Thanks everyone!  Adding in-interface=ether1-gateway made everything work
as expected.

Funny that you mention hairpin, I was going to tackle that next.  Not
having any luck so far.  Trying to get it working for one device, then
hopefully expanding the rule to cover all hairpin traffic.

Any thoughts on ports 2-5 being part of bridge-local on a rb2011?

So far neither of these have worked.
chain=srcnat action=masquerade protocol=tcp src-address=192.168.55.0/24
dst-address=192.168.55.200 out-interface=bridge-local dst-port=8080

chain=srcnat action=masquerade protocol=tcp src-address=192.168.55.0/24
dst-address=192.168.55.200 out-interface=ether3 dst-port=8080

Casey


On Sat, Jun 7, 2014 at 5:38 PM, Alexander Neilson <[email protected]>
wrote:

> Josh has hit the target
>
> Your port 80 rule doesn’t specify the interface so anything defined for
> port 80 is being redirected to your internal box.
>
> This includes standard website requests, which will be preventing your
> internet surfing.
>
> Just add in-interface=ether1-gateway and things should work.
>
> Regards
> Alexander
>
> Alexander Neilson
> Neilson Productions Limited
>
> [email protected]
> 021 329 681
> 022 456 2326
>
> On 8/06/2014, at 9:04 am, Grand Avenue Broadband <
> [email protected]> wrote:
>
> > I'm assuming you mean "it kills my ability to browse TO THE WAN IP using
> > a device on the inside of my network."  If that is accurate, see here:
> >
> > http://wiki.mikrotik.com/wiki/Hairpin_NAT
> >
> > If you mean "it kills my ability to browse TO THE LAN IP using a device
> > on the inside of my network," Josh's advice has already hit the target.
> >
> > On Jun 7, 2014, at 1:15 PM, Casey Mills <[email protected]> wrote:
> >
> >> I was pretty big into Mikrotik in years past, but haven't been active in
> >> some time.
> >>
> >> I just picked up a RB2011 and want to forward ports 80, 443, and 50500 for
> >> my network storage device.  When I dstnat those ports below it kills my
> >> ability to browse using a device on the inside of my network.  This has to
> >> be something simple, please help.
> >>
> >> I'm not sure how traffic originating from the outside and destined for my
> >> network storage is treated.  Ideally it should be handled by the forward
> >> chain, but it will have a destination IP of the WAN side of the router.  So
> >> that makes me think input chain.
> >>
> >>
> >> /ip firewall filter
> >> add chain=input protocol=icmp
> >> add chain=input connection-state=established
> >> add chain=input connection-state=related
> >> add action=drop chain=input in-interface=ether1-gateway
> >> add chain=forward connection-state=established
> >> add chain=forward connection-state=related
> >> add action=drop chain=forward connection-state=invalid
> >>
> >>
> >> /ip firewall nat
> >> add action=masquerade chain=srcnat out-interface=ether1-gateway
> >> to-addresses=0.0.0.0
> >> add action=dst-nat chain=dstnat comment=Foscam-1 dst-port=8080 protocol=tcp
> >> to-addresses=192.168.55.200 to-ports=8080
> >> add action=dst-nat chain=dstnat comment=Foscam-2 dst-port=8081 protocol=tcp
> >> to-addresses=192.168.55.201 to-ports=8081
> >> add action=dst-nat chain=dstnat comment=IX2 disabled=yes
> >> dst-address-type="" dst-port=80 protocol=tcp to-addresses=192.168.55.54
> >> to-ports=80
> >> add action=dst-nat chain=dstnat comment=IX2 disabled=yes
> >> dst-address-type="" dst-port=443 protocol=tcp to-addresses=192.168.55.54
> >> to-ports=443
> >> add action=dst-nat chain=dstnat comment=IX2 disabled=yes dst-port=50500
> >> protocol=tcp to-addresses=192.168.55.54 to-ports=50500
> >> add action=dst-nat chain=dstnat comment=Casey7-RDP dst-port=3389
> >> protocol=tcp to-addresses=192.168.55.52 to-ports=3389
> >> add action=dst-nat chain=dstnat comment=HTPC7-Plex dst-port=32400
> >> protocol=tcp to-addresses=192.168.55.50 to-ports=32400
> >> add action=dst-nat chain=dstnat comment=HTPC7-CetonApp dst-port=5832
> >> protocol=tcp to-addresses=192.168.55.50 to-ports=5832
> >>
> >>
> >> Thanks,
> >> Casey
> >> _______________________________________________
> >> Mikrotik mailing list
> >> [email protected]
> >> http://mail.butchevans.com/mailman/listinfo/mikrotik
> >>
> >> Visit http://blog.butchevans.com/ for tutorials related to Mikrotik RouterOS
> >
>
>
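
Added example, not part of the original thread: a small Python model of the hairpin path discussed above, showing that a dstnat rule restricted to in-interface=ether1-gateway never matches a LAN client, and that without the srcnat masquerade the server's reply reaches the client from the wrong address. The WAN address 203.0.113.10, router LAN address 192.168.55.1 and client 192.168.55.10 are constructed values, and the model reduces RouterOS to one dstnat rule and one optional srcnat rule.

```python
# Simplified model of hairpin NAT on one router (constructed addresses, not RouterOS code).
WAN_IP = "203.0.113.10"      # placeholder WAN address (assumption)
ROUTER_LAN = "192.168.55.1"  # assumed router address on bridge-local
SERVER = "192.168.55.200"    # camera address from the thread
CLIENT = "192.168.55.10"     # constructed LAN client

def dstnat_matches(rule, pkt):
    """A rule field left as None means 'match anything'."""
    return ((rule.get("in_interface") is None or rule["in_interface"] == pkt["in_if"])
            and (rule.get("dst_address") is None or rule["dst_address"] == pkt["dst"])
            and rule["dst_port"] == pkt["dport"])

def hairpin(dst_rule, masquerade):
    """Trace a LAN client connecting to WAN_IP:8080.

    Returns (outcome, source address of the reply as the client sees it)."""
    pkt = {"src": CLIENT, "dst": WAN_IP, "dport": 8080, "in_if": "bridge-local"}
    if not dstnat_matches(dst_rule, pkt):
        # Not translated: the packet stays addressed to the router itself (input chain).
        return ("not-forwarded", None)
    pkt["dst"] = SERVER                      # dst-nat rewrites the destination
    if masquerade:
        pkt["src"] = ROUTER_LAN              # srcnat: the server now sees the router
    # The server answers whoever it saw as the source.
    reply = {"src": SERVER, "dst": pkt["src"]}
    if reply["dst"] == ROUTER_LAN:
        # Reply passes back through the router; connection tracking undoes both translations.
        reply = {"src": WAN_IP, "dst": CLIENT}
    # The client opened the connection to WAN_IP and only accepts replies from it.
    ok = reply["src"] == WAN_IP
    return ("connected" if ok else "reply-rejected", reply["src"])

# dstnat limited to the WAN interface versus dstnat matched on the WAN address.
WAN_ONLY = {"in_interface": "ether1-gateway", "dst_address": None, "dst_port": 8080}
BY_ADDRESS = {"in_interface": None, "dst_address": WAN_IP, "dst_port": 8080}

if __name__ == "__main__":
    for name, rule in (("WAN_ONLY", WAN_ONLY), ("BY_ADDRESS", BY_ADDRESS)):
        for masq in (False, True):
            print(name, "masquerade" if masq else "no-masquerade", hairpin(rule, masq))
```

Only the combination of an address-matched dstnat rule and the srcnat masquerade yields a working connection in this model; the interface-restricted rule fails before the srcnat rule is ever consulted.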