Jump to content
  • 0

Проблем с мейлсървър зад микротик

Mitko

Asked by Mitko,

 Share

Question

Mitko Newbie

Mitko

Posted
Posted

Привет,

имам следния проблем:

Когато от вън се върже някой на 25 порт, на постфикса в лога излиза следното - postfix/smtpd[2690]: connect from unknown[192.168.0.1]

От тук нататък антиспам филтъра го третира като от локалната мрежа и... става мазало.

Преди зад линукса в скобите се изписваше реалния айпи адрес на клиента който се е вързал на 25 порт postfix/smtpd[17360]: connect from unknown[189.21.217.6]

Това са ми правилата:

/ip firewall nat

chain=srcnat action=src-nat to-addresses="външното-айпи" src-address=192.168.0.42

chain=dstnat action=dst-nat to-addresses=192.168.0.42 to-ports=25 protocol=tcp dst-address="външното-айпи" in-interface=ether2-WAN1 dst-port=25

chain=dstnat action=dst-nat to-addresses=192.168.0.42 to-ports=110 protocol=tcp dst-address="външното-айпи" in-interface=ether2-WAN1 dst-port=110

Благодаря предварително.

Link to comment
Share on other sites

16 answers to this question

Recommended Posts

  • 0
  • Administrator
111111 Rising Star

111111

Posted
  • Administrator
Posted

Какво става когато махнеш външния адрес а оставиш външния интерфейс и вътрешното ип

отвътре навън маскарадинг

Харесай поста ^^^
acer.gif htc.gifsigpic4024_2.gif

Форумът е за взаимопомощ а не за свършване на чужда работа

RB951Ui-2HnD / RBD25GR-5HPACQD2HPND&R11E-LTE6 /  RB952Ui-5ac2nD-TC

ɹɐǝɥ uɐɔ noʎ ǝɹoɯ ǝɥʇ 'ǝɯoɔǝq noʎ ɹǝʇǝınb ǝɥʇ

Link to comment
Share on other sites
  • 0
Mitko
Newbie

Mitko

Posted
  • Author
Posted (edited)

Какво става когато махнеш външния адрес а оставиш външния интерфейс и вътрешното ип

отвътре навън маскарадинг

Ако питаш за това правило - chain=srcnat chain=dstnat action=dst-nat to-addresses=192.168.0.42 to-ports=25 protocol=tcp dst-address="външното-айпи" in-interface=ether2-WAN1 dst-port=25

Резултата е същия - посфикса дава айпито на гейта 192.168.0.1 а не на клиента който реално се връзва.

Имаш предвид да махна външното айпи, да остане само интерфеса за и то от вън на вътре, защото от вътре навън с маскарадинга си работи - излиза и влиза през определеното външно айпи на което имам МХ запис.

Ето как го бях реализирал следния казус под линукс и работеше... под МТ работи но... не ми се показва външното айпи на клиента а на локалното айпи на гейта МТ - 192.168.0.1

iptables -A FORWARD -p tcp -i eth0 -s 192.168.0.42 --dport 25 -j ACCEPT

iptables -A FORWARD -p tcp -i eth0 -s 192.168.0.42 --dport 143 -j ACCEPT

iptables -A FORWARD -p tcp -i eth0 -s 192.168.0.42 --dport 465 -j ACCEPT

iptables -A FORWARD -p tcp -i eth0 -s 192.168.0.42 --dport 587 -j ACCEPT

iptables -A FORWARD -p tcp -i eth0 -s 192.168.0.42 --dport 993 -j ACCEPT

iptables -t nat -A PREROUTING -p tcp -i eth1 -d 10.10.20.2.1 --dport 25 -j DNAT --to 192.168.0.42:25

ptables -t nat -A PREROUTING -p tcp -i eth1 -d 10.10.20.2.1 --dport 110 -j DNAT --to 192.168.0.42:110

iptables -t nat -A PREROUTING -p tcp -i eth1 -d 10.10.20.2.1 --dport 143 -j DNAT --to 192.168.0.42:143

iptables -t nat -A PREROUTING -p tcp -i eth1 -d 10.10.20.2.1 --dport 465 -j DNAT --to 192.168.0.42:465

iptables -t nat -A PREROUTING -p tcp -i eth1 -d 10.10.20.2.1 --dport 587 -j DNAT --to 192.168.0.42:587

iptables -t nat -A PREROUTING -p tcp -i eth1 -d 10.10.20.2.1 --dport 993 -j DNAT --to 192.168.0.42:993

iptables -t nat -A POSTROUTING -o eth1 -s 192.168.0.42 -j SNAT --to 10.10.20.2.1

Edited by Mitko
Link to comment
Share on other sites
  • 0
  • Administrator
111111 Rising Star

111111

Posted
  • Administrator
Posted 

/ip firewall nat

add action=masquerade chain=srcnat comment="masquerade" disabled=no out-interface=ether1-gateway

add action=dst-nat chain=dstnat comment="SNMP :25" disabled=no dst-port=25 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.88.200 to-ports=25

add action=dst-nat chain=dstnat comment="secure snmp :465" disabled=no dst-port=465 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.88.200 to-ports=465

add action=dst-nat chain=dstnat comment="snmp sub :587" disabled=no dst-port=587 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.88.200 to-ports=587

add action=dst-nat chain=dstnat comment="secure pop3 :995" disabled=no dst-port=995 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.88.200 to-ports=995

add action=dst-nat chain=dstnat comment="secure imap :993" disabled=no dst-port=993 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.88.200 to-ports=993[/CODE]



