
MikrotikWithMultipleWANIP’sAndPortForwarding-HAIRPINNAT

https://learnithowabout.blogspot.com/2013/11/mikrotik-with-multiple-wan-ips-and-port.html

Mikrotik with Multiple WAN IP’s and Port Forwarding / HAIRPIN NAT

Mark my words! Mikrotik is the future and Cisco’s domination is about to end. For sure Cisco still holds the majority share of the router world, but that is going to change very soon . . . Cisco is the best, but at a higher price. Cisco has the edge due to its reliable OS and hardware. Mikrotik is good for multiple purposes at a very cheap price compared to Cisco and offers more, so it is a very cost-effective solution. It’s all about personal preference, choice and budget. But even if I had a high budget, I would prefer Mikrotik :), but that’s my personal choice, and you are not bound to agree with it :D

Recently I did some testing at my office for a possible replacement of a Cisco ASA 5510 firewall/router with a Mikrotik RouterBoard. Following is a short reference on how I did it. I had a /29 public IP pool. Configuration was pretty straightforward, but I was confused on how to route a specific LAN server’s (or IP’s) traffic via a specific WAN IP. Using src-address I managed to solve it. Following is a short reference for future use.

The scenario is as follows. We will configure all usable WAN IP addresses on the Mikrotik WAN interface, and we will forward the required ports from specific WAN IPs to specific LAN servers. We will also configure the firewall so that only the required ports are open from the WAN side for security purposes; all other traffic will be denied on the WAN interface. We will also bind local servers to specific WAN IP addresses. The Mikrotik has two interfaces:

    ether1 = LAN users
    ether2 = WAN Link

Now we want to forward traffic as follows (all IP addresses used here are fictional and for example purposes only):

    mail server = 10.0.0.2 → 1.2.3.1    WAN IP
    dude server = 10.0.0.3 → 1.2.3.2   WAN IP
    cctv1 server = 10.0.0.4 → 1.2.3.3   WAN IP
    cctv2 server = 10.0.0.5 → 1.2.3.4   WAN IP

IP configuration on the Mikrotik interfaces:

    /ip address
    add address=10.0.0.1/8 comment=LAN disabled=no interface="LAN - ether1"
    add address=1.2.3.1/29 interface="WAN - ether2"
    add address=1.2.3.2/29 interface="WAN - ether2"
    add address=1.2.3.3/29 interface="WAN - ether2"
    add address=1.2.3.4/29 interface="WAN - ether2"

Filter rules section, to allow only the required incoming traffic on the WAN interface and DENY everything else for security purposes :) First we add the required ports to the firewall filter BEFORE the DENY rule, which comes last.

    /ip firewall filter
    add action=accept chain=input comment="SMTP" disabled=no dst-address=1.2.3.1 dst-port=25 in-interface="WAN - ether2" protocol=tcp
    add action=accept chain=input comment="POP3" disabled=no dst-address=1.2.3.1 dst-port=110 in-interface="WAN - ether2" protocol=tcp
    add action=accept chain=input comment="Webmail" disabled=no dst-address=1.2.3.1 dst-port=80 in-interface="WAN - ether2" protocol=tcp
    add action=accept chain=input comment="DUDE" disabled=no dst-address=1.2.3.2 dst-port=80 in-interface="WAN - ether2" protocol=tcp
    add action=accept chain=input comment="CCTV 1" disabled=no dst-address=1.2.3.3 dst-port=81 in-interface="WAN - ether2" protocol=tcp
    add action=accept chain=input comment="CCTV 2" disabled=no dst-address=1.2.3.4 dst-port=82 in-interface="WAN - ether2" protocol=tcp
    add action=accept chain=input comment="WINBOX 8192" disabled=no dst-port=8192 in-interface="WAN - ether2" protocol=tcp
    add action=accept chain=input comment="Allow PING ICMP " disabled=no protocol=icmp
    add action=drop chain=input comment="DROP ALL INCOMING TRAFFIC ON WAN INTERFACE" disabled=no in-interface="WAN - ether2"

NAT section, to do port forwarding from the WAN IPs to the local servers and to use src-nat so that each local server’s traffic is routed via its specific WAN IP.

1. First, the dst-nat rules to forward the ports:

    /ip firewall nat
    add action=dst-nat chain=dstnat comment="SMTP 25 Forward to MAIL-Server" disabled=no dst-address=1.2.3.1 dst-port=25 in-interface="WAN - ether2" protocol=tcp to-addresses=10.0.0.2 to-ports=25
    add action=dst-nat chain=dstnat comment="POP3 110 Forward to MAIL-Server" disabled=no dst-address=1.2.3.1 dst-port=110 in-interface="WAN - ether2" protocol=tcp to-addresses=10.0.0.2 to-ports=110
    add action=dst-nat chain=dstnat comment="Web 80 Forward to MAIL-Server Webmail" disabled=no dst-address=1.2.3.1 dst-port=80 in-interface="WAN - ether2" protocol=tcp to-addresses=10.0.0.2 to-ports=80
    add action=dst-nat chain=dstnat comment="Web 80 Forward to DUDE" disabled=no dst-address=1.2.3.2 dst-port=80 in-interface="WAN - ether2" protocol=tcp to-addresses=10.0.0.3 to-ports=80
    add action=dst-nat chain=dstnat comment="CCTV1 - 81 Forward to cctv1" disabled=no dst-address=1.2.3.3 dst-port=81 in-interface="WAN - ether2" protocol=tcp to-addresses=10.0.0.4 to-ports=81
    add action=dst-nat chain=dstnat comment="CCTV2 - 82 Forward to cctv2" disabled=no dst-address=1.2.3.4 dst-port=82 in-interface="WAN - ether2" protocol=tcp to-addresses=10.0.0.5 to-ports=82

2. Now route each local server’s traffic via its specific WAN IP address:

    /ip firewall nat
    add action=src-nat chain=srcnat comment="Route mail traffic via 1.2.3.1" disabled=no src-address=10.0.0.2 to-addresses=1.2.3.1
    add action=src-nat chain=srcnat comment="Route DUDE traffic via 1.2.3.2" disabled=no src-address=10.0.0.3 to-addresses=1.2.3.2
    add action=src-nat chain=srcnat comment="Route CCTV1 traffic via 1.2.3.3" disabled=no src-address=10.0.0.4 to-addresses=1.2.3.3
    add action=src-nat chain=srcnat comment="Route CCTV2 traffic via 1.2.3.4" disabled=no src-address=10.0.0.5 to-addresses=1.2.3.4
    add action=masquerade chain=srcnat comment="Default Masquerade Rule for LAN" disabled=no out-interface="WAN - ether2" src-address=10.0.0.2-10.0.0.255

Now test it from the WAN side. You can check the port status from http://www.yougetsignal.com/tools/open-ports/

<< HAIRPIN NAT >>

Using the above method, I was able to successfully set up port forwarding on a Mikrotik router that forwards ports from the Mikrotik WAN IP to local LAN servers (example: 1.2.3.4:3389 to 192.168.1.10:3389). BUT there is a BUT: when I tried to open the Mikrotik WAN IP from a local LAN user, for example

    192.168.1.20    –>    1.2.3.4:3389    –>   192.168.1.10:3389

it didn’t open and the connection went into a SINK hole, meaning it was lost. The solution was to rewrite the port forwarding rule NOT to use in-interface=WAN-GATEWAY but dst-address-type=local. This is called, among other terms, hairpin NAT, because the traffic flow has clients enter the router through the same interface it leaves through, which when drawn looks like a hairpin. As shown in the example below:

  1. DST-NAT rule to redirect port 3389 from

    /ip firewall nat
    add action=dst-nat chain=dstnat disabled=no dst-address=1.2.3.4 dst-address-type=local dst-port=3389 protocol=tcp to-addresses=192.168.1.10 to-ports=3389 comment="Redirect RDP PORT TCP 3389 to local server"

2. Masquerade local traffic going to the Mikrotik WAN IP [to access that service from the LAN using the Mikrotik WAN IP]:

    /ip firewall nat
    add chain=srcnat src-address=192.168.1.0/24 dst-address=192.168.1.10 protocol=tcp dst-port=3389 out-interface=LAN-Interface action=masquerade comment="Masquerade Traffic going to WAN IP of mikrotik from local LAN users"
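As an added example (not part of the original post and not RouterOS code), here is a small Python model of the RouterOS NAT pipeline that reproduces what the post observed in both sections: prerouting dst-nat, then the routing decision (a packet still addressed to one of the router’s own addresses goes to the input chain, where the post’s filter rules apply; a dst-nat’ed packet is forwarded instead), then postrouting src-nat. It runs the in-interface=WAN rule set and the hairpin rule set against a WAN client and a LAN client, shows the src-nat binding of a server to a WAN address, and shows why the LAN-side masquerade is needed: without it the server sees the LAN client’s real address and replies to it directly, bypassing the router’s NAT table. The router’s LAN address 192.168.1.1, the WAN client 5.6.7.8, and a src-nat binding for 192.168.1.10 (modelled on the src-nat rules of the first section) are constructed assumptions for this example.

```python
"""Toy model of RouterOS packet flow: prerouting dst-nat -> routing decision ->
input or forward -> postrouting src-nat.  Added example, not the post's config."""
import ipaddress
from dataclasses import dataclass, replace

# Constructed topology (assumptions): the post's 1.2.3.4 WAN address and the
# 192.168.1.0/24 LAN; the router's LAN-side address is assumed to be .1.
ROUTER_WAN_IP = "1.2.3.4"
ROUTER_LAN_IP = "192.168.1.1"
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
LOCAL_ADDRESSES = {ROUTER_WAN_IP, ROUTER_LAN_IP}   # what dst-address-type=local matches


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"
    in_iface: str = ""
    out_iface: str = ""


def iface_for(addr):
    """Routing decision: the LAN prefix goes out the LAN port, everything else WAN."""
    return "LAN" if ipaddress.ip_address(addr) in LAN_NET else "WAN"


def matches(rule, pkt):
    """RouterOS-style matcher: every matcher field present in the rule must agree."""
    for key, want in rule.items():
        if key in ("chain", "action", "to_address"):
            continue
        if key == "dst_address_type":
            if (pkt.dst in LOCAL_ADDRESSES) != (want == "local"):
                return False
        elif key == "src_address":
            if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(want):
                return False
        elif getattr(pkt, key) != want:
            return False
    return True


def apply_nat(rules, chain, pkt):
    """First matching rule in the chain wins, as in RouterOS."""
    for rule in rules:
        if rule["chain"] != chain or not matches(rule, pkt):
            continue
        if rule["action"] == "dst-nat":
            return replace(pkt, dst=rule["to_address"])
        if rule["action"] == "src-nat":
            return replace(pkt, src=rule["to_address"])
        if rule["action"] == "masquerade":   # rewrite to the outgoing interface's address
            return replace(pkt, src=ROUTER_LAN_IP if pkt.out_iface == "LAN" else ROUTER_WAN_IP)
    return pkt


def simulate(rules, pkt):
    """Return (verdict, packet as the next hop sees it)."""
    pkt = apply_nat(rules, "dstnat", pkt)                 # prerouting
    if pkt.dst in LOCAL_ADDRESSES:
        # No dst-nat matched: the packet is for the router itself and goes to the
        # input chain.  Nothing answers on 3389 there: the post's "sink hole".
        return "not-forwarded", pkt
    pkt = replace(pkt, out_iface=iface_for(pkt.dst))      # routing decision
    pkt = apply_nat(rules, "srcnat", pkt)                 # postrouting
    # The server answers whatever source it sees.  If that is a LAN host, the reply
    # goes straight to it and bypasses the router's NAT table, so the client gets a
    # reply from 192.168.1.10 for a connection it opened to 1.2.3.4 and drops it.
    if (pkt.out_iface == "LAN" and pkt.src != ROUTER_LAN_IP
            and ipaddress.ip_address(pkt.src) in LAN_NET):
        return "asymmetric-reply", pkt
    return "ok", pkt


# The post's first approach: dst-nat keyed on the WAN in-interface.
RULES_IN_INTERFACE = [
    {"chain": "dstnat", "action": "dst-nat", "in_iface": "WAN", "dst": ROUTER_WAN_IP,
     "proto": "tcp", "dport": 3389, "to_address": "192.168.1.10"},
    {"chain": "srcnat", "action": "masquerade", "out_iface": "WAN"},
]

# The hairpin rule set: dst-address-type=local, a LAN-side masquerade for traffic
# that re-enters the LAN, and an assumed src-nat binding (as in the first section)
# so the server's own outbound traffic leaves from its WAN address.
RULES_HAIRPIN = [
    {"chain": "dstnat", "action": "dst-nat", "dst": ROUTER_WAN_IP, "dst_address_type": "local",
     "proto": "tcp", "dport": 3389, "to_address": "192.168.1.10"},
    {"chain": "srcnat", "action": "masquerade", "src_address": "192.168.1.0/24",
     "dst": "192.168.1.10", "proto": "tcp", "dport": 3389, "out_iface": "LAN"},
    {"chain": "srcnat", "action": "src-nat", "src_address": "192.168.1.10",
     "out_iface": "WAN", "to_address": ROUTER_WAN_IP},
    {"chain": "srcnat", "action": "masquerade", "out_iface": "WAN"},
]
# Same, but without the LAN-side masquerade, to show why it is needed.
RULES_HAIRPIN_NO_MASQ = [RULES_HAIRPIN[0]] + RULES_HAIRPIN[2:]

if __name__ == "__main__":
    for name, rules in (("in-interface", RULES_IN_INTERFACE), ("hairpin", RULES_HAIRPIN),
                        ("hairpin-no-masq", RULES_HAIRPIN_NO_MASQ)):
        for client, iface in (("5.6.7.8", "WAN"), ("192.168.1.20", "LAN")):   # constructed
            verdict, seen = simulate(rules, Packet(client, ROUTER_WAN_IP, 3389, in_iface=iface))
            print(f"{name:16} {client:>13} via {iface}: {verdict} (server sees src {seen.src})")
```

Running it prints one line per rule set and client; the LAN client gets "not-forwarded" under the in-interface rules, "asymmetric-reply" without the LAN-side masquerade, and "ok" with the full hairpin set, while the WAN client is "ok" throughout. The model is deliberately minimal (no connection tracking, no forward-chain filter), so it is a reasoning aid for the rule ordering, not a substitute for testing on the router.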

Page modified on 5 December 2020 at 23:24