat action=dst-nat to-addresses=16.16.16.5 to-ports=3389
dst-address=xxx.xxx.xxx.x dst-port=3389 protocol=tcpHasbullah.com
----
Re: Dst-nat on hotspot interface?
Thank you balimore for reply.
I've changed my rule
chain=dstnat in-interface=External protocol=tcp dst-port=7777 action=dst-nat to-addresses=10.1.1.17 to-ports=3389
as you suggest and now it looks like:
chain=dstnat dst-address=xxx.25.199.xxx protocol=tcp dst-port=7777 action=dst-nat to-addresses=10.1.1.17 to-ports=3389
but no luck.
Can you tell a bit more about ip-binding policy you have created in hotspot?
What parameters you have set there? Have you set "to address" there? And what type have you select?
I've changed my rule
chain=dstnat in-interface=External protocol=tcp dst-port=7777 action=dst-nat to-addresses=10.1.1.17 to-ports=3389
as you suggest and now it looks like:
chain=dstnat dst-address=xxx.25.199.xxx protocol=tcp dst-port=7777 action=dst-nat to-addresses=10.1.1.17 to-ports=3389
but no luck.
Can you tell a bit more about ip-binding policy you have created in hotspot?
What parameters you have set there? Have you set "to address" there? And what type have you select?
Re: Dst-nat on hotspot interface?
----
ya.
this single address:
or subnet like this:
regards
Hasbullah.com
---
ya.
this single address:
Code: Select all
/ip ho ip- add address=xxx.xxx.xxx.x/32 type=bypaCode: Select all
/ip ho ip- add address=xxx.xxx.xxx.x/24 type=byparegards
Hasbullah.com
---
Re: Dst-nat on hotspot interface?
I did the same but no luck again. 
Re: Dst-nat on hotspot interface?
----
so sorry man, my RDP under Hotspot interface working fine and every nigth i used it over dialup modem
regards
Hasbullah.com
----
so sorry man, my RDP under Hotspot interface working fine and every nigth i used it over dialup modem
regards
Hasbullah.com
----
Re: Dst-nat on hotspot interface?
I have found problem finally.
The problem was in firewall rules:
5 ;;; Emule
chain=input in-interface=External protocol=tcp dst-port=4662 action=accept
6 chain=input in-interface=External protocol=udp dst-port=4662 action=accept
7 ;;; MSTSC
chain=input in-interface=External protocol=tcp dst-port=7777 action=accept
It should allow traffic for dst-nat rules but it doesn't.
As I found experimentally the chain should be forward for firewall rules to allow dst-nat traffic.
The problem was in firewall rules:
5 ;;; Emule
chain=input in-interface=External protocol=tcp dst-port=4662 action=accept
6 chain=input in-interface=External protocol=udp dst-port=4662 action=accept
7 ;;; MSTSC
chain=input in-interface=External protocol=tcp dst-port=7777 action=accept
It should allow traffic for dst-nat rules but it doesn't.
As I found experimentally the chain should be forward for firewall rules to allow dst-nat traffic.