I just picked up a RB1000 from SAMart for my home network and I'm pretty happy with it so far, but I'm having a bit of trouble getting port forwarding working quite right. Here are the NAT rules in question (for forwarding ssh, http, and svn to an internal server): code:
Earlier in the thread, I saw someone suggest specifying a dst-address, but my external IP address is dynamic, so that won't work unless I want to update the rules every time my IP changes. Suggestions?

Edit: Oh, and while I'm at it, is there a way to tell the dhcp server to reserve address X for MAC address Y and always assign that way? I know I can just set static IPs on all of the machines I want to have them, but it would be easier to have the router do it, especially in the case of laptops that get used on another network sometimes.

Thoom fucked around with this message at 06:31 on Nov 20, 2011

Nov 20, 2011 06:21
falz posted: I've only ever dealt with static IPs. It's possible that your router may have to run a script to figure out your new IP or use a dyndns type of service.

I've got a script checking my public IP every minute and updating the dyndns service if necessary. Is there a way to introduce a variable to the NAT rules, or would I need to have the script delete and re-create them each time?

quote: In my example below 1.2.3.4 is the public IP here. I'm also a fan of address lists hence the use of them:

What does this rule do?

quote: I always have a default deny rule at the end of my filter rules. If you have this then you must also have a matching firewall rule to allow the NAT'd traffic. I pretty much always use something like this:

It looks like I'm going to have to read up on what these chain things are and how they work.

Nov 20, 2011 19:31
I figured it out. A successful port forwarding rule with a dynamic IP looks like this: code:

I have some more questions, if you don't mind. Is it the case that the drop rule flags the packet for being dropped, but it still continues down the chain in case there's a later accept rule? Or do both drop and accept end the chain immediately? The documentation isn't very clear on this. Also, the 'customer' chain looks like it continues from the 'forward' chain, but wouldn't packets bound for an internal server be pointed at the router's WAN IP and thus get dropped by the 'input' chain? code:

faiz posted: That rule is the 'general outbound NAT' rule.

How does that rule differ from code:

I very much appreciate all the help. I'm new to doing networking at this kind of low level.

Nov 21, 2011 06:08
Weird Uncle Dave posted: Since Mikrotik is, internally, Linux, it helps to know a bit about how Linux does its firewalling. The "input" chain is for traffic destined for the router itself, and nothing else; the "output" chain is for traffic leaving the router itself. Anything you want to do for traffic going through the router, you have to add to the "forward" chain.

So let's say you have computer A outside your network, and computer B inside your network. If A wants to open a connection to B, is that request handled by the input chain or the forward chain? If the latter, how does that work, since the packet is technically bound for the router's public IP?

Dec 18, 2011 22:45
Weird Uncle Dave posted: Assuming you have the usual home NAT rule - technically a "source" NAT rule (as opposed to "destination" NAT) - the router will already know that B requested to talk with A on port X, and when traffic from A on port X comes in, it'll rewrite it and send it on to B.

Weird Uncle Dave posted: I think NAT rules are in the "prerouting" chain, which is (as the name implies) rules that are applied before the traffic hits the "forward" chain and is routed to wherever it's going.

Dec 18, 2011 23:32
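The dynamic-IP forwarding rule the poster says worked, the forward-chain accept that the chain discussion above says such traffic needs, and a DHCP reservation for the earlier question, written out as an added example; this is not the thread's own configuration (which did not survive extraction). It assumes ether1 is the WAN interface, 192.168.88.10 is the internal server, 3690 is the svn port, dhcp1 is the DHCP server name, and the MAC address is a placeholder.

```routeros
# Added example, not the poster's configuration.
# Assumed: ether1 = WAN (dynamic address), 192.168.88.10 = internal server,
# svn on tcp/3690, DHCP server named dhcp1, placeholder MAC address.

# Destination NAT: match on the incoming interface rather than a
# dst-address, so the rules survive a change of public IP.
/ip firewall nat
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=22 action=dst-nat to-addresses=192.168.88.10 to-ports=22 comment="ssh"
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.88.10 to-ports=80 comment="http"
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=3690 action=dst-nat to-addresses=192.168.88.10 to-ports=3690 comment="svn"
# General outbound (source) NAT for the LAN.
add chain=srcnat out-interface=ether1 action=masquerade

# Filter rules. dstnat runs in prerouting, so by the time a forwarded
# packet reaches the filter its destination is already 192.168.88.10,
# not the router's WAN address: it is evaluated by "forward", not "input".
# accept and drop are both terminal; the first matching rule decides.
/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input in-interface=ether1 action=drop comment="no new connections to the router from WAN"
add chain=forward connection-state=established,related action=accept
add chain=forward in-interface=ether1 protocol=tcp dst-address=192.168.88.10 dst-port=22,80,3690 action=accept comment="allow the NAT'd traffic"
add chain=forward in-interface=ether1 action=drop comment="default deny from WAN"

# DHCP reservation: always hand 192.168.88.10 to this MAC address.
/ip dhcp-server lease
add address=192.168.88.10 mac-address=AA:BB:CC:DD:EE:FF server=dhcp1 comment="internal server"
```

The forward accept is matched on the post-NAT destination, which is why a default deny at the end of the forward chain does not block the forwarded ports as long as this rule precedes it.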
Suppose I wanted the following setup (RB1000):

ether1 is hooked up to my gigabit fiber line
ether2 is hooked up to my local subnet
ether3 is hooked up to my 640k DSL line, which has 12 static IP addresses with access to all sorts of useful scientific and medical journals

2 VPNs. One that I can connect to from the outside world to access the local subnet. One that I can connect to from either the inside or outside to connect to the outside via the DSL line (to access said useful scientific and medical journals).

My operating theory is that I want these VPNs to be L2TP over IPSec, but I have no idea how much work that entails and have heard some scary words like "SSL certificate" associated with IPSec. Can someone point me in the right general direction, please?

Jan 11, 2012 00:19