[ninux-not-wireless] [IuliiNet] port forwarding on mikrotik

Luca Postregna luca.postregna at gmail.com
Wed Jun 4 09:49:20 CEST 2014


I've made some small progress, but it still doesn't work. This is the
situation on the mikrotik:

[admin at mikrotik] > ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         INTERFACE


 0   ;;; default configuration
     192.168.88.1/24    192.168.88.0    ether2-master-local


 1 D 192.168.0.25/24    192.168.0.0     ether1-gateway


[admin at mikrotik] > ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
 0   ;;; default configuration
     chain=input action=accept protocol=icmp

 1   ;;; default configuration
     chain=input action=accept connection-state=established

 2   ;;; default configuration
     chain=input action=accept connection-state=related

 3   ;;; default configuration
     chain=forward action=accept connection-state=established

 4   ;;; default configuration
     chain=forward action=accept connection-state=related

 5   chain=forward action=accept connection-state=new

 6   chain=input action=accept protocol=tcp dst-port=81
[admin at mikrotik] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
 0   ;;; default configuration
     chain=srcnat action=masquerade to-addresses=0.0.0.0
out-interface=ether1-gateway

 1   chain=dstnat action=dst-nat to-addresses=192.168.88.20 to-ports=80
protocol=tcp in-interface=ether1-gateway dst-port=81


and this is the result of an nmap run from the mikrotik's WAN subnet:

> nmap -sT 192.168.0.25

Starting Nmap 6.00 ( http://nmap.org ) at 2014-06-04 09:44 CEST
Nmap scan report for MikroTik (192.168.0.25)
Host is up (0.012s latency).
Not shown: 995 closed ports
PORT     STATE    SERVICE
22/tcp   open     ssh
53/tcp   open     domain
80/tcp   open     http
81/tcp   filtered hosts2-ns
2000/tcp open     cisco-sccp
MAC Address: D4:CA:6D:E2:95:B9 (Routerboard.com)


Nmap done: 1 IP address (1 host up) scanned in 7.81 seconds

I don't understand that filtered, which should perhaps be open.

if I lose my patience I'll put openwrt on the mikrotik...



2014-06-03 16:36 GMT+02:00 Filippo Madaro <filippo.madaro at gmail.com>:

> add a rule that also accepts new connections in forward, something like:
>
> chain=forward action=accept connection-state=new
>
> that way it should work ... it's the same mechanism as iptables, except that
> the default action, if not specified, is drop ...
>
>
> On 03/06/14, Luca Postregna <luca.postregna at gmail.com> wrote:
> > I removed the drop rules, but still no result:
> >
> > [admin at MikroTik] > ip firewall filter print
> > Flags: X - disabled, I - invalid, D - dynamic
> >  0   ;;; default configuration
> >      chain=input action=accept protocol=icmp
> >
> >  1   ;;; default configuration
> >      chain=input action=accept connection-state=established
> >
> >  2   ;;; default configuration
> >      chain=input action=accept connection-state=related
> >
> >  3   ;;; default configuration
> >      chain=forward action=accept connection-state=established
> >
> >  4   ;;; default configuration
> >      chain=forward action=accept connection-state=related
> >
> >  5   chain=input action=accept protocol=tcp in-interface=ether1-gateway
> >
> > [admin at MikroTik] > ip firewall nat print
> > Flags: X - disabled, I - invalid, D - dynamic
> >  0 X ;;; default configuration
> >      chain=srcnat action=masquerade out-interface=ether1-gateway
> >
> >  1   chain=dstnat action=dst-nat to-addresses=192.168.88.20 to-ports=2080
> > protocol=tcp in-interface=ether1-gateway dst-port=2080
> >
> > [admin at MikroTik] > ip address print
> > Flags: X - disabled, I - invalid, D - dynamic
> >  #   ADDRESS            NETWORK         INTERFACE
> >
> >  0   ;;; default configuration
> >      192.168.88.1/24    192.168.88.0    ether2-master-local
> >
> >  1 D 192.168.0.25/24    192.168.0.0     ether1-gateway
> >
> > where am I going wrong?
> >
> >
> > 2014-06-02 19:05 GMT+02:00 Filippo Madaro <filippo.madaro at gmail.com>:
> >
> >> Rule 3 cuts off everything that tries to come in from the WAN, so
> >> rule 7 is never taken into consideration ... chain=input
> >> action=drop in-interface=ether1-gateway
> >>
> >>
> >> On 02/06/14, Luca Postregna <luca.postregna at gmail.com> wrote:
> >> > Hi folks,
> >> >   I recently started playing with a mikrotik rb750gl, updated to
> >> > firmware 6.13.
> >> > The device is configured in router mode, and I'm having trouble
> >> > configuring port forwarding.
> >> > The WAN port is assigned the address 192.168.0.25/24, while on the
> >> > LAN side I hand out the default subnet 192.168.88.0/24.
> >> > On a local device on the LAN side a web server is listening on
> >> > 192.168.88.20:2080, which I would like to reach directly from the
> >> > WAN IP at 192.168.0.25:2080.
> >> > This is my current configuration:
> >> >
> >> > [admin at MikroTik] > ip firewall filter print
> >> > Flags: X - disabled, I - invalid, D - dynamic
> >> >  0   ;;; default configuration
> >> >      chain=input action=accept protocol=icmp
> >> >
> >> >  1   ;;; default configuration
> >> >      chain=input action=accept connection-state=established
> >> >
> >> >  2   ;;; default configuration
> >> >      chain=input action=accept connection-state=related
> >> >
> >> >  3   ;;; default configuration
> >> >      chain=input action=drop in-interface=ether1-gateway
> >> >
> >> >  4   ;;; default configuration
> >> >      chain=forward action=accept connection-state=established
> >> >
> >> >  5   ;;; default configuration
> >> >      chain=forward action=accept connection-state=related
> >> >
> >> >  6   ;;; default configuration
> >> >      chain=forward action=drop connection-state=invalid
> >> >
> >> >  7   chain=input action=accept protocol=tcp in-interface=ether1-gateway
> >> > [admin at MikroTik] > ip firewall nat print
> >> > Flags: X - disabled, I - invalid, D - dynamic
> >> >  0   ;;; default configuration
> >> >      chain=srcnat action=masquerade out-interface=ether1-gateway
> >> >
> >> >  1   chain=dstnat action=dst-nat to-addresses=192.168.88.20
> >> > to-ports=2080
> >> > protocol=tcp in-interface=ether1-gateway dst-port=2080
> >> > [admin at MikroTik] > ip address print
> >> > Flags: X - disabled, I - invalid, D - dynamic
> >> >  #   ADDRESS            NETWORK         INTERFACE
> >> >
> >> >
> >> >  0   ;;; default configuration
> >> >      192.168.88.1/24    192.168.88.0    ether2-master-local
> >> >
> >> >
> >> >  1 D 192.168.0.25/24    192.168.0.0     ether1-gateway
> >> >
> >> >
> >> > With this configuration, if I type 192.168.0.25:2080 in the browser,
> >> > the port forwarding doesn't work; this holds for tests with the
> >> > client in both subnets 192.168.0.0/24 and 192.168.88.0/24.
> >> > I can't figure out where the problem is: some wrong rule, or the
> >> > priority of the firewall rules.
> >> >
> >> > Can someone give me a hand?
> >> >
> >> > Regards,
> >> > Luca.
> >> >
> >> > --
> >> > luca.postregna.name
> >> > twitter.com/lucapost
> >> >
> >>
> >>
> >> --
> >> p.i. *Filippo Madaro*
> >> Mob. 3883448904
> >>
> >
> >
> >
> > --
> > luca.postregna.name
> > twitter.com/lucapost
> >
>
>
> --
> p.i. *Filippo Madaro*
> Mob. 3883448904
>



-- 
luca.postregna.name
twitter.com/lucapost
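
An added example (not part of the thread and not MikroTik code): a Python check for the first-match shadowing described in the 02/06/14 reply, where rule 3 drops everything arriving on ether1-gateway before rule 7 is evaluated. The helper names `parse_rules` and `shadowed` are hypothetical, and properties are compared by exact value only, which is a simplification.

```python
import re

# Filter rules from the first message's `ip firewall filter print` (wrapped lines rejoined).
FILTER_PRINT = """\
 0   ;;; default configuration
     chain=input action=accept protocol=icmp
 1   ;;; default configuration
     chain=input action=accept connection-state=established
 2   ;;; default configuration
     chain=input action=accept connection-state=related
 3   ;;; default configuration
     chain=input action=drop in-interface=ether1-gateway
 4   ;;; default configuration
     chain=forward action=accept connection-state=established
 5   ;;; default configuration
     chain=forward action=accept connection-state=related
 6   ;;; default configuration
     chain=forward action=drop connection-state=invalid
 7   chain=input action=accept protocol=tcp in-interface=ether1-gateway
"""

def parse_rules(text):
    """Return [(number, {property: value})] from RouterOS print output."""
    rules = []
    for line in text.splitlines():
        head = re.match(r"\s*(\d+)\s+(?:[XID]\s+)?(.*)", line)
        if head:                                  # a new rule starts here
            rules.append((int(head.group(1)), {}))
            line = head.group(2)
        if rules and not line.lstrip().startswith(";;;"):
            rules[-1][1].update(re.findall(r"([\w-]+)=(\S+)", line))
    return rules

def shadowed(rules):
    """Pairs (later, earlier): `earlier` decides every packet `later` matches."""
    found = []
    for i, (num, props) in enumerate(rules):
        match = {k: v for k, v in props.items() if k != "action"}
        for prev_num, prev in rules[:i]:
            prev_match = {k: v for k, v in prev.items() if k != "action"}
            # First match wins: an earlier, more general accept/drop is hit first.
            if prev.get("action") in ("accept", "drop") and prev_match.items() <= match.items():
                found.append((num, prev_num))
                break
    return found

if __name__ == "__main__":
    for later, earlier in shadowed(parse_rules(FILTER_PRINT)):
        print(f"rule {later} is never reached: rule {earlier} matches first")
```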