Question

Connecting to internal exchange using public IP via a mikrotik

Asked by: cpoint-service

Good Evening,

My current situation is as follows:

I have a customer on T1 with a Mikrotik RB433AH router (RouterOS 3.14) assigned a public IP. Inside the network is a Windows Server 2003 PDC using AD and Exchange. The Mikrotik has a WiFi card that is bridged into the local network. The PDC handles DHCP and DNS for the internal network. The local domain is <company>.local

From the WiFi we have flawless internet access, and can browse to http://192.168.1.254/exchange and get the OWA login. When connecting to http://<companydomain>.com/exchange from outside the network you also get the OWA login.

However, from inside the network on the WiFi, accessing http://<companydomain>.com/exchange returns "page can not be displayed" (timeout).


This is a known issue with many routers and is even brought up and addressed in this question:

http://www.experts-exchange.com/Hardware/Networking_Hardware/Routers/Q_23727459.html

Unfortunately when trying to implement the accepted solution to that question the winbox UI returns the following error where xxx.xxx.xxx.xxx is the public IP for the customer:

"Couldn't change NAT rule <192.168.1.0/24->xxx.xxx.xxx.xxx> - dstnat chain can not contain masquerade/snat actions (6)"

This question has been solved and asker verified.

Asked On: 2009-11-03 at 10:37:44 (ID 24868214)
Tags: mikrotik rb433ah exchange router routing
Topics: Network Routers, Networking Hardware Firewalls, IP Tables/IP Chains
Participating Experts: 2
Points: 500
Comments: 26

Answers

 

by: hkunnana, posted on 2009-11-03 at 12:45:07, ID: 25733394

What I understood from your explanation is the following:

Clients inside your network (through WiFi) can connect to the URL which has the IP address, but can't reach the same when it contains a name instead of the IP.

If I understood right, then you have the following issue:
- your DNS resolves the ip of the "<companydomain>.com" to the external IP, and it seems you can't reach it for some reason.
So, the resolution can either be:
1- Allow the communication from your inside clients to the OWA via its external address.
or (which I prefer)
2- configure your local clients to use an internal DNS that translates the OWA address to its local IP.

 

by: cpoint-service, posted on 2009-11-03 at 13:17:07, ID: 25733776

To clarify, clients inside on WiFi can get to OWA when using the internal IP, but not when using the URL that resolves to the external IP.

The problem is that the client's device (in this case an iPhone 3G) must remain configured to attach to the external server hostname. But when in the building on WiFi (instead of AT&T Edge) it says "unable to connect to server". This is an issue that, like the individual I linked, we have tracked down to a lack of a specific routing rule that allows for this.

You see this rule implemented in most home routers but lacking in most corporate routers that do not come with some kind of prebuilt firewall rules managed by a caked-over web GUI.

 

by: meverest, posted on 2009-11-03 at 13:26:23, ID: 25733918

"Couldn't change NAT rule <192.168.1.0/24->xxx.xxx.xxx.xxx> - dstnat chain can not contain masquerade/snat actions (6)"

That error is displayed when you try to use the dst-nat chain in the 'general' config properties of the NAT rule. Make sure that it is set to the src-nat chain.

However, I don't think that your problem is necessarily the same as the other post.  (may cause similar behaviour, but may not be the same cause)

I'd suggest that you make a static DNS map for that server instead (look at IP->DNS->static, click '+' and put the hostname in there and the LOCAL ip address)

That will only help if your LAN clients use the mikrotik as DNS resolver though!

Cheers,  Mike.

 

by: hkunnana, posted on 2009-11-03 at 13:38:03, ID: 25734068

"But when in the building on wifi (instead of ATT Edge) it says unable to connect to server."
This is because it is getting its IP information (including the DNS server) from the internal IP range (private range), so you need to configure the iPhone's WiFi IP settings to use the internal DNS (that has the OWA mapped to an internal IP). That would be done via the DHCP server you have in your local LAN, or in the network properties of the WiFi profile on the iPhone.

 

by: cpoint-service, posted on 2009-11-04 at 09:29:49, ID: 25741707

As I mentioned in my original post, "The PDC handles DHCP and DNS for the internal network." So sadly the easy DNS fix is not viable here.

Also, I am quite certain and well aware that it is in fact the same issue as the post I linked, as we have run into identical issues with other internally run services using a Mikrotik. In these cases using a residential router, most of which standardize this function, resolved it. In this case the function is a device behind the firewall being able to connect to the outside IP of the firewall and get passed through to the local server using the NAT rules for port forwards already in place.

                                                                 ____ (Server)
                                  Router                   /
(Internet)---------(public | private)--------|
                                                               \_____ (Client)

In this case the client is trying to connect to the public side of the router. The Mikrotik by default has no rule to handle this and so causes the packet to drop. But I have been unable to determine how to correct for this, or even what specifically causes it. But it is a known issue with MANY routers that I saw time after time with residential customers and things like web cameras.

 

by: hkunnana, posted on 2009-11-04 at 10:11:04, ID: 25742093

I agree with you, the router should do that function, but to my way of thinking I still see the DNS solution as much easier, and more realistic.

If your DNS server hosted on your PDC is your live DNS as in the mentioned link (which I highly doubt), then you will need to add a rule in the router to allow traffic from your inside not only to go out, but also to come in.

Otherwise, if the DNS server hosted on the PDC is not your live DNS, then that server would naturally host the internal private IP addresses of internal hosts, including that server.

I don't know why internal users, using your internal network with private addresses, would have to go out of the router and back in to use the server via its public IP, and why the internal DNS server would resolve the server's IP as the public, not the private IP.

Naturally, that server has a local private IP address, and your DNS server could have a zone for your domain.

In the DNS zone for your domain on the PDC, why not put the internal private IP instead of the public IP?

When the users are on the 3G public network, they would get the public IP of the server through the public DNS.

 

by: meverest, posted on 2009-11-04 at 12:52:30, ID: 25743774

>> As i mentioned in my original post "The PDC handles DHCP and DNS for the internal network." So sadly the easy DNS fix is not viable here.

Then add the host entry to that DNS server.

Cheers!

 

by: cpoint-service, posted on 2009-11-04 at 14:59:28, ID: 25745006

hkunnana, the PDC is not the live DNS. The reason for the internal users accessing the outside IP is because of the configuration in the client (iPhone). It only allows one Exchange account, and I need it to work on Edge as well as the internal WiFi. To work on Edge it must access the public IP via hostname. Unless they wish to reconfigure the iPhone every time they transition, the public hostname which resolves to the public IP needs to be accessible from the internal WiFi.

The PDC does not contain a zone for the customer's internet domain, just for their AD domain <servername>.local, and the customer does not wish to maintain a separate copy of their internet domain zone that he has to update when they make changes.

 

by: cpoint-service, posted on 2009-11-04 at 15:00:29, ID: 25745016

Also, on a side note, the answer I am looking for would correct multiple issues with other customers using these routers and others.

 

by: hkunnana, posted on 2009-11-04 at 19:15:55, ID: 25746474

Justified, then we need to look into the router/firewall configuration to see what needs to be modified.

 

by: meverest, posted on 2009-11-04 at 22:14:46, ID: 25747107

OK, understood, and agreed.

In that case, a NAT rule somewhere is the best solution. Unfortunately, since you say that the WiFi on the Mikrotik is BRIDGED to the LAN, that is probably not a good opportunity to NAT.

But you can try this:

1.  open mikrotik winbox and click on 'bridge' in the main menu
2.  click 'settings' on the bridge tab.
3.  check the box that says "use IP firewall"
4.  click 'ip' in the main menu, then choose 'firewall'
5.  click the 'nat' tab and click '+' (add)
6.  make the chain = 'dst-nat' and enter the 'LIVE' IP address of the exchange server in the 'destination address'
7.  select the 'action tab' and choose 'dst-nat'
8.  enter the local (LAN) ip address of the exchange server in the to-address field.
9. click OK.

If that doesn't cut it for you, then your choices are:

a. make the wireless network ROUTE to the LAN instead of bridge - then the NAT rules will work a lot better
b. make the NAT rule on the internet router.  If it is not supported by that router, chuck it out and replace it with something that behaves better (e.g Mikrotik)

Cheers,  Mike.
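The behaviour the steps above are working around is hairpin NAT (NAT loopback): a LAN client connecting to the router's public address, which a dst-nat rule then sends back to a LAN server. The following Python is an added example, not code from this thread or from MikroTik. It models the router's dst-nat port forward with a small connection-tracking table and shows why the LAN client only gets a usable reply when the router also source-NATs the hairpinned flow, a masquerade action that belongs in the srcnat chain (the error quoted in the question is RouterOS refusing it in the dstnat chain). The public address 203.0.113.10 and the external client 198.51.100.7 are constructed placeholders; 192.168.1.253 and 192.168.1.254 are the router's LAN address and the Exchange server used in this thread.

```python
"""Model of a LAN client reaching a port-forwarded server through the
router's public address (hairpin / NAT loopback).

Added example, not from the thread. PUBLIC_IP and the external client
address are constructed placeholders for the thread's redacted values.
"""
from dataclasses import dataclass, replace

PUBLIC_IP = "203.0.113.10"       # placeholder for <public IP> (TEST-NET-3)
ROUTER_LAN_IP = "192.168.1.253"  # router's address on the LAN bridge
SERVER_IP = "192.168.1.254"      # Exchange/OWA server
LAN_PREFIX = "192.168.1."        # 192.168.1.0/24


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

    def reply(self) -> "Packet":
        """The answer to this packet: addresses and ports swapped."""
        return Packet(self.dst, self.dport, self.src, self.sport)


def on_lan(ip: str) -> bool:
    return ip.startswith(LAN_PREFIX)


class NatRouter:
    """Minimal dstnat/srcnat engine with a connection-tracking table."""

    def __init__(self, hairpin_srcnat: bool) -> None:
        # hairpin_srcnat models the extra rule (srcnat chain, never dstnat):
        #   chain=srcnat src-address=192.168.1.0/24 dst-address=192.168.1.254
        #   protocol=tcp dst-port=80 action=masquerade
        self.hairpin_srcnat = hairpin_srcnat
        # reverse 4-tuple of the translated flow -> untranslated packet
        self.conntrack: dict[tuple, Packet] = {}

    def forward(self, pkt: Packet) -> Packet:
        original = pkt
        # dstnat: the "HTTP Redirect" rule, public IP:80 -> server:80.
        # Matches on dst-address only; an in-interface=public restriction
        # would never see a packet that arrived from the LAN bridge.
        if pkt.dst == PUBLIC_IP and pkt.dport == 80:
            pkt = replace(pkt, dst=SERVER_IP)
        # srcnat: only LAN sources heading back to the LAN server are masqueraded
        if self.hairpin_srcnat and on_lan(pkt.src) and pkt.dst == SERVER_IP:
            pkt = replace(pkt, src=ROUTER_LAN_IP)
        self.conntrack[(pkt.dst, pkt.dport, pkt.src, pkt.sport)] = original
        return pkt

    def reverse(self, reply: Packet):
        """Undo the translation for a reply; None if the flow is not tracked."""
        original = self.conntrack.get((reply.src, reply.sport, reply.dst, reply.dport))
        return None if original is None else original.reply()


def deliver_reply(router: NatRouter, reply: Packet):
    """Where the server's reply goes: an on-link LAN host is reached directly
    via ARP, anything else goes to the default gateway (the router)."""
    if on_lan(reply.dst) and reply.dst != ROUTER_LAN_IP:
        return reply
    return router.reverse(reply)


def connection_succeeds(router: NatRouter, client_ip: str) -> bool:
    """True if the reply arrives from the address:port the client connected
    to, i.e. the client's TCP stack will accept the SYN-ACK."""
    syn = Packet(client_ip, 40000, PUBLIC_IP, 80)
    delivered = deliver_reply(router, router.forward(syn).reply())
    return delivered is not None and (delivered.src, delivered.sport) == (syn.dst, syn.dport)


def lan_client_ok(hairpin_srcnat: bool) -> bool:
    """The thread's case: an iPhone on the bridged WiFi using the public name."""
    return connection_succeeds(NatRouter(hairpin_srcnat), "192.168.1.125")


def external_client_ok(hairpin_srcnat: bool) -> bool:
    """An internet client; the ordinary port forward, unaffected either way."""
    return connection_succeeds(NatRouter(hairpin_srcnat), "198.51.100.7")


def validate_nat_rule(chain: str, action: str):
    """RouterOS refuses source-rewriting actions in the dstnat chain; this is
    the check behind the error quoted in the question."""
    if chain == "dstnat" and action in ("masquerade", "src-nat"):
        return "dstnat chain can not contain masquerade/snat actions"
    return None


if __name__ == "__main__":
    print("LAN client, dst-nat only:         ", lan_client_ok(False))
    print("LAN client, dst-nat + srcnat:     ", lan_client_ok(True))
    print("External client, dst-nat only:    ", external_client_ok(False))
    print("masquerade in dstnat chain:       ", validate_nat_rule("dstnat", "masquerade"))
```

Without the srcnat rule the server sees the client's real LAN address and answers it directly over the bridge, so the SYN-ACK arrives from 192.168.1.254 rather than from the public address the client connected to; the client discards it and the connection times out, which is the symptom in the question. With the masquerade rule the server's reply is addressed to the router, which un-translates both halves of the flow. Two checks worth making on the real device: the dst-nat rule must match on dst-address alone (an in-interface=public qualifier excludes the hairpin packet), and because the LAN and WiFi are bridged, use-ip-firewall must be on (step 3) or bridged traffic never reaches the NAT chains.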

 

by: cpoint-service, posted on 2009-11-05 at 07:18:16, ID: 25750346

meverest, the networks are bridged because they need to appear as part of the same LAN. If it helps, a PC on the wired network has the same issue. I will try this and post my results.

 

by: meverest, posted on 2009-11-05 at 12:28:02, ID: 25753606

Hi,

Your problem is not uncommon. It is due to poor design of the border router, in that many of those products cannot cope with port forwarding when the client is on the LAN side.

Perhaps you will simply need to replace that 'faulty' device.

Cheers.

 

by: hkunnana, posted on 2009-11-05 at 12:52:42, ID: 25753883

I recommend you put your question to the Mikrotik support guys:

http://www.mikrotik.com/support.html
http://forum.mikrotik.com/

 

by: meverest, posted on 2009-11-05 at 13:12:17, ID: 25754090

Hey, this is not a Mikrotik problem! It is already noted that the same problem happens for a PC connected to the LAN!

 

by: hkunnana, posted on 2009-11-05 at 16:38:10, ID: 25755722

As I understood, the Mikrotik router is the LAN's border router, and it is connected to the LAN via its WiFi card.

The internal PCs and iPhone users connected to the local LAN cannot connect to the server using its public IP. Their request to connect to that IP goes to that gateway. Now, that request needs to be handled properly by tweaking the configuration (I guess NATing or routing info would do it) in order to allow this kind of communication to happen.

Is this right?

 

by: meverest, posted on 2009-11-05 at 17:25:36, ID: 25755963

Good question. As Mikrotik does not have T1 type interfaces (especially the 433AH! ;-) I have been assuming (perhaps erroneously) that there is something else managing that interface.

*If* your assessment is correct, and one of the RB433AH ports has the public IP address, then the RouterOS NAT rule should work just fine, regardless of whether the bridge is passed through the IP firewall or not.

Waiting on clarification...

Cheers! :)

 

by: cpoint-service, posted on 2009-11-09 at 08:13:28, ID: 25777207

The Cisco router in this case only creates an IP Ethernet network attached via that T1. The Mikrotik IS in fact the border router reflecting the public IP. Eth1 is the public IP while the other two and the wlan1 interface are bridged, with masquerade rules in place to do the routing. General port forwards through the router work, but clients from the LAN side of the router are not able to access the forwards. The connection simply times out. I enabled the "Use IP Firewall on bridge" option but this does not appear to have resolved the issue.

 

by: hkunnana, posted on 2009-11-09 at 09:02:57, ID: 25777769

I assume that requests from your LAN to the internet go via the Mikrotik to the Cisco router to the internet without errors.

But a request to that subnet (which includes your server's public IP) also goes to the Mikrotik router, and it in turn forwards it out Eth1, assuming the destination resides in that network.

The request actually never reaches the Cisco router; it is dropped via the Mikrotik's Eth1 interface and times out there.

We need to tell that Mikrotik router to NAT requests to that IP (the server's IP) and forward them to the proper interface.

 

by: cpoint-service, posted on 2009-11-09 at 09:34:14, ID: 25778064

hkunnana,

You are correct. The Cisco router only handles static routing from the backbone to the Mikrotik's Ethernet. The Mikrotik is acting as the edge for the entire network in question.

 

by: hkunnana, posted on 2009-11-09 at 11:49:38, ID: 25779287

Is it possible you could post your current Mikrotik configuration so that someone might be able to guide you through the configuration?

 

by: meverest, posted on 2009-11-09 at 13:14:14, ID: 25780158

Good idea. Run "export file=config" in a 'new terminal' and post the resulting file "config.rsc" here.

Cheers.

 

by: cpoint-service, posted on 2009-11-10 at 08:28:36, ID: 25786971

I attached the config.rsc contents as a code snippet due to the file type restriction. In the file all references to the company's name are replaced with <Company>, the public IP with <Public IP>/<public IP broadcast>, and the wireless key with <WPA Key>.

# nov/10/2009 10:18:55 by RouterOS 3.14
# software id = TBU1-PTT
#
/interface bridge
add admin-mac=00:00:00:00:00:00 ageing-time=5m arp=enabled auto-mac=yes \
    comment="LAN Bridge" disabled=no forward-delay=15s max-message-age=20s \
    mtu=1500 name=bridge1 priority=0x8000 protocol-mode=none \
    transmit-hold-count=6
/interface ethernet
set 0 arp=enabled auto-negotiation=yes comment="Public Interface eth1" \
    disabled=no full-duplex=yes mac-address=00:0C:42:21:76:C3 mtu=1500 name=\
    public speed=100Mbps
set 1 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
    "" disabled=no full-duplex=yes mac-address=00:0C:42:21:76:C4 master-port=\
    none mtu=1500 name=ether2 speed=100Mbps
set 2 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
    "" disabled=no full-duplex=yes mac-address=00:0C:42:21:76:C5 master-port=\
    none mtu=1500 name=ether3 speed=100Mbps
/interface wireless security-profiles
set default authentication-types="" eap-methods=passthrough group-ciphers="" \
    group-key-update=5m interim-update=0s mode=none name=default \
    radius-eap-accounting=no radius-mac-accounting=no \
    radius-mac-authentication=no radius-mac-caching=disabled \
    radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=as-username \
    static-algo-0=none static-algo-1=none static-algo-2=none static-algo-3=\
    none static-key-0="" static-key-1="" static-key-2="" static-key-3="" \
    static-sta-private-algo=none static-sta-private-key="" \
    static-transmit-key=key-0 supplicant-identity=MikroTik tls-certificate=\
    none tls-mode=no-certificates unicast-ciphers="" wpa-pre-shared-key="" \
    wpa2-pre-shared-key=""
add authentication-types=wpa-psk,wpa2-psk group-ciphers=tkip \
    group-key-update=5m interim-update=0s mode=dynamic-keys name=<company> \
    radius-eap-accounting=no radius-mac-accounting=no \
    radius-mac-authentication=no radius-mac-caching=disabled \
    radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=as-username \
    static-algo-0=none static-algo-1=none static-algo-2=none static-algo-3=\
    none static-key-0="" static-key-1="" static-key-2="" static-key-3="" \
    static-sta-private-algo=none static-sta-private-key="" \
    static-transmit-key=key-0 supplicant-identity="" tls-certificate=none \
    tls-mode=no-certificates unicast-ciphers=tkip wpa-pre-shared-key=<wpa key> \
    wpa2-pre-shared-key=<wpa key>
/interface wireless
set 0 ack-timeout=dynamic adaptive-noise-immunity=none allow-sharedkey=no \
    antenna-gain=5 antenna-mode=ant-a area="" arp=enabled band=2.4ghz-b/g \
    basic-rates-a/g=6Mbps basic-rates-b=1Mbps burst-time=disabled comment=\
    WiFi compression=no country="united states" default-ap-tx-limit=0 \
    default-authentication=yes default-client-tx-limit=0 default-forwarding=\
    yes dfs-mode=none disable-running-check=no disabled=no \
    disconnect-timeout=3s frame-lifetime=0 frequency=2452 frequency-mode=\
    regulatory-domain hide-ssid=no hw-retries=4 mac-address=00:02:6F:53:EA:D6 \
    max-station-count=2007 mode=ap-bridge mtu=1500 name=wlan1 \
    noise-floor-threshold=default on-fail-retry-time=100ms \
    periodic-calibration=default periodic-calibration-interval=60 \
    preamble-mode=both proprietary-extensions=post-2.9.25 radio-name=\
    00026F53EAD6 rate-set=default scan-list=default security-profile=<company> \
    ssid=<company> station-bridge-clone-mac=00:00:00:00:00:00 \
    supported-rates-a/g=6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps \
    supported-rates-b=1Mbps,2Mbps,5.5Mbps,11Mbps tx-power=20 tx-power-mode=\
    card-rates update-stats-interval=disabled wds-cost-range=50-150 \
    wds-default-bridge=none wds-default-cost=100 wds-ignore-ssid=no wds-mode=\
    disabled wmm-support=disabled
/interface wireless manual-tx-power-table
set wlan1 comment=WiFi manual-tx-powers="1Mbps:17,2Mbps:17,5.5Mbps:17,11Mbps:1\
    7,6Mbps:17,9Mbps:17,12Mbps:17,18Mbps:17,24Mbps:17,36Mbps:17,48Mbps:17,54Mb\
    ps:17,HT20-1:0,HT20-2:0,HT20-3:0,HT20-4:0,HT20-5:0,HT20-6:0,HT20-7:0,HT20-\
    8:0,HT40-1:0,HT40-2:0,HT40-3:0,HT40-4:0,HT40-5:0,HT40-6:0,HT40-7:0,HT40-8:\
    0"
/interface wireless nstreme
set wlan1 comment=WiFi disable-csma=no enable-nstreme=no enable-polling=yes \
    framer-limit=3200 framer-policy=none
/ip hotspot profile
set default dns-name="" hotspot-address=0.0.0.0 html-directory=hotspot \
    http-cookie-lifetime=3d http-proxy=0.0.0.0:0 login-by=cookie,http-chap \
    name=default rate-limit="" smtp-server=0.0.0.0 split-user-domain=no \
    use-radius=no
/ip hotspot user profile
set default idle-timeout=none keepalive-timeout=2m name=default shared-users=\
    1 status-autorefresh=1m transparent-proxy=no
/ip ipsec proposal
set default auth-algorithms=sha1 disabled=no enc-algorithms=3des lifetime=30m \
    name=default pfs-group=modp1024
/port
set 0 baud-rate=auto data-bits=8 flow-control=none name=serial0 parity=none \
    stop-bits=1
/queue type
set default kind=pfifo name=default pfifo-limit=50
set ethernet-default kind=pfifo name=ethernet-default pfifo-limit=50
set wireless-default kind=sfq name=wireless-default sfq-allot=1514 \
    sfq-perturb=5
set synchronous-default kind=red name=synchronous-default red-avg-packet=1000 \
    red-burst=20 red-limit=60 red-max-threshold=50 red-min-threshold=10
set hotspot-default kind=sfq name=hotspot-default sfq-allot=1514 sfq-perturb=\
    5
set default-small kind=pfifo name=default-small pfifo-limit=10
/snmp
set contact="" enabled=no engine-boots=0 engine-id="" location="" \
    time-window=15 trap-sink=0.0.0.0 trap-version=1
/snmp community
set public address=0.0.0.0/0 authentication-password="" \
    authentication-protocol=MD5 encryption-password="" encryption-protocol=\
    DES name=public read-access=yes security=none write-access=no
/system logging action
set memory memory-lines=100 memory-stop-on-full=no name=memory target=memory
set disk disk-lines=100 disk-stop-on-full=no name=disk target=disk
set echo name=echo remember=yes target=echo
set remote name=remote remote=0.0.0.0:514 target=remote
/system routerboard settings
set baud-rate=115200 boot-delay=2s boot-device=nand-if-fail-then-ethernet \
    boot-protocol=bootp cpu-frequency=680MHz enable-jumper-reset=yes \
    enter-setup-on=any-key
set baud-rate=115200 boot-delay=2s boot-device=nand-if-fail-then-ethernet \
    boot-protocol=bootp cpu-frequency=680MHz enable-jumper-reset=yes \
    enter-setup-on=any-key
/user group
add name=read policy="local,telnet,ssh,reboot,read,test,winbox,password,web,sn\
    iff,!ftp,!write,!policy"
add name=write policy="local,telnet,ssh,reboot,read,write,test,winbox,password\
    ,web,sniff,!ftp,!policy"
add name=full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbo\
    x,password,web,sniff"
/interface bridge port
add bridge=bridge1 comment="" disabled=no edge=auto external-fdb=auto \
    horizon=none interface=ether2 path-cost=10 point-to-point=auto priority=\
    0x80
add bridge=bridge1 comment="" disabled=no edge=auto external-fdb=auto \
    horizon=none interface=ether3 path-cost=10 point-to-point=auto priority=\
    0x80
add bridge=bridge1 comment="" disabled=no edge=auto external-fdb=auto \
    horizon=none interface=wlan1 path-cost=10 point-to-point=auto priority=\
    0x80
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=no
/interface ethernet mirror
set mirror-port=none source-port=none
/interface wireless align
set active-mode=yes audio-max=-20 audio-min=-100 audio-monitor=\
    00:00:00:00:00:00 filter-mac=00:00:00:00:00:00 frame-size=300 \
    frames-per-second=25 receive-all=no ssid-all=no
/interface wireless sniffer
set channel-time=200ms file-limit=10 file-name="" memory-limit=10 \
    multiple-channels=no only-headers=no receive-errors=no streaming-enabled=\
    no streaming-max-rate=0 streaming-server=0.0.0.0
/interface wireless snooper
set channel-time=200ms multiple-channels=yes receive-errors=no
/ip accounting
set account-local-traffic=no enabled=no threshold=256
/ip accounting web-access
set accessible-via-web=no address=0.0.0.0/0
/ip address
add address=<public IP>/30 broadcast=<public IP broadcast> comment="" disabled=no \
    interface=public network=67.36.101.4
add address=192.168.1.253/24 broadcast=192.168.1.255 comment="" disabled=no \
    interface=bridge1 network=192.168.1.0
/ip dhcp-server config
set store-leases-disk=5m
/ip dns
set allow-remote-requests=yes cache-max-ttl=1w cache-size=2048KiB \
    max-udp-packet-size=512 primary-dns=68.252.180.9 secondary-dns=\
    68.252.180.11
/ip firewall address-list
add address=67.39.166.3 comment="" disabled=no list=barracuda-list
add address=67.39.166.4 comment="" disabled=no list=barracuda-list
add address=192.168.1.254 comment="" disabled=no list=allowed-ips
add address=192.168.1.100 comment="" disabled=no list=allowed-ips
add address=192.168.1.101 comment="" disabled=no list=allowed-ips
add address=192.168.1.113 comment="" disabled=no list=allowed-ips
add address=192.168.1.104 comment="" disabled=no list=allowed-ips
add address=192.168.1.110 comment="" disabled=yes list=allowed-ips
add address=192.168.1.117 comment="" disabled=yes list=allowed-ips
add address=192.168.1.114 comment="" disabled=no list=allowed-ips
add address=192.168.1.251 comment="" disabled=no list=allowed-ips
add address=192.168.1.119 comment="" disabled=no list=allowed-ips
add address=192.168.1.120 comment="Tom Malpass" disabled=no list=allowed-ips
add address=192.168.1.108 comment="" disabled=no list=allowed-ips
add address=192.168.1.116 comment="" disabled=no list=allowed-ips
add address=192.168.1.102 comment="" disabled=no list=allowed-ips
add address=192.168.1.253 comment="" disabled=no list=allowed-ips
add address=192.168.1.106 comment="" disabled=no list=allowed-ips
add address=192.168.1.107 comment="" disabled=no list=allowed-ips
add address=192.168.1.109 comment="" disabled=no list=allowed-ips
add address=192.168.1.124 comment="cpcc laptop" disabled=no list=allowed-ips
add address=192.168.1.125 comment="Tom's iPhone" disabled=no list=allowed-ips
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
    tcp-close-wait-timeout=10s tcp-established-timeout=1d \
    tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
    tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
    tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=accept chain=forward comment="Allow specific machines full access" \
    disabled=no out-interface=public src-address-list=allowed-ips
add action=accept chain=forward comment="Allow ping" disabled=no \
    out-interface=public protocol=icmp
add action=accept chain=forward comment="allow https" disabled=no dst-port=\
    443 out-interface=public protocol=tcp
add action=reject chain=forward comment="Reject mail to outside servers" \
    disabled=no dst-port=25 out-interface=public protocol=tcp reject-with=\
    icmp-admin-prohibited src-address-list=smtp-external
add action=add-src-to-address-list address-list=smtp-external \
    address-list-timeout=0s chain=forward comment=\
    "Detect and list PC's connecting to outside mail" disabled=no dst-port=25 \
    out-interface=public protocol=tcp src-address=!192.168.1.254
add action=drop chain=forward comment=\
    "Drop all traffic not previously exempted" disabled=no out-interface=\
    public
/ip firewall nat
add action=dst-nat chain=dstnat comment=\
    "Port 25 mail forward - barracuda only" disabled=no dst-address=\
    <public IP> dst-port=25 in-interface=public protocol=tcp \
    src-address-list=barracuda-list to-addresses=192.168.1.254 to-ports=25
add action=dst-nat chain=dstnat comment="POP3 Redirect" disabled=no \
    dst-address=<public IP> dst-port=110 in-interface=public protocol=tcp \
    to-addresses=192.168.1.254 to-ports=110
add action=dst-nat chain=dstnat comment="HTTP Redirect" disabled=no \
    dst-address=<public IP> dst-port=80 in-interface=public protocol=tcp \
    to-addresses=192.168.1.254 to-ports=80
add action=dst-nat chain=dstnat comment="HTTPS Redirect" disabled=no \
    dst-address=<public IP> dst-port=443 in-interface=public protocol=tcp \
    to-addresses=192.168.1.254 to-ports=443
add action=dst-nat chain=dstnat comment="RDP Redirect (TCP)" disabled=no \
    dst-address=<public IP> dst-port=3389 in-interface=public protocol=tcp \
    to-addresses=192.168.1.254 to-ports=3389
add action=dst-nat chain=dstnat comment="RDP Redirect (UDP)" disabled=no \
    dst-address=<public IP> dst-port=3389 in-interface=public protocol=udp \
    to-addresses=192.168.1.254 to-ports=3389
add action=redirect chain=dstnat comment=\
    "HTTP Traffic not to server filtered to webproxy" disabled=no \
    dst-address=!192.168.1.254 dst-port=80 in-interface=bridge1 protocol=tcp \
    src-address-list=!allowed-ips to-ports=8080
add action=masquerade chain=srcnat comment="Standard NAT masquerade" \
    disabled=no out-interface=public
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no
set pptp disabled=no
/ip hotspot service-port
set ftp disabled=no ports=21
/ip neighbor discovery
set public discover=yes
set ether2 discover=yes
set ether3 discover=yes
set bridge1 discover=yes
set wlan1 discover=no
/ip proxy
set always-from-cache=no cache-administrator=webmaster cache-drive=system \
    cache-hit-dscp=4 cache-on-disk=no enabled=yes max-cache-size=none \
    max-client-connections=600 max-fresh-time=3d max-server-connections=600 \
    parent-proxy=0.0.0.0 parent-proxy-port=0 port=8080 serialize-connections=\
    no src-address=0.0.0.0
/ip proxy access
add action=allow comment="allow microsoft" disabled=no dst-host=\
    *microsoft.com
add action=allow comment="" disabled=no dst-host=*windowsupdate.com
add action=allow comment="" disabled=no dst-host=*microsoftupdate.com
add action=deny comment="Deny everything else" disabled=no dst-host=""
/ip route
add comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    67.36.101.5 scope=30 target-scope=10
/ip service
set telnet address=0.0.0.0/0 disabled=yes port=23
set ftp address=0.0.0.0/0 disabled=yes port=21
set www address=0.0.0.0/0 disabled=yes port=80
set ssh address=0.0.0.0/0 disabled=no port=22
set www-ssl address=0.0.0.0/0 certificate=none disabled=yes port=443
set api address=0.0.0.0/0 disabled=yes port=8728
set winbox address=0.0.0.0/0 disabled=no port=8291
/ip socks
set connection-idle-timeout=2m enabled=no max-connections=200 port=1080
/ip traffic-flow
set active-flow-timeout=30m cache-entries=4k enabled=no \
    inactive-flow-timeout=15s interfaces=all
/ip upnp
set allow-disable-external-interface=yes enabled=no show-dummy-rule=yes
/queue interface
set public queue=ethernet-default
set ether2 queue=ethernet-default
set ether3 queue=ethernet-default
set bridge1 queue=default
set wlan1 queue=wireless-default
/radius incoming
set accept=no port=3799
/system clock manual
set dst-delta=+00:00 dst-end="jan/01/1970 00:00:00" dst-start=\
    "jan/01/1970 00:00:00" time-zone=+00:00
/system console
add disabled=no port=serial0 term=vt102
/system health
set fan-mode=auto use-fan=main
/system identity
set name=Tee-Group
/system logging
add action=memory disabled=no prefix="" topics=info
add action=memory disabled=no prefix="" topics=error
add action=memory disabled=no prefix="" topics=warning
add action=echo disabled=no prefix="" topics=critical
/system note
set note="" show-at-login=yes
/system ntp client
set enabled=yes mode=unicast primary-ntp=192.43.244.18 secondary-ntp=0.0.0.0
/system upgrade mirror
set check-interval=1d enabled=no primary-server=0.0.0.0 secondary-server=\
    0.0.0.0 user=""
/system watchdog
set auto-send-supout=no automatic-supout=yes no-ping-delay=5m watch-address=\
    none watchdog-timer=yes
/tool bandwidth-server
set allocate-udp-ports-from=2000 authenticate=yes enabled=yes max-sessions=10
/tool e-mail
set from=<> server=0.0.0.0
/tool graphing
set store-every=5min
/tool mac-server
add disabled=no interface=all
/tool mac-server ping
set enabled=yes
/tool sniffer
set file-limit=10 file-name="" filter-address1=0.0.0.0/0:0-65535 \
    filter-address2=0.0.0.0/0:0-65535 filter-protocol=ip-only filter-stream=\
    yes interface=all memory-limit=10 only-headers=no streaming-enabled=no \
    streaming-server=0.0.0.0
/user aaa
set accounting=yes default-group=read interim-update=0s use-radius=no

by: meverest, posted on 2009-11-12 at 13:49:31, ID: 25809346

Hi,

change this:

add action=dst-nat chain=dstnat comment="HTTP Redirect" disabled=no \
    dst-address=<public IP> dst-port=80 in-interface=public protocol=tcp \
    to-addresses=192.168.1.254 to-ports=80
add action=dst-nat chain=dstnat comment="HTTPS Redirect" disabled=no \
    dst-address=<public IP> dst-port=443 in-interface=public protocol=tcp \
    to-addresses=192.168.1.254 to-ports=443

to this:

add action=dst-nat chain=dstnat comment="HTTP Redirect" disabled=no \
    dst-address=<public IP> dst-port=80 protocol=tcp \
    to-addresses=192.168.1.254 to-ports=80
add action=dst-nat chain=dstnat comment="HTTPS Redirect" disabled=no \
    dst-address=<public IP> dst-port=443 protocol=tcp \
    to-addresses=192.168.1.254 to-ports=443

(i.e. remove the 'in-interface' specification from both NAT rules) - you can do it using winbox - just double click the relevant rule in IP->Firewall->NAT and remove the 'in-interface' specification.

That should do it for you.

Cheers.



 

by: meverest, posted on 2009-11-17 at 21:15:27, ID: 25846743

Hi!

I was dealing with a client just now, and this scenario came up in general discussion.  I realised another issue that may affect how this works for you!  The problem is that when the destination is translated at the router, the SOURCE address is not - therefore, when the request gets to the web server, the source address is an internal LAN IP, and so the return packets go back direct to the client.

You may recognise the problem with this:  The client has sent a request to an internet IP address, but the reply comes from a local address!  So the client does not recognise it as a response and ignores the data.

The way to work around this issue is to also translate the SOURCE address of the web requests.

Do this using a src-nat rule like this:

Log on to winbox and click 'new terminal'.
Enter a command like this:
   ip firewall nat add action=src-nat chain=srcnat comment="" disabled=no dst-address=192.168.1.254 src-address=192.168.1.0/24 to-addresses=192.168.1.253

Cheers,  Mike.
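The two posts above describe three states of the router: the original dst-nat rules with in-interface=public (a wifi client's request never matches, so it is never forwarded), the rules with in-interface removed (forwarded, but the server's reply comes straight back from 192.168.1.254 and the client discards it), and the added src-nat rule (the reply is forced back through the router, which untranslates both addresses). The following Python model is an added example, not code from this thread or from MikroTik; it reproduces that reasoning with a toy dstnat/srcnat/conntrack so the three outcomes can be checked side by side. The public IP (203.0.113.10), the client addresses and the source ports are constructed placeholders; 192.168.1.254 and 192.168.1.253 are the addresses used in the thread.

```python
"""Model of the hairpin-NAT problem discussed in the thread (constructed example)."""
from dataclasses import dataclass, replace

PUBLIC_IP = "203.0.113.10"      # stands in for <public IP> (constructed)
SERVER = "192.168.1.254"        # Exchange/OWA host from the export
ROUTER_LAN = "192.168.1.253"    # to-addresses of the src-nat rule in the thread
LAN_PREFIX = "192.168.1."


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

    def reply(self) -> "Packet":
        """The answer a host sends back: addresses and ports swapped."""
        return Packet(self.dst, self.dport, self.src, self.sport)


class Router:
    """Minimal dstnat / srcnat / connection-tracking model of the rules in the thread."""

    def __init__(self, dstnat_in_interface, hairpin_srcnat):
        # "public" reproduces the original dst-nat rules; None reproduces the
        # first fix (in-interface removed from the HTTP/HTTPS dst-nat rules).
        self.dstnat_in_interface = dstnat_in_interface
        # True adds the src-nat rule from the second post (LAN -> server
        # rewritten to come from the router's own LAN address).
        self.hairpin_srcnat = hairpin_srcnat
        self.conntrack = {}   # expected reply of the translated flow -> original request

    def forward(self, pkt, in_interface):
        """Apply NAT to a new connection. None means no dst-nat rule matched,
        so the router keeps a packet addressed to its public IP for itself
        (its own www service is disabled in the export) and OWA is never reached."""
        if pkt.dst == PUBLIC_IP and pkt.dport in (80, 443):
            if self.dstnat_in_interface not in (None, in_interface):
                return None
            pkt_out = replace(pkt, dst=SERVER)
        else:
            pkt_out = pkt
        if self.hairpin_srcnat and pkt_out.src.startswith(LAN_PREFIX) and pkt_out.dst == SERVER:
            pkt_out = replace(pkt_out, src=ROUTER_LAN)
        # Real conntrack also re-maps the source port on collision; omitted here.
        self.conntrack[pkt_out.reply()] = pkt
        return pkt_out

    def untranslate(self, reply):
        """Reverse NAT on a reply that reaches the router; None for an unknown flow."""
        original = self.conntrack.get(reply)
        return original.reply() if original else None


def exchange(router, request, in_interface):
    """Run one request/reply through the router and report what the client sees."""
    sent = router.forward(request, in_interface)
    if sent is None:
        return "not-forwarded"
    reply = sent.reply()
    # The server shares bridge1 with the wifi clients and the bridge is plain L2
    # here, so a reply addressed to another LAN host never passes the router;
    # only replies addressed to the router itself or to the internet do.
    if reply.dst.startswith(LAN_PREFIX) and reply.dst != ROUTER_LAN:
        delivered = reply
    else:
        delivered = router.untranslate(reply)
    if delivered is None:
        return "dropped"
    # A TCP client only accepts a reply from the address:port it connected to.
    if (delivered.src, delivered.sport) == (request.dst, request.dport):
        return "ok"
    return f"reset: reply from {delivered.src}, client expected {request.dst}"


def lan_client_result(dstnat_in_interface, hairpin_srcnat):
    """A wifi client on bridge1 opening http://<companydomain>.com/exchange."""
    router = Router(dstnat_in_interface, hairpin_srcnat)
    request = Packet("192.168.1.120", 51234, PUBLIC_IP, 80)   # constructed client
    return exchange(router, request, "bridge1")


def internet_client_result(dstnat_in_interface, hairpin_srcnat):
    """An outside client; this must keep working under every variant."""
    router = Router(dstnat_in_interface, hairpin_srcnat)
    request = Packet("198.51.100.7", 40000, PUBLIC_IP, 80)    # constructed client
    return exchange(router, request, "public")


if __name__ == "__main__":
    for label, args in [("original rules", ("public", False)),
                        ("in-interface removed", (None, False)),
                        ("plus src-nat", (None, True))]:
        print(f"{label:22} LAN: {lan_client_result(*args):55} internet: {internet_client_result(*args)}")
```

Two practical notes on the src-nat rule as posted: it matches every connection from 192.168.1.0/24 to 192.168.1.254 that passes the IP firewall, not only the hairpinned web requests, so once LAN traffic to the server does go through the firewall (for instance with "use IP firewall" enabled on the bridge, as the asker later did) the server's IIS/OWA and event logs will record 192.168.1.253 for all LAN clients; adding protocol=tcp dst-port=80,443 to that rule limits the loss of client attribution to the web traffic. Enabling the IP firewall on the bridge is itself the other way round the problem: the server's reply then passes the router's connection tracking even though both hosts sit on the same bridge, so it can be untranslated without rewriting the source.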


 

by: cpoint-service, posted on 2009-12-01 at 09:21:35, ID: 31649566

Meverest,

Great work, sorry it took me so long to reply.  Multiple suggestions you made seem to have resolved the issue.

First, use IP Firewall on the bridge; once this was on, removing the interface restrictions from the filter rules seems to have done the trick.  The srcnat rule you posted at the end, however, seems to have done exactly what I was looking for to begin with in a test environment. As such I approved all 3 answers for people following this thread in the future.
