Jump to content
  • 0

Port forward

Upcho

Asked by Upcho,

 Share

Question

Upcho Newbie

Upcho

Posted
Posted

spacer.png

 

Здравейте,

опитвам се да пренасоча заявки от моя публичен адрес с порт 9001 към адрес и порт зад рутера.

Имам два bridge-a:
- bridge-tv (WAN): ISP и STB, получавам динамичен публичен адрес от доставчика (vivacom)
- bridge (LAN): http server със адрес 192.168.88.23:8000

Целта ми е заявки към публичния адрес порт 9001 да отиват към 192.168.88.23:8000, до колкото прочетох трябва да направя dst-nat правило, но не се получава. 

add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=9001 in-interface=bridge-tv log=yes protocol=tcp to-addresses=\
    198.168.88.23 to-ports=8000

Може би трябва да има и друго правило да пренасоча от 'bridge-tv' към 'bridge' но не разбирам как да го направя.
Всяка насола е добре дошла. 

/interface bridge
add comment=defconf name=bridge
add admin-mac=B0:48:7A:F3:BE:83 auto-mac=no name=bridge-tv
/interface ethernet
set [ find default-name=ether1 ] comment=isp
set [ find default-name=ether2 ] comment="access point"
set [ find default-name=ether3 ] comment="tv"
set [ find default-name=ether4 ] comment="switch child room"
set [ find default-name=ether5 ] comment="living room"
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/user group
set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge-tv interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge-tv interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=bridge-tv list=WAN
/interface pptp-server server
set enabled=yes
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
/ip cloud
set ddns-enabled=yes update-time=no
/ip dhcp-client
add comment=defconf interface=ether1
add comment=vivacom disabled=no interface=bridge-tv use-peer-dns=no
/ip dhcp-server lease
add address=192.168.88.21 client-id=1:b8:27:eb:6d:1b:b5 mac-address=B8:27:EB:6D:1B:B5 server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=192.168.88.21
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
add address=192.168.88.249 name=pihole.local
/ip firewall address-list
add address=cc210cb350ce.sn.mynetname.net list=WAN-IP
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="PPTP VPN" disabled=yes dst-port=1723 protocol=tcp
add action=accept chain=input dst-port=9001 log=yes protocol=tcp
add action=accept chain=foward comment="Allow port forwarding" connection-nat-state=dstnat connection-state=new in-interface=\
    bridge
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new \
    in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface-list=WAN
add action=masquerade chain=srcnat comment="HAIRPIN NAT" disabled=yes dst-address=192.168.88.0/24 src-address=192.168.88.0/24
add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=9001 in-interface=bridge-tv log=yes protocol=tcp to-addresses=\
    198.168.88.23 to-ports=8000
/ip route
add distance=1 gateway=78.83.147.1
/system clock
set time-zone-name=Europe/Sofia
/system logging
add disabled=yes topics=pptp
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool romon
set enabled=yes

 

Link to comment
Share on other sites

10 answers to this question

Recommended Posts

  • 0
  • Administrator
JohnTRIVOLTA Proficient

JohnTRIVOLTA

Posted
  • Administrator
Posted

Пробвай, като в правилото за нат махнеш дист.адрес листата:

add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=9001 in-interface=bridge-tv log=yes protocol=tcp to-addresses=\
    198.168.88.23 to-ports=8000

Правилото на вход за разрешение на порт 9001 не е нужно, може да го премахнеш и него:

add action=accept chain=input dst-port=9001 log=yes protocol=tcp

 

Link to comment
Share on other sites
  • 0
Upcho
Newbie

Upcho

Posted
  • Author
Posted
1 hour ago, JohnTRIVOLTA said:

Пробвай, като в правилото за нат махнеш дист.адрес листата:

add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=9001 in-interface=bridge-tv log=yes protocol=tcp to-addresses=\
    198.168.88.23 to-ports=8000

Правилото на вход за разрешение на порт 9001 не е нужно, може да го премахнеш и него:

add action=accept chain=input dst-port=9001 log=yes protocol=tcp

 

Премахнах ги, но пак не работи.
Пробвах също и да сложа директно моя публичен адрес за `dst-address`, но без успех.

В лог, виждам следните редове когато направя заявка, с което си мисля, че NAT правилото се взима под внимание, но заявката не се препраща. 

dstnat: in:bridge-tv out:(unknown 0), src-mac 00:00:5e:00:01:e5, proto TCP (SYN), 212.39.89.182:7391->publicIP:9001, len 60
dstnat: in:bridge-tv out:(unknown 0), src-mac 00:00:5e:00:01:e5, proto TCP (SYN), 212.39.89.182:55854->publicIP:9001, len 60

 

Link to comment
Share on other sites
  • 0
  • Administrator
JohnTRIVOLTA Proficient

JohnTRIVOLTA

Posted
  • Administrator
Posted

Колкото и странен да изглежда въпроса ти имаш ли сетнат гейтуей на 198.168.88.23 ?

