<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
it's correct ... let's reason it through:<br>
<ol>
<li>request src 192.168.0.20 dst 192.168.0.25 tcp port 81
---> rule 6 ok, it passes, and rule 1 destination-NAT
sends it to 192.168.88.20:80; the NAT table keeps track
of this connection<br>
</li>
<li>the web server replies, using for the reply a dynamic
port > 1023, let's say 2000, so the packet will be src
192.168.88.20:80 dst 192.168.0.20:2000</li>
<li>rule 0 masquerade-NAT changes the src address:
192.168.0.25:80 dst 192.168.0.20:2000</li>
<li>in the NAT table it finds no request for port 80,
since it was made on port 81, so you have to change port 80
to 81 for it to work (bidirectional NAT); that requires a rule
on chain=srcnat</li>
</ol>
<p><font size="1">chain=srcnat action=src-nat to-addresses=192.168.0.25
to-ports=81 protocol=tcp in-interface=ether2-master-local src-port=80<br>
</font></p>
<p><font size="1">You'll see it works ... it would certainly have been
simpler to free up port 80 by moving the internal web server to
another port ....<br>
<br>
</font></p>
<div class="moz-cite-prefix">On 04/06/2014 9.49, Luca Postregna
wrote:<br>
</div>
<blockquote
cite="mid:CALiUb3e3c2yijKs50DvukRi4V_pQMv9W3ROTZ2WD-0vOxRu5GA@mail.gmail.com"
type="cite">
<div dir="ltr">I've made some small progress, but it still
doesn't work. This is the situation on the mikrotik:
<div><br>
</div>
<blockquote style="margin:0 0 0 40px;border:none;padding:0px">
<div>
<div><font size="1">[admin@mikrotik] > ip address print</font></div>
</div>
<div>
<div><font size="1">Flags: X - disabled, I - invalid, D -
dynamic </font></div>
</div>
<div>
<div><font size="1"> # ADDRESS NETWORK
INTERFACE
</font></div>
</div>
<div>
<div><font size="1"> 0 ;;; default configuration</font></div>
</div>
<div>
<div><font size="1"> <a moz-do-not-send="true"
href="http://192.168.88.1/24">192.168.88.1/24</a>
192.168.88.0 ether2-master-local
</font></div>
</div>
<div>
<div><font size="1"> 1 D <a moz-do-not-send="true"
href="http://192.168.0.25/24">192.168.0.25/24</a>
192.168.0.0 ether1-gateway
</font></div>
</div>
<div>
<div><font size="1">[admin@mikrotik] > ip firewall filter
print</font></div>
</div>
<div>
<div><font size="1">Flags: X - disabled, I - invalid, D -
dynamic </font></div>
</div>
<div>
<div><font size="1"> 0 ;;; default configuration</font></div>
</div>
<div>
<div><font size="1"> chain=input action=accept
protocol=icmp </font></div>
</div>
<div>
<div><font size="1"><br>
</font></div>
</div>
<div>
<div><font size="1"> 1 ;;; default configuration</font></div>
</div>
<div>
<div><font size="1"> chain=input action=accept
connection-state=established </font></div>
</div>
<div>
<div><font size="1"><br>
</font></div>
</div>
<div>
<div><font size="1"> 2 ;;; default configuration</font></div>
</div>
<div>
<div><font size="1"> chain=input action=accept
connection-state=related </font></div>
</div>
<div>
<div><font size="1"><br>
</font></div>
</div>
<div>
<div><font size="1"> 3 ;;; default configuration</font></div>
</div>
<div>
<div><font size="1"> chain=forward action=accept
connection-state=established </font></div>
</div>
<div>
<div><font size="1"><br>
</font></div>
</div>
<div>
<div><font size="1"> 4 ;;; default configuration</font></div>
</div>
<div>
<div><font size="1"> chain=forward action=accept
connection-state=related </font></div>
</div>
<div>
<div><font size="1"><br>
</font></div>
</div>
<div>
<div><font size="1"> 5 chain=forward action=accept
connection-state=new </font></div>
</div>
<div>
<div><font size="1"><br>
</font></div>
</div>
<div>
<div><font size="1"> 6 chain=input action=accept
protocol=tcp dst-port=81 </font></div>
</div>
<div>
<div><font size="1">[admin@mikrotik] > ip firewall nat
print </font></div>
</div>
<div>
<div><font size="1">Flags: X - disabled, I - invalid, D -
dynamic </font></div>
</div>
<div>
<div><font size="1"> 0 ;;; default configuration</font></div>
</div>
<div>
<div><font size="1"> chain=srcnat action=masquerade
to-addresses=0.0.0.0 out-interface=ether1-gateway </font></div>
</div>
<div>
<div><font size="1"><br>
</font></div>
</div>
<div>
<div><font size="1"> 1 chain=dstnat action=dst-nat
to-addresses=192.168.88.20 to-ports=80 protocol=tcp
in-interface=ether1-gateway dst-port=81 </font></div>
</div>
</blockquote>
<div><br>
</div>
<div>and this instead is the result of an nmap from the
mikrotik's WAN subnet:</div>
<div><br>
</div>
<div>
<div>> nmap -sT 192.168.0.25 </div>
<div><br>
</div>
</div>
<blockquote style="margin:0 0 0 40px;border:none;padding:0px">
<div>
<div><font size="1">Starting Nmap 6.00 ( <a
moz-do-not-send="true" href="http://nmap.org">http://nmap.org</a>
) at 2014-06-04 09:44 CEST</font></div>
</div>
<div>
<div><font size="1">Nmap scan report for MikroTik
(192.168.0.25)</font></div>
</div>
<div>
<div><font size="1">Host is up (0.012s latency).</font></div>
</div>
<div>
<div><font size="1">Not shown: 995 closed ports</font></div>
</div>
<div>
<div><font size="1">PORT STATE SERVICE</font></div>
</div>
<div>
<div>
<font size="1">22/tcp open ssh</font></div>
</div>
<div>
<div><font size="1">53/tcp open domain</font></div>
</div>
<div>
<div><font size="1">80/tcp open http</font></div>
</div>
<div>
<div><font size="1">81/tcp filtered hosts2-ns</font></div>
</div>
<div>
<div><font size="1">2000/tcp open cisco-sccp</font></div>
</div>
<div>
<div><font size="1">MAC Address: D4:CA:6D:E2:95:B9
(Routerboard.com)</font></div>
</div>
</blockquote>
<div>
<div><br>
</div>
<div>Nmap done: 1 IP address (1 host up) scanned in 7.81
seconds</div>
</div>
<div><br>
</div>
<div>I don't understand that filtered, which maybe should be open. </div>
<div><br>
</div>
<div>if it gets on my nerves I'll put openwrt on the mikrotik...</div>
<div><br>
</div>
</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">2014-06-03 16:36 GMT+02:00 Filippo
Madaro <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:filippo.madaro@gmail.com" target="_blank">filippo.madaro@gmail.com</a>></span>:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
add a rule that accepts new connections in forward too,
something like:<br>
<br>
chain=forward action=accept connection-state=new<br>
<br>
that way it should work ... it's the same mechanism as iptables,
only<br>
the default action, if not specified, is drop ...<br>
<br>
<br>
On 03/06/14, Luca Postregna<<a moz-do-not-send="true"
href="mailto:luca.postregna@gmail.com">luca.postregna@gmail.com</a>>
wrote:<br>
<div class="HOEnZb">
<div class="h5">> I removed the drop rules, but
still no result:<br>
><br>
> [admin@MikroTik] > ip firewall filter print<br>
><br>
> Flags: X - disabled, I - invalid, D - dynamic<br>
><br>
> 0 ;;; default configuration<br>
><br>
> chain=input action=accept protocol=icmp<br>
><br>
><br>
> 1 ;;; default configuration<br>
><br>
> chain=input action=accept
connection-state=established<br>
><br>
><br>
> 2 ;;; default configuration<br>
><br>
> chain=input action=accept
connection-state=related<br>
><br>
><br>
> 3 ;;; default configuration<br>
><br>
> chain=forward action=accept
connection-state=established<br>
><br>
><br>
> 4 ;;; default configuration<br>
><br>
> chain=forward action=accept
connection-state=related<br>
><br>
><br>
> 5 chain=input action=accept protocol=tcp
in-interface=ether1-gateway<br>
><br>
> [admin@MikroTik] > ip firewall nat print<br>
><br>
> Flags: X - disabled, I - invalid, D - dynamic<br>
><br>
> 0 X ;;; default configuration<br>
><br>
> chain=srcnat action=masquerade
out-interface=ether1-gateway<br>
><br>
><br>
> 1 chain=dstnat action=dst-nat
to-addresses=192.168.88.20 to-ports=2080<br>
> protocol=tcp in-interface=ether1-gateway
dst-port=2080<br>
><br>
> [admin@MikroTik] > ip address print<br>
><br>
> Flags: X - disabled, I - invalid, D - dynamic<br>
><br>
> # ADDRESS NETWORK INTERFACE<br>
><br>
><br>
><br>
> 0 ;;; default configuration<br>
><br>
> <a moz-do-not-send="true"
href="http://192.168.88.1/24" target="_blank">192.168.88.1/24</a>
192.168.88.0 ether2-master-local<br>
><br>
><br>
><br>
> 1 D <a moz-do-not-send="true"
href="http://192.168.0.25/24" target="_blank">192.168.0.25/24</a>
192.168.0.0 ether1-gateway<br>
><br>
> where am I going wrong?<br>
><br>
><br>
> 2014-06-02 19:05 GMT+02:00 Filippo Madaro <<a
moz-do-not-send="true"
href="mailto:filippo.madaro@gmail.com">filippo.madaro@gmail.com</a>>:<br>
><br>
>> Rule 3 cuts everything that tries to
come in from the wan, and so<br>
>> rule 7 is not taken into consideration
... chain=input<br>
>> action=drop in-interface=ether1-gateway<br>
>><br>
>><br>
>> On 02/06/14, Luca Postregna<<a
moz-do-not-send="true"
href="mailto:luca.postregna@gmail.com">luca.postregna@gmail.com</a>>
wrote:<br>
>> > Hello all,<br>
>> > I recently started playing with a
mikrotik rb750gl, updated to<br>
>> > firmware 6.13.<br>
>> > The device is configured in router
mode, and I'm having trouble<br>
>> > configuring<br>
>> > port forwarding.<br>
>> > The WAN port is assigned the address <a
moz-do-not-send="true" href="http://192.168.0.25/24"
target="_blank">192.168.0.25/24</a>, while on the<br>
>> > LAN<br>
>> > side I hand out the default subnet <a
moz-do-not-send="true" href="http://192.168.88.0/24"
target="_blank">192.168.88.0/24</a>.<br>
>> > On a local device on the LAN side a web server is listening
at<br>
>> > <a moz-do-not-send="true"
href="http://192.168.88.20:2080" target="_blank">192.168.88.20:2080</a>,<br>
>> > which I'd like to reach directly
from the WAN ip at<br>
>> > <a moz-do-not-send="true"
href="http://192.168.0.25:2080" target="_blank">192.168.0.25:2080</a>.<br>
>> > This is my current configuration:<br>
>> ><br>
>> > [admin@MikroTik] > ip firewall filter
print<br>
>> > Flags: X - disabled, I - invalid, D -
dynamic<br>
>> > 0 ;;; default configuration<br>
>> > chain=input action=accept
protocol=icmp<br>
>> ><br>
>> > 1 ;;; default configuration<br>
>> > chain=input action=accept
connection-state=established<br>
>> ><br>
>> > 2 ;;; default configuration<br>
>> > chain=input action=accept
connection-state=related<br>
>> ><br>
>> > 3 ;;; default configuration<br>
>> > chain=input action=drop
in-interface=ether1-gateway<br>
>> ><br>
>> > 4 ;;; default configuration<br>
>> > chain=forward action=accept
connection-state=established<br>
>> ><br>
>> > 5 ;;; default configuration<br>
>> > chain=forward action=accept
connection-state=related<br>
>> ><br>
>> > 6 ;;; default configuration<br>
>> > chain=forward action=drop
connection-state=invalid<br>
>> ><br>
>> > 7 chain=input action=accept
protocol=tcp in-interface=ether1-gateway<br>
>> > [admin@MikroTik] > ip firewall nat
print<br>
>> > Flags: X - disabled, I - invalid, D -
dynamic<br>
>> > 0 ;;; default configuration<br>
>> > chain=srcnat action=masquerade
out-interface=ether1-gateway<br>
>> ><br>
>> > 1 chain=dstnat action=dst-nat
to-addresses=192.168.88.20<br>
>> > to-ports=2080<br>
>> > protocol=tcp in-interface=ether1-gateway
dst-port=2080<br>
>> > [admin@MikroTik] > ip address print<br>
>> > Flags: X - disabled, I - invalid, D -
dynamic<br>
>> > # ADDRESS NETWORK
INTERFACE<br>
>> ><br>
>> ><br>
>> > 0 ;;; default configuration<br>
>> > <a moz-do-not-send="true"
href="http://192.168.88.1/24" target="_blank">192.168.88.1/24</a>
192.168.88.0 ether2-master-local<br>
>> ><br>
>> ><br>
>> > 1 D <a moz-do-not-send="true"
href="http://192.168.0.25/24" target="_blank">192.168.0.25/24</a>
192.168.0.0 ether1-gateway<br>
>> ><br>
>> ><br>
>> > With this configuration, if I type <a moz-do-not-send="true"
href="http://192.168.0.25:2080" target="_blank">192.168.0.25:2080</a>
in the browser the<br>
>> > port<br>
>> > forwarding doesn't work; this holds for tests
with the client in both<br>
>> > subnets <a moz-do-not-send="true"
href="http://192.168.0.0/24" target="_blank">192.168.0.0/24</a>
and <a moz-do-not-send="true"
href="http://192.168.88.0/24" target="_blank">192.168.88.0/24</a>.<br>
>> > I can't figure out where the problem is, whether a wrong
rule or<br>
>> > the<br>
>> > priority of the firewall rules.<br>
>> ><br>
>> > Can someone give me a hand?<br>
>> ><br>
>> > Regards,<br>
>> > Luca.<br>
>> ><br>
>> > --<br>
>> > <a moz-do-not-send="true"
href="http://luca.postregna.name" target="_blank">luca.postregna.name</a><br>
>> > <a moz-do-not-send="true"
href="http://twitter.com/lucapost" target="_blank">twitter.com/lucapost</a><br>
>> ><br>
>><br>
>><br>
>> --<br>
>> p.i. *Filippo Madaro*<br>
>> Mob. <a moz-do-not-send="true"
href="tel:3883448904" value="+393883448904">3883448904</a><br>
>><br>
><br>
><br>
><br>
> --<br>
> <a moz-do-not-send="true"
href="http://luca.postregna.name" target="_blank">luca.postregna.name</a><br>
> <a moz-do-not-send="true"
href="http://twitter.com/lucapost" target="_blank">twitter.com/lucapost</a><br>
><br>
<br>
<br>
--<br>
p.i. *Filippo Madaro*<br>
Mob. <a moz-do-not-send="true" href="tel:3883448904"
value="+393883448904">3883448904</a><br>
</div>
</div>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
<div><a moz-do-not-send="true"
href="http://luca.postregna.name/" target="_blank">luca.postregna.name</a></div>
<div><a moz-do-not-send="true"
href="http://twitter.com/lucapost" target="_blank">twitter.com/lucapost</a></div>
</div>
</blockquote>
<br>
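<p>Added example (not code from the thread or from MikroTik): a Python model of the packet path for the exact NAT and filter rules in Luca's 04/06/2014 listing, tracing whether a new TCP connection to 192.168.0.25:81 ends up in chain=input or chain=forward after dst-nat. The router addresses, interface names and rules are taken from the thread; the client packets are constructed.</p>

```python
# Model of the RouterOS packet path for the rules posted in this thread
# (added example, not RouterOS code): prerouting dstnat first, then the routing
# decision picks filter chain "input" (router itself) or "forward" (through it).
from dataclasses import dataclass, replace as dc_replace
ROUTER_ADDRS = {"192.168.0.25", "192.168.88.1"}  # from "ip address print"
@dataclass(frozen=True)
class Packet:
    dst: str
    dport: int
    in_iface: str
    proto: str = "tcp"
    state: str = "new"  # connection-state as conntrack would classify it

# Rules transcribed from the 04/06/2014 "ip firewall nat print" and
# "ip firewall filter print" output; list indices match the printed rule numbers.
NAT_RULES = [
    {"chain": "srcnat", "action": "masquerade", "out-interface": "ether1-gateway"},
    {"chain": "dstnat", "action": "dst-nat", "to-addresses": "192.168.88.20",
     "to-ports": 80, "protocol": "tcp", "in-interface": "ether1-gateway", "dst-port": 81},
]
FILTER_RULES = [
    {"chain": "input", "action": "accept", "protocol": "icmp"},
    {"chain": "input", "action": "accept", "connection-state": "established"},
    {"chain": "input", "action": "accept", "connection-state": "related"},
    {"chain": "forward", "action": "accept", "connection-state": "established"},
    {"chain": "forward", "action": "accept", "connection-state": "related"},
    {"chain": "forward", "action": "accept", "connection-state": "new"},
    {"chain": "input", "action": "accept", "protocol": "tcp", "dst-port": 81},
]

def matches(rule, pkt, chain):
    # every matcher present in the rule must agree with the packet
    fields = {"protocol": pkt.proto, "in-interface": pkt.in_iface,
              "dst-port": pkt.dport, "connection-state": pkt.state}
    return rule["chain"] == chain and all(rule[k] == v for k, v in fields.items() if k in rule)

def first_match(rules, pkt, chain):
    for idx, rule in enumerate(rules):
        if matches(rule, pkt, chain):
            return idx, rule["action"]
    return None, "no rule matched"

def trace(pkt):
    """Return (filter chain, matching rule number, action, destination after NAT)."""
    idx, action = first_match(NAT_RULES, pkt, "dstnat")
    if action == "dst-nat":  # rewrite happens in prerouting, before the routing decision
        pkt = dc_replace(pkt, dst=NAT_RULES[idx]["to-addresses"], dport=NAT_RULES[idx]["to-ports"])
    chain = "input" if pkt.dst in ROUTER_ADDRS else "forward"
    idx, action = first_match(FILTER_RULES, pkt, chain)
    return chain, idx, action, f"{pkt.dst}:{pkt.dport}"
```

<p>A request arriving on ether1-gateway is rewritten to 192.168.88.20:80 and judged in chain=forward (rule 5), while the same request from the LAN side does not satisfy the dstnat rule's in-interface matcher and stays in chain=input (rule 6), reaching the router itself rather than the web server, which is the hairpin case behind the failed test from 192.168.88.0/24.</p>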
</body>
</html>