зад машината има меил сървър който си работи идеално



относно правилата в iptables

много лесно може да имплементираш в микротик

FORWARD правилата са в /ip firewall filter

останалите PREROUTING и POSTROUTINGв  /ip firewall nat
Харесай поста ^^^
acer.gif htc.gifsigpic4024_2.gif

Форумът е за взаимопомощ а не за свършване на чужда работа

RB951Ui-2HnD / RBD25GR-5HPACQD2HPND&R11E-LTE6 /  RB952Ui-5ac2nD-TC

ɹɐǝɥ uɐɔ noʎ ǝɹoɯ ǝɥʇ 'ǝɯoɔǝq noʎ ɹǝʇǝınb ǝɥʇ

Link to comment
Share on other sites
  • 0
Mitko
Newbie

Mitko

Posted
  • Author
Posted (edited)

Благодаря за примера и описанието за имплементация. Но това съм го направил, може би съм те подвел като не съм постнал част от конфига от /ip firewall filter. Но и това е направено.

Проблема е както писах по-горе а може и да не си ме разбрал:

- имам достъп до мейл сървъра от вън;

- получавам поща без проблем;

- изпращането също;

- проблема е в това, че от вън като се върже някой мелйсървър, моя мейлсървър го вижда с айпи адреса на МТ от локалната мрежа - 192.168.0.1 а не с реалния адрес на изпращача. В това е проблема.

Поздрави,

Митко

П.П

Възникнаха и други проблемацийки.. но ще пиша по късно - не са свързани с мейлсървъра а с доставчик1 плюс доставчик 2 по BGP >:(

Edited by Mitko
Link to comment
Share on other sites
  • 0
byte Contributor

byte

Posted
Posted

До колкото виждам на микротика имаш два частни адреса 192.168.0.42 и 10.10.20.2.1 (ебаси?!)

Проблема ти е в рутера с айпи 192.168.0.1 че прави src-nat на входящите ти връзки, което е необходимо само ако на микротика нямаш зададен default gw

Link to comment
Share on other sites
  • 0
Mitko
Newbie

Mitko

Posted
  • Author
Posted

До колкото виждам на микротика имаш два частни адреса 192.168.0.42 и 10.10.20.2.1 (ебаси?!)

Проблема ти е в рутера с айпи 192.168.0.1 че прави src-nat на входящите ти връзки, което е необходимо само ако на микротика нямаш зададен default gw

Забравих да направя едно уточнение - 10.10.20.2.1 не е реалния адрес ::) Истинския е от 2хх.ххх.ххх

Link to comment
Share on other sites
  • 0
byte Contributor

byte

Posted
Posted

Така или иначе проблема ти се крие в у-вото което държи айпи: 192.168.0.1

там имаш някакъв src-nat в посока майла

Link to comment
Share on other sites
  • 0
Mitko
Newbie

Mitko

Posted
  • Author
Posted

Така или иначе проблема ти се крие в у-вото което държи айпи: 192.168.0.1

там имаш някакъв src-nat в посока майла

Устройсвоте е Микротика... src-nat съм го постнал. Но защо на машината зад микротика външното айпи се представя с айпито на интерфейса на МТ за локална мрежа 192.168.0.1

На това търся отговор - под линукс си работи а под МТ не. Затова съм постнал в третия пост настройките на линукса.

Link to comment
Share on other sites
  • 0
  • Administrator
111111 Rising Star

111111

Posted
  • Administrator
Posted

Имаш други правила които правят нещо при мен гледах изписва адреса идващ отвън

Харесай поста ^^^
acer.gif htc.gifsigpic4024_2.gif

Форумът е за взаимопомощ а не за свършване на чужда работа

RB951Ui-2HnD / RBD25GR-5HPACQD2HPND&R11E-LTE6 /  RB952Ui-5ac2nD-TC

ɹɐǝɥ uɐɔ noʎ ǝɹoɯ ǝɥʇ 'ǝɯoɔǝq noʎ ɹǝʇǝınb ǝɥʇ

Link to comment
Share on other sites
  • 0
cdman Newbie

cdman

Posted
Posted

Проблема ти е в рутера с айпи 192.168.0.1 че прави src-nat на входящите ти връзки, което е необходимо само ако на микротика нямаш зададен default gw

Ето точно това е проблема :) , за да ти върви пощата от вън на вътре е достатъчно само DST-NAT да направиш на порт 25 , след като направиш и SRC-NAT тогава ти се пренаписва оригиналното пращащо Ip с 192.168.0.1

BILLSOFT.EU - Софтуер за Интернет Доставчици и кабелни оператори
Link to comment
Share on other sites
  • 0
Mitko
Newbie

