Drop the first rule. Second rule, drop the protocol.

The latter rules won't apply because you're not coming from that interface.

Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373

On Jun 8, 2014 5:58 PM, "Casey Mills" <wkm...@gmail.com> wrote:

> Hmm, that didn't do the trick. Here is what my NAT table looks like.
>
> add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway to-addresses=0.0.0.0
> add action=masquerade chain=srcnat comment=Hairpin-Test protocol=tcp src-address=192.168.55.0/24
> add action=dst-nat chain=dstnat comment=Foscam-1 dst-port=8080 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.55.200 to-ports=8080
> add action=dst-nat chain=dstnat comment=Foscam-2 dst-port=8081 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.55.201 to-ports=8081
>
> I loaded up Torch and can see when trying to access my dynamic DNS name with the port it is translated to the external IP address on my router. So the router is seeing the request? The router's response is likely coming from the inside IP address and not being masqueraded?
>
> Casey
>
> On Sun, Jun 8, 2014 at 2:47 PM, Josh Luthman <j...@imaginenetworksllc.com> wrote:
>
> > Drop the last two arguments.
> >
> > Josh Luthman
> > Office: 937-552-2340
> > Direct: 937-552-2343
> > 1100 Wayne St
> > Suite 1337
> > Troy, OH 45373
> >
> > On Jun 8, 2014 2:27 PM, "Casey Mills" <wkm...@gmail.com> wrote:
> >
> > > I started with that but no luck. Here is what I tried.
> > >
> > > chain=srcnat action=masquerade protocol=tcp src-address=192.168.55.0/24 dst-address=192.168.55.0/24 out-interface=bridge-local
> > >
> > > Casey
> > >
> > > On Jun 8, 2014 11:54 AM, "Josh Luthman" <j...@imaginenetworksllc.com> wrote:
> > >
> > > > Just blanket masquerade the local subnet and you're done. So much less pain and the downsides don't generally apply to small home/office networks.
> > > >
> > > > Josh Luthman
> > > > Office: 937-552-2340
> > > > Direct: 937-552-2343
> > > > 1100 Wayne St
> > > > Suite 1337
> > > > Troy, OH 45373
> > > >
> > > > On Sun, Jun 8, 2014 at 11:50 AM, Casey Mills <wkm...@gmail.com> wrote:
> > > >
> > > > > Thanks everyone! Adding in-interface=ether1-gateway made everything work as expected.
> > > > >
> > > > > Funny that you mention hairpin, I was going to tackle that next. Not having any luck so far. Trying to get it working for one device, then hopefully expanding the rule to cover all hairpin traffic.
> > > > >
> > > > > Any thoughts on ports 2-5 being part of bridge-local on a rb2011?
> > > > >
> > > > > So far neither of these have worked.
> > > > >
> > > > > chain=srcnat action=masquerade protocol=tcp src-address=192.168.55.0/24 dst-address=192.168.55.200 out-interface=bridge-local dst-port=8080
> > > > >
> > > > > chain=srcnat action=masquerade protocol=tcp src-address=192.168.55.0/24 dst-address=192.168.55.200 out-interface=ether3 dst-port=8080
> > > > >
> > > > > Casey
> > > > >
> > > > > On Sat, Jun 7, 2014 at 5:38 PM, Alexander Neilson <alexan...@neilson.net.nz> wrote:
> > > > >
> > > > > > Josh has hit the target.
> > > > > >
> > > > > > Your port 80 rule doesn’t specify the interface so anything defined for port 80 is being redirected to your internal box.
> > > > > >
> > > > > > This includes standard website requests, which will be preventing your internet surfing.
> > > > > >
> > > > > > Just add in-interface=ether1-gateway and things should work.
> > > > > >
> > > > > > Regards
> > > > > > Alexander
> > > > > >
> > > > > > Alexander Neilson
> > > > > > Neilson Productions Limited
> > > > > >
> > > > > > alexan...@neilson.net.nz
> > > > > > 021 329 681
> > > > > > 022 456 2326
> > > > > >
> > > > > > On 8/06/2014, at 9:04 am, Grand Avenue Broadband <grandav...@grandavebb.com> wrote:
> > > > > >
> > > > > > > I'm assuming you mean "it kills my ability to browse TO THE WAN IP using a device on the inside of my network." If that is accurate, see here:
> > > > > > >
> > > > > > > http://wiki.mikrotik.com/wiki/Hairpin_NAT
> > > > > > >
> > > > > > > If you mean "it kills my ability to browse TO THE LAN IP using a device on the inside of my network," Josh's advice has already hit the target.
> > > > > > >
> > > > > > > On Jun 7, 2014, at 1:15 PM, Casey Mills <wkm...@gmail.com> wrote:
> > > > > > >
> > > > > > > > I was pretty big into Mikrotik in years past, but haven't been active in some time.
> > > > > > > >
> > > > > > > > I just picked up a RB2011 and want to forward ports 80, 443, and 50500 for my network storage device. When I dstnat those ports below it kills my ability to browse using a device on the inside of my network. This has to be something simple, please help.
> > > > > > > >
> > > > > > > > I'm not sure how traffic originating from the outside and destined for my network storage is treated. Ideally it should be handled by the forward chain, but it will have a destination IP of the WAN side of the router. So that makes me think input chain.
> > > > > > > >
> > > > > > > > /ip firewall filter
> > > > > > > > add chain=input protocol=icmp
> > > > > > > > add chain=input connection-state=established
> > > > > > > > add chain=input connection-state=related
> > > > > > > > add action=drop chain=input in-interface=ether1-gateway
> > > > > > > > add chain=forward connection-state=established
> > > > > > > > add chain=forward connection-state=related
> > > > > > > > add action=drop chain=forward connection-state=invalid
> > > > > > > >
> > > > > > > > /ip firewall nat
> > > > > > > > add action=masquerade chain=srcnat out-interface=ether1-gateway to-addresses=0.0.0.0
> > > > > > > > add action=dst-nat chain=dstnat comment=Foscam-1 dst-port=8080 protocol=tcp to-addresses=192.168.55.200 to-ports=8080
> > > > > > > > add action=dst-nat chain=dstnat comment=Foscam-2 dst-port=8081 protocol=tcp to-addresses=192.168.55.201 to-ports=8081
> > > > > > > > add action=dst-nat chain=dstnat comment=IX2 disabled=yes dst-address-type="" dst-port=80 protocol=tcp to-addresses=192.168.55.54 to-ports=80
> > > > > > > > add action=dst-nat chain=dstnat comment=IX2 disabled=yes dst-address-type="" dst-port=443 protocol=tcp to-addresses=192.168.55.54 to-ports=443
> > > > > > > > add action=dst-nat chain=dstnat comment=IX2 disabled=yes dst-port=50500 protocol=tcp to-addresses=192.168.55.54 to-ports=50500
> > > > > > > > add action=dst-nat chain=dstnat comment=Casey7-RDP dst-port=3389 protocol=tcp to-addresses=192.168.55.52 to-ports=3389
> > > > > > > > add action=dst-nat chain=dstnat comment=HTPC7-Plex dst-port=32400 protocol=tcp to-addresses=192.168.55.50 to-ports=32400
> > > > > > > > add action=dst-nat chain=dstnat comment=HTPC7-CetonApp dst-port=5832 protocol=tcp to-addresses=192.168.55.50 to-ports=5832
> > > > > > > >
> > > > > > > > Thanks,
> > > > > > > > Casey

_______________________________________________
Mikrotik mailing list
Mikrotik@mail.butchevans.com
http://mail.butchevans.com/mailman/listinfo/mikrotik

Visit http://blog.butchevans.com/ for tutorials related to Mikrotik RouterOS
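The three behaviours the thread describes, modelled as an added example that is not from the thread or from RouterOS: a small Python simulation of dstnat/srcnat rule matching over the rule shapes quoted above. WAN_IP, ROUTER_LAN_IP, the Internet addresses, the simplified route() logic and the HAIRPIN rule set (the pattern from the Hairpin NAT wiki article linked in the thread) are assumptions; the ORIGINAL and FIXED rules mirror Casey's and the list's replies.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network
LAN = ip_network("192.168.55.0/24")                     # Casey's subnet, from the thread
WAN_IP, ROUTER_LAN_IP = "203.0.113.10", "192.168.55.1"  # constructed placeholders
# in_iface: interface a packet arrived on; out_iface: decided by routing after dstnat
Packet = namedtuple("Packet", "src dst dport in_iface out_iface", defaults=[""])
def rule_matches(rule, p):
    """Every matcher the rule carries must match; absent matchers are wildcards."""
    checks = {
        "in-interface": lambda v: p.in_iface == v,
        "out-interface": lambda v: p.out_iface == v,
        "dst-port": lambda v: p.dport == v,
        "src-address": lambda v: ip_address(p.src) in ip_network(v, strict=False),
        "dst-address": lambda v: ip_address(p.dst) in ip_network(v, strict=False),
    }
    return all(checks[k](v) for k, v in rule.items() if k in checks)

def route(p):  # simplified: router-owned addresses are delivered locally, LAN goes out the bridge
    if p.dst in (WAN_IP, ROUTER_LAN_IP):
        return "local"
    return "bridge-local" if ip_address(p.dst) in LAN else "ether1-gateway"

def apply_chain(rules, chain, p):
    """First matching rule in the chain wins, as in RouterOS."""
    for r in rules:
        if r["chain"] == chain and rule_matches(r, p):
            if r["action"] == "dst-nat":
                return p._replace(dst=r["to-addresses"])
            if r["action"] == "masquerade":  # source becomes the egress interface's own address
                return p._replace(src=WAN_IP if p.out_iface == "ether1-gateway" else ROUTER_LAN_IP)
    return p

def nat(rules, p):
    """dstnat runs before routing, srcnat after it; returns (src, dst, egress) as forwarded."""
    p = apply_chain(rules, "dstnat", p)
    p = p._replace(out_iface=route(p))
    if p.out_iface != "local":  # traffic addressed to the router itself hits input, not srcnat
        p = apply_chain(rules, "srcnat", p)
    return p.src, p.dst, p.out_iface
MASQ_WAN = {"chain": "srcnat", "action": "masquerade", "out-interface": "ether1-gateway"}
# Casey's original port-80 rule: no in-interface, so it also catches LAN browsing (Alexander's point)
ORIGINAL = [MASQ_WAN, {"chain": "dstnat", "action": "dst-nat", "dst-port": 80, "to-addresses": "192.168.55.54"}]
# The fix from the thread: only translate what arrives on the WAN interface
FIXED = [MASQ_WAN, {"chain": "dstnat", "action": "dst-nat", "dst-port": 8080, "in-interface": "ether1-gateway", "to-addresses": "192.168.55.200"}]
# Hairpin per the wiki linked in the thread: match the WAN address, not the ingress interface, and masquerade LAN-to-LAN
HAIRPIN = [MASQ_WAN, {"chain": "srcnat", "action": "masquerade", "src-address": "192.168.55.0/24", "dst-address": "192.168.55.0/24"},
           {"chain": "dstnat", "action": "dst-nat", "dst-port": 8080, "dst-address": WAN_IP, "to-addresses": "192.168.55.200"}]
LAN_BROWSE = Packet("192.168.55.10", "198.51.100.5", 80, "bridge-local")  # constructed: LAN host -> Internet web server
FROM_WAN = Packet("198.51.100.7", WAN_IP, 8080, "ether1-gateway")         # constructed: Internet client -> camera
HAIRPIN_PKT = Packet("192.168.55.10", WAN_IP, 8080, "bridge-local")       # constructed: LAN host -> own WAN address
```

Running nat(ORIGINAL, LAN_BROWSE) shows the web request hijacked to 192.168.55.54; nat(FIXED, HAIRPIN_PKT) shows the hairpin packet never reaching the dst-nat rule and landing in the router's input chain, which is what Josh's "not coming from that interface" describes.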