Just blanket masquerade the local subnet and you're done. So much less pain and the downsides don't generally apply to small home/office networks.
Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373

On Sun, Jun 8, 2014 at 11:50 AM, Casey Mills <[email protected]> wrote:
> Thanks everyone! Adding in-interface=ether1-gateway made everything work
> as expected.
>
> Funny that you mention hairpin, I was going to tackle that next. Not
> having any luck so far. Trying to get it working for one device, then
> hopefully expanding the rule to cover all hairpin traffic.
>
> Any thoughts on ports 2-5 being part of bridge-local on an RB2011?
>
> So far neither of these has worked.
>
> chain=srcnat action=masquerade protocol=tcp src-address=192.168.55.0/24 dst-address=192.168.55.200 out-interface=bridge-local dst-port=8080
>
> chain=srcnat action=masquerade protocol=tcp src-address=192.168.55.0/24 dst-address=192.168.55.200 out-interface=ether3 dst-port=8080
>
> Casey
>
> On Sat, Jun 7, 2014 at 5:38 PM, Alexander Neilson <[email protected]> wrote:
> > Josh has hit the target
> >
> > Your port 80 rule doesn’t specify the interface so anything defined for
> > port 80 is being redirected to your internal box.
> >
> > This includes standard website requests, which will be preventing your
> > internet surfing.
> >
> > Just add in-interface=ether1-gateway and things should work.
> >
> > Regards
> > Alexander
> >
> > Alexander Neilson
> > Neilson Productions Limited
> >
> > [email protected]
> > 021 329 681
> > 022 456 2326
> >
> > On 8/06/2014, at 9:04 am, Grand Avenue Broadband <[email protected]> wrote:
> > > I'm assuming you mean "it kills my ability to browse TO THE WAN IP using
> > > a device on the inside of my network." If that is accurate, see here:
> > >
> > > http://wiki.mikrotik.com/wiki/Hairpin_NAT
> > >
> > > If you mean "it kills my ability to browse TO THE LAN IP using a device
> > > on the inside of my network," Josh's advice has already hit the target.
> > >
> > > On Jun 7, 2014, at 1:15 PM, Casey Mills <[email protected]> wrote:
> > >> I was pretty big into Mikrotik in years past, but haven't been active in
> > >> some time.
> > >>
> > >> I just picked up an RB2011 and want to forward ports 80, 443, and 50500 for
> > >> my network storage device. When I dstnat those ports below it kills my
> > >> ability to browse using a device on the inside of my network. This has to
> > >> be something simple, please help.
> > >>
> > >> I'm not sure how traffic originating from the outside and destined for my
> > >> network storage is treated. Ideally it should be handled by the forward
> > >> chain, but it will have a destination IP of the WAN side of the router. So
> > >> that makes me think input chain.
> > >>
> > >> /ip firewall filter
> > >> add chain=input protocol=icmp
> > >> add chain=input connection-state=established
> > >> add chain=input connection-state=related
> > >> add action=drop chain=input in-interface=ether1-gateway
> > >> add chain=forward connection-state=established
> > >> add chain=forward connection-state=related
> > >> add action=drop chain=forward connection-state=invalid
> > >>
> > >> /ip firewall nat
> > >> add action=masquerade chain=srcnat out-interface=ether1-gateway to-addresses=0.0.0.0
> > >> add action=dst-nat chain=dstnat comment=Foscam-1 dst-port=8080 protocol=tcp to-addresses=192.168.55.200 to-ports=8080
> > >> add action=dst-nat chain=dstnat comment=Foscam-2 dst-port=8081 protocol=tcp to-addresses=192.168.55.201 to-ports=8081
> > >> add action=dst-nat chain=dstnat comment=IX2 disabled=yes dst-address-type="" dst-port=80 protocol=tcp to-addresses=192.168.55.54 to-ports=80
> > >> add action=dst-nat chain=dstnat comment=IX2 disabled=yes dst-address-type="" dst-port=443 protocol=tcp to-addresses=192.168.55.54 to-ports=443
> > >> add action=dst-nat chain=dstnat comment=IX2 disabled=yes dst-port=50500 protocol=tcp to-addresses=192.168.55.54 to-ports=50500
> > >> add action=dst-nat chain=dstnat comment=Casey7-RDP dst-port=3389 protocol=tcp to-addresses=192.168.55.52 to-ports=3389
> > >> add action=dst-nat chain=dstnat comment=HTPC7-Plex dst-port=32400 protocol=tcp to-addresses=192.168.55.50 to-ports=32400
> > >> add action=dst-nat chain=dstnat comment=HTPC7-CetonApp dst-port=5832 protocol=tcp to-addresses=192.168.55.50 to-ports=5832
> > >>
> > >> Thanks,
> > >> Casey

_______________________________________________
Mikrotik mailing list
[email protected]
http://mail.butchevans.com/mailman/listinfo/mikrotik

Visit http://blog.butchevans.com/ for tutorials related to Mikrotik RouterOS
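An added worked example, not posted by anyone in this thread, that puts the two fixes discussed above into one RouterOS NAT/filter fragment: the port forwards no longer match every port-80 request the LAN sends to the internet, and Josh's "blanket masquerade the local subnet" rule makes hairpin access to the NAS work. It also shows why Casey's two srcnat attempts could not fire: once the dstnat rule carries in-interface=ether1-gateway, a LAN client connecting to the WAN address is never dst-nat'ed, so by the time the srcnat chain runs the destination is still the WAN address and dst-address=192.168.55.200 never matches. Assumptions that are not in the thread: the WAN address on ether1-gateway is the placeholder 203.0.113.10, the LAN bridge is bridge-local, and the RouterOS version has the connection-nat-state matcher; the NAS address 192.168.55.54 and the LAN 192.168.55.0/24 are as posted.

```routeros
# Added example; not the thread's own configuration.
# Placeholders (assumptions): WAN address 203.0.113.10, LAN bridge bridge-local.

/ip firewall nat
# Outbound masquerade, as posted.
add chain=srcnat action=masquerade out-interface=ether1-gateway \
    comment="outbound masquerade"

# Hairpin NAT. A LAN client that connects to the WAN address is dst-nat'ed to
# the NAS; without this rule the NAS would see the client's real LAN source
# address and answer it directly, the client would get a reply from
# 192.168.55.54 instead of 203.0.113.10, and the connection would reset.
# Masquerading forces the reply back through the router. Only routed traffic
# hits this rule; switched LAN-to-LAN traffic never enters the IP firewall.
add chain=srcnat action=masquerade src-address=192.168.55.0/24 \
    dst-address=192.168.55.0/24 comment="hairpin NAT for local subnet"

# Port forwards keyed on the WAN address instead of the inbound interface.
# in-interface=ether1-gateway alone fixes browsing but excludes hairpin
# traffic, which arrives on bridge-local; matching dst-address catches both
# while still ignoring LAN requests to port 80 on internet hosts.
add chain=dstnat action=dst-nat protocol=tcp dst-address=203.0.113.10 \
    dst-port=80 to-addresses=192.168.55.54 to-ports=80 comment="IX2 http"
add chain=dstnat action=dst-nat protocol=tcp dst-address=203.0.113.10 \
    dst-port=443 to-addresses=192.168.55.54 to-ports=443 comment="IX2 https"
add chain=dstnat action=dst-nat protocol=tcp dst-address=203.0.113.10 \
    dst-port=50500 to-addresses=192.168.55.54 to-ports=50500 comment="IX2 50500"

/ip firewall filter
# The posted forward chain accepts any new connection that is not invalid.
# dst-nat runs before the forward filter, so a plain "drop new from WAN" rule
# would also kill the forwards; match on connection-nat-state instead.
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept connection-state=new \
    connection-nat-state=dstnat in-interface=ether1-gateway \
    comment="only dst-nat'ed connections may enter from WAN"
add chain=forward action=drop connection-state=new \
    in-interface=ether1-gateway comment="drop other WAN-originated traffic"
```

Two caveats. Matching dst-address-type=local instead of a hard-coded WAN address avoids the placeholder, but it also matches the router's own LAN address, so a port-80 rule written that way would redirect LAN requests to the router's web interface to the NAS as well. The hairpin masquerade replaces the client's LAN address with the router's, so the NAS's own access logs show the router for hairpinned connections; hosts that use the NAS's LAN address directly are unaffected. Casey's second attempt used out-interface=ether3; on a bridged LAN the routed packet leaves through bridge-local, not through the member port, so only the bridge interface will match.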