Махни и правилото 

add action=accept chain=foward comment="Allow port forwarding" connection-nat-state=dstnat connection-state=new in-interface=\
    bridge
Link to comment
Share on other sites
  • 0
Upcho
Newbie

Upcho

Posted
  • Author
Posted

На 192.168.88.23 нямам изрично зададен gateway, автоматично си взима 192.168.88.1 (рутера) 

~ $ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.88.1    0.0.0.0         UG    202    0        0 eth0

Махнах и правилото, но без успех 

add action=accept chain=foward comment="Allow port forwarding" connection-nat-state=dstnat connection-state=new in-interface=\
    bridge

 

Link to comment
Share on other sites
  • 0
  • Administrator
JohnTRIVOLTA Proficient

JohnTRIVOLTA

Posted
  • Administrator
Posted
Преди 1 час, Upcho написа:

На 192.168.88.23 нямам изрично зададен gateway, автоматично си взима 192.168.88.1 (рутера)

~ $ route -n Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 0.0.0.0 192.168.88.1 0.0.0.0 UG 202 0 0 eth0 

~ $ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.88.1    0.0.0.0         UG    202    0        0 eth0

Махнах и правилото, но без успех

add action=accept chain=foward comment="Allow port forwarding" connection-nat-state=dstnat connection-state=new in-interface=\ bridge 

add action=accept chain=foward comment="Allow port forwarding" connection-nat-state=dstnat connection-state=new in-interface=\
    bridge

 

Да нямаш рестрикции на услугата да се свързва само от локалната мрежа? Пакетите ти минават видно от горният лог още?

Link to comment
Share on other sites
  • 0
Upcho
Newbie

Upcho

Posted
  • Author
Posted

Услугата (nginx/caddy) e bind-ната на 0.0.0.0:8000 (192.168.88.23). Няма рестрикции.

Да, при заявка към <публичен адрес>:9001, в лог още виждам 

dstnat: in:bridge-tv out:(unknown 0), src-mac 00:00:5e:00:01:e5, proto TCP (SYN), 212.39.89.68:35812->public IP:9001, len 60

 

Link to comment
Share on other sites
  • 0
Upcho
Newbie

Upcho

Posted
  • Author
Posted

Премахнах `bridge-tv`, който обединява ether1 и ether3, промених WAN списъка сочи към ether1.

Така NAT правилото за пренасочване работи, но пък нямам телевизия.

Не разбирам защо, когато имам два bridge-a пренасочването не работи, трябва ли да имам допълнително пренасочване между самите bridge-oвете.

Някой има ли идея как да работи и пренасочването и телевизия (ether3). 

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN

/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5

/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="HAIRPIN NAT" dst-address=192.168.88.0/24 src-address=192.168.88.0/24
add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=9001 protocol=tcp to-addresses=192.168.88.23 to-ports=8000

 

Link to comment
Share on other sites
  • 0
  • Administrator
JohnTRIVOLTA Proficient

JohnTRIVOLTA

Posted
  • Administrator
Posted (edited)

Остави само : ... и виж дали бриджа е вкаран в интрефейс листата WAN или промени на мястото на ether1 да е interface=bridge-tv ! 

/ip dhcp-client
add comment=vivacom interface=bridge-tv
Edited by JohnTRIVOLTA
Link to comment
Share on other sites
  • 0
Upcho
Newbie

Upcho

Posted
  • Author
Posted
On 1/14/2023 at 12:37 PM, JohnTRIVOLTA said:

Остави само : ... и виж дали бриджа е вкаран в интрефейс листата WAN или промени на мястото на ether1 да е interface=bridge-tv !

/ip dhcp-client add comment=vivacom interface=bridge-tv 

/ip dhcp-client
add comment=vivacom interface=bridge-tv

Първоначалната конфигурация беше така, правилно ли разбирам твоя коментар, NAT правилото с тези настройки не работи:

bridge-tv=(ether1, ether3)
WAN=bridge-tv
dhcp client на bridge-tv 

/interface bridge port
add bridge=bridge-tv interface=ether3
add bridge=bridge-tv interface=ether1

/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=bridge-tv list=WAN

/ip dhcp-client
add comment=vivacom disabled=no interface=bridge-tv use-peer-dns=no

 

Link to comment
Share on other sites
  • 0
  • Administrator
JohnTRIVOLTA Proficient

JohnTRIVOLTA

Posted
  • Administrator
Posted (edited)

Трябва ми целия export на рутера, може и на лични за да видя защо не сработва.

За проба може на същия сървър да отвориш и друга услуга, колкото за проба дали ще сработи с правило и за нея в нат, пример http!

Edited by JohnTRIVOLTA
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to question listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...

Important Information

By using this site, you agree to our Terms of Use.

  I accept