Mark my words!
MIKROTIK is the Future & Cisco's Domination is about to end. For sure CISCO still holds the majority of shares in the routers world, but it is going to change very soon . . .
CISCO is best, but at a higher price. Cisco has an edge due to a reliable OS and hardware.
Mikrotik is good for multiple purposes at a very cheap price as compared to CISCO and offers more. So a very cost-effective solution.
It's all about personal preference, choice, budget.
But even if I have a high budget, I will prefer Mikrotik, but that's my personal choice, and you are not bound to agree with it.
Jz
Recently I did some testing at my office for a possible replacement of a Cisco ASA 5510 firewall/router with a MikroTik RouterBOARD. I had a /29 public IP pool. The configuration was pretty straightforward, but I was confused about how to route a specific LAN server's (or IP's) traffic via a specific WAN IP. Using src-address I managed to solve it. Following is a short reference on how I did it, kept for future usage.
The scenario is as follows.
We will configure all usable WAN IP addresses on the MikroTik WAN interface and forward the required ports from specific WAN IPs to specific LAN servers. We will also configure the firewall so that only the required ports are open from the WAN side, for security purposes; all other traffic will be denied on the WAN interface. Finally, we will bind the local servers to specific WAN IP addresses for their outbound traffic.
The MikroTik has two interfaces:
ether1 = LAN users
ether2 = WAN link
Now we want to forward traffic as follows (all IP addressing used here is fictional and for example purposes only):
mail server = 10.0.0.2 → 1.2.3.1 WAN IP
dude server = 10.0.0.3 → 1.2.3.2 WAN IP
cctv1 server = 10.0.0.4 → 1.2.3.3 WAN IP
cctv2 server = 10.0.0.5 → 1.2.3.4 WAN IP
IP Configuration at Mikrotik Interfaces . . .
/ip address
add address=10.0.0.1/8 comment=LAN disabled=no interface="LAN - ether1"
add address=1.2.3.1/29 interface="WAN - ether2"
add address=1.2.3.2/29 interface="WAN - ether2"
add address=1.2.3.3/29 interface="WAN - ether2"
add address=1.2.3.4/29 interface="WAN - ether2"
Filter rules section: allow only the required incoming traffic on the WAN interface and DENY everything else for security purposes.
First add the required ports to the firewall filter BEFORE the DENY rule, which comes last. Two things to keep in mind about how RouterOS evaluates these rules: dst-nat is applied before the filter, and a connection that the NAT section forwards to a LAN server traverses the forward chain, not input, so the input rules below only gate traffic addressed to the router itself (Winbox, ping), while the forward chain is left at its default of accepting everything the dst-nat rules translate. Also, the Winbox rule as written accepts connections from any source on the Internet; restrict it with src-address to your management addresses.
/ip firewall filter
add action=accept chain=input comment="SMTP" disabled=no dst-address=1.2.3.1 dst-port=25 in-interface="WAN - ether2" protocol=tcp
add action=accept chain=input comment="POP3" disabled=no dst-address=1.2.3.1 dst-port=110 in-interface="WAN - ether2" protocol=tcp
add action=accept chain=input comment="Webmail" disabled=no dst-address=1.2.3.1 dst-port=80 in-interface="WAN - ether2" protocol=tcp
add action=accept chain=input comment="DUDE" disabled=no dst-address=1.2.3.2 dst-port=80 in-interface="WAN - ether2" protocol=tcp
add action=accept chain=input comment="CCTV 1" disabled=no dst-address=1.2.3.3 dst-port=81 in-interface="WAN - ether2" protocol=tcp
add action=accept chain=input comment="CCTV 2" disabled=no dst-address=1.2.3.4 dst-port=82 in-interface="WAN - ether2" protocol=tcp
add action=accept chain=input comment="WINBOX 8192" disabled=no dst-port=8192 in-interface="WAN - ether2" protocol=tcp
add action=accept chain=input comment="Allow PING ICMP" disabled=no protocol=icmp
add action=drop chain=input comment="DROP ALL INCOMING TRAFFIC ON WAN INTERFACE" disabled=no in-interface="WAN - ether2"
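Added example (not from the original post or the author's router): a filter set that enforces the stated goal on both chains. Because dst-nat runs before filtering, a connection forwarded to a LAN server passes through forward rather than input, so the forward rules below match on the LAN address and port the packet carries after translation. The set also accepts established/related replies ahead of the drop rules, so the router's own outbound connections (DNS, NTP, package updates) keep working, restricts Winbox to a management network, and drops all other WAN-originated traffic on both chains. The interface names, the fictional 1.2.3.x and 10.0.0.x addresses and Winbox port 8192 are taken from the page; 198.51.100.0/24 as the management network and RouterOS 6.x/7.x syntax are assumptions.

```routeros
# Added example, not the author's configuration. Assumes RouterOS 6.x/7.x
# syntax and the interface names used above. 198.51.100.0/24 is an assumed
# management network; replace it with your own.
/ip firewall filter
# --- input: traffic addressed to the router itself ---
add chain=input action=accept connection-state=established,related \
    comment="Replies to the router's own connections (DNS, NTP, updates)"
add chain=input action=drop connection-state=invalid comment="Drop invalid"
add chain=input action=accept protocol=icmp in-interface="WAN - ether2" \
    comment="Allow ping"
add chain=input action=accept protocol=tcp dst-port=8192 \
    in-interface="WAN - ether2" src-address=198.51.100.0/24 \
    comment="Winbox (port used on this page; default is 8291) only from management"
add chain=input action=drop in-interface="WAN - ether2" \
    comment="Drop everything else to the router arriving on WAN"
# --- forward: traffic that dst-nat has already rewritten to a LAN server ---
# dst-nat is applied before the filter, so match on the LAN address and port.
add chain=forward action=accept connection-state=established,related \
    comment="Replies for connections already allowed"
add chain=forward action=drop connection-state=invalid comment="Drop invalid"
add chain=forward action=accept protocol=tcp dst-address=10.0.0.2 \
    dst-port=25,110,80 in-interface="WAN - ether2" comment="Mail: SMTP, POP3, webmail"
add chain=forward action=accept protocol=tcp dst-address=10.0.0.3 \
    dst-port=80 in-interface="WAN - ether2" comment="Dude"
add chain=forward action=accept protocol=tcp dst-address=10.0.0.4 \
    dst-port=81 in-interface="WAN - ether2" comment="CCTV 1"
add chain=forward action=accept protocol=tcp dst-address=10.0.0.5 \
    dst-port=82 in-interface="WAN - ether2" comment="CCTV 2"
add chain=forward action=drop in-interface="WAN - ether2" \
    comment="Drop all other WAN-originated traffic toward the LAN"
# Check: while probing the published ports from outside, the counters on the
# matching accept rules increment; anything else lands on the drop rules.
/ip firewall filter print stats
```

Rule order matters: the established/related accept must sit above the drop rules in each chain, and LAN-originated traffic is untouched because the drops match only in-interface="WAN - ether2".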
NAT section: port forwarding from the WAN IPs to the local servers with dst-nat, and src-nat to bind each local server's outbound traffic to its specific WAN IP. Note that the src-nat rules below have no out-interface match, so they rewrite the source of anything the router forwards from those hosts; if the router ever carries more than one internal network, add out-interface="WAN - ether2" to each of them.
### First the dst-nat section to forward the ports
/ip firewall nat
add action=dst-nat chain=dstnat comment="SMTP 25 Forward to MAIL-Server" disabled=no dst-address=1.2.3.1 dst-port=25 in-interface="WAN - ether2" protocol=tcp to-addresses=10.0.0.2 to-ports=25
add action=dst-nat chain=dstnat comment="POP3 110 Forward to MAIL-Server" disabled=no dst-address=1.2.3.1 dst-port=110 in-interface="WAN - ether2" protocol=tcp to-addresses=10.0.0.2 to-ports=110
add action=dst-nat chain=dstnat comment="Web 80 Forward to MAIL-Server Webmail" disabled=no dst-address=1.2.3.1 dst-port=80 in-interface="WAN - ether2" protocol=tcp to-addresses=10.0.0.2 to-ports=80
add action=dst-nat chain=dstnat comment="Web 80 Forward to DUDE" disabled=no dst-address=1.2.3.2 dst-port=80 in-interface="WAN - ether2" protocol=tcp to-addresses=10.0.0.3 to-ports=80
add action=dst-nat chain=dstnat comment="CCTV1 - 81 Forward to cctv1" disabled=no dst-address=1.2.3.3 dst-port=81 in-interface="WAN - ether2" protocol=tcp to-addresses=10.0.0.4 to-ports=81
add action=dst-nat chain=dstnat comment="CCTV2 - 82 Forward to cctv2" disabled=no dst-address=1.2.3.4 dst-port=82 in-interface="WAN - ether2" protocol=tcp to-addresses=10.0.0.5 to-ports=82
### Now route each local server's traffic via its specific WAN IP address
add action=src-nat chain=srcnat comment="Route mail traffic via 1.2.3.1" disabled=no src-address=10.0.0.2 to-addresses=1.2.3.1
add action=src-nat chain=srcnat comment="Route DUDE traffic via 1.2.3.2" disabled=no src-address=10.0.0.3 to-addresses=1.2.3.2
add action=src-nat chain=srcnat comment="Route CCTV1 traffic via 1.2.3.3" disabled=no src-address=10.0.0.4 to-addresses=1.2.3.3
add action=src-nat chain=srcnat comment="Route CCTV2 traffic via 1.2.3.4" disabled=no src-address=10.0.0.5 to-addresses=1.2.3.4
add action=masquerade chain=srcnat comment="Default Masquerade Rule for LAN" disabled=no out-interface="WAN - ether2" src-address=10.0.0.2-10.0.0.255
Now test it from the WAN side. You can check the port status from http://www.yougetsignal.com/tools/open-ports/ and confirm on the router that the counters of the matching NAT rules increase with /ip firewall nat print stats.
♣ ♣ ♣
<< HAIRPIN NAT >>
Using the above method, I was able to successfully set up port forwarding on a Mikrotik router that forwards from the Mikrotik WAN IP to local LAN servers (example: 1.2.3.4:3389 to 192.168.1.10:3389). BUT there is a BUT: when I tried to open the Mikrotik WAN IP from a local LAN user, for example
192.168.1.20 –> 1.2.3.4:3389 –> 192.168.1.10:3389
it didn't open and the connection went into a sink hole, meaning it was lost.
The solution was to rewrite the port forwarding rule to NOT use in-interface=WAN-GATEWAY but dst-address-type=local. With in-interface=WAN-GATEWAY the dst-nat rule only matches packets arriving on the WAN interface, so a LAN client's packet to the WAN IP is never translated; dst-address-type=local matches any packet addressed to one of the router's own addresses, whichever interface it arrives on. A second rule is then needed to masquerade the translated LAN-to-LAN flow: otherwise the server sees the client's real LAN address and answers it directly, bypassing the router, and the client discards the reply because it does not belong to the connection it opened to the WAN IP.
This is called, among other terms, hairpin NAT, because the traffic flow has clients enter the router through the same interface it leaves through, which when drawn looks like a hairpin.
As shown in the example below . . .
# DST-NAT rule to redirect port 3389
/ip firewall nat
add action=dst-nat chain=dstnat disabled=no dst-address=1.2.3.4 dst-address-type=local dst-port=3389 protocol=tcp to-addresses=192.168.1.10 to-ports=3389 comment="Redirect RDP PORT TCP 3389 to local server"

# Masquerade local traffic going to the Mikrotik WAN IP [to access that service from the LAN using the Mikrotik WAN IP]
/ip firewall nat
add chain=srcnat src-address=192.168.1.0/24 dst-address=192.168.1.10 protocol=tcp dst-port=3389 out-interface=LAN-Interface action=masquerade comment="Masquerade Traffic going to WAN IP of mikrotik from local LAN users"