Last updated: 2016-09-14
Contents
- NAT Rule
- service-port (NAT helpers)
- PPTP with NAT
- NAT Action
- hairpin
NAT Rule
List NAT rules (and per-rule packet/byte counters):
/ip firewall nat
/ip firewall nat print stats
Add port forwarding by CLI
Public IP: 10.5.8.200
Local IP: 192.168.0.109
# forward TCP 1234 arriving at the router to the local host on the same port
/ip firewall nat add chain=dstnat dst-port=1234 action=dst-nat protocol=tcp to-address=192.168.0.109 to-port=1234
Add port forwarding by GUI
Tab1
Chain: dstnat
Protocol: tcp
dst-port=1234 => "must be filled in!!!"
Tab4
Action: dst-nat
to-address => LAN_IP_ADDR
to-port => Server_Listen_Port
service-port (NAT helpers)
Hosts behind a NAT-enabled router do not have true end-to-end connectivity. Therefore some Internet protocols might not work in scenarios with NAT. To overcome these limitations RouterOS includes a number of NAT helpers, that enable NAT traversal for various protocols.
Helpers: ftp, pptp, sip ...
/ip firewall service-port enable pptp
PPTP with NAT
PPTP uses TCP port 1723 as well as IP protocol 47 (GRE). You need to allow both through the forward chain.
Also, turn on the IP service-port (helper) for pptp - it allows NAT traversal of GRE (protocol 47).
It's the only way to have more than one PPTP client behind a NAT.
NAT Action
- dst-nat - replaces destination address and/or port of an IP packet to values specified by to-addresses and to-ports parameters
- masquerade - replace source address of an IP packet to IP determined by routing facility.
- src-nat - replaces source address of an IP packet to values specified by to-addresses and to-ports parameters
- netmap - creates a static 1:1 mapping of one set of IP addresses to another one. Often used to distribute public IP addresses to hosts on private networks
- redirect - replaces destination port of an IP packet to one specified by to-ports parameter and destination address to one of the router's local addresses
- same - gives a particular client the same source/destination IP address from supplied range for each connection. This is most frequently used for services that expect the same client address for multiple connections from the same client
Notes
An accept rule placed before the NAT rules exempts the matching traffic from them:
accept - accept the packet. Packet is not passed to next NAT rule.
hairpin
Assume the following NAT rules already exist:
/ip firewall nat
add chain=dstnat dst-address=W.W.W.W protocol=tcp dst-port=80 \
action=dst-nat to-address=192.168.1.2
# Internet access
add chain=srcnat out-interface=WAN action=masquerade
* W.W.W.W is the WAN IP on ether1. If there is no fixed IP, use in-interface=ether1 instead.
hairpin loopback
* Add this after the NAT rules above
/ip firewall nat add chain=srcnat src-address=192.168.1.0/24 \
dst-address=192.168.1.2 protocol=tcp dst-port=80 \
out-interface=LAN action=masquerade
Notes
* If the dst-nat rule uses "in-interface=ether1" instead of "dst-address=W.W.W.W",
add a second, otherwise identical rule with in-interface changed to bridge1
* Because srcnat cannot match on in-interface, the rule has to be limited by src-address instead
* dst-address and dst-port here are the values after dst-nat has been applied
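The following Python model is an added illustration, not MikroTik code. It walks the dstnat and srcnat chains the way the notes describe (first match wins, accept stops the chain, dstnat before the routing decision and srcnat after it) and shows why the port-forward rule alone is not enough for a LAN client: without the hairpin masquerade the server sees the LAN client's own address, answers it directly, and the reply bypasses the router. 203.0.113.10 stands in for W.W.W.W, the router's LAN address 192.168.1.1 and the interface names are constructed assumptions, and it also covers the "accept before NAT" note above.

```python
"""Toy model of how RouterOS walks its NAT chains. Added illustration, not
MikroTik code; it models only what the notes cover: first-match evaluation,
the dst-nat / masquerade / accept actions, dstnat before routing and srcnat
after it, and why the hairpin loopback rule is needed."""
from dataclasses import dataclass, field, replace as rewrite
from ipaddress import ip_address, ip_network

# Constructed addresses: 203.0.113.10 stands in for W.W.W.W, and the router
# is assumed to hold 192.168.1.1 on the LAN side (both are assumptions).
WAN_IP = "203.0.113.10"
ROUTER_LAN_IP = "192.168.1.1"
LAN_NET = ip_network("192.168.1.0/24")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"
    in_iface: str = ""
    out_iface: str = ""


@dataclass(frozen=True)
class Rule:
    chain: str
    action: str
    match: dict = field(default_factory=dict)
    to_address: str = ""
    to_port: int = 0


def in_net(addr, spec):
    """dst-address / src-address accept a single host or a prefix."""
    return ip_address(addr) in ip_network(spec, strict=False)


def matches(rule, pkt):
    m = rule.match
    checks = (
        ("protocol", lambda v: v == pkt.proto),
        ("dst-port", lambda v: v == pkt.dport),
        ("dst-address", lambda v: in_net(pkt.dst, v)),
        ("src-address", lambda v: in_net(pkt.src, v)),
        ("in-interface", lambda v: v == pkt.in_iface),
        ("out-interface", lambda v: v == pkt.out_iface),
    )
    return all(fn(m[key]) for key, fn in checks if key in m)


def run_chain(rules, chain, pkt):
    """First matching rule wins. accept ends the chain with no rewrite,
    which is why an accept placed before a NAT rule exempts that traffic."""
    for r in rules:
        if r.chain != chain or not matches(r, pkt):
            continue
        if r.action == "accept":
            return pkt
        if r.action == "dst-nat":
            return rewrite(pkt, dst=r.to_address, dport=r.to_port or pkt.dport)
        if r.action == "masquerade":
            # Source becomes the router's own address on the outgoing interface.
            new_src = ROUTER_LAN_IP if pkt.out_iface == "LAN" else WAN_IP
            return rewrite(pkt, src=new_src)
        raise ValueError(f"action not modelled: {r.action}")
    return pkt


def route(pkt):
    return "LAN" if ip_address(pkt.dst) in LAN_NET else "WAN"


def forward(rules, pkt):
    """dstnat is evaluated before the routing decision, srcnat after it, so
    srcnat rules see the already-translated dst-address and dst-port."""
    pkt = run_chain(rules, "dstnat", pkt)
    pkt = rewrite(pkt, out_iface=route(pkt))
    return run_chain(rules, "srcnat", pkt)


def reply_returns_via_router(rules, client_src, in_iface):
    """The server answers whatever source address it sees. If that is still a
    LAN host, the reply goes straight to it, bypasses the router's NAT state,
    and the client discards an answer from 192.168.1.2 it never spoke to."""
    out = forward(rules, Packet(client_src, WAN_IP, 80, in_iface=in_iface))
    server_sees = ip_address(out.src)
    return server_sees == ip_address(ROUTER_LAN_IP) or server_sees not in LAN_NET


# The two rules from the notes above, plus the hairpin loopback rule.
BASE_RULES = [
    Rule("dstnat", "dst-nat",
         {"dst-address": WAN_IP, "protocol": "tcp", "dst-port": 80},
         to_address="192.168.1.2"),
    Rule("srcnat", "masquerade", {"out-interface": "WAN"}),
]
HAIRPIN_RULE = Rule("srcnat", "masquerade",
                    {"src-address": "192.168.1.0/24", "dst-address": "192.168.1.2",
                     "protocol": "tcp", "dst-port": 80, "out-interface": "LAN"})

if __name__ == "__main__":
    print("external client:", reply_returns_via_router(BASE_RULES, "198.51.100.7", "WAN"))
    print("LAN client, no hairpin:", reply_returns_via_router(BASE_RULES, "192.168.1.10", "LAN"))
    print("LAN client, hairpin:", reply_returns_via_router(BASE_RULES + [HAIRPIN_RULE], "192.168.1.10", "LAN"))
```

Note that HAIRPIN_RULE matches on dst-address=192.168.1.2, not W.W.W.W: by the time srcnat runs, dst-nat has already rewritten the destination, which is exactly the last note above.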
Configuration example
Doc
https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/NAT