I really appreciate your help Josh. But still not working. Any other ideas?
Here are my firewall rules. I disabled the last input rule that drops input traffic but didn't make a difference.

/ip firewall filter
add chain=input comment="Allow all local traffic in" in-interface=bridge-local
add chain=input protocol=icmp
add chain=input connection-state=established
add chain=input connection-state=related
add action=drop chain=input in-interface=ether1-gateway
add chain=forward connection-state=established
add chain=forward connection-state=related
add chain=forward

This is my only NAT rule now, other than the port forwarding rules.

chain=srcnat action=masquerade src-address=192.168.55.0/24

Thanks,
Casey

On Sun, Jun 8, 2014 at 6:05 PM, Josh Luthman <[email protected]> wrote:
> Drop the first rule.
>
> Second rule, drop the protocol.
>
> The latter rules won't apply because you're not coming from that interface.
>
> Josh Luthman
> Office: 937-552-2340
> Direct: 937-552-2343
> 1100 Wayne St
> Suite 1337
> Troy, OH 45373
>
> On Jun 8, 2014 5:58 PM, "Casey Mills" <[email protected]> wrote:
> > Hmm, that didn't do the trick. Here is what my NAT table looks like.
> >
> > add action=masquerade chain=srcnat comment="default configuration"
> > out-interface=ether1-gateway to-addresses=0.0.0.0
> > add action=masquerade chain=srcnat comment=Hairpin-Test protocol=tcp
> > src-address=192.168.55.0/24
> > add action=dst-nat chain=dstnat comment=Foscam-1 dst-port=8080
> > in-interface=ether1-gateway protocol=tcp to-addresses=192.168.55.200
> > to-ports=8080
> > add action=dst-nat chain=dstnat comment=Foscam-2 dst-port=8081
> > in-interface=ether1-gateway protocol=tcp to-addresses=192.168.55.201
> > to-ports=8081
> >
> > I loaded up Torch and can see when trying to access my dynamic DNS name
> > with the port it is translated to the external IP address on my router. So
> > the router is seeing the request? The router's response is likely coming
> > from the inside IP address and not being masqueraded?
> >
> > Casey
> >
> > On Sun, Jun 8, 2014 at 2:47 PM, Josh Luthman <[email protected]> wrote:
> > > Drop the last two arguments.
> > >
> > > Josh Luthman
> > > Office: 937-552-2340
> > > Direct: 937-552-2343
> > > 1100 Wayne St
> > > Suite 1337
> > > Troy, OH 45373
> > >
> > > On Jun 8, 2014 2:27 PM, "Casey Mills" <[email protected]> wrote:
> > > > I started with that but no luck. Here is what I tried.
> > > >
> > > > chain=srcnat action=masquerade protocol=tcp src-address=192.168.55.0/24
> > > > dst-address=192.168.55.0/24 out-interface=bridge-local
> > > >
> > > > Casey
> > > >
> > > > On Jun 8, 2014 11:54 AM, "Josh Luthman" <[email protected]> wrote:
> > > > > Just blanket masquerade the local subnet and you're done. So much less
> > > > > pain and the downsides don't generally apply to small home/office
> > > > > networks.
> > > > >
> > > > > Josh Luthman
> > > > > Office: 937-552-2340
> > > > > Direct: 937-552-2343
> > > > > 1100 Wayne St
> > > > > Suite 1337
> > > > > Troy, OH 45373
> > > > >
> > > > > On Sun, Jun 8, 2014 at 11:50 AM, Casey Mills <[email protected]> wrote:
> > > > > > Thanks everyone! Adding in-interface=ether1-gateway made everything
> > > > > > work as expected.
> > > > > >
> > > > > > Funny that you mention hairpin, I was going to tackle that next. Not
> > > > > > having any luck so far. Trying to get it working for one device, then
> > > > > > hopefully expanding the rule to cover all hairpin traffic.
> > > > > >
> > > > > > Any thoughts on ports 2-5 being part of bridge-local on a rb2011?
> > > > > >
> > > > > > So far neither of these have worked.
> > > > > >
> > > > > > chain=srcnat action=masquerade protocol=tcp src-address=192.168.55.0/24
> > > > > > dst-address=192.168.55.200 out-interface=bridge-local dst-port=8080
> > > > > >
> > > > > > chain=srcnat action=masquerade protocol=tcp src-address=192.168.55.0/24
> > > > > > dst-address=192.168.55.200 out-interface=ether3 dst-port=8080
> > > > > >
> > > > > > Casey
> > > > > >
> > > > > > On Sat, Jun 7, 2014 at 5:38 PM, Alexander Neilson <[email protected]> wrote:
> > > > > > > Josh has hit the target
> > > > > > >
> > > > > > > Your port 80 rule doesn't specify the interface so anything defined
> > > > > > > for port 80 is being redirected to your internal box.
> > > > > > >
> > > > > > > This includes standard website requests, which will be preventing
> > > > > > > your internet surfing.
> > > > > > >
> > > > > > > Just add in-interface=ether1-gateway and things should work.
> > > > > > >
> > > > > > > Regards
> > > > > > > Alexander
> > > > > > >
> > > > > > > Alexander Neilson
> > > > > > > Neilson Productions Limited
> > > > > > >
> > > > > > > [email protected]
> > > > > > > 021 329 681
> > > > > > > 022 456 2326
> > > > > > >
> > > > > > > On 8/06/2014, at 9:04 am, Grand Avenue Broadband <[email protected]> wrote:
> > > > > > > > I'm assuming you mean "it kills my ability to browse TO THE WAN IP
> > > > > > > > using a device on the inside of my network." If that is accurate,
> > > > > > > > see here:
> > > > > > > >
> > > > > > > > http://wiki.mikrotik.com/wiki/Hairpin_NAT
> > > > > > > >
> > > > > > > > If you mean "it kills my ability to browse TO THE LAN IP using a
> > > > > > > > device on the inside of my network," Josh's advice has already hit
> > > > > > > > the target.
> > > > > > > >
> > > > > > > > On Jun 7, 2014, at 1:15 PM, Casey Mills <[email protected]> wrote:
> > > > > > > > > I was pretty big into Mikrotik in years past, but haven't been
> > > > > > > > > active in some time.
> > > > > > > > >
> > > > > > > > > I just picked up a RB2011 and want to forward ports 80, 443, and
> > > > > > > > > 50500 for my network storage device. When I dstnat those ports
> > > > > > > > > below it kills my ability to browse using a device on the inside
> > > > > > > > > of my network. This has to be something simple, please help.
> > > > > > > > >
> > > > > > > > > I'm not sure how traffic originating from the outside and
> > > > > > > > > destined for my network storage is treated. Ideally it should be
> > > > > > > > > handled by the forward chain, but it will have a destination IP
> > > > > > > > > of the WAN side of the router. So that makes me think input
> > > > > > > > > chain.
> > > > > > > > >
> > > > > > > > > /ip firewall filter
> > > > > > > > > add chain=input protocol=icmp
> > > > > > > > > add chain=input connection-state=established
> > > > > > > > > add chain=input connection-state=related
> > > > > > > > > add action=drop chain=input in-interface=ether1-gateway
> > > > > > > > > add chain=forward connection-state=established
> > > > > > > > > add chain=forward connection-state=related
> > > > > > > > > add action=drop chain=forward connection-state=invalid
> > > > > > > > >
> > > > > > > > > /ip firewall nat
> > > > > > > > > add action=masquerade chain=srcnat out-interface=ether1-gateway
> > > > > > > > > to-addresses=0.0.0.0
> > > > > > > > > add action=dst-nat chain=dstnat comment=Foscam-1 dst-port=8080 protocol=tcp
> > > > > > > > > to-addresses=192.168.55.200 to-ports=8080
> > > > > > > > > add action=dst-nat chain=dstnat comment=Foscam-2 dst-port=8081 protocol=tcp
> > > > > > > > > to-addresses=192.168.55.201 to-ports=8081
> > > > > > > > > add action=dst-nat chain=dstnat comment=IX2 disabled=yes
> > > > > > > > > dst-address-type="" dst-port=80 protocol=tcp to-addresses=192.168.55.54
> > > > > > > > > to-ports=80
> > > > > > > > > add action=dst-nat chain=dstnat comment=IX2 disabled=yes
> > > > > > > > > dst-address-type="" dst-port=443 protocol=tcp to-addresses=192.168.55.54
> > > > > > > > > to-ports=443
> > > > > > > > > add action=dst-nat chain=dstnat comment=IX2 disabled=yes dst-port=50500
> > > > > > > > > protocol=tcp to-addresses=192.168.55.54 to-ports=50500
> > > > > > > > > add action=dst-nat chain=dstnat comment=Casey7-RDP dst-port=3389
> > > > > > > > > protocol=tcp to-addresses=192.168.55.52 to-ports=3389
> > > > > > > > > add action=dst-nat chain=dstnat comment=HTPC7-Plex dst-port=32400
> > > > > > > > > protocol=tcp to-addresses=192.168.55.50 to-ports=32400
> > > > > > > > > add action=dst-nat chain=dstnat comment=HTPC7-CetonApp dst-port=5832
> > > > > > > > > protocol=tcp to-addresses=192.168.55.50 to-ports=5832
> > > > > > > > >
> > > > > > > > > Thanks,
> > > > > > > > > Casey

_______________________________________________
Mikrotik mailing list
[email protected]
http://mail.butchevans.com/mailman/listinfo/mikrotik

Visit http://blog.butchevans.com/ for tutorials related to Mikrotik RouterOS
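An added worked example, not part of the thread and not MikroTik's code: a small Python model of how RouterOS evaluates dstnat, routing and srcnat for a hairpin connection (a LAN client connecting to the router's public address on a forwarded port). It pushes one such packet through three rule sets: the dst-nat rules from the last NAT table in the thread, which are keyed on in-interface=ether1-gateway, so a packet arriving on bridge-local never matches them and lands in the input chain; the same dst-nat keyed on the public address but with no LAN masquerade, where the server answers the client directly and the client sees a reply from 192.168.55.200 instead of the address it connected to; and the usual hairpin pair (dst-nat on the public address plus a masquerade for LAN clients talking to the forwarded host, which is the narrow form of Josh's "blanket masquerade the local subnet"). The LAN subnet and the Foscam-1 host come from the thread; the public address 203.0.113.10, the router's LAN address 192.168.55.1 and the client 192.168.55.10 are constructed placeholders. The model simplifies: first matching rule wins in each chain, masquerade rewrites the source to the router's address on the outgoing interface, and a reply sent to an address on the same subnet never crosses the router.

```python
"""Toy model of RouterOS dstnat/srcnat matching for one hairpin-NAT packet.

Constructed example for illustration; WAN_IP, ROUTER_LAN_IP and CLIENT are
placeholders, LAN and SERVER come from the mailing-list thread.
"""
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional

LAN = "192.168.55.0/24"
SERVER = "192.168.55.200"       # Foscam-1 target from the thread
ROUTER_LAN_IP = "192.168.55.1"  # assumed bridge-local address of the router
WAN_IP = "203.0.113.10"         # placeholder public address on ether1-gateway
CLIENT = "192.168.55.10"        # constructed LAN client doing the hairpin


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    in_iface: str


@dataclass
class Rule:
    chain: str                            # "dstnat" or "srcnat"
    action: str                           # "dst-nat" or "masquerade"
    in_interface: Optional[str] = None
    out_interface: Optional[str] = None
    src_address: Optional[str] = None     # host address or CIDR, as in RouterOS
    dst_address: Optional[str] = None
    dst_port: Optional[int] = None
    to_addresses: Optional[str] = None


def in_net(ip: str, net: Optional[str]) -> bool:
    """An unset matcher matches everything; otherwise prefix-match the address."""
    return net is None or ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)


def matches(rule: Rule, pkt: Packet, out_iface: Optional[str] = None) -> bool:
    return (
        (rule.in_interface is None or rule.in_interface == pkt.in_iface)
        and (rule.out_interface is None or rule.out_interface == out_iface)
        and in_net(pkt.src, rule.src_address)
        and in_net(pkt.dst, rule.dst_address)
        and (rule.dst_port is None or rule.dst_port == pkt.dport)
    )


def route(dst: str):
    """Routing decision taken after dstnat: local delivery (input) or forward."""
    if dst in (WAN_IP, ROUTER_LAN_IP):
        return "input", None
    return "forward", ("bridge-local" if in_net(dst, LAN) else "ether1-gateway")


def hairpin(rules, pkt: Packet) -> str:
    """Run one LAN->WAN_IP packet through dstnat, routing and srcnat and say
    whether the server's reply can come back through the router."""
    for r in rules:                               # first matching dstnat rule wins
        if r.chain == "dstnat" and r.action == "dst-nat" and matches(r, pkt):
            pkt = replace(pkt, dst=r.to_addresses)
            break
    chain, out_iface = route(pkt.dst)
    if chain == "input":
        return "no-dstnat: packet is delivered to the router itself (input chain)"
    for r in rules:                               # first matching srcnat rule wins
        if r.chain == "srcnat" and r.action == "masquerade" and matches(r, pkt, out_iface):
            pkt = replace(pkt, src=ROUTER_LAN_IP)  # masquerade = out-interface address
            break
    # The server answers pkt.src. If that is still the client, the reply stays on
    # the LAN and never crosses the router, so the client gets a SYN/ACK from
    # SERVER rather than from WAN_IP and discards the connection.
    if pkt.src == ROUTER_LAN_IP:
        return "ok: reply returns via the router and is un-NATed"
    return "asymmetric: server replies straight to the client, bypassing the router"


# Rule set 1: dst-nat keyed on in-interface=ether1-gateway (as in the thread's
# last NAT table) plus a blanket masquerade of the LAN subnet.
CASEY_RULES = [
    Rule("dstnat", "dst-nat", in_interface="ether1-gateway", dst_port=8080, to_addresses=SERVER),
    Rule("srcnat", "masquerade", src_address=LAN),
]
# Rule set 2: dst-nat keyed on the public address, but only the WAN masquerade.
DSTNAT_ONLY = [
    Rule("dstnat", "dst-nat", dst_address=WAN_IP, dst_port=8080, to_addresses=SERVER),
    Rule("srcnat", "masquerade", out_interface="ether1-gateway"),
]
# Rule set 3: the usual hairpin pair, dst-nat on the public address plus a
# masquerade for LAN clients talking to the forwarded server.
HAIRPIN_RULES = [
    Rule("dstnat", "dst-nat", dst_address=WAN_IP, dst_port=8080, to_addresses=SERVER),
    Rule("srcnat", "masquerade", out_interface="ether1-gateway"),
    Rule("srcnat", "masquerade", src_address=LAN, dst_address=SERVER, dst_port=8080),
]


def demo() -> dict:
    pkt = Packet(src=CLIENT, dst=WAN_IP, dport=8080, in_iface="bridge-local")
    return {name: hairpin(rules, pkt) for name, rules in
            (("casey", CASEY_RULES), ("dstnat_only", DSTNAT_ONLY), ("hairpin", HAIRPIN_RULES))}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:12s} {result}")
```

The point the model makes for the thread's last configuration is that a packet from the LAN enters on bridge-local, so a dst-nat rule that requires in-interface=ether1-gateway is skipped and the packet is delivered to the router's own input chain; keying the dst-nat on the public address instead (and adding the LAN-to-server masquerade so the return path also goes through the router) is what makes the hairpin case work in the model.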

