Hmm, that didn't do the trick.  Here is what my NAT table looks like.

add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway to-addresses=0.0.0.0
add action=masquerade chain=srcnat comment=Hairpin-Test protocol=tcp src-address=192.168.55.0/24
add action=dst-nat chain=dstnat comment=Foscam-1 dst-port=8080 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.55.200 to-ports=8080
add action=dst-nat chain=dstnat comment=Foscam-2 dst-port=8081 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.55.201 to-ports=8081

I loaded up Torch and can see when trying to access my dynamic DNS name
with the port it is translated to the external IP address on my router.  So
the router is seeing the request?  The router's response is likely coming
from the inside IP address and not being masqueraded?

Casey


On Sun, Jun 8, 2014 at 2:47 PM, Josh Luthman <[email protected]> wrote:

> Drop the last two arguments.
>
> Josh Luthman
> Office: 937-552-2340
> Direct: 937-552-2343
> 1100 Wayne St
> Suite 1337
> Troy, OH 45373
> On Jun 8, 2014 2:27 PM, "Casey Mills" <[email protected]> wrote:
>
> > I started with that but no luck. Here is what I tried.
> >
> > chain=srcnat action=masquerade protocol=tcp src-address=192.168.55.0/24 dst-address=192.168.55.0/24 out-interface=bridge-local
> >
> > Casey
> > On Jun 8, 2014 11:54 AM, "Josh Luthman" <[email protected]> wrote:
> >
> > > Just blanket masquerade the local subnet and you're done.  So much less
> > > pain and the downsides don't generally apply to small home/office
> > > networks.
> > >
> > >
> > > Josh Luthman
> > > Office: 937-552-2340
> > > Direct: 937-552-2343
> > > 1100 Wayne St
> > > Suite 1337
> > > Troy, OH 45373
> > >
> > >
> > > On Sun, Jun 8, 2014 at 11:50 AM, Casey Mills <[email protected]> wrote:
> > >
> > > > Thanks everyone!  Adding in-interface=ether1-gateway made everything
> > > > work as expected.
> > > >
> > > > Funny that you mention hairpin, I was going to tackle that next.  Not
> > > > having any luck so far.  Trying to get it working for one device, then
> > > > hopefully expanding the rule to cover all hairpin traffic.
> > > >
> > > > Any thoughts on ports 2-5 being part of bridge-local on a rb2011?
> > > >
> > > > So far neither of these have worked.
> > > > chain=srcnat action=masquerade protocol=tcp src-address=192.168.55.0/24 dst-address=192.168.55.200 out-interface=bridge-local dst-port=8080
> > > >
> > > > chain=srcnat action=masquerade protocol=tcp src-address=192.168.55.0/24 dst-address=192.168.55.200 out-interface=ether3 dst-port=8080
> > > >
> > > > Casey
> > > >
> > > >
> > > > On Sat, Jun 7, 2014 at 5:38 PM, Alexander Neilson <[email protected]> wrote:
> > > >
> > > > > Josh has hit the target
> > > > >
> > > > > Your port 80 rule doesn’t specify the interface so anything defined for
> > > > > port 80 is being redirected to your internal box.
> > > > >
> > > > > This includes standard website requests, which will be preventing your
> > > > > internet surfing.
> > > > >
> > > > > Just add in-interface=ether1-gateway and things should work.
> > > > >
> > > > > Regards
> > > > > Alexander
> > > > >
> > > > > Alexander Neilson
> > > > > Neilson Productions Limited
> > > > >
> > > > > [email protected]
> > > > > 021 329 681
> > > > > 022 456 2326
> > > > >
> > > > > On 8/06/2014, at 9:04 am, Grand Avenue Broadband <[email protected]> wrote:
> > > > >
> > > > > > I'm assuming you mean "it kills my ability to browse TO THE WAN IP using
> > > > > > a device on the inside of my network."  If that is accurate, see here:
> > > > > >
> > > > > > http://wiki.mikrotik.com/wiki/Hairpin_NAT
> > > > > >
> > > > > > If you mean "it kills my ability to browse TO THE LAN IP using a device
> > > > > > on the inside of my network," Josh's advice has already hit the target.
> > > > > >
> > > > > > On Jun 7, 2014, at 1:15 PM, Casey Mills <[email protected]> wrote:
> > > > > >
> > > > > >> I was pretty big into Mikrotik in years past, but haven't been active in
> > > > > >> some time.
> > > > > >>
> > > > > >> I just picked up a RB2011 and want to forward ports 80, 443, and 50500 for
> > > > > >> my network storage device.  When I dstnat those ports below it kills my
> > > > > >> ability to browse using a device on the inside of my network.  This has to
> > > > > >> be something simple, please help.
> > > > > >>
> > > > > >> I'm not sure how traffic originating from the outside and destined for my
> > > > > >> network storage is treated.  Ideally it should be handled by the forward
> > > > > >> chain, but it will have a destination IP of the WAN side of the router.  So
> > > > > >> that makes me think input chain.
> > > > > >>
> > > > > >>
> > > > > >> /ip firewall filter
> > > > > >> add chain=input protocol=icmp
> > > > > >> add chain=input connection-state=established
> > > > > >> add chain=input connection-state=related
> > > > > >> add action=drop chain=input in-interface=ether1-gateway
> > > > > >> add chain=forward connection-state=established
> > > > > >> add chain=forward connection-state=related
> > > > > >> add action=drop chain=forward connection-state=invalid
> > > > > >>
> > > > > >>
> > > > > >> /ip firewall nat
> > > > > >> add action=masquerade chain=srcnat out-interface=ether1-gateway to-addresses=0.0.0.0
> > > > > >> add action=dst-nat chain=dstnat comment=Foscam-1 dst-port=8080 protocol=tcp to-addresses=192.168.55.200 to-ports=8080
> > > > > >> add action=dst-nat chain=dstnat comment=Foscam-2 dst-port=8081 protocol=tcp to-addresses=192.168.55.201 to-ports=8081
> > > > > >> add action=dst-nat chain=dstnat comment=IX2 disabled=yes dst-address-type="" dst-port=80 protocol=tcp to-addresses=192.168.55.54 to-ports=80
> > > > > >> add action=dst-nat chain=dstnat comment=IX2 disabled=yes dst-address-type="" dst-port=443 protocol=tcp to-addresses=192.168.55.54 to-ports=443
> > > > > >> add action=dst-nat chain=dstnat comment=IX2 disabled=yes dst-port=50500 protocol=tcp to-addresses=192.168.55.54 to-ports=50500
> > > > > >> add action=dst-nat chain=dstnat comment=Casey7-RDP dst-port=3389 protocol=tcp to-addresses=192.168.55.52 to-ports=3389
> > > > > >> add action=dst-nat chain=dstnat comment=HTPC7-Plex dst-port=32400 protocol=tcp to-addresses=192.168.55.50 to-ports=32400
> > > > > >> add action=dst-nat chain=dstnat comment=HTPC7-CetonApp dst-port=5832 protocol=tcp to-addresses=192.168.55.50 to-ports=5832
> > > > > >>
> > > > > >>
> > > > > >> Thanks,
> > > > > >> Casey
> > > > > >> _______________________________________________
> > > > > >> Mikrotik mailing list
> > > > > >> [email protected]
> > > > > >> http://mail.butchevans.com/mailman/listinfo/mikrotik
> > > > > >>
> > > > > >> Visit http://blog.butchevans.com/ for tutorials related to Mikrotik RouterOS
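Added example, not part of the thread: a simplified Python model (not RouterOS itself) that traces a LAN client's connection to the WAN address through the NAT table posted at the top of this message and through two variants. Assumptions: the WAN address and client address are constructed placeholders, and the variant that matches on dst-address-type=local instead of in-interface=ether1-gateway was not proposed by anyone in the thread.

```python
import ipaddress

# Simplified model of the dstnat and srcnat chains for hairpin traffic.
WAN_IP = "203.0.113.10"            # constructed placeholder for the public address
CLIENT = "192.168.55.10"           # constructed LAN client
ROUTER_LAN = "router-lan-address"  # stands in for the router's bridge-local address

def dstnat_rules(match):
    """The thread's two Foscam forwards, combined with one extra matcher."""
    return [{**match, "dst-port": 8080, "to-addresses": "192.168.55.200"},
            {**match, "dst-port": 8081, "to-addresses": "192.168.55.201"}]

DEFAULT_MASQ = {"out-interface": "ether1-gateway"}   # "default configuration" rule
HAIRPIN_MASQ = {"src-address": "192.168.55.0/24"}    # "Hairpin-Test" rule

def trace(dstnat, srcnat, port=8080):
    """Follow one TCP SYN from CLIENT to WAN_IP:port and report how it ends."""
    src, dst, in_if = CLIENT, WAN_IP, "bridge-local"
    for r in dstnat:                      # dstnat chain, first match wins
        if r["dst-port"] != port:
            continue
        if r.get("in-interface", in_if) != in_if:
            continue                      # WAN-only rule never sees a LAN packet
        if r.get("dst-address-type") == "local" and dst != WAN_IP:
            continue
        dst = r["to-addresses"]
        break
    if dst == WAN_IP:
        return "input"       # never translated: delivered to the router itself
    out_if = "bridge-local"  # the camera sits behind the LAN bridge
    for r in srcnat:                      # srcnat chain, first match wins
        if r.get("out-interface", out_if) != out_if:
            continue
        net = ipaddress.ip_network(r.get("src-address", "0.0.0.0/0"))
        if ipaddress.ip_address(src) not in net:
            continue
        src = ROUTER_LAN     # masquerade: source becomes the router's LAN address
        break
    if src == CLIENT:
        return "asymmetric"  # camera replies straight to the client from its own IP
    return "ok"              # reply returns via the router, which undoes both NATs

wan_only = dstnat_rules({"in-interface": "ether1-gateway"})
any_side = dstnat_rules({"dst-address-type": "local"})
for name, d, s in [("table as posted", wan_only, [DEFAULT_MASQ, HAIRPIN_MASQ]),
                   ("dst-nat widened, no hairpin rule", any_side, [DEFAULT_MASQ]),
                   ("dst-nat widened + hairpin rule", any_side, [DEFAULT_MASQ, HAIRPIN_MASQ])]:
    print(f"{name}: {trace(d, s)}")
```

In the "ok" case the camera sees the router's LAN address as the source of every hairpinned connection, so its own access log no longer distinguishes internal clients.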