How to reach RouterOS (web or Winbox) via my static IP address from an outside network - mikrotik

I have a mikrotik RB2011u with two WANs on different ISPs.
WAN1 - Dynamic (192.168.1.x/24) on ether1
WAN2 - Static (129.x.x.x/24) on ether2
Every other port and WLAN - Bridge (192.168.8.x/24)
NAT
I have two firewall NAT rules:
chain=srcnat out-interface=ether1 action=masquerade
chain=srcnat out-interface=ether2 action=masquerade
and routes via ether1 with distance=1 and ether2 with distance=2.
But for some reason, if I type my IP address 129.x.x.x from an outside network I keep getting "This page cannot be reached".
But I can reach it from any device on the bridge.
I'm trying to get the bridge to access the internet through ether1 (dynamic WAN ISP),
and access from an outside network should come in through ether2 (static WAN ISP).
Thank you in advance

You can teach your router to answer on a specified interface:
mark new incoming connections on the second interface
mark routing for the marked connections
make a new route for the specified routing mark
/ip firewall mangle add chain=input in-interface=Wlan2 connection-mark=no-mark action=mark-connection new-connection-mark=Wlan2Con passthrough=no
/ip firewall mangle add chain=output connection-mark=Wlan2Con action=mark-routing new-routing-mark=Wlan2Route passthrough=no
/ip route add dst-address=0.0.0.0/0 gateway=Wlan2 distance=1 routing-mark=Wlan2Route disabled=no
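The same three steps applied to the asker's layout (management replies leaving on the static WAN ether2 while the LAN keeps ether1 as its default), as an added example that is not part of the original answer. The ISP2 gateway 203.0.113.1 and the trusted management network 198.51.100.0/24 are assumed placeholders; the input-chain filter and service hardening are added here because exposing Winbox and WebFig to the whole internet is the part of this setup a practitioner should not leave open.

```routeros
# Added example, not from the original post. Assumed values:
#   ether2  = static WAN, ISP2 gateway 203.0.113.1
#   198.51.100.0/24 = the only network allowed to manage the router

# 1. Connections that arrive on ether2 get a connection mark.
/ip firewall mangle
add chain=input in-interface=ether2 connection-mark=no-mark \
    action=mark-connection new-connection-mark=wan2-in passthrough=yes
# 2. Replies the router itself generates for those connections get a routing mark.
add chain=output connection-mark=wan2-in \
    action=mark-routing new-routing-mark=via-wan2 passthrough=no

# 3. A default route that is used only for packets carrying that routing mark.
/ip route
add dst-address=0.0.0.0/0 gateway=203.0.113.1 routing-mark=via-wan2 distance=1 \
    comment="replies to traffic that entered on ether2"

# 4. Only the trusted network may reach Winbox (8291) and WebFig over TLS (443) on ether2.
/ip firewall address-list
add list=mgmt-allowed address=198.51.100.0/24 comment="admin network"
/ip firewall filter
add chain=input in-interface=ether2 connection-state=established,related action=accept
add chain=input in-interface=ether2 protocol=tcp dst-port=8291,443 \
    src-address-list=mgmt-allowed action=accept comment="management from admin network"
add chain=input in-interface=ether2 action=drop comment="everything else from ISP2"

# 5. Plaintext WebFig off, HTTPS on, Winbox limited to the admin network.
/ip service
set www disabled=yes
set www-ssl disabled=no port=443
set winbox address=198.51.100.0/24
```

Put the three input rules above any existing catch-all drop in chain=input, otherwise they never match. `www-ssl` needs a certificate assigned (`/ip service set www-ssl certificate=...`) before it will serve anything. On RouterOS v7 the route is written with `routing-table=via-wan2` instead of `routing-mark=`, and the table has to exist first (`/routing table add name=via-wan2 fib`); the mangle rules are unchanged.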

Related

AWS EC2-Windows Server cannot access outside network

I set up an AWS VPC.
There are different subnets, such as a public subnet and a private subnet.
My target is to create a demo in which a Windows Server in the private subnet accesses the public internet through a third party's EC2 firewall in the AWS VPC.
I created an EC2 firewall with different interfaces in different subnets (with an allow-all policy and ping allowed on the interfaces).
I also created an EC2 Windows Server in the private subnet, but it cannot access the outside network.
The issue observed:
EC2-Windows can ping the local network (/24), including the firewall's interface
EC2-Windows cannot access (web browsing/ping) the outside network
EC2-Windows tracert 8.8.8.8: all responses are "* * * Request timed out" (the default gateway cannot be shown either)
Whether EC2-Windows's Ethernet is set to DHCP or to static with the firewall's interface IP as default gateway, the issue still occurs
Background information:
Network ACLs are the default setting (allow all)
Security groups allow all traffic in both directions
AWS subnet routing table has two records: Destination: VPC subnet, Target: firewall's interface; Destination: 0.0.0.0/0, Target: firewall's interface
The firewall's interface (same subnet) can ping and RDP to EC2-Windows
The firewall has no traffic record with source EC2-Windows and destination the outside network
EC2-Windows's internal firewall is turned off
Is there any setting I am missing? What should I check to find the root cause, related to AWS or Windows settings?
More information after Wireshark on Windows and a packet capture on the firewall:
EC2-Windows sent the "ping 8.8.8.8" and "ping firewall's interface IP" to the firewall's interface MAC address (shown in Wireshark)
The firewall's interface packet capture shows only "ping firewall's interface IP"
Does this mean that the AWS VPC drops my outside traffic? How can I fix it?
I found the answer. The root cause is the "source/destination checks" setting of the interface.
Since the firewall has to send and receive traffic whose source or destination is not itself when EC2-Windows accesses the outside network, the AWS "source/destination check" drops those packets.
After disabling source/destination checks, the issue is solved.

forward vpn network to another interface

I have an RB750 with the following setup:
- Interface 1 = WAN static IP
- Interface 2 = Static IP from a LAN network (LAN provided by another FW)
- MK as an IPsec/L2TP server, working well, providing clients the subnet x.x.x.x
I would like to redirect all traffic from VPN clients to the LAN network provided on Interface 2.
I mean: the user sets up the VPN on his computer with success; when connected they need to access the server z.z.z.z located inside the network provided on Interface 2.
Any ideas how to configure it?
You provide not much information, but if I'm not wrong
you can try NAT, for example:
/ip firewall nat add chain=srcnat action=masquerade out-interface="your Interface 2" src-address="your l2tp subnet x.x.x.x"
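A fuller version of that answer, as an added example that is not part of the original post: the L2TP/IPsec server, the masquerade rule from the answer, and a forward filter that lets VPN clients reach only the one server rather than the whole LAN behind Interface 2. Assumed values: the VPN pool is 10.99.0.0/24, Interface 2 is named ether2 and sits directly on the LAN subnet, the server is 192.0.2.50 and the clients need only TCP 443 on it; the pre-shared key is a placeholder.

```routeros
# Added example, not from the original post. Assumed values:
#   10.99.0.0/24 = L2TP client pool, ether2 = "Interface 2" on the other firewall's LAN
#   192.0.2.50   = the server z.z.z.z the clients must reach, on that LAN subnet

/ip pool
add name=l2tp-pool ranges=10.99.0.2-10.99.0.254
/ppp profile
add name=l2tp-profile local-address=10.99.0.1 remote-address=l2tp-pool \
    use-encryption=required
/interface l2tp-server server
set enabled=yes default-profile=l2tp-profile use-ipsec=required \
    ipsec-secret="replace-with-a-long-random-psk"

# Traffic from the VPN pool leaves ether2 with the router's ether2 address,
# so the other firewall needs no return route for 10.99.0.0/24.
/ip firewall nat
add chain=srcnat src-address=10.99.0.0/24 out-interface=ether2 action=masquerade

# Least privilege: VPN clients get the one service and nothing else.
/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward src-address=10.99.0.0/24 dst-address=192.0.2.50 \
    protocol=tcp dst-port=443 connection-state=new action=accept \
    comment="VPN clients to the application server"
add chain=forward src-address=10.99.0.0/24 action=drop \
    comment="no other destination for VPN clients"
```

If the server is not on ether2's own subnet but behind a further router, add a static route for it via that router and the masquerade rule still applies, because the packets still leave on ether2. Per-user credentials go in `/ppp secret`; a shared PSK alone only authenticates the tunnel, not the person.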

can the user login mikrotik hotspot inside another mikrotik?

I have a MikroTik.
Not far from home there are people who have a hotspot network via MikroTik.
I want to log in from my MikroTik, because I share it with some people.
topology like this:
Mikrotik[with Hotspot system] --> My Mikrotik [Log in And Share] --> My PC
First Mikrotik : RB1200 (belongs to someone else)
Last Mikrotik : RB951Ui (my own)
If your MikroTik has an internet connection, you can use the Cloud feature on your MikroTik.
IP -> Cloud, then tick DDNS Enabled.
*) For some reference:
https://wiki.mikrotik.com/wiki/Manual:IP/Cloud
Did you mean to share the hotspot connection with your own MikroTik?
So the topology will be like this:
Mikrotik Outside [With Hotspot] --[By Cable or Wifi]-- eth1 Your Own Mikrotik
The main parameters are just like this.
Make your own MikroTik's DNS point to the outside MikroTik's IP address.
/ip dns set allow-remote-requests=yes servers=1.2.3.4
IP 1.2.3.4 is the outside MikroTik's IP.
And make sure your own MikroTik's gateway is set to the same address too.
/ip route add gateway=1.2.3.4
Don't forget to add some NAT:
/ip firewall nat add chain=srcnat out-interface=eth1 action=masquerade
Hope it helps!

Yosemite, double interface (eth/wifi) access a site through a specific interface

I have a MacBook connected with both ethernet and wifi.
A site (let's call it facebook) is blocked on one of the interfaces (ethernet)
but is open on the other (wifi). On the other hand, eth is better (faster and more reliable than the wifi), so I use eth as the priority interface (on top of network preferences), but this way there is no access to the blocked site.
I would like to know if there is a way to tell the operating system or browser or other
software components that it must use the wifi connection if and only if a connection on :80 over eth fails. This would be perfect... or any other means to solve the problem.
Is it a matter of configuring a proper proxy?
Thanks in advance.
You could modify the routing table to pass traffic to a given host or network through the chosen gateway.
List your routing table:
$ netstat -rn
Routing tables
Internet:
Destination Gateway Flags Refs Use Netif Expire
default 10.0.0.1 UGSc 15 0 en0
default 192.168.0.1 UGScI 1 0 en1
[...]
In this case en1 is wifi. So to use the wifi connection for a host x.x.x.x, route traffic to this host through the 192.168.0.1 gateway:
sudo route add -host x.x.x.x 192.168.0.1
Or better, add a route for the entire network used by the given service:
sudo route add -net x.x 192.168.0.1
The downside is that it may be difficult to determine the complete list of IPs and networks used by the service.
See man route.

Restrict traffic to port forwarded host Mikrotik

Here's the scenario. I'm currently running a Mikrotik RB433AH as my router here at my office. I have several firewall rules set up and all is good. I am also configured for NAT. I'm at a point now where I need to retrieve data from a host located on the inside network, "192.168.0.10", protocol TCP and port 502. I will be accessing this internal host from a server located at a remote location with a static IP address. I need to allow this IP, and everything else will need to be denied.
I added my dst-nat rule and once again all is fine there. However, since adding the dst-nat rule I can access this internal host from anywhere outside, where I need to have this internal host accessible only from my equipment located at a datacenter.
From what I've read so far I do believe that NAT rules are processed first and then the firewall filter rules. So this explains why I'm able to access this device from the outside. How do I filter the outside world from accessing this device?
Do I need to add another rule, perhaps on the filter rules for chain=forward? I've read a lot of documentation thus far and now things are quite hazy, so any help would be awesome at this point.
Thanks in advance!
T
Yes, you need to make a firewall rule that accepts traffic from a specific address to your host and drops everything else... That can be done in a single rule, using the ! option.
/ip firewall filter
add chain=forward src-address=!EXTERNALSERVERIP dst-address=192.168.0.10 action=drop
After that change, only your external server can access your local host.
You need to put this rule on top:
/ip firewall filter add chain=forward src-address=yourexternalipaddress dst-address=192.168.0.10 action=accept
Below that rule you need to add this block:
/ip firewall filter add chain=forward dst-address=192.168.0.10 action=drop
The explanation:
When a connection goes through the firewall filter rules, it is checked against the first rule; if it matches, that rule is executed; if not, it is passed to the next rule.
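The two answers combined into one complete configuration, as an added example that is not part of either answer. Assumed values: the WAN is ether1 with public address 203.0.113.10, the datacenter server is 198.51.100.20, and the internal host is the Modbus/TCP device 192.168.0.10:502 from the question. Two details matter for correctness: dst-nat runs in prerouting, so by the time a packet reaches chain=forward its destination is already 192.168.0.10 and the filter must match on that, not on the public address; and a rule order in which a broad accept sits above the drop silently defeats the restriction.

```routeros
# Added example, not from the original post. Assumed values:
#   ether1 = WAN, public address 203.0.113.10
#   198.51.100.20 = the datacenter server that may poll 192.168.0.10:502

/ip firewall address-list
add list=modbus-clients address=198.51.100.20 comment="datacenter collector"

# Translate only for the allowed source; other sources are never forwarded inside.
/ip firewall nat
add chain=dstnat in-interface=ether1 dst-address=203.0.113.10 protocol=tcp dst-port=502 \
    src-address-list=modbus-clients action=dst-nat to-addresses=192.168.0.10 to-ports=502

# chain=forward sees the translated destination, so match on 192.168.0.10.
/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=ether1 dst-address=192.168.0.10 protocol=tcp dst-port=502 \
    src-address-list=modbus-clients connection-state=new action=accept \
    comment="Modbus from datacenter only"
add chain=forward in-interface=ether1 dst-address=192.168.0.10 action=drop \
    comment="no other internet access to the Modbus host"

# Confirm the two host rules sit above any existing broad accept in the chain.
/ip firewall filter print where chain=forward
```

Modbus/TCP has no authentication of its own, so the source restriction is the only access control on that port; if the collector's address ever changes, update the address list rather than loosening the rules, and if the datacenter can terminate a VPN, carrying port 502 inside it instead of exposing it on the WAN is the stronger design.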
