Ok, removing the in-interface from the first and second dstnat rule now lets me use the dynamic DNS name to access the cameras. Which makes sense, I guess.

I guess I'll have to leave the in-interface specification for the port 80 and 443 though. Keeping me from using the dynamic DNS name?

Casey

On Sun, Jun 8, 2014 at 6:44 PM, Casey Mills <[email protected]> wrote:
> I added the in-interface=ether1-gateway per the beginning of this thread.
>
> Everything wired runs to a switch, then one port of that switch connects to ether3 on the rb2011. The WAN port on the rb2011 is ether1.
>
> add action=dst-nat chain=dstnat comment=Foscam-1 dst-port=8080 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.55.200 to-ports=8080
> add action=dst-nat chain=dstnat comment=Foscam-2 dst-port=8081 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.55.201 to-ports=8081
> add action=dst-nat chain=dstnat comment=IX2 dst-address-type="" dst-port=80 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.55.54 to-ports=80
> add action=dst-nat chain=dstnat comment=IX2 dst-address-type="" dst-port=443 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.55.54 to-ports=443
> add action=dst-nat chain=dstnat comment=IX2 dst-port=50500 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.55.54 to-ports=50500
> add action=dst-nat chain=dstnat comment=Casey7-RDP dst-port=3389 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.55.52 to-ports=3389
> add action=dst-nat chain=dstnat comment=HTPC7-Plex dst-port=32400 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.55.50 to-ports=32400
> add action=dst-nat chain=dstnat comment=HTPC7-CetonApp dst-port=5832 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.55.50 to-ports=5832
>
> On Sun, Jun 8, 2014 at 6:25 PM, Josh Luthman <[email protected]> wrote:
>> You're masquerading it right. Dstnat rules have to be to blame. Did you change them?
>>
>> Josh Luthman
>> Office: 937-552-2340
>> Direct: 937-552-2343
>> 1100 Wayne St
>> Suite 1337
>> Troy, OH 45373
>>
>> On Jun 8, 2014 6:23 PM, "Casey Mills" <[email protected]> wrote:
>>> I really appreciate your help Josh. But still not working. Any other ideas?
>>>
>>> Here are my firewall rules. I disabled the last input rule that drops input traffic but didn't make a difference.
>>>
>>> /ip firewall filter
>>> add chain=input comment="Allow all local traffic in" in-interface=bridge-local
>>> add chain=input protocol=icmp
>>> add chain=input connection-state=established
>>> add chain=input connection-state=related
>>> add action=drop chain=input in-interface=ether1-gateway
>>> add chain=forward connection-state=established
>>> add chain=forward connection-state=related
>>> add chain=forward
>>>
>>> This is my only NAT rule now, other than the port forwarding rules.
>>>
>>> chain=srcnat action=masquerade src-address=192.168.55.0/24
>>>
>>> Thanks,
>>> Casey
>>>
>>> On Sun, Jun 8, 2014 at 6:05 PM, Josh Luthman <[email protected]> wrote:
>>>> Drop the first rule.
>>>>
>>>> Second rule, drop the protocol.
>>>>
>>>> The latter rules won't apply because you're not coming from that interface.
>>>>
>>>> Josh Luthman
>>>> Office: 937-552-2340
>>>> Direct: 937-552-2343
>>>> 1100 Wayne St
>>>> Suite 1337
>>>> Troy, OH 45373
>>>>
>>>> On Jun 8, 2014 5:58 PM, "Casey Mills" <[email protected]> wrote:
>>>>> Hmm, that didn't do the trick. Here is what my NAT table looks like.
>>>>>
>>>>> add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway to-addresses=0.0.0.0
>>>>> add action=masquerade chain=srcnat comment=Hairpin-Test protocol=tcp src-address=192.168.55.0/24
>>>>> add action=dst-nat chain=dstnat comment=Foscam-1 dst-port=8080 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.55.200 to-ports=8080
>>>>> add action=dst-nat chain=dstnat comment=Foscam-2 dst-port=8081 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.55.201 to-ports=8081
>>>>>
>>>>> I loaded up Torch and can see when trying to access my dynamic DNS name with the port it is translated to the external IP address on my router. So the router is seeing the request? The router's response is likely coming from the inside IP address and not being masqueraded?
>>>>>
>>>>> Casey
>>>>>
>>>>> On Sun, Jun 8, 2014 at 2:47 PM, Josh Luthman <[email protected]> wrote:
>>>>>> Drop the last two arguments.
>>>>>>
>>>>>> Josh Luthman
>>>>>> Office: 937-552-2340
>>>>>> Direct: 937-552-2343
>>>>>> 1100 Wayne St
>>>>>> Suite 1337
>>>>>> Troy, OH 45373
>>>>>>
>>>>>> On Jun 8, 2014 2:27 PM, "Casey Mills" <[email protected]> wrote:
>>>>>>> I started with that but no luck. Here is what I tried.
>>>>>>>
>>>>>>> chain=srcnat action=masquerade protocol=tcp src-address=192.168.55.0/24 dst-address=192.168.55.0/24 out-interface=bridge-local
>>>>>>>
>>>>>>> Casey
>>>>>>>
>>>>>>> On Jun 8, 2014 11:54 AM, "Josh Luthman" <[email protected]> wrote:
>>>>>>>> Just blanket masquerade the local subnet and you're done. So much less pain and the downsides don't generally apply to small home/office networks.
>>>>>>>>
>>>>>>>> Josh Luthman
>>>>>>>> Office: 937-552-2340
>>>>>>>> Direct: 937-552-2343
>>>>>>>> 1100 Wayne St
>>>>>>>> Suite 1337
>>>>>>>> Troy, OH 45373
>>>>>>>>
>>>>>>>> On Sun, Jun 8, 2014 at 11:50 AM, Casey Mills <[email protected]> wrote:
>>>>>>>>> Thanks everyone! Adding in-interface=ether1-gateway made everything work as expected.
>>>>>>>>>
>>>>>>>>> Funny that you mention hairpin, I was going to tackle that next. Not having any luck so far. Trying to get it working for one device, then hopefully expanding the rule to cover all hairpin traffic.
>>>>>>>>>
>>>>>>>>> Any thoughts on ports 2-5 being part of bridge-local on a rb2011?
>>>>>>>>>
>>>>>>>>> So far neither of these has worked.
>>>>>>>>> chain=srcnat action=masquerade protocol=tcp src-address=192.168.55.0/24 dst-address=192.168.55.200 out-interface=bridge-local dst-port=8080
>>>>>>>>>
>>>>>>>>> chain=srcnat action=masquerade protocol=tcp src-address=192.168.55.0/24 dst-address=192.168.55.200 out-interface=ether3 dst-port=8080
>>>>>>>>>
>>>>>>>>> Casey
>>>>>>>>>
>>>>>>>>> On Sat, Jun 7, 2014 at 5:38 PM, Alexander Neilson <[email protected]> wrote:
>>>>>>>>>> Josh has hit the target
>>>>>>>>>>
>>>>>>>>>> Your port 80 rule doesn’t specify the interface so anything defined for port 80 is being redirected to your internal box.
>>>>>>>>>>
>>>>>>>>>> This includes standard website requests, which will be preventing your internet surfing.
>>>>>>>>>>
>>>>>>>>>> Just add in-interface=ether1-gateway and things should work.
>>>>>>>>>>
>>>>>>>>>> Regards
>>>>>>>>>> Alexander
>>>>>>>>>>
>>>>>>>>>> Alexander Neilson
>>>>>>>>>> Neilson Productions Limited
>>>>>>>>>>
>>>>>>>>>> [email protected]
>>>>>>>>>> 021 329 681
>>>>>>>>>> 022 456 2326
>>>>>>>>>>
>>>>>>>>>> On 8/06/2014, at 9:04 am, Grand Avenue Broadband <[email protected]> wrote:
>>>>>>>>>>> I'm assuming you mean "it kills my ability to browse TO THE WAN IP using a device on the inside of my network." If that is accurate, see here:
>>>>>>>>>>>
>>>>>>>>>>> http://wiki.mikrotik.com/wiki/Hairpin_NAT
>>>>>>>>>>>
>>>>>>>>>>> If you mean "it kills my ability to browse TO THE LAN IP using a device on the inside of my network," Josh's advice has already hit the target.
>>>>>>>>>>>
>>>>>>>>>>> On Jun 7, 2014, at 1:15 PM, Casey Mills <[email protected]> wrote:
>>>>>>>>>>>> I was pretty big into Mikrotik in years past, but haven't been active in some time.
>>>>>>>>>>>>
>>>>>>>>>>>> I just picked up a RB2011 and want to forward ports 80, 443, and 50500 for my network storage device.
>>>>>>>>>>>> When I dstnat those ports below it kills my ability to browse using a device on the inside of my network. This has to be something simple, please help.
>>>>>>>>>>>>
>>>>>>>>>>>> I'm not sure how traffic originating from the outside and destined for my network storage is treated. Ideally it should be handled by the forward chain, but it will have a destination IP of the WAN side of the router. So that makes me think input chain.
>>>>>>>>>>>>
>>>>>>>>>>>> /ip firewall filter
>>>>>>>>>>>> add chain=input protocol=icmp
>>>>>>>>>>>> add chain=input connection-state=established
>>>>>>>>>>>> add chain=input connection-state=related
>>>>>>>>>>>> add action=drop chain=input in-interface=ether1-gateway
>>>>>>>>>>>> add chain=forward connection-state=established
>>>>>>>>>>>> add chain=forward connection-state=related
>>>>>>>>>>>> add action=drop chain=forward connection-state=invalid
>>>>>>>>>>>>
>>>>>>>>>>>> /ip firewall nat
>>>>>>>>>>>> add action=masquerade chain=srcnat out-interface=ether1-gateway to-addresses=0.0.0.0
>>>>>>>>>>>> add action=dst-nat chain=dstnat comment=Foscam-1 dst-port=8080 protocol=tcp to-addresses=192.168.55.200 to-ports=8080
>>>>>>>>>>>> add action=dst-nat chain=dstnat comment=Foscam-2 dst-port=8081 protocol=tcp to-addresses=192.168.55.201 to-ports=8081
>>>>>>>>>>>> add action=dst-nat chain=dstnat comment=IX2 disabled=yes dst-address-type="" dst-port=80 protocol=tcp to-addresses=192.168.55.54 to-ports=80
>>>>>>>>>>>> add action=dst-nat chain=dstnat comment=IX2 disabled=yes dst-address-type="" dst-port=443 protocol=tcp to-addresses=192.168.55.54 to-ports=443
>>>>>>>>>>>> add action=dst-nat chain=dstnat comment=IX2 disabled=yes dst-port=50500 protocol=tcp to-addresses=192.168.55.54 to-ports=50500
>>>>>>>>>>>> add action=dst-nat chain=dstnat comment=Casey7-RDP dst-port=3389 protocol=tcp to-addresses=192.168.55.52 to-ports=3389
>>>>>>>>>>>> add action=dst-nat chain=dstnat comment=HTPC7-Plex dst-port=32400 protocol=tcp to-addresses=192.168.55.50 to-ports=32400
>>>>>>>>>>>> add action=dst-nat chain=dstnat comment=HTPC7-CetonApp dst-port=5832 protocol=tcp to-addresses=192.168.55.50 to-ports=5832
>>>>>>>>>>>>
>>>>>>>>>>>> Thanks,
>>>>>>>>>>>> Casey
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.butchevans.com/pipermail/mikrotik/attachments/20140608/289ae252/attachment.html>
_______________________________________________
Mikrotik mailing list
[email protected]
http://mail.butchevans.com/mailman/listinfo/mikrotik

Visit http://blog.butchevans.com/ for tutorials related to Mikrotik RouterOS
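Casey's closing note at the top of the thread (the in-interface=ether1-gateway match that stops the port-80 forward from hijacking LAN browsing also stops LAN clients from reaching the forwarded ports through the dynamic DNS name) is exactly the case the Hairpin_NAT wiki page linked earlier in the thread addresses. The rules below are an added example, not configuration posted by anyone in the thread: they key the forwards on the router's own addresses instead of the ingress interface, and add the LAN-to-LAN masquerade that makes the hairpinned reply come back through the router. They assume the LAN is 192.168.55.0/24 on bridge-local, the WAN is ether1-gateway and the NAS is 192.168.55.54, as in the thread, and that the router's own LAN address is 192.168.55.1 (an assumption; the thread never states it).

```routeros
/ip firewall nat
# Outbound masquerade for the LAN, as in the thread.
add chain=srcnat action=masquerade out-interface=ether1-gateway \
    comment="default configuration"

# Hairpin: LAN-to-LAN traffic that has already been dst-nat'ed is also
# src-nat'ed to the router's LAN address, so the NAS replies to the router
# (which reverses both translations) instead of straight to the client,
# whose TCP stack would otherwise reset the unexpected reply. Only this
# path is touched: LAN-to-Internet traffic has a non-LAN destination and
# never matches this rule.
add chain=srcnat action=masquerade src-address=192.168.55.0/24 \
    dst-address=192.168.55.0/24 comment="hairpin"

# Forwards keyed on the router's own addresses (dst-address-type=local)
# rather than on in-interface, so they fire whether the packet arrived on
# the WAN or came from the LAN aimed at the dynamic DNS name. A LAN client
# browsing the Internet has a non-local destination, so its port-80 and
# port-443 traffic is left alone. The router's LAN address (assumed to be
# 192.168.55.1) is excluded so that LAN access to the router's own web and
# HTTPS services is not redirected to the NAS.
add chain=dstnat action=dst-nat protocol=tcp dst-address-type=local \
    dst-address=!192.168.55.1 dst-port=80 \
    to-addresses=192.168.55.54 to-ports=80 comment=IX2
add chain=dstnat action=dst-nat protocol=tcp dst-address-type=local \
    dst-address=!192.168.55.1 dst-port=443 \
    to-addresses=192.168.55.54 to-ports=443 comment=IX2
```

The camera, RDP and Plex forwards from the thread can be rewritten the same way. To confirm the hairpin path is taken, run /ip firewall nat print stats while a LAN client connects to the dynamic DNS name: both the dst-nat rule and the hairpin srcnat rule should count packets. Two caveats: the NAS now sees hairpinned connections as coming from the router's LAN address rather than from the real client, so its own logs and any per-client access control lose that information; and anything forwarded this way, RDP on 3389 included, is reachable from every source on the WAN, so a src-address or address-list restriction on the dstnat rule is worth adding for services that do not need to be public.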

