vawtech
just joined
Topic Author
Posts: 10
Joined: Fri Jan 19, 2024 11:37 am

Address list for dst nat

Tue Apr 09, 2024 12:15 pm

Hi,
If I have to perform a very standard dst nat from wan to firewall wan (i.e. 192.168.1.2), I add the following rule:

chain=dstnat action=dst-nat to-addresses=192.168.1.2 src-address=0.0.0.0/0 in-interface-list=WAN log=no log-prefix=""

Everything works perfectly, but I have to specify the destination ip. I cannot find a way to use destination nat address alias for it. Is there a way create an alias name, i.e. firewall_wan? In order to have something like:

chain=dstnat action=dst-nat to-addresses=firewall_wan src-address=0.0.0.0/0 in-interface-list=WAN log=no log-prefix=""


Thanks
 
pimmie
newbie
Posts: 43
Joined: Fri Mar 27, 2015 4:51 pm

Re: Address list for dst nat

Tue Apr 09, 2024 1:29 pm

Your example rule might be a bit too minimalistic, what are you trying to do exactly? A list means N addresses, but dst-nat can only forward traffic to 1 address.
 
vawtech
just joined
Topic Author
Posts: 10
Joined: Fri Jan 19, 2024 11:37 am

Re: Address list for dst nat

Tue Apr 09, 2024 1:43 pm

the rule is the classical rule "just forward every connection coming from the internet to the wan of the device behind the mikrotik". But if I decide to change the wan of the device behind the mikrotik, i.e. from 192.168.1.2 to 192.168.1.3, I have to remember that I have to edit the rule. Instead of writing the rule with the ip "hardcoded", with an alias I could simply change that association to 192.168.1.3 in address list without having to edit the rule itself.
Since it is possible to do it for source in General section (you can choose "Src. Address" or "Src. Address List"), I was wondering if there was a way to do so also in Action section, but if you choose dst-nat in Action section you are prompted to enter a "To Address" but it has to be an ip, not an alias.
 
pimmie
newbie
Posts: 43
Joined: Fri Mar 27, 2015 4:51 pm

Re: Address list for dst nat

Tue Apr 09, 2024 1:50 pm

I don't think that's possible currently unless you implement a script to monitor the address list for you and update the dst-nat rule if needed.

I agree with you that it would be nice if it was possible to use (single) host aliases everywhere (ie also outside ip firewall) using either an ip or mac address, but afaik ros only supports lists within ip firewall.
 
vawtech
just joined
Topic Author
Posts: 10
Joined: Fri Jan 19, 2024 11:37 am

Re: Address list for dst nat

Tue Apr 09, 2024 3:44 pm

Ok, I assumed as much, as there was no option for that, thanks.
 
llamajaja
Member Candidate
Posts: 198
Joined: Sat Sep 30, 2023 3:11 pm

Re: Address list for dst nat

Tue Apr 09, 2024 6:55 pm

For port forwarding, you need a generic allow port forwarding rule in the forward chain.
/ip firewall filter add chain=forward action=accept comment="port forwarding" connection-nat-state=dstnat

Then you need a specific DST NAT rule, detailing the port, the server etc......

For a dynamic public IP the standard format is:
/ip firewall nat add chain=dstnat action=dst-nat in-interface=WANX dst-port=abcd protocol=tcp or udp to-addresses=IPofServer

For a static fixed public IP the standard format is:
/ip firewall nat add chain=dstnat action=dst-nat dst-address=StaticPublicIP dst-port=abcd protocol=tcp or udp to-addresses=IPofServer

Note1: to-ports is only required for port translation (where the port hitting the router first is different from the port expected by the Server).
Note2: To provide a bit better security than an open port one can delineate specific Source address or Source address list to limit the access. By providing a source field, the additional benefit is that the port does not appear on scans, and instead of port visible and closed, it is simply not visible.

An additional problem occurs for the hairpin nat case. Here you want to direct users ON THE SAME SUBNET as the Server, to the server via the WANIP, aka typically an easier to remember dyndns URL. In both cases ( public, dynamic WANIP), the easiest method to deal with this may simply be move the users or Server to a different subnet ( vlans are cheap ). If unable to do so, then you need at a minimum a hairpin source nat rule.
/ip firewall nat add chain=srcnat action=masquerade src-address=subnetofServer dst-address=subnetofServer

The static fixed WANIP needs no further changes to make this scenario work. However, the dynamic WANIP of in-interface=WAN ( or the default firewall rule handling dstnat from the WAN) is no longer viable. Hence why the forward FW above is provided - works in all cases. To mimic the static config, we simply create a firewall address list for the WAN, using the same dyndns URL provided to users, ( or use the IP cloud my netname as another option )
/ip firewall address-list add address=mynetname.net list=MYWAN

Then simply modify the dst-nat rule accordingly.
/ip firewall nat add chain=dstnat action=dst-nat dst-address-list=MYWAN dst-port=abcd protocol=tcp or udp to-addresses=IPofServer
 
llamajaja
Member Candidate
Posts: 198
Joined: Sat Sep 30, 2023 3:11 pm

Re: Address list for dst nat

Tue Apr 09, 2024 6:58 pm

Now with that knowledge can you frame your question so that it makes sense.....................
 
vawtech
just joined
Topic Author
Posts: 10
Joined: Fri Jan 19, 2024 11:37 am

Re: Address list for dst nat

Tue Apr 09, 2024 7:11 pm

Thanks, but my question was not about how to do a dst nat, it was about the possibility to use an alias in the to-address field in action section, which is not possible. The dst-address-list is in the general section (I am talking about sections in webfig), but it is not what I need.
 
llamajaja
Member Candidate
Posts: 198
Joined: Sat Sep 30, 2023 3:11 pm

Re: Address list for dst nat

Tue Apr 09, 2024 8:52 pm

I don't care about wanting to use an alias address because that is not clarifying or providing any logic or reasoning. It's some unknown functionality without a purpose.
Please state what associated users you have and what traffic flows they require..... then we will be able to make sense of what you are actually/practically attempting to achieve.
 
pe1chl
Forum Guru
Posts: 10278
Joined: Mon Jun 08, 2015 12:09 pm

Re: Address list for dst nat

Tue Apr 09, 2024 10:54 pm

Not very useful, those "I don't understand why you would want that, so you should not want that!" replies.

I understand what you mean but there is no direct solution in RouterOS.
It has been proposed before that it would be useful to have some "mnemonic name" for an IP address other than DNS or address lists, and that it would be used (and shown) all over the system.
It could e.g. be the hostname provided to DHCP or the MAC address of the system.

Other routers (by other manufacturers) often have such a mechanism, where you can see a list of all your internal systems and can refer to them by name or ID when configuring firewall, port forwarding, priority, limitations (e.g. kid control) etc.
But RouterOS does not yet have it.

Indeed as written, the closest you can get is write some script that adjusts the rules when the address changes.
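The "script that adjusts the rule when the address changes" that pimmie and pe1chl both point to, written out as an added example (it is not from this thread and not MikroTik's own code). It treats a single-entry address list as the alias: the list name firewall_wan, the rule comment fw-wan-forward and the one-minute scheduler interval are all assumptions chosen here for illustration.

```routeros
# Added example: keep a dst-nat rule's to-addresses in sync with a
# single-entry address list that acts as the "alias" for the inner WAN.
#
# One-time setup (all names below are assumed for this example):
#   /ip firewall address-list add list=firewall_wan address=192.168.1.2
#   /ip firewall nat add chain=dstnat action=dst-nat in-interface-list=WAN \
#       to-addresses=192.168.1.2 comment=fw-wan-forward
#   /system script add name=sync-fw-wan source=<this script>
#   /system scheduler add name=sync-fw-wan interval=1m on-event=sync-fw-wan
#
# Changing the alias is then just:
#   /ip firewall address-list set [find list=firewall_wan] address=192.168.1.3

:local aliasList "firewall_wan"
:local ruleComment "fw-wan-forward"

# The alias must hold exactly one host address: dst-nat can only forward to
# a single target, so anything else is refused and logged rather than guessed.
:local aliasIds [/ip firewall address-list find list=$aliasList]
:if ([:len $aliasIds] != 1) do={
    :log warning ("alias list " . $aliasList . " must have exactly one entry, found " . [:tostr [:len $aliasIds]])
} else={
    :local target [:tostr [/ip firewall address-list get [:pick $aliasIds 0] address]]

    # Find the rule by comment, not by position, so reordering rules in
    # the NAT table does not silently break the sync.
    :local ruleIds [/ip firewall nat find comment=$ruleComment]
    :if ([:len $ruleIds] != 1) do={
        :log warning ("expected one dst-nat rule with comment " . $ruleComment . ", found " . [:tostr [:len $ruleIds]])
    } else={
        :local ruleId [:pick $ruleIds 0]
        :local current [:tostr [/ip firewall nat get $ruleId to-addresses]]

        # Only touch the rule when the target really changed, so the log
        # shows each alias change once instead of a line every minute.
        :if ($current != $target) do={
            /ip firewall nat set $ruleId to-addresses=$target
            :log info ("dst-nat " . $ruleComment . ": to-addresses " . $current . " -> " . $target)
        }
    }
}
```

Because the rule is located by its comment, the same script can be reused for several forwards by giving each rule its own comment and alias list. Keeping the exactly-one-entry check is deliberate: the thread's point that a list means N addresses while dst-nat forwards to one is what this script enforces instead of picking an entry arbitrarily.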
 
anav
Forum Guru
Posts: 19639
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Address list for dst nat

Tue Apr 09, 2024 11:18 pm

"Not very useful, those "I don't understand why you would want that, so you should not want that!" replies."
read again, and then one more time............ it's not "don't want", it's "can't because don't understand", so need different wording.
very few people here actually word requirements in clear unambiguous language.