Mitko

Posted
  • Author
Posted

Дай целия /ip firewall nat

като искаш цензурирай си реалното айпи

Мдам, прав си ::) - поствам /ip firewall nat


/ip firewall nat

add action=netmap chain=dstnat comment=m connection-mark=mail disabled=yes to-addresses=2xx.xx.xx.233

add action=netmap chain=dstnat comment=m disabled=yes dst-address=2xx.xx.xx.233 dst-port=25 protocol=tcp to-addresses=192.168.0.42

add action=netmap chain=dstnat comment=mmm disabled=yes in-interface=ether3-LAN1 routing-mark=conn1 src-address=192.168.0.42 to-addresses=2xx.xx.xx.233

add action=netmap chain=dstnat comment=m disabled=yes src-address-list=192.168.0.42 to-addresses=2xx.xx.xx.233

add action=src-nat chain=srcnat comment="mmm con1" disabled=no out-interface=ether2-WAN1 routing-mark=conn1 src-address=192.168.0.42 to-addresses=2xx.xx.xx.233

add action=dst-nat chain=dstnat comment=m disabled=yes in-interface=ether2-WAN1 src-address=2xx.xx.xx.233 to-addresses=192.168.0.42

add action=masquerade chain=srcnat comment=m disabled=yes out-interface=ether2-WAN1 src-address=192.168.0.0/24

add action=masquerade chain=srcnat comment="default configuration" disabled=no

add action=dst-nat chain=dstnat comment=DNS disabled=no dst-address=212.39.90.43 dst-port=53 protocol=tcp src-address=!192.168.10.101 to-addresses=192.168.10.101 to-ports=53

add action=dst-nat chain=dstnat disabled=no dst-address=212.39.90.43 dst-port=53 protocol=tcp src-address=!192.168.10.101 to-addresses=192.168.10.101 to-ports=53

add action=dst-nat chain=dstnat disabled=no dst-address=212.39.90.43 dst-port=53 protocol=udp src-address=192.168.0.0/24 to-addresses=192.168.0.1 to-ports=53

add action=dst-nat chain=dstnat disabled=no dst-address=212.39.90.43 dst-port=53 protocol=udp src-address=192.168.0.0/24 to-addresses=192.168.0.1 to-ports=53

add action=dst-nat chain=dstnat disabled=no dst-address=212.39.90.43 dst-port=53 protocol=udp src-address=!192.168.10.101 to-addresses=192.168.10.101 to-ports=53

add action=dst-nat chain=dstnat disabled=no dst-address=212.39.90.43 dst-port=53 protocol=udp src-address=!192.168.10.101 to-addresses=192.168.10.101 to-ports=53

add action=dst-nat chain=dstnat comment=Samba disabled=no dst-address=192.168.0.1 dst-port=135-139 protocol=tcp to-addresses=192.168.0.2 to-ports=135-139

add action=dst-nat chain=dstnat disabled=no dst-address=192.168.0.1 dst-port=135-139 protocol=udp to-addresses=192.168.0.2 to-ports=135-139

add action=dst-nat chain=dstnat disabled=no dst-address=192.168.10.254 dst-port=135-139 protocol=tcp to-addresses=192.168.0.2 to-ports=135-139

add action=dst-nat chain=dstnat disabled=no dst-address=192.168.10.254 dst-port=135-139 protocol=udp to-addresses=192.168.0.2 to-ports=135-139

add action=dst-nat chain=dstnat disabled=no dst-address=192.168.0.1 dst-port=445 protocol=tcp to-addresses=192.168.0.2 to-ports=445

add action=dst-nat chain=dstnat disabled=no dst-address=192.168.0.1 dst-port=445 protocol=udp to-addresses=192.168.0.2 to-ports=445

add action=dst-nat chain=dstnat disabled=no dst-address=192.168.10.254 dst-port=445 protocol=tcp to-addresses=192.168.0.2 to-ports=445

add action=dst-nat chain=dstnat disabled=no dst-address=192.168.10.254 dst-port=445 protocol=udp to-addresses=192.168.0.2 to-ports=445

add action=dst-nat chain=dstnat disabled=no dst-address=192.168.0.1 dst-port=8888 protocol=tcp to-addresses=192.168.0.2 to-ports=8888

add action=dst-nat chain=dstnat disabled=no dst-address=192.168.10.254 dst-port=8888 protocol=tcp to-addresses=192.168.0.2 to-ports=8888

add action=src-nat chain=srcnat disabled=yes dst-port=445 protocol=udp src-address=192.168.0.1 to-addresses=192.168.0.2 to-ports=445

add action=src-nat chain=srcnat disabled=yes dst-port=445 protocol=tcp src-address=192.168.0.1 to-addresses=192.168.0.2 to-ports=445

add action=dst-nat chain=dstnat comment=FTP disabled=no dst-address=21x.xx.xxx.xx4 dst-port=20 in-interface=ether2-WAN1 protocol=tcp to-addresses=192.168.0.2 to-ports=20

add action=dst-nat chain=dstnat comment=FTP disabled=no dst-address=2xx.xx.xx.233 dst-port=20 in-interface=ether2-WAN1 protocol=tcp to-addresses=192.168.0.2 to-ports=20

add action=dst-nat chain=dstnat disabled=no dst-address=21x.xx.xxx.xx4 dst-port=21 in-interface=ether2-WAN1 protocol=tcp to-addresses=192.168.0.2 to-ports=21

