Last updated: 2016-09-14
List NAT rules
/ip firewall nat print
Stats
/ip firewall nat print stats
Port mapping/forwarding
Public IP: 10.5.8.200
Local IP: 192.168.0.109
/ip firewall nat add chain=dstnat dst-port=1234 action=dst-nat protocol=tcp to-address=192.168.0.109 to-port=1234
GUI
Tab 1 (General)
* Chain: dstnat
* Protocol: tcp
* Dst. Port: 1234 => required!!!
Tab 4 (Action)
* Action: dst-nat
* To Addresses => LAN_IP_ADDR
* To Ports => Server_Listen_Port
service-port
Hosts behind a NAT-enabled router do not have true end-to-end connectivity. Therefore some Internet protocols might not work in scenarios with NAT.
To overcome these limitations RouterOS includes a number of NAT helpers that enable NAT traversal for various protocols.
Helpers include: ftp, pptp, sip, ...
/ip firewall service-port enable pptp
PPTP
PPTP uses TCP port 1723 as well as IP protocol 47 (GRE). You need to allow both through the forward chain.
Also, turn on the IP service-port helper for pptp; it allows NAT traversal of GRE (protocol 47).
It is the only way to have more than one PPTP client behind a NAT.
Action
* accept - accept the packet. The packet is not passed to the next NAT rule.
* add-dst-to-address-list - add the destination address to the address list specified by the address-list parameter
* add-src-to-address-list - add the source address to the address list specified by the address-list parameter
* dst-nat - replaces the destination address and/or port of an IP packet with the values specified by the to-addresses and to-ports parameters
* jump - jump to the user-defined chain specified by the value of the jump-target parameter
* log - add a message to the system log containing the following data: in-interface, out-interface, src-mac, protocol, src-ip:port->dst-ip:port and the length of the packet. After the packet is matched it is passed to the next rule in the list, similar to passthrough
* masquerade - replace the source address of an IP packet with the IP determined by the routing facility.
* netmap - creates a static 1:1 mapping of one set of IP addresses to another. Often used to distribute public IP addresses to hosts on private networks
* passthrough - ignore this rule and go to the next one (useful for statistics).
* redirect - replaces the destination port of an IP packet with the one specified by the to-ports parameter and the destination address with one of the router's local addresses
* return - passes control back to the chain from where the jump took place
* same - gives a particular client the same source/destination IP address from the supplied range for each connection. This is most frequently used for services that expect the same client address for multiple connections from the same client
* src-nat - replaces the source address of an IP packet with the values specified by the to-addresses and to-ports parameters
hairpin
Assume the following NAT rules exist
/ip firewall nat
add chain=dstnat dst-address=W.W.W.W protocol=tcp dst-port=80 \
action=dst-nat to-address=192.168.1.2
# Internet access for the LAN
add chain=srcnat out-interface=WAN action=masquerade
hairpin loopback
* Add this after the NAT rules above
/ip firewall nat
add chain=srcnat src-address=192.168.1.0/24 \
dst-address=192.168.1.2 protocol=tcp dst-port=80 \
out-interface=LAN action=masquerade
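Putting the sections above together, here is an added example (not from the original page or the MikroTik manual) that combines the port forward for 10.5.8.200 -> 192.168.0.109:1234 with the forward-chain filter rules it needs, the hairpin rule for the same service, and the PPTP helper; it assumes interfaces named WAN and LAN and a LAN subnet of 192.168.0.0/24.

```routeros
# Added example, not from the original page. Assumed: interface names "WAN"
# and "LAN", LAN subnet 192.168.0.0/24; public IP 10.5.8.200 and the server
# 192.168.0.109:1234 come from the port-forwarding section above.
/ip firewall nat
# Port forward: match the public address explicitly so that only traffic aimed
# at 10.5.8.200:1234 is rewritten, not every packet that happens to use port 1234
add chain=dstnat dst-address=10.5.8.200 protocol=tcp dst-port=1234 \
    action=dst-nat to-addresses=192.168.0.109 to-ports=1234 comment="fwd 1234"
# Internet access for the LAN
add chain=srcnat out-interface=WAN action=masquerade comment="lan masquerade"
# Hairpin: a LAN client that connects to 10.5.8.200:1234 is dst-nat'ed by the
# rule above; masquerading its source makes the server reply via the router
# instead of directly to the client (which would break the connection)
add chain=srcnat src-address=192.168.0.0/24 dst-address=192.168.0.109 \
    protocol=tcp dst-port=1234 out-interface=LAN action=masquerade \
    comment="hairpin 1234"

/ip firewall filter
# Let only new connections from WAN that were dst-nat'ed into the forward chain;
# everything else from WAN stays subject to the usual drop rule
add chain=forward in-interface=WAN connection-state=new \
    connection-nat-state=dstnat action=accept comment="allow port-forwarded"
# PPTP needs TCP/1723 and GRE (protocol 47) through the forward chain
add chain=forward protocol=tcp dst-port=1723 action=accept comment="pptp control"
add chain=forward protocol=gre action=accept comment="pptp gre"

# Enable the PPTP helper so several PPTP clients behind the NAT can share GRE
/ip firewall service-port enable pptp

# Verify: the packet/byte counters show which rules are actually being hit
/ip firewall nat print stats
```

`add` appends each rule to the end of its chain, so on a router that already has a drop rule in the forward chain, use `place-before=` (or move the rules in WinBox) so the accept rules sit above it.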
Configuration examples
Doc
http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/NAT