Should correct this to say "forward chain" rule.
Rory McCann
MKAP Technology Solutions
Web: www.mkap.net
On 1/27/2014 9:19 AM, Rory McCann wrote:
This caught me before as well - has to do with packet flow.
First of all, you need a forward input chain rule for the switch.
Second, NAT happens in prerouting, so you need to specify the NAT'd
address of the switch for the packets to apply to. You'll probably
need a corresponding deny rule to block traffic you don't want.
I usually just create one deny rule with a NOT (!) specified. If the
src address is not from where I want it to be, the traffic is dropped.
Rory McCann
MKAP Technology Solutions
Web: www.mkap.net
On 1/24/2014 6:42 PM, Jerry Roy wrote:
Can someone point out what I did wrong? Long week and I am tired.
I only want to allow access to a switch sitting on the lan side of the
Mikrotik from defined networks (via wan interface of MT on port 8443).
Right now anyone can get to it.
/ip firewall filter
add action=accept chain=input comment="default configuration"
disabled=no
protocol=icmp
add action=accept chain=input comment="default configuration"
connection-state=established disabled=no
add action=accept chain=input comment="default configuration"
connection-state=related disabled=no
add action=accept chain=input comment="Allow Management from MNS"
disabled=no dst-port=161 protocol=udp src-address=\
10.94.64.16/29
add action=accept chain=input disabled=no dst-port=22,80,443,8291
protocol=tcp src-address=10.94.64.16/29
add action=accept chain=input disabled=no dst-port=22,80,443,8291
protocol=tcp src-address=68.106.72.0/26
add action=accept chain=input disabled=no dst-port=22,80,443,8291
protocol=tcp src-address=68.106.76.203
add action=accept chain=input disabled=no dst-port=22,80,443,8291
protocol=tcp src-address=68.167.154.0/24
add action=accept chain=input disabled=no dst-port=22,80,443,8291,8443
protocol=tcp src-address=162.93.0.0/16
add action=accept chain=input disabled=no dst-port=22,80,443,8291,8443
protocol=tcp src-address=216.231.198.0/24
add action=accept chain=input disabled=no dst-port=22,80,443,8291
protocol=tcp src-address=216.231.207.0/24
add action=accept chain=input comment=\
"Used for VoIP Phone TS with Access Line VoIP provider. Must Be
DISABLED at ALL times unless TS." disabled=yes dst-port=\
80,443 protocol=tcp
add action=drop chain=input comment="default configuration" disabled=no
in-interface=ether1-gateway-static
/ip firewall nat
add action=accept chain=srcnat disabled=no
dst-address=10.94.64.16/29 src-address=192.168.225.0/24
add action=dst-nat chain=dstnat comment=\
"Used for VoIP Phone TS with Access Line VoIP provider. Must Be
DISABLED at ALL times unless TS." disabled=yes dst-port=\
80,443 protocol=tcp src-port="" to-addresses=192.168.115.252
to-ports=443
add action=dst-nat chain=dstnat comment="Netgear GS110TP switch access"
disabled=no dst-port=8443 protocol=tcp to-addresses=\
192.168.225.2 to-ports=80
add action=masquerade chain=srcnat comment="default configuration"
disabled=no out-interface=ether1-gateway-static src-address=\
192.168.225.0/24 to-addresses=0.0.0.0
Thanks,
*Jerry Roy*
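To show what Rory's advice looks like in RouterOS terms, here is an added example (not from either poster) of the forward-chain rules the config above is missing. It assumes the two WAN networks that already have 8443 in the input rules (162.93.0.0/16 and 216.231.198.0/24) are the "defined networks", and that the forward chain has no other rules, so a single negated drop is enough; the list name switch-mgmt is made up.

```routeros
# Added example (not the original poster's config). Traffic to WAN:8443 is
# dst-nat'ed in prerouting to 192.168.225.2:80, so the input chain never
# sees it: it is forwarded, and the forward chain is empty (default accept).
# Match on the post-NAT destination, not on the WAN address or port 8443.

/ip firewall address-list
# Assumption: the networks allowed to reach the switch are the ones that
# already carry 8443 in the input rules above.
add list=switch-mgmt address=162.93.0.0/16 comment="switch mgmt, WAN side"
add list=switch-mgmt address=216.231.198.0/24 comment="switch mgmt, WAN side"

/ip firewall filter
# One drop rule with a negated source list, as Rory describes: anything
# arriving on the WAN interface for the switch's NAT'd address and port
# that is NOT from the list is dropped. Allowed sources fall through to
# the forward chain's default accept.
add chain=forward action=drop comment="Netgear GS110TP: drop mgmt from unlisted sources" \
    in-interface=ether1-gateway-static protocol=tcp \
    dst-address=192.168.225.2 dst-port=80 \
    src-address-list=!switch-mgmt
```

Check the rule's packet/byte counters with `/ip firewall filter print stats` after a test connection from an unlisted address; if they stay at zero the packet is still not reaching the forward chain on the expected address and port.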
_______________________________________________
Mikrotik mailing list
[email protected]
http://mail.butchevans.com/mailman/listinfo/mikrotik
Visit http://blog.butchevans.com/ for tutorials related to Mikrotik
RouterOS