add action=dst-nat chain=dstnat disabled=no dst-address=2xx.xx.xx.233 dst-port=21 in-interface=ether2-WAN1 protocol=tcp to-addresses=192.168.0.2 to-ports=21

add action=dst-nat chain=dstnat comment=FTP disabled=yes dst-address=192.168.0.2 dst-port=20 in-interface=ether3-LAN1 protocol=tcp to-addresses=192.168.0.1 to-ports=20

add action=dst-nat chain=dstnat disabled=yes dst-address=192.168.0.2 dst-port=21 in-interface=ether3-LAN1 protocol=tcp to-addresses=192.168.0.1 to-ports=21

add action=dst-nat chain=dstnat comment="NOD32 v4 Update" disabled=no dst-address=21x.xx.xxx.xx4 dst-port=2221 in-interface=ether2-WAN1 protocol=tcp src-address-list=B_REDIRECT to-addresses=192.168.0.199 to-ports=2221

add action=dst-nat chain=dstnat comment="LADG SSH 10.100" disabled=no dst-address=21x.xx.xxx.xx4 dst-port=12222 in-interface=ether2-WAN1 protocol=tcp src-address-list=D_LADG to-addresses=192.168.10.100 to-ports=22

add action=dst-nat chain=dstnat comment="LADG SSH 10.101" disabled=no dst-address=21x.xx.xxx.xx4 dst-port=22222 in-interface=ether2-WAN1 protocol=tcp src-address-list=D_LADG to-addresses=192.168.10.101 to-ports=22

add action=dst-nat chain=dstnat comment="LADG SSH 10.102" disabled=no dst-address=21x.xx.xxx.xx4 dst-port=23333 in-interface=ether2-WAN1 protocol=tcp src-address-list=D_LADG to-addresses=192.168.10.102 to-ports=22

add action=dst-nat chain=dstnat comment="LADG SSH 10.8" disabled=no dst-address=21x.xx.xxx.xx4 dst-port=32222 in-interface=ether2-WAN1 protocol=tcp src-address-list=D_LADG to-addresses=192.168.10.8 to-ports=22

add action=dst-nat chain=dstnat comment="LADG Imp Varna 192.168.20.8" disabled=yes dst-address=7x.xx.xxx.x6 dst-port=32222 in-interface=3018 protocol=tcp src-address-list=D_LADG to-addresses=10.20.52.2 to-ports=22222

add action=dst-nat chain=dstnat comment="LADG SSL Imp 10.101" disabled=no dst-address=21x.xx.xxx.xx4 dst-port=443 in-interface=ether2-WAN1 protocol=tcp to-addresses=192.168.10.101 to-ports=443

add action=dst-nat chain=dstnat comment="LADG WEB 10.101 - Imp D free access" disabled=no dst-address=21x.xx.xxx.xx4 dst-port=18181 in-interface=ether2-WAN1 protocol=tcp to-addresses=192.168.10.101 to-ports=80

add action=dst-nat chain=dstnat comment="LADG WEB 10.101" disabled=no dst-address=21x.xx.xxx.xx4 dst-port=18181 in-interface=ether2-WAN1 protocol=tcp src-address=89.253.146.43 to-addresses=192.168.10.101 to-ports=80

add action=dst-nat chain=dstnat comment="LADG WEB 10.101" disabled=no dst-address=21x.xx.xxx.xx4 dst-port=18181 in-interface=ether2-WAN1 protocol=tcp src-address=89.215.158.200 to-addresses=192.168.10.101 to-ports=80

add action=dst-nat chain=dstnat comment="LADG WEB 10.105" disabled=no dst-address=21x.xx.xxx.xx4 dst-port=18185 in-interface=ether2-WAN1 protocol=tcp src-address-list=D_LADG to-addresses=192.168.10.105 to-ports=80

add action=dst-nat chain=dstnat comment="LADG WEB 10.106" disabled=no dst-address=21x.xx.xxx.xx4 dst-port=18186 in-interface=ether2-WAN1 protocol=tcp src-address-list=D_LADG to-addresses=192.168.10.106 to-ports=80

add action=dst-nat chain=dstnat comment="LADG WEB 10.101" disabled=no dst-address=21x.xx.xxx.xx4 dst-port=28181 in-interface=ether2-WAN1 protocol=tcp src-address-list=D_LADG to-addresses=192.168.10.101 to-ports=80

add action=dst-nat chain=dstnat comment="LADG WEB 10.102" disabled=no dst-address=21x.xx.xxx.xx4 dst-port=28282 in-interface=ether2-WAN1 protocol=tcp src-address-list=D_LADG to-addresses=192.168.10.102 to-ports=80

add action=dst-nat chain=dstnat comment="LADG WEB 10.8" disabled=no dst-address=21x.xx.xxx.xx4 dst-port=38181 in-interface=ether2-WAN1 protocol=tcp src-address-list=D_LADG to-addresses=192.168.10.8 to-ports=80

add action=dst-nat chain=dstnat comment="Dico WEB 10.99" disabled=no dst-address=21x.xx.xxx.xx4 dst-port=4230 in-interface=ether2-WAN1 protocol=tcp to-addresses=192.168.10.99 to-ports=80

