I have a few subnets on this unit (RB1000) running on several public
IPs. Right now ether4 is my WAN. Ether2 (192.168.1.0/24) is the subnet I
am trying to get my blacklisting scripts working on. The webserver is
192.168.1.250. The MT is 192.168.1.254.
/ip firewall nat
add action=src-nat chain=srcnat comment="" disabled=no out-interface=ether4 src-address=192.168.1.4 to-addresses=x.x.x.x
add action=src-nat chain=srcnat comment="" disabled=no out-interface=ether4 src-address=192.168.1.250 to-addresses=x.x.x.x
add action=src-nat chain=srcnat comment="" disabled=no out-interface=ether4 src-address=192.168.25.15 to-addresses=x.x.x.x
add action=dst-nat chain=dstnat comment="" disabled=no dst-address=x.x.x.x dst-port=80 protocol=tcp to-addresses=192.168.1.250 to-ports=80
add action=dst-nat chain=dstnat comment="" disabled=no dst-address=x.x.x.x dst-port=6500 protocol=tcp to-addresses=192.168.1.4 to-ports=6500
add action=dst-nat chain=dstnat comment="" disabled=no dst-address=x.x.x.x dst-port=6510 protocol=tcp to-addresses=192.168.25.15 to-ports=6510
add action=dst-nat chain=dstnat comment="" disabled=no dst-address=x.x.x.x dst-port=6520 protocol=tcp to-addresses=192.168.2.10 to-ports=6520
add action=src-nat chain=srcnat comment="" disabled=no out-interface=ether4 src-address=192.168.1.0/24 to-addresses=x.x.x.x
add action=src-nat chain=srcnat comment="" disabled=no out-interface=ether4 src-address=192.168.25.0/27 to-addresses=x.x.x.x
add action=src-nat chain=srcnat comment="" disabled=no out-interface=ether4 src-address=192.168.2.0/28 to-addresses=x.x.x.x
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=80 protocol=tcp src-address-list=Blacklist to-addresses=192.168.1.250 to-ports=80
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=53 protocol=udp src-address=192.168.25.15 to-addresses=192.168.1.2 to-ports=53
add action=src-nat chain=srcnat comment="" disabled=no dst-address=192.168.1.250 dst-address-type="" dst-port=80 protocol=tcp src-address-type="" to-addresses=192.168.1.254
On 6/28/2010 12:15 PM, Butch Evans wrote:
> On Mon, 2010-06-28 at 11:15 -0500, Rory McCann wrote:
>> I don't think it's an issue of the traffic being blocked, but rather
>> when the traffic is modified to redirect the user to my block page
>> instead of Google.com, it utilizes the hairpin NAT rule to find the
>> webserver, but replaces the source address with that of the MT router
>> instead of the source address of the client.
> Post a copy of the output of: "/ip firewall nat export"
_______________________________________________
Mikrotik mailing list
Mikrotik@mail.butchevans.com
http://www.butchevans.com/mailman/listinfo/mikrotik
Visit http://blog.butchevans.com/ for tutorials related to Mikrotik RouterOS
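The behaviour described in the thread (a blacklisted client's request is dst-natted to the block page, then the hairpin srcnat rule rewrites the client's source to 192.168.1.254 before the webserver sees it) can be walked through with a small model of the two NAT chains. The following is an added example, not code from the post or from RouterOS: it replays the relevant dstnat and srcnat rules from the export above with first-match semantics. The public address (x.x.x.x), the external site, and the members of the Blacklist address-list are constructed placeholders; the `hairpin_src_net` argument is an assumption added to show what changes when the hairpin rule is restricted with a src-address, which the posted export does not do.

```python
import ipaddress

# Constructed stand-ins: the export uses x.x.x.x for the public address and
# does not show the Blacklist list contents, so both are placeholders here.
PUBLIC_IP = "203.0.113.1"            # stands in for x.x.x.x
WEBSERVER = "192.168.1.250"          # block-page web server (from the post)
ROUTER_LAN = "192.168.1.254"         # the MT's ether2 address (from the post)
EXTERNAL_SITE = "198.51.100.80"      # stands in for google.com
BLACKLIST = {"192.168.1.50", "192.168.25.20"}   # constructed list members


def in_net(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


# The dstnat rules that matter for port 80, in export order.
DSTNAT = [
    # dst-address=x.x.x.x dst-port=80 protocol=tcp to-addresses=192.168.1.250
    {"action": "dst-nat", "dst": PUBLIC_IP, "dport": 80, "proto": "tcp", "to": WEBSERVER},
    # dst-port=80 protocol=tcp src-address-list=Blacklist to-addresses=192.168.1.250
    {"action": "dst-nat", "dport": 80, "proto": "tcp", "src_list": BLACKLIST, "to": WEBSERVER},
]


def srcnat_rules(hairpin_src_net=None):
    """srcnat chain in export order. hairpin_src_net (an assumption, not in
    the export) optionally adds a src-address match to the last, hairpin rule."""
    rules = [
        {"action": "src-nat", "out_if": "ether4", "src_net": "192.168.1.0/24", "to": PUBLIC_IP},
        {"action": "src-nat", "out_if": "ether4", "src_net": "192.168.25.0/27", "to": PUBLIC_IP},
        {"action": "src-nat", "out_if": "ether4", "src_net": "192.168.2.0/28", "to": PUBLIC_IP},
    ]
    # dst-address=192.168.1.250 dst-port=80 protocol=tcp to-addresses=192.168.1.254
    hairpin = {"action": "src-nat", "dst": WEBSERVER, "dport": 80, "proto": "tcp", "to": ROUTER_LAN}
    if hairpin_src_net:
        hairpin["src_net"] = hairpin_src_net
    return rules + [hairpin]


def matches(rule, pkt):
    checks = (
        ("src_list", lambda v: pkt["src"] in v),
        ("src_net", lambda v: in_net(pkt["src"], v)),
        ("dst", lambda v: pkt["dst"] == v),
        ("dport", lambda v: pkt["dport"] == v),
        ("proto", lambda v: pkt["proto"] == v),
        ("out_if", lambda v: pkt["out_if"] == v),
    )
    return all(test(rule[key]) for key, test in checks if key in rule)


def run_chain(rules, pkt):
    """First matching rule wins, as in a RouterOS NAT chain."""
    for rule in rules:
        if matches(rule, pkt):
            pkt = dict(pkt)
            pkt["dst" if rule["action"] == "dst-nat" else "src"] = rule["to"]
            return pkt
    return pkt


def seen_by_destination(src, dst, hairpin_src_net=None):
    """Return (src, dst) as the final destination host sees the packet."""
    pkt = {"src": src, "dst": dst, "dport": 80, "proto": "tcp"}
    pkt = run_chain(DSTNAT, pkt)                     # dstnat runs before routing
    # Routing decision: 192.168.1.0/24 is behind ether2; everything else in
    # these cases leaves via the WAN (other LAN interfaces are not modelled).
    pkt["out_if"] = "ether2" if in_net(pkt["dst"], "192.168.1.0/24") else "ether4"
    pkt = run_chain(srcnat_rules(hairpin_src_net), pkt)   # srcnat runs after routing
    return pkt["src"], pkt["dst"]


if __name__ == "__main__":
    cases = [
        ("normal client to the internet", "192.168.1.60", EXTERNAL_SITE, None),
        ("LAN client to own public IP (hairpin)", "192.168.1.60", PUBLIC_IP, None),
        ("blacklisted client on ether2", "192.168.1.50", EXTERNAL_SITE, None),
        ("blacklisted client on another subnet", "192.168.25.20", EXTERNAL_SITE, None),
        ("same, hairpin scoped to 192.168.1.0/24", "192.168.25.20", EXTERNAL_SITE, "192.168.1.0/24"),
    ]
    for label, src, dst, scope in cases:
        print(f"{label:42} {src:>14} -> server sees {seen_by_destination(src, dst, scope)}")
```

Run as-is, the model reproduces the complaint: with the hairpin rule unscoped, every request redirected to 192.168.1.250:80 reaches the webserver with 192.168.1.254 as its source, whichever subnet the client is on, so the block page cannot tell clients apart or log them by address. Restricting the hairpin rule to src-address=192.168.1.0/24 (the webserver's own subnet) is the usual practice: clients on 192.168.25.0/27 or 192.168.2.0/28 then keep their address, because their return traffic passes through the router anyway. Clients on the same subnet as the webserver still need the rewrite, since otherwise the server would answer them directly and the connection would break; for those the source address is only recoverable if the block page and the client are not on the same segment.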