when use-ip-firewall=yes, DNAT from LAN to LAN not work
Posted: Sun Jun 30, 2013 4:19 pm
Hardware : RB2011UAS-2HnD
OS: ROS 6.0 & 6.1
Scenario:
use-ip-firewall set to "no":
1. A firewall address-list named "ISP" is created to store the WAN IP (ip address: A)
2. A bridge is created in LAN side with member ports.
3. A FTP server (ip address: B) is hosted on LAN
4. A DNAT firewall rule is created to NAT the destination address from A to B for all connection.
(A corresponding Hairpin NAT is created for completing the loopback NAT for LAN to A:21)
5. Another PC (say ip address C) inside LAN access to A:21 successful. View the firewall statistic, the two related firewall rules do have hit.
However, the DNAT firewall rule don't work if "user-ip-firewall" set to yes... (WAN to LAN DNAT still works)
Findings:
a. the firewall rule as specified in 4 do have hit, but the hairpin firewall rule don't record any hit. I replace the hairpin rule with the following relaxed rule, no hit was recorded too.
b. from the built-in packet sniffer, router do receive the FTP sync packet (C to A:21), but no packet is transmitted from router afterwards, the router seems drops the packet.[/color]
I suspect there might be a software bug in the bridging firewall which cannot re-transmit the packet back to the LAN bridge after DNAT the packet from bridge.
Anyone could help to solve this issue? Or is there anything I missed in the setup? Thanks in advance!
OS: ROS 6.0 & 6.1
Scenario:
use-ip-firewall set to "no":
1. A firewall address-list named "ISP" is created to store the WAN IP (ip address: A)
Code: Select all
/ip firewall address-list add address=A list=ISP3. A FTP server (ip address: B) is hosted on LAN
4. A DNAT firewall rule is created to NAT the destination address from A to B for all connection.
Code: Select all
/ip firewall chain=dstnat add action=dst-nat to-addresses=B protocol=tcp dst-address-list=GW dst-port=215. Another PC (say ip address C) inside LAN access to A:21 successful. View the firewall statistic, the two related firewall rules do have hit.
However, the DNAT firewall rule don't work if "user-ip-firewall" set to yes... (WAN to LAN DNAT still works)
Findings:
a. the firewall rule as specified in 4 do have hit, but the hairpin firewall rule don't record any hit. I replace the hairpin rule with the following relaxed rule, no hit was recorded too.
Code: Select all
/ip firewall chain=dstnat add action=accept protocol=tcp dst-port=21I suspect there might be a software bug in the bridging firewall which cannot re-transmit the packet back to the LAN bridge after DNAT the packet from bridge.
Anyone could help to solve this issue? Or is there anything I missed in the setup? Thanks in advance!