add action=dst-nat chain=dstnat comment="Web Adasha Store" disabled=no dst-address=21x.xx.xxx.xx4 dst-port=80 in-interface=ether2-WAN1 protocol=tcp src-address-list=B_REDIRECT to-addresses=192.168.0.25 to-ports=80

add action=dst-nat chain=dstnat comment="D Webmail" disabled=no dst-address=21x.xx.xxx.xx4 dst-port=80 in-interface=ether2-WAN1 protocol=tcp to-addresses=192.168.10.245 to-ports=80

add action=dst-nat chain=dstnat comment="D SMTP" disabled=no dst-address=21x.xx.xxx.xx4 dst-port=25 in-interface=ether2-WAN1 protocol=tcp to-addresses=192.168.10.245 to-ports=25

add action=dst-nat chain=dstnat comment="D SMTPS" disabled=no dst-address=21x.xx.xxx.xx4 dst-port=465 in-interface=ether2-WAN1 protocol=tcp to-addresses=192.168.10.245 to-ports=465

add action=dst-nat chain=dstnat comment="D POP3" disabled=no dst-address=21x.xx.xxx.xx4 dst-port=110 in-interface=ether2-WAN1 protocol=tcp to-addresses=192.168.10.245 to-ports=110

add action=dst-nat chain=dstnat comment="BTK D Webmail" disabled=yes dst-address=7x.xx.xxx.x6 dst-port=80 in-interface=3018 protocol=tcp to-addresses=192.168.10.245 to-ports=80

add action=dst-nat chain=dstnat comment="BTK D SMTP" disabled=yes dst-address=7x.xx.xxx.x6 dst-port=25 in-interface=3018 protocol=tcp to-addresses=192.168.10.245 to-ports=25

add action=dst-nat chain=dstnat comment="BTK D SMTPS" disabled=yes dst-address=7x.xx.xxx.x6 dst-port=465 in-interface=3018 protocol=tcp to-addresses=192.168.10.245 to-ports=465

add action=dst-nat chain=dstnat comment="BTK D POP3" disabled=yes dst-address=7x.xx.xxx.x6 dst-port=110 in-interface=3018 protocol=tcp to-addresses=192.168.10.245 to-ports=110

add action=dst-nat chain=dstnat comment="B SMTP" disabled=no dst-address=2xx.xx.xx.233 dst-port=25 in-interface=ether2-WAN1 protocol=tcp to-addresses=192.168.0.42 to-ports=25

add action=dst-nat chain=dstnat comment="B Webmail" disabled=no dst-address=2xx.xx.xx.233 dst-port=80 in-interface=ether2-WAN1 protocol=tcp to-addresses=192.168.0.42 to-ports=80

add action=dst-nat chain=dstnat comment="B POP3" disabled=no dst-address=2xx.xx.xx.233 dst-port=110 in-interface=ether2-WAN1 protocol=tcp to-addresses=192.168.0.42 to-ports=110

add action=dst-nat chain=dstnat comment="B IMAP" disabled=no dst-address=2xx.xx.xx.233 dst-port=143 in-interface=ether2-WAN1 protocol=tcp to-addresses=192.168.0.42 to-ports=143

add action=dst-nat chain=dstnat comment="B SMTP" disabled=no dst-address=2xx.xx.xx.233 dst-port=2525 in-interface=ether2-WAN1 protocol=tcp to-addresses=192.168.0.42 to-ports=25

add action=dst-nat chain=dstnat comment="B SMTP" disabled=no dst-address=2xx.xx.xx.233 dst-port=587 in-interface=ether2-WAN1 protocol=tcp to-addresses=192.168.0.42 to-ports=587

add action=dst-nat chain=dstnat comment="B IMAPS" disabled=no dst-address=2xx.xx.xx.233 dst-port=993 in-interface=ether2-WAN1 protocol=tcp to-addresses=192.168.0.42 to-ports=993

add action=dst-nat chain=dstnat comment="B POP3S" disabled=no dst-address=2xx.xx.xx.233 dst-port=995 in-interface=ether2-WAN1 protocol=tcp to-addresses=192.168.0.42 to-ports=995

add action=dst-nat chain=dstnat comment="B Web FTP" disabled=no dst-address=21x.xx.xxx.xx4 dst-port=8888 in-interface=ether2-WAN1 protocol=tcp src-address-list=B_REDIRECT to-addresses=192.168.0.2 to-ports=8888

add action=dst-nat chain=dstnat comment="B Webmail HTTPS" disabled=no dst-address=2xx.xx.xx.233 dst-port=443 in-interface=ether2-WAN1 protocol=tcp to-addresses=192.168.0.42 to-ports=443

add action=dst-nat chain=dstnat comment="Voip 5004-5082" disabled=no dst-address=21x.xx.xxx.xx4 dst-port=5004-5082 in-interface=ether2-WAN1 protocol=udp src-address-list=IPTB to-addresses=192.168.0.222 to-ports=5004-5082

add action=dst-nat chain=dstnat comment="Voip 10000-20000" disabled=no dst-address=21x.xx.xxx.xx4 dst-port=10000-20000 in-interface=ether2-WAN1 protocol=udp src-address-list=IPTB to-addresses=192.168.0.222 to-ports=10000-20000

