Thoom
Jan 12, 2004

LUIGI SMASH!
I just picked up a RB1000 from SAMart for my home network and I'm pretty happy with it so far, but I'm having a bit of trouble getting port forwarding working quite right.

Here are the NAT rules in question (for forwarding ssh, http, and svn to an internal server):

code:
/ip firewall nat
add action=masquerade chain=srcnat disabled=no
add action=dst-nat chain=dstnat disabled=no dst-port=22 in-interface=ether2 \
    protocol=tcp to-addresses=192.168.29.100 to-ports=22
add action=dst-nat chain=dstnat disabled=no dst-port=80 in-interface=ether2 \
    protocol=tcp to-addresses=192.168.29.100 to-ports=80
add action=dst-nat chain=dstnat disabled=no dst-port=3690 in-interface=ether2 \
    protocol=tcp to-addresses=192.168.29.100 to-ports=3690
The problem is that it won't forward traffic that originates inside the network, because of the requirement that the traffic be coming over the WAN port (ether2). If I get rid of the requirement for in-interface=ether2, then it forwards outbound traffic to that internal machine.

Earlier in the thread, I saw someone suggest specifying a dst-address, but my external IP address is dynamic, so that won't work unless I want to update the rules every time my IP changes.

Suggestions?

Edit: Oh, and while I'm at it, is there a way to tell the dhcp server to reserve address X for MAC address Y and always assign that way? I know I can just set static IPs on all of the machines I want to have them, but it would be easier to have the router do it, especially in the case of laptops that get used on another network sometimes.

Thoom fucked around with this message at 06:31 on Nov 20, 2011


Thoom
Jan 12, 2004

LUIGI SMASH!

falz posted:

I've only ever dealt with static IPs. It's possible that your router may have to run a script to figure out your new IP or use a dyndns type of service.

I've got a script checking my public IP every minute and updating the dyndns service if necessary. Is there a way to introduce a variable to the NAT rules, or would I need to have the script delete and re-create them each time?

quote:

In my example below 1.2.3.4 is the public IP here. I'm also a fan of address lists hence the use of them:
code:
 add action=src-nat chain=srcnat src-address-list=SUBNET-INSIDE to-addresses=1.2.3.4

What does this rule do?

quote:

I always have a default deny rule at the end of my filter rules. If you have this then you must also have a matching firewall rule to allow the NAT'd traffic. I pretty much always use something like this:

It looks like I'm going to have to read up on what these chain things are and how they work.

Thoom
Jan 12, 2004

LUIGI SMASH!
I figured it out. A successful port forwarding rule with a dynamic IP looks like this:

code:
add action=dst-nat chain=dstnat disabled=no dst-address-type=local dst-port=80 \
    protocol=tcp to-addresses=192.168.29.100 to-ports=80
The key being dst-address-type=local, which specifies that the packet should be headed for an IP bound to one of the router's interfaces.

I have some more questions, if you don't mind. Is it the case that the drop rule flags the packet for being dropped, but it still continues down the chain in case there's a later accept rule? Or do both drop and accept end the chain immediately? The documentation isn't very clear on this.

Also, the 'customer' chain looks like it continues from the 'forward' chain, but wouldn't packets bound for an internal server be pointed at the router's WAN IP and thus get dropped by the 'input' chain?

code:
 ; allow internal stuff to reach the internet
 add action=accept chain=customer connection-state=established
 add action=accept chain=customer connection-state=related
I notice those lines don't mention connection-state=new. How do new connections get established under these rules?

falz posted:

That rule is the 'general outbound NAT' rule.

How does that rule differ from

code:
add action=masquerade chain=srcnat disabled=no
?

I very much appreciate all the help. I'm new to doing networking at this kind of low level.

Thoom
Jan 12, 2004

LUIGI SMASH!

Weird Uncle Dave posted:

Since Mikrotik is, internally, Linux, it helps to know a bit about how Linux does its firewalling. The "input" chain is for traffic destined for the router itself, and nothing else; the "output" chain is for traffic leaving the router itself. Anything you want to do for traffic going through the router, you have to add to the "forward" chain.

So let's say you have computer A outside your network, and computer B inside your network. If A wants to open a connection to B, is that request handled by the input chain or the forward chain? If the latter, how does that work, since the packet is technically bound for the router's public IP?

Thoom
Jan 12, 2004

LUIGI SMASH!

Weird Uncle Dave posted:

Assuming you have the usual home NAT rule - technically a "source" NAT rule (as opposed to "destination" NAT) - the router will already know that B requested to talk with A on port X, and when traffic from A on port X comes in, it'll rewrite it and send it on to B.
I was actually thinking of dstnat rules, but...

Weird Uncle Dave posted:

I think NAT rules are in the "prerouting" chain, which is (as the name implies) rules that are applied before the traffic hits the "forward" chain and is routed to wherever it's going.
...if NAT rules are applied before filter rules, then everything makes sense. By the time the incoming packet hits the filters, it's tagged as going to the internal IP and would naturally be processed by the forwarding chain.
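Putting this post together with the earlier dst-address-type=local fix, here is an added example (mine, not the original poster's or anyone else in the thread's) of a complete RouterOS NAT and filter setup for the configuration described. It assumes ether2 is the WAN port, the LAN is 192.168.29.0/24 and the server is 192.168.29.100, and it adds the hairpin source NAT rule that becomes necessary once the masquerade rule is restricted to the WAN interface.

```routeros
# Added example, not the OP's config. Assumed: ether2 = WAN, LAN = 192.168.29.0/24,
# internal server = 192.168.29.100, router's own LAN address = 192.168.29.1.
/ip firewall nat
# General outbound NAT, limited to the WAN interface.
add chain=srcnat out-interface=ether2 action=masquerade
# Port forwards that also work from inside: match any address bound to the router
# (dst-address-type=local) instead of a hard-coded, dynamic public IP.
# Caveat: "local" also matches the router's LAN address, so port 80 there is
# excluded to keep the router's own web management reachable from the LAN.
add chain=dstnat dst-address-type=local protocol=tcp dst-port=22 \
    action=dst-nat to-addresses=192.168.29.100 to-ports=22
add chain=dstnat dst-address-type=local dst-address=!192.168.29.1 protocol=tcp \
    dst-port=80 action=dst-nat to-addresses=192.168.29.100 to-ports=80
add chain=dstnat dst-address-type=local protocol=tcp dst-port=3690 \
    action=dst-nat to-addresses=192.168.29.100 to-ports=3690
# Hairpin: when a LAN client reaches the server via the public address, rewrite the
# source as well, so the server's reply goes back through the router instead of
# straight to the client (which would discard a reply from the wrong address).
# The OP's unconditional masquerade rule covered this implicitly; once masquerade
# is limited to out-interface=ether2, this rule is required.
add chain=srcnat src-address=192.168.29.0/24 dst-address=192.168.29.100 \
    protocol=tcp dst-port=22,80,3690 action=masquerade

/ip firewall filter
# input chain: traffic addressed to the router itself. Allow replies, drop new
# connections arriving from the WAN; LAN traffic falls through to the default accept.
add chain=input connection-state=established action=accept
add chain=input connection-state=related action=accept
add chain=input in-interface=ether2 action=drop
# forward chain: traffic passing through the router. dst-nat has already run
# (it sits before routing), so forwarded packets already carry the LAN address
# and are matched here, not in input.
add chain=forward connection-state=established action=accept
add chain=forward connection-state=related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward dst-address=192.168.29.100 protocol=tcp dst-port=22,80,3690 \
    connection-state=new action=accept
# Anything else entering from the WAN that was not explicitly allowed above.
add chain=forward in-interface=ether2 action=drop
```

Rule order matters in both chains: the established/related accepts must come before the drops, and the explicit forward accept for the server must come before the final WAN drop.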


Thoom
Jan 12, 2004

LUIGI SMASH!
Suppose I wanted the following setup (RB1000):

ether1 is hooked up to my gigabit fiber line
ether2 is hooked up to my local subnet
ether3 is hooked up to my 640k DSL line, which has 12 static IP addresses with access to all sorts of useful scientific and medical journals

2 VPNs. One that I can connect to from the outside world to access the local subnet.

One that I can connect to from either the inside or outside to connect to the outside via the DSL line (to access said useful scientific and medical journals).

My operating theory is that I want these VPNs to be L2TP over IPSec, but I have no idea how much work that entails and have heard some scary words like "SSL certificate" associated with IPSec.

Can someone point me in the right general direction, please?
