I added the in-interface=ether1-gateway per the beginning of this thread. Everything wired runs to a switch, then one port of that switch connects to ether3 on the rb2011. The WAN port on the rb2011 is ether1.
add action=dst-nat chain=dstnat comment=Foscam-1 dst-port=8080 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.55.200 to-ports=8080
add action=dst-nat chain=dstnat comment=Foscam-2 dst-port=8081 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.55.201 to-ports=8081
add action=dst-nat chain=dstnat comment=IX2 dst-address-type="" dst-port=80 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.55.54 to-ports=80
add action=dst-nat chain=dstnat comment=IX2 dst-address-type="" dst-port=443 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.55.54 to-ports=443
add action=dst-nat chain=dstnat comment=IX2 dst-port=50500 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.55.54 to-ports=50500
add action=dst-nat chain=dstnat comment=Casey7-RDP dst-port=3389 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.55.52 to-ports=3389
add action=dst-nat chain=dstnat comment=HTPC7-Plex dst-port=32400 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.55.50 to-ports=32400
add action=dst-nat chain=dstnat comment=HTPC7-CetonApp dst-port=5832 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.55.50 to-ports=5832

On Sun, Jun 8, 2014 at 6:25 PM, Josh Luthman <[email protected]> wrote:

> You're masquerading it right. Dstnat rules have to be to blame. Did you change them?
>
> Josh Luthman
> Office: 937-552-2340
> Direct: 937-552-2343
> 1100 Wayne St
> Suite 1337
> Troy, OH 45373
>
> On Jun 8, 2014 6:23 PM, "Casey Mills" <[email protected]> wrote:
>
> > I really appreciate your help Josh. But still not working. Any other ideas?
> >
> > Here are my firewall rules. I disabled the last input rule that drops input traffic but didn't make a difference.
> >
> > /ip firewall filter
> > add chain=input comment="Allow all local traffic in" in-interface=bridge-local
> > add chain=input protocol=icmp
> > add chain=input connection-state=established
> > add chain=input connection-state=related
> > add action=drop chain=input in-interface=ether1-gateway
> > add chain=forward connection-state=established
> > add chain=forward connection-state=related
> > add chain=forward
> >
> > This is my only NAT rule now, other than the port forwarding rules.
> >
> > chain=srcnat action=masquerade src-address=192.168.55.0/24
> >
> > Thanks,
> > Casey
> >
> > On Sun, Jun 8, 2014 at 6:05 PM, Josh Luthman <[email protected]> wrote:
> >
> > > Drop the first rule.
> > >
> > > Second rule, drop the protocol.
> > >
> > > The latter rules won't apply because you're not coming from that interface.
> > >
> > > On Jun 8, 2014 5:58 PM, "Casey Mills" <[email protected]> wrote:
> > >
> > > > Hmm, that didn't do the trick. Here is what my NAT table looks like.
> > > >
> > > > add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway to-addresses=0.0.0.0
> > > > add action=masquerade chain=srcnat comment=Hairpin-Test protocol=tcp src-address=192.168.55.0/24
> > > > add action=dst-nat chain=dstnat comment=Foscam-1 dst-port=8080 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.55.200 to-ports=8080
> > > > add action=dst-nat chain=dstnat comment=Foscam-2 dst-port=8081 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.55.201 to-ports=8081
> > > >
> > > > I loaded up Torch and can see when trying to access my dynamic DNS name with the port it is translated to the external IP address on my router. So the router is seeing the request? The router's response is likely coming from the inside IP address and not being masqueraded?
> > > >
> > > > Casey
> > > >
> > > > On Sun, Jun 8, 2014 at 2:47 PM, Josh Luthman <[email protected]> wrote:
> > > >
> > > > > Drop the last two arguments.
> > > > >
> > > > > On Jun 8, 2014 2:27 PM, "Casey Mills" <[email protected]> wrote:
> > > > >
> > > > > > I started with that but no luck. Here is what I tried.
> > > > > >
> > > > > > chain=srcnat action=masquerade protocol=tcp src-address=192.168.55.0/24 dst-address=192.168.55.0/24 out-interface=bridge-local
> > > > > >
> > > > > > Casey
> > > > > >
> > > > > > On Jun 8, 2014 11:54 AM, "Josh Luthman" <[email protected]> wrote:
> > > > > >
> > > > > > > Just blanket masquerade the local subnet and you're done. So much less pain and the downsides don't generally apply to small home/office networks.
> > > > > > >
> > > > > > > On Sun, Jun 8, 2014 at 11:50 AM, Casey Mills <[email protected]> wrote:
> > > > > > >
> > > > > > > > Thanks everyone! Adding in-interface=ether1-gateway made everything work as expected.
> > > > > > > >
> > > > > > > > Funny that you mention hairpin, I was going to tackle that next. Not having any luck so far. Trying to get it working for one device, then hopefully expanding the rule to cover all hairpin traffic.
> > > > > > > >
> > > > > > > > Any thoughts on ports 2-5 being part of bridge-local on a rb2011?
> > > > > > > >
> > > > > > > > So far neither of these have worked.
> > > > > > > >
> > > > > > > > chain=srcnat action=masquerade protocol=tcp src-address=192.168.55.0/24 dst-address=192.168.55.200 out-interface=bridge-local dst-port=8080
> > > > > > > >
> > > > > > > > chain=srcnat action=masquerade protocol=tcp src-address=192.168.55.0/24 dst-address=192.168.55.200 out-interface=ether3 dst-port=8080
> > > > > > > >
> > > > > > > > Casey
> > > > > > > >
> > > > > > > > On Sat, Jun 7, 2014 at 5:38 PM, Alexander Neilson <[email protected]> wrote:
> > > > > > > >
> > > > > > > > > Josh has hit the target
> > > > > > > > >
> > > > > > > > > Your port 80 rule doesn't specify the interface so anything defined for port 80 is being redirected to your internal box.
> > > > > > > > >
> > > > > > > > > This includes standard website requests, which will be preventing your internet surfing.
> > > > > > > > >
> > > > > > > > > Just add in-interface=ether1-gateway and things should work.
> > > > > > > > >
> > > > > > > > > Regards
> > > > > > > > > Alexander
> > > > > > > > >
> > > > > > > > > Alexander Neilson
> > > > > > > > > Neilson Productions Limited
> > > > > > > > >
> > > > > > > > > [email protected]
> > > > > > > > > 021 329 681
> > > > > > > > > 022 456 2326
> > > > > > > > >
> > > > > > > > > On 8/06/2014, at 9:04 am, Grand Avenue Broadband <[email protected]> wrote:
> > > > > > > > >
> > > > > > > > > > I'm assuming you mean "it kills my ability to browse TO THE WAN IP using a device on the inside of my network." If that is accurate, see here:
> > > > > > > > > >
> > > > > > > > > > http://wiki.mikrotik.com/wiki/Hairpin_NAT
> > > > > > > > > >
> > > > > > > > > > If you mean "it kills my ability to browse TO THE LAN IP using a device on the inside of my network," Josh's advice has already hit the target.
> > > > > > > > > >
> > > > > > > > > > On Jun 7, 2014, at 1:15 PM, Casey Mills <[email protected]> wrote:
> > > > > > > > > >
> > > > > > > > > >> I was pretty big into Mikrotik in years past, but haven't been active in some time.
> > > > > > > > > >>
> > > > > > > > > >> I just picked up a RB2011 and want to forward ports 80, 443, and 50500 for my network storage device. When I dstnat those ports below it kills my ability to browse using a device on the inside of my network. This has to be something simple, please help.
> > > > > > > > > >>
> > > > > > > > > >> I'm not sure how traffic originating from the outside and destined for my network storage is treated. Ideally it should be handled by the forward chain, but it will have a destination IP of the WAN side of the router. So that makes me think input chain.
> > > > > > > > > >>
> > > > > > > > > >> /ip firewall filter
> > > > > > > > > >> add chain=input protocol=icmp
> > > > > > > > > >> add chain=input connection-state=established
> > > > > > > > > >> add chain=input connection-state=related
> > > > > > > > > >> add action=drop chain=input in-interface=ether1-gateway
> > > > > > > > > >> add chain=forward connection-state=established
> > > > > > > > > >> add chain=forward connection-state=related
> > > > > > > > > >> add action=drop chain=forward connection-state=invalid
> > > > > > > > > >>
> > > > > > > > > >> /ip firewall nat
> > > > > > > > > >> add action=masquerade chain=srcnat out-interface=ether1-gateway to-addresses=0.0.0.0
> > > > > > > > > >> add action=dst-nat chain=dstnat comment=Foscam-1 dst-port=8080 protocol=tcp to-addresses=192.168.55.200 to-ports=8080
> > > > > > > > > >> add action=dst-nat chain=dstnat comment=Foscam-2 dst-port=8081 protocol=tcp to-addresses=192.168.55.201 to-ports=8081
> > > > > > > > > >> add action=dst-nat chain=dstnat comment=IX2 disabled=yes dst-address-type="" dst-port=80 protocol=tcp to-addresses=192.168.55.54 to-ports=80
> > > > > > > > > >> add action=dst-nat chain=dstnat comment=IX2 disabled=yes dst-address-type="" dst-port=443 protocol=tcp to-addresses=192.168.55.54 to-ports=443
> > > > > > > > > >> add action=dst-nat chain=dstnat comment=IX2 disabled=yes dst-port=50500 protocol=tcp to-addresses=192.168.55.54 to-ports=50500
> > > > > > > > > >> add action=dst-nat chain=dstnat comment=Casey7-RDP dst-port=3389 protocol=tcp to-addresses=192.168.55.52 to-ports=3389
> > > > > > > > > >> add action=dst-nat chain=dstnat comment=HTPC7-Plex dst-port=32400 protocol=tcp to-addresses=192.168.55.50 to-ports=32400
> > > > > > > > > >> add action=dst-nat chain=dstnat comment=HTPC7-CetonApp dst-port=5832 protocol=tcp to-addresses=192.168.55.50 to-ports=5832
> > > > > > > > > >>
> > > > > > > > > >> Thanks,
> > > > > > > > > >> Casey
_______________________________________________
Mikrotik mailing list
[email protected]
http://mail.butchevans.com/mailman/listinfo/mikrotik

Visit http://blog.butchevans.com/ for tutorials related to Mikrotik RouterOS
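Two separate things go wrong in this thread: the original IX2 rule had no interface match, so it caught the LAN clients' ordinary web requests (Alexander's point), and the final rules all carry in-interface=ether1-gateway, which a hairpin request arriving on bridge-local can never match, so the blanket LAN masquerade alone cannot help; the usual hairpin recipe matches on the public address instead and then needs that LAN-to-LAN masquerade for the return path. The toy rule matcher below is written for this page (it is not MikroTik code) and plays those three forms of the port-80 rule against constructed packets; the public IP 203.0.113.10, the router's LAN address 192.168.55.1 and the website 198.51.100.7 are assumed values the thread does not give.

```python
from dataclasses import dataclass, replace

# Constructed addresses (documentation ranges); the thread never shows the public IP.
WAN_IP = "203.0.113.10"          # assumed address on ether1-gateway
ROUTER_LAN_IP = "192.168.55.1"   # assumed address on bridge-local
LAN = "192.168.55."

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    in_iface: str

def dstnat(pkt, rules):
    """First matching dstnat rule wins, as in RouterOS; an absent matcher matches all."""
    for r in rules:
        if r["dst-port"] != pkt.dport:
            continue
        if "in-interface" in r and r["in-interface"] != pkt.in_iface:
            continue
        if "dst-address" in r and r["dst-address"] != pkt.dst:
            continue
        return replace(pkt, dst=r["to-addresses"], dport=r["to-ports"])
    return pkt

def srcnat(pkt, hairpin_masq):
    """Traffic leaving ether1-gateway is always masqueraded; LAN-to-LAN traffic
    only when the blanket src-address=192.168.55.0/24 masquerade is present."""
    if pkt.dst == WAN_IP:                 # addressed to the router itself: input chain
        return pkt
    if not pkt.dst.startswith(LAN):       # forwarded out ether1-gateway
        return replace(pkt, src=WAN_IP)
    if hairpin_masq and pkt.src.startswith(LAN):
        return replace(pkt, src=ROUTER_LAN_IP)   # server's reply now returns via router
    return pkt                            # reply would go straight to the client

def route(pkt, dst_rules, hairpin_masq=False):
    return srcnat(dstnat(pkt, dst_rules), hairpin_masq)

# The IX2 port-80 rule from the thread, in three forms.
IX2_ANY_IFACE = {"dst-port": 80, "to-addresses": "192.168.55.54", "to-ports": 80}
IX2_WAN_IFACE = dict(IX2_ANY_IFACE, **{"in-interface": "ether1-gateway"})
IX2_BY_WAN_IP = dict(IX2_ANY_IFACE, **{"dst-address": WAN_IP})  # hairpin-style match

def browse_from_lan(rule):
    """Where does a LAN client's request to an ordinary website (198.51.100.7) land?"""
    return route(Packet("192.168.55.52", "198.51.100.7", 80, "bridge-local"), [rule]).dst

def hairpin(rule, hairpin_masq):
    """LAN client connects to the WAN IP; returns (where it lands, source the server sees)."""
    out = route(Packet("192.168.55.52", WAN_IP, 80, "bridge-local"), [rule], hairpin_masq)
    return out.dst, out.src
```

With IX2_ANY_IFACE the website request lands on 192.168.55.54 (the original breakage); with IX2_WAN_IFACE the hairpin packet is never translated at all, and only IX2_BY_WAN_IP together with the LAN masquerade both redirects it and gives the server a source address that routes back through the router.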