add action=dst-nat chain=dstnat comment="BTK Voip 5004-5082" disabled=yes dst-address=7x.xx.xxx.x6 dst-port=5004-5082 in-interface=3018 protocol=udp src-address-list=IPTB to-addresses=192.168.0.222 to-ports=5004-5082

add action=dst-nat chain=dstnat comment="BTK Voip 10000-20000" disabled=yes dst-address=7x.xx.xxx.x6 dst-port=10000-20000 in-interface=3018 protocol=udp src-address-list=IPTB to-addresses=192.168.0.222 to-ports=10000-20000

add action=dst-nat chain=dstnat comment="Video B 0.98" disabled=no dst-address=21x.xx.xxx.xx4 dst-port=8082 in-interface=ether2-WAN1 protocol=tcp src-address-list=B_VIDEO to-addresses=192.168.0.98 to-ports=80

add action=dst-nat chain=dstnat comment="Video B 0.98" disabled=no dst-address=21x.xx.xxx.xx4 dst-port=4550 in-interface=ether2-WAN1 protocol=tcp src-address-list=B_VIDEO to-addresses=192.168.0.98 to-ports=4550

add action=dst-nat chain=dstnat comment="Video B 0.98" disabled=no dst-address=21x.xx.xxx.xx4 dst-port=5550 in-interface=ether2-WAN1 protocol=tcp src-address-list=B_VIDEO to-addresses=192.168.0.98 to-ports=5550

add action=dst-nat chain=dstnat comment="Video B Varna 1.98" disabled=yes dst-address=7x.xx.xxx.x6 dst-port=8080 in-interface=3018 protocol=tcp src-address-list=B_VIDEO to-addresses=10.20.52.2 to-ports=8080

add action=dst-nat chain=dstnat comment="Video B Varna 1.98" disabled=yes dst-address=7x.xx.xxx.x6 dst-port=4550 in-interface=3018 protocol=tcp src-address-list=B_VIDEO to-addresses=10.20.52.2 to-ports=4550

add action=dst-nat chain=dstnat comment="Video B Varna 1.98" disabled=yes dst-address=7x.xx.xxx.x6 dst-port=5550 in-interface=3018 protocol=tcp src-address-list=B_VIDEO to-addresses=10.20.52.2 to-ports=5550

add action=dst-nat chain=dstnat comment="Video D Varna 1.97" disabled=yes dst-address=7x.xx.xxx.x6 dst-port=8081 in-interface=3018 protocol=tcp src-address-list=B_VIDEO to-addresses=10.20.52.2 to-ports=8081

add action=dst-nat chain=dstnat comment="Video D Varna 1.97" disabled=yes dst-address=7x.xx.xxx.x6 dst-port=4551 in-interface=3018 protocol=tcp src-address-list=B_VIDEO to-addresses=10.20.52.2 to-ports=4551

add action=dst-nat chain=dstnat comment="Video D Varna 1.97" disabled=yes dst-address=7x.xx.xxx.x6 dst-port=5551 in-interface=3018 protocol=tcp src-address-list=B_VIDEO to-addresses=10.20.52.2 to-ports=5551

add action=dst-nat chain=dstnat comment="Video D1 10.98" disabled=no dst-address=21x.xx.xxx.xx4 dst-port=8083 in-interface=ether2-WAN1 protocol=tcp src-address-list=B_VIDEO to-addresses=192.168.10.98 to-ports=80

add action=dst-nat chain=dstnat comment="Video D1 10.98" disabled=no dst-address=21x.xx.xxx.xx4 dst-port=4553 in-interface=ether2-WAN1 protocol=tcp src-address-list=B_VIDEO to-addresses=192.168.10.98 to-ports=4550

add action=dst-nat chain=dstnat comment="Video D1 10.98" disabled=no dst-address=21x.xx.xxx.xx4 dst-port=5553 in-interface=ether2-WAN1 protocol=tcp src-address-list=B_VIDEO to-addresses=192.168.10.98 to-ports=5550

add action=dst-nat chain=dstnat comment="Video D1 10.98" disabled=no dst-address=21x.xx.xxx.xx4 dst-port=6553 in-interface=ether2-WAN1 protocol=tcp src-address-list=B_VIDEO to-addresses=192.168.10.98 to-ports=6550

add action=dst-nat chain=dstnat comment="Video Deb 0.90" disabled=no dst-address=21x.xx.xxx.xx4 dst-port=8084 in-interface=ether2-WAN1 protocol=tcp src-address-list=B_VIDEO to-addresses=192.168.0.90 to-ports=80

add action=dst-nat chain=dstnat comment="Video Deb 0.90" disabled=no dst-address=21x.xx.xxx.xx4 dst-port=4554 in-interface=ether2-WAN1 protocol=tcp src-address-list=B_VIDEO to-addresses=192.168.0.90 to-ports=4550

add action=dst-nat chain=dstnat comment="Video Deb 0.90" disabled=no dst-address=21x.xx.xxx.xx4 dst-port=5554 in-interface=ether2-WAN1 protocol=tcp src-address-list=B_VIDEO to-addresses=192.168.0.90 to-ports=5550

