<div dir="ltr">it still doesn't work; this is the situation on the mikrotik:<div><br></div><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><div><div>[admin@mikrotik] > ip address print</div></div><div><div>
Flags: X - disabled, I - invalid, D - dynamic </div>
</div><div><div> # ADDRESS NETWORK INTERFACE </div></div><div>
<div> 0 ;;; default configuration</div></div><div><div> <a href="http://192.168.88.1/24" target="_blank">192.168.88.1/24</a> 192.168.88.0 ether2-master-local </div>
</div><div><div> 1 D <a href="http://192.168.0.25/24" target="_blank">192.168.0.25/24</a> 192.168.0.0 ether1-gateway </div>
</div><div><div>[admin@mikrotik] > ip firewall nat print</div></div><div><div>Flags: X - disabled, I - invalid, D - dynamic </div></div><div><div> 0 ;;; default configuration</div></div><div><div> chain=srcnat action=masquerade to-addresses=0.0.0.0 out-interface=ether1-gateway </div>
</div><div><div><br></div></div><div><div> 1 chain=dstnat action=dst-nat to-addresses=192.168.88.20 to-ports=81 protocol=tcp in-interface=ether1-gateway dst-port=81 </div></div><div><div>[admin@mikrotik] > ip firewall filter print </div>
</div><div><div>Flags: X - disabled, I - invalid, D - dynamic </div></div><div><div> 0 ;;; default configuration</div></div><div><div> chain=input action=accept protocol=icmp </div></div><div><div><br></div></div><div>
<div> 1 ;;; default configuration</div></div><div><div> chain=input action=accept connection-state=established </div></div><div><div><br></div></div><div><div> 2 ;;; default configuration</div></div><div><div> chain=input action=accept connection-state=related </div>
</div><div><div><br></div></div><div><div> 3 ;;; default configuration</div></div><div><div> chain=forward action=accept connection-state=established </div></div><div><div><br></div></div><div><div> 4 ;;; default configuration</div>
</div><div><div> chain=forward action=accept connection-state=related </div></div><div><div><br></div></div><div><div> 5 chain=forward action=accept connection-state=new </div></div><div><div><br></div></div><div><div>
6 chain=input action=accept protocol=tcp dst-port=81 </div></div></blockquote><div><br></div><div>this is the nmap from <a href="http://192.168.0.0/24" target="_blank">192.168.0.0/24</a>:</div><div><br></div><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px">
<div><div>> nmap -sT 192.168.0.25 </div></div><div><div><br></div></div><div><div>Starting Nmap 6.00 ( <a href="http://nmap.org" target="_blank">http://nmap.org</a> ) at 2014-06-05 12:21 CEST</div></div><div>
<div>Nmap scan report for MikroTik (192.168.0.25)</div>
</div><div><div>Host is up (0.016s latency).</div></div><div><div>Not shown: 995 closed ports</div></div><div><div>PORT STATE SERVICE</div></div><div><div>22/tcp open ssh</div></div><div><div>53/tcp open domain</div>
</div><div><div>80/tcp open http</div></div><div><div>81/tcp filtered hosts2-ns</div></div><div><div>2000/tcp open cisco-sccp</div></div><div><div>MAC Address: D4:CA:6D:E2:95:B9 (Routerboard.com)</div></div><div>
<div><br></div></div><div><div>Nmap done: 1 IP address (1 host up) scanned in 1.31 seconds</div></div></blockquote><div><br></div><div>if from <a href="http://192.168.88.0/24" target="_blank">192.168.88.0/24</a> I run an nmap against the service's IP, I get:</div>
<div><br></div><blockquote style="margin:0 0 0 40px;border:none;padding:0px"><div><div>> nmap -sT 192.168.88.20 </div></div><div><div><br></div></div><div><div>Starting Nmap 6.00 ( <a href="http://nmap.org">http://nmap.org</a> ) at 2014-06-05 12:30 CEST</div>
</div><div><div>Nmap scan report for 192.168.88.20</div></div><div><div>Host is up (0.044s latency).</div></div><div><div>Not shown: 996 closed ports</div></div><div><div>PORT STATE SERVICE</div></div><div><div>23/tcp open telnet</div>
</div><div><div>81/tcp open hosts2-ns</div></div><div><div>2000/tcp open cisco-sccp</div></div><div><div>5000/tcp open upnp</div></div><div><div>MAC Address: 00:4A:20:A9:4B:2E (Unknown)</div></div><div><div><br></div>
</div><div><div>Nmap done: 1 IP address (1 host up) scanned in 0.60 seconds</div></div><div><br></div></blockquote>where am I going wrong?<br><div><br></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Wed, Jun 4, 2014 at 12:15 PM, Filippo Madaro <span dir="ltr"><<a href="mailto:filippo.madaro@gmail.com" target="_blank">filippo.madaro@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<h3 style="color:rgb(34,34,34);background-image:none;background-color:rgb(250,250,250);font-weight:bold;margin:1em 0px 0.3em;padding:0.2em 0.1em 0.3em 0px;border-bottom-style:none;font-size:16px;font-family:Verdana,Arial,'Trebuchet MS';font-style:normal;font-variant:normal;letter-spacing:normal;line-height:16.940000534057617px;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-repeat:initial initial">
<span>Destination
NAT</span></h3>
<p style="margin:0.4em 0px 0.5em;line-height:1.5em;color:rgb(0,0,0);font-family:Verdana,Arial,'Trebuchet MS';font-size:12px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(250,250,250)">
If you want to link the public IP address 10.5.8.200 to the local one,
192.168.0.109, you should use the destination address translation
feature of the MikroTik router. Also, if you want to allow the local
server to talk to the outside with the given public IP, you should use
source address translation, too.</p>
<p style="margin:0.4em 0px 0.5em;line-height:1.5em;color:rgb(0,0,0);font-family:Verdana,Arial,'Trebuchet MS';font-size:12px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(250,250,250)">
Add Public IP to Public
interface:</p>
<pre style="padding:10px;border:1px solid rgb(170,170,170);color:rgb(68,68,68);background-color:rgba(255,255,238,0.701961);line-height:1.2em;font-family:monospace,Courier,Arial;overflow-x:visible;margin:12px 0px 12px 20px;width:759.90625px;border-top-left-radius:5px;border-top-right-radius:5px;border-bottom-right-radius:5px;border-bottom-left-radius:5px;font-size:12px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;word-spacing:0px;background-repeat:initial initial">
/ip address add address=<a href="http://10.5.8.200/32" target="_blank">10.5.8.200/32</a> interface=Public
</pre>
<p style="margin:0.4em 0px 0.5em;line-height:1.5em;color:rgb(0,0,0);font-family:Verdana,Arial,'Trebuchet MS';font-size:12px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(250,250,250)">
Add rule allowing access to
the internal server from external networks:</p>
<pre style="padding:10px;border:1px solid rgb(170,170,170);color:rgb(68,68,68);background-color:rgba(255,255,238,0.701961);line-height:1.2em;font-family:monospace,Courier,Arial;overflow-x:visible;margin:12px 0px 12px 20px;width:759.90625px;border-top-left-radius:5px;border-top-right-radius:5px;border-bottom-right-radius:5px;border-bottom-left-radius:5px;font-size:12px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;word-spacing:0px;background-repeat:initial initial">
/ip firewall nat add chain=dstnat dst-address=10.5.8.200 action=dst-nat \
to-addresses=192.168.0.109
</pre>
<p style="margin:0.4em 0px 0.5em;line-height:1.5em;color:rgb(0,0,0);font-family:Verdana,Arial,'Trebuchet MS';font-size:12px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(250,250,250)">
Add rule allowing the
internal server to talk to the outer networks having its source
address translated to <a href="http://10.5.8.200" target="_blank">10.5.8.200</a>:</p>
<pre style="padding:10px;border:1px solid rgb(170,170,170);color:rgb(68,68,68);background-color:rgba(255,255,238,0.701961);line-height:1.2em;font-family:monospace,Courier,Arial;overflow-x:visible;margin:12px 0px 12px 20px;width:759.90625px;border-top-left-radius:5px;border-top-right-radius:5px;border-bottom-right-radius:5px;border-bottom-left-radius:5px;font-size:12px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;word-spacing:0px;background-repeat:initial initial">
/ip firewall nat add chain=srcnat src-address=192.168.0.109 action=src-nat \
to-addresses=10.5.8.200
</pre>
<h3 style="color:rgb(34,34,34);background-image:none;background-color:rgb(250,250,250);font-weight:bold;margin:1em 0px 0.3em;padding:0.2em 0.1em 0.3em 0px;border-bottom-style:none;font-size:16px;font-family:Verdana,Arial,'Trebuchet MS';font-style:normal;font-variant:normal;letter-spacing:normal;line-height:16.940000534057617px;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-repeat:initial initial">
<span>1:1 mapping</span></h3>
<p style="margin:0.4em 0px 0.5em;line-height:1.5em;color:rgb(0,0,0);font-family:Verdana,Arial,'Trebuchet MS';font-size:12px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(250,250,250)">
If you want to link the public IP subnet <a href="http://11.11.11.0/24" target="_blank">11.11.11.0/24</a> to the local one, <a href="http://2.2.2.0/24" target="_blank">2.2.2.0/24</a>,
you should use the destination address translation and source address
translation features with action=netmap.</p>
<pre style="padding:10px;border:1px solid rgb(170,170,170);color:rgb(68,68,68);background-color:rgba(255,255,238,0.701961);line-height:1.2em;font-family:monospace,Courier,Arial;overflow-x:visible;margin:12px 0px 12px 20px;width:759.90625px;border-top-left-radius:5px;border-top-right-radius:5px;border-bottom-right-radius:5px;border-bottom-left-radius:5px;font-size:12px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;word-spacing:0px;background-repeat:initial initial">
/ip firewall nat add chain=dstnat dst-address=<a href="http://11.11.11.0/24" target="_blank">11.11.11.0/24</a> \
action=netmap to-addresses=<a href="http://2.2.2.0/24" target="_blank">2.2.2.0/24</a>
/ip firewall nat add chain=srcnat src-address=<a href="http://2.2.2.0/24" target="_blank">2.2.2.0/24</a> \
action=netmap to-addresses=<a href="http://11.11.11.0/24" target="_blank">11.11.11.0/24</a>
</pre>
<p style="margin:0.4em 0px 0.5em;line-height:1.5em;color:rgb(0,0,0);font-family:Verdana,Arial,'Trebuchet MS';font-size:12px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(250,250,250)">
The same can be written using a different address notation, which
still has to match the described network:</p>
<pre style="padding:10px;border:1px solid rgb(170,170,170);color:rgb(68,68,68);background-color:rgba(255,255,238,0.701961);line-height:1.2em;font-family:monospace,Courier,Arial;overflow-x:visible;margin:12px 0px 12px 20px;width:759.90625px;border-top-left-radius:5px;border-top-right-radius:5px;border-bottom-right-radius:5px;border-bottom-left-radius:5px;font-size:12px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;word-spacing:0px;background-repeat:initial initial">
/ip firewall nat add chain=dstnat dst-address=11.11.11.0-11.11.11.255 \
action=netmap to-addresses=2.2.2.0-2.2.2.255
/ip firewall nat add chain=srcnat src-address=2.2.2.0-2.2.2.255 \
action=netmap to-addresses=11.11.11.0-11.11.11.255
</pre>
<p style="margin:0.4em 0px 0.5em;line-height:1.5em;color:rgb(0,0,0);font-family:Verdana,Arial,'Trebuchet MS';font-size:12px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(250,250,250)">
<br>
</p>
<h3 style="color:rgb(34,34,34);background-image:none;background-color:rgb(250,250,250);font-weight:bold;margin:1em 0px 0.3em;padding:0.2em 0.1em 0.3em 0px;border-bottom-style:none;font-size:16px;font-family:Verdana,Arial,'Trebuchet MS';font-style:normal;font-variant:normal;letter-spacing:normal;line-height:16.940000534057617px;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-repeat:initial initial">
<span>Port mapping</span></h3>
<p style="margin:0.4em 0px 0.5em;line-height:1.5em;color:rgb(0,0,0);font-family:Verdana,Arial,'Trebuchet MS';font-size:12px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(250,250,250)">
If you would like to direct
requests for a certain port to an internal machine (sometimes
called opening a port, port mapping), you can do it like this:</p>
<pre style="padding:10px;border:1px solid rgb(170,170,170);color:rgb(68,68,68);background-color:rgba(255,255,238,0.701961);line-height:1.2em;font-family:monospace,Courier,Arial;overflow-x:visible;margin:12px 0px 12px 20px;width:759.90625px;border-top-left-radius:5px;border-top-right-radius:5px;border-bottom-right-radius:5px;border-bottom-left-radius:5px;font-size:12px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;word-spacing:0px;background-repeat:initial initial">
/ip firewall nat add chain=dstnat dst-port=1234 action=dst-nat protocol=tcp to-addresses=192.168.1.1 to-ports=1234
</pre>
<p style="margin:0.4em 0px 0.5em;line-height:1.5em;color:rgb(0,0,0);font-family:Verdana,Arial,'Trebuchet MS';font-size:12px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(250,250,250)">
This rule translates to: <i>when an incoming
connection requests TCP port 1234, use the DST-NAT action and
redirect it to the local address 192.168.1.1 and port 1234<br>
<br>
</i></p>
<br>
<br>
</div>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><div><a href="http://luca.postregna.name/" target="_blank">luca.postregna.name</a></div><div><a href="http://twitter.com/lucapost" target="_blank">twitter.com/lucapost</a></div>
</div>
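As an added example (not code from either poster or from the MikroTik wiki page quoted above), here is a complete RouterOS port publication of TCP/81 together with the commands used to verify it. One point worth keeping in mind when placing the filter rule: dst-nat runs in prerouting, before the routing decision, so a packet that has been rewritten toward a LAN host is routed through the router and traverses the forward chain; the input chain only sees traffic addressed to the router itself. The interface names and addresses below are assumptions taken from the thread's layout (WAN = ether1-gateway at 192.168.0.25/24, LAN = ether2-master-local at 192.168.88.1/24, service host 192.168.88.20 with 192.168.88.1 as its default gateway); the rule comments are mine.

```routeros
# Added example, not from the original thread. Assumed layout:
#   WAN  ether1-gateway      192.168.0.25/24
#   LAN  ether2-master-local 192.168.88.1/24
#   service host             192.168.88.20 (default gateway assumed 192.168.88.1)

# 1. Translation. Only packets entering on the WAN interface for TCP/81 are
#    rewritten; restricting on in-interface keeps LAN-originated traffic to
#    the router's own port 81 untouched.
/ip firewall nat add chain=dstnat in-interface=ether1-gateway protocol=tcp dst-port=81 \
    action=dst-nat to-addresses=192.168.88.20 to-ports=81 comment="publish tcp/81"

# 2. Filter. The accept rule belongs in the forward chain and matches the
#    post-NAT destination (the LAN host), not in input. Keep it above any
#    forward drop rule so it is evaluated first.
/ip firewall filter add chain=forward in-interface=ether1-gateway protocol=tcp \
    dst-address=192.168.88.20 dst-port=81 action=accept comment="allow published tcp/81"

# 3. Return path. Replies from 192.168.88.20 are un-NATed by connection
#    tracking as long as they come back through this router; the existing
#    masquerade rule on the WAN interface is not involved for the reply.
/ip firewall nat print where chain=srcnat

# 4. Verification, run while a client on 192.168.0.0/24 connects to 192.168.0.25:81.
#    A tracked connection whose reply address is the LAN host proves the
#    dst-nat rule matched; no entry means the SYN never hit the rule.
/ip firewall connection print where dst-address~"192.168.88.20:81"

#    Per-rule packet counters show which rules are actually being hit.
/ip firewall nat print stats
/ip firewall filter print stats

#    Sniff the LAN side for port 81: a SYN without a SYN/ACK points at the
#    host (service not listening, host firewall, or a gateway other than the
#    router), a missing SYN points at the router's NAT or filter rules.
/tool sniffer quick interface=ether2-master-local port=81
```

The same checks apply to any published port: confirm the rule counters move, confirm a tracked connection with the translated address appears, then confirm on the LAN interface that the SYN arrives at the host and the SYN/ACK returns through the router. If the host's default gateway is not the router, the reply leaves by another path and the connection is never completed, which a scanner reports as filtered.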