add action=dst-nat chain=dstnat comment="Video Deb 0.90" disabled=no dst-address=21x.xx.xxx.xx4 dst-port=6554 in-interface=ether2-WAN1 protocol=tcp src-address-list=B_VIDEO to-addresses=192.168.0.90 to-ports=6550

add action=dst-nat chain=dstnat comment="Video Deb Hall 0.92" disabled=no dst-address=21x.xx.xxx.xx4 dst-port=8085 in-interface=ether2-WAN1 protocol=tcp src-address-list=B_VIDEO to-addresses=192.168.0.92 to-ports=80

add action=dst-nat chain=dstnat comment="Video Deb Hall 0.92" disabled=no dst-address=21x.xx.xxx.xx4 dst-port=4555 in-interface=ether2-WAN1 protocol=tcp src-address-list=B_VIDEO to-addresses=192.168.0.92 to-ports=4550

add action=dst-nat chain=dstnat comment="Video Deb Hall 0.92" disabled=no dst-address=21x.xx.xxx.xx4 dst-port=5555 in-interface=ether2-WAN1 protocol=tcp src-address-list=B_VIDEO to-addresses=192.168.0.92 to-ports=5550

add action=dst-nat chain=dstnat comment="Video Deb Hall 0.92" disabled=no dst-address=21x.xx.xxx.xx4 dst-port=6555 in-interface=ether2-WAN1 protocol=tcp src-address-list=B_VIDEO to-addresses=192.168.0.92 to-ports=6550

add action=dst-nat chain=dstnat comment="Video D2 10.104" disabled=no dst-address=21x.xx.xxx.xx4 dst-port=8086 in-interface=ether2-WAN1 protocol=tcp src-address-list=B_VIDEO to-addresses=192.168.10.104 to-ports=80

add action=dst-nat chain=dstnat comment="Video D2 10.104" disabled=no dst-address=21x.xx.xxx.xx4 dst-port=4556 in-interface=ether2-WAN1 protocol=tcp src-address-list=B_VIDEO to-addresses=192.168.10.104 to-ports=4550

add action=dst-nat chain=dstnat comment="Video D2 10.104" disabled=no dst-address=21x.xx.xxx.xx4 dst-port=5556 in-interface=ether2-WAN1 protocol=tcp src-address-list=B_VIDEO to-addresses=192.168.10.104 to-ports=5550

add action=dst-nat chain=dstnat comment="Video D2 10.104" disabled=no dst-address=21x.xx.xxx.xx4 dst-port=6556 in-interface=ether2-WAN1 protocol=tcp src-address-list=B_VIDEO to-addresses=192.168.10.104 to-ports=6550

add action=dst-nat chain=dstnat comment="RDP M 0.43" disabled=no dst-address=21x.xx.xxx.xx4 dst-port=33890 in-interface=ether2-WAN1 protocol=tcp src-address-list=B to-addresses=192.168.0.43 to-ports=3389

add action=dst-nat chain=dstnat comment="RDP M 0.43" disabled=yes dst-address=7x.xx.xxx.x6 dst-port=33890 in-interface=3018 protocol=tcp src-address-list=B to-addresses=192.168.0.43 to-ports=3389

add action=dst-nat chain=dstnat comment="RDP Terminal 0.99" disabled=no dst-address=21x.xx.xxx.xx4 dst-port=12000 in-interface=ether2-WAN1 protocol=tcp src-address-list=B_REDIRECT to-addresses=192.168.0.99 to-ports=3389

add action=dst-nat chain=dstnat comment="RDP Terminal 0.199" disabled=no dst-address=21x.xx.xxx.xx4 dst-port=12001 in-interface=ether2-WAN1 protocol=tcp src-address-list=B_REDIRECT to-addresses=192.168.0.99 to-ports=3389

add action=dst-nat chain=dstnat comment="BTK RDP A" disabled=yes dst-address=7x.xx.xxx.x6 dst-port=12000 in-interface=3018 protocol=tcp src-address-list=B_REDIRECT to-addresses=192.168.0.99 to-ports=3389

add action=dst-nat chain=dstnat comment="BTK SSH A System" disabled=yes dst-address=7x.xx.xxx.x6 dst-port=222 in-interface=3018 protocol=tcp src-address-list=B_REDIRECT to-addresses=192.168.0.254 to-ports=22

add action=dst-nat chain=dstnat comment="SSH A System" disabled=no dst-address=21x.xx.xxx.xx4 dst-port=222 in-interface=ether2-WAN1 protocol=tcp src-address-list=B_REDIRECT to-addresses=192.168.0.254 to-ports=22

add action=dst-nat chain=dstnat comment="SSH A Storage" disabled=no dst-address=21x.xx.xxx.xx4 dst-port=223 in-interface=ether2-WAN1 protocol=tcp src-address-list=B_REDIRECT to-addresses=192.168.0.25 to-ports=22

add action=dst-nat chain=dstnat comment="RDP A" disabled=no dst-address=21x.xx.xxx.xx4 dst-port=3389 in-interface=ether2-WAN1 protocol=tcp src-address=95.111.65.238 to-addresses=192.168.0.60 to-ports=3389

add action=dst-nat chain=dstnat comment="RDP D" disabled=no dst-address=21x.xx.xxx.xx4 dst-port=3389 in-interface=ether2-WAN1 protocol=tcp src-address=212.233.140.44 to-addresses=192.168.0.60 to-ports=3389

add action=dst-nat chain=dstnat comment="RDP S" disabled=no dst-address=21x.xx.xxx.xx4 dst-port=14444 in-interface=ether2-WAN1 protocol=tcp to-addresses=192.168.10.200 to-ports=3389

add action=dst-nat chain=dstnat comment="RDP S2" disabled=no dst-address=21x.xx.xxx.xx4 dst-port=14445 in-interface=ether2-WAN1 protocol=tcp to-addresses=192.168.10.91 to-ports=3389

add action=dst-nat chain=dstnat comment="RDP S3" disabled=no dst-address=21x.xx.xxx.xx4 dst-port=14446 in-interface=ether2-WAN1 protocol=tcp to-addresses=192.168.10.65 to-ports=3389

Link to comment
Share on other sites
  • 0
byte Contributor

byte

Posted
Posted

add action=masquerade chain=srcnat comment="default configuration" disabled=

no

това ти прави нат навред, което не е готино

сложи го да е с изходящ интерфейс (WAN*) като параметър

Link to comment
Share on other sites
  • 0
Mitko
Newbie

Mitko

Posted
  • Author
Posted

Ами бях му задал маскарадинга да е през wan1 но имах някакви проблеми между мрежите .... 192.168.0.0 не виждаше 192.168.10.0.

Специално за мейла където ми е проблем в на него маскарадинга съм ко задал като маркирам рутинг конекцията, защото пък трябва да излезе през друго външно айпи - 2xx.xx.xx.233 на което отговаря друг МХ запис от основното айпи - 2xx.xx.xx.х74 от което ми излиза трафика на маскарадинг.


add action=src-nat chain=srcnat comment="mmm con1" disabled=no out-interface=\

ether2-WAN1 routing-mark=conn1 src-address=192.168.0.42 to-addresses=\

2xx.xx.xx.233
това ти прави нат навред, което не е готино сложи го да е с изходящ интерфейс (WAN*) като параметър
Абсолютно си прав - и в това е ключа от бараката ::) Сега като се вържа от вън ми изписва айпито на клиента. Но... както споменах, че възникват други проблеми... и проблема е, че спира да ми работи редиректа към самбата. 

add action=dst-nat chain=dstnat comment=Samba disabled=no dst-address=\

192.168.0.1 dst-port=135-139 protocol=tcp to-addresses=192.168.0.2 \

to-ports=135-139

add action=dst-nat chain=dstnat disabled=no dst-address=192.168.0.1 dst-port=\

135-139 protocol=udp to-addresses=192.168.0.2 to-ports=135-139

add action=dst-nat chain=dstnat disabled=no dst-address=192.168.10.254 \

dst-port=135-139 protocol=tcp to-addresses=192.168.0.2 to-ports=135-139

add action=dst-nat chain=dstnat disabled=no dst-address=192.168.10.254 \

dst-port=135-139 protocol=udp to-addresses=192.168.0.2 to-ports=135-139

add action=dst-nat chain=dstnat disabled=no dst-address=192.168.0.1 dst-port=\

445 protocol=tcp to-addresses=192.168.0.2 to-ports=445

add action=dst-nat chain=dstnat disabled=no dst-address=192.168.0.1 dst-port=\

445 protocol=udp to-addresses=192.168.0.2 to-ports=445

add action=dst-nat chain=dstnat disabled=no dst-address=192.168.10.254 \

dst-port=445 protocol=tcp to-addresses=192.168.0.2 to-ports=445

add action=dst-nat chain=dstnat disabled=no dst-address=192.168.10.254 \

dst-port=445 protocol=udp to-addresses=192.168.0.2 to-ports=445

Зададох в маскарадинга кои точно мрежи да излизат, като указах и !192.168.0.2 но резлутата е - не работи :-

Преместих правилото за маскарадинг след пренасочването - цък, няма резултат.

Link to comment
Share on other sites
  • 0
  • Administrator
111111 Rising Star

111111

Posted
  • Administrator
Posted

остави го както беше преди и направи следното

едно правило за мрежата и правило за меил сървъра

като в правилото има външен интерфейс и вътрешна адресна група

примерно

/ip firewall nat

add action=masquerade chain=srcnat comment="masquerade vpn network" disabled=no src-address=10.20.30.0/24

add action=masquerade chain=srcnat disabled=no out-interface=WAN src-address=192.168.100.0/24

add action=masquerade chain=srcnat comment="masquerade lan network" disabled=no src-address=192.168.1.0/24[/CODE]
Харесай поста ^^^
acer.gif htc.gifsigpic4024_2.gif

Форумът е за взаимопомощ а не за свършване на чужда работа

RB951Ui-2HnD / RBD25GR-5HPACQD2HPND&R11E-LTE6 /  RB952Ui-5ac2nD-TC

ɹɐǝɥ uɐɔ noʎ ǝɹoɯ ǝɥʇ 'ǝɯoɔǝq noʎ ɹǝʇǝınb ǝɥʇ

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to question listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...

Important Information

By using this site, you agree to our Terms of Use.

  I accept