sprocker, 2014-07-01 17:22:57

How to access the router's external IP "from the inside"?

Good day to all!
I used to have a Zyxel Keenetic 4G; it was good, but rather weak.
We bought an RB2011UAS-2HnD-IN.
It seems that all the NAT rules were set up the same way as on the Zyxel; there is access from the Internet, everything is fine.
One problem:
Previously, you could access the machine, say 10.10. through a forwarded port.
Something like this: I connect to FTP
ftp://user:[email protected]:1021
Port 1021 is forwarded to machine 10.10.1.2, and apparently the packets going toward the Internet were turned around inside the router and then went according to the NAT rules, arriving at the desired machine.
With the arrival of the new router, this trick no longer works :)
It seems to me that some other rule needs to be created...
After playing around with src-nat and dst-nat, I decided that my experience is still not enough :)


5 answer(s)
Sergey delphinpro, 2016-03-03
@avtomonov17

https://jsfiddle.net/DelphinPRO/vfhcdu2q/

Nikita, 2016-03-03
@Rema1ns

it is possible through pseudo elements, you can make the tail absolute and put it into the content.

Ranwise, 2016-03-04
@Ranwise

generator

bevice, 2014-07-01
@sprocker

And everything is simple:
For example, your client 10.10.1.3 is trying to connect through the router. A packet arrives at the router as src: 10.10.1.3 dst: WAN_IP dport 1021.
- This rule probably already exists (note that packets are filtered only by destination address, protocol and port; you may also have an interface in it, and that should be removed).
After it the packet will look like src: 10.10.1.3 dst: 10.10.1.2 and will successfully leave the router for its destination, where it will be processed and a reply sent back to src (i.e. 10.10.1.3). But the client is waiting for a packet back from the router, so it will drop it as garbage. Therefore the packet has to leave the router with src = the router's address; then the router will wrap it in NAT and return it to the client.
Marking will help accordingly:

/ip firewall mangle add chain=prerouting action=mark-packet new-packet-mark=1 protocol=tcp src-address=10.10.1.0/24 dst-address=WAN_IP dst-port=1021 comment="LAN client -> WAN_IP:1021, marked before dst-nat"

This rule will be executed before DNAT and mark the necessary packets of the connection. And then we cheat with the addresses:

/ip firewall nat add chain=dstnat action=dst-nat to-addresses=10.10.1.2 packet-mark=1 comment="marked packets go to the internal host"
/ip firewall nat add chain=srcnat action=src-nat to-addresses=LAN_IP packet-mark=1 comment="reply must come back through the router"

WAN_IP is the external address of the router,
LAN_IP is its internal address
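The same hairpin (NAT loopback) can be done without packet marks, matching directly on the addresses. This is an added example, not bevice's rules or MikroTik's own configuration; it assumes the LAN 10.10.1.0/24 sits on an interface named bridge-local, that WAN_IP is a placeholder for the router's public address, and that the internal host 10.10.1.2 listens on tcp/1021 as in the question. The usual masquerade rule for LAN-to-Internet traffic stays as it is.

```routeros
# Added example: hairpin NAT on RouterOS without mangle marks.
# Assumed names/values: bridge-local (LAN interface), WAN_IP (placeholder
# for the public address), 10.10.1.2:1021 (the forwarded FTP host/port).

/ip firewall nat

# 1. Port forward. There is deliberately no in-interface match, so the rule
#    also fires when a LAN client sends a packet to WAN_IP:1021; dst-address
#    keeps it from catching anything that is not addressed to the router.
add chain=dstnat protocol=tcp dst-address=WAN_IP dst-port=1021 \
    action=dst-nat to-addresses=10.10.1.2 to-ports=1021 \
    comment="forward tcp/1021 to 10.10.1.2 (Internet and LAN clients)"

# 2. Hairpin. Only when the packet came from the LAN, is now headed to the
#    forwarded host and leaves through the LAN interface, rewrite its source
#    to the router's LAN address. The server then answers the router, which
#    reverses both translations and hands the reply back to the client.
add chain=srcnat protocol=tcp src-address=10.10.1.0/24 dst-address=10.10.1.2 \
    dst-port=1021 out-interface=bridge-local action=masquerade \
    comment="hairpin NAT for LAN clients reaching 10.10.1.2 via WAN_IP"
```

If the public address changes (PPPoE, DHCP), `dst-address-type=local` in rule 1 matches any address owned by the router instead of a fixed WAN_IP. Two things to keep in mind: rule 2 means 10.10.1.2 sees every hairpinned connection as coming from the router's LAN address, so its FTP logs and any login-throttling on that host no longer see the real client; and because rule 1 no longer matches on the WAN interface, the forward-chain filter, not the interface, is what decides who may reach 10.10.1.2, so check it still allows only what you intend. `/ip firewall nat print stats` shows whether each rule's counters move when a LAN client connects to WAN_IP:1021, and `/ip firewall connection print` shows the translated connection.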

Sergey Petrikov, 2014-07-01
@RicoX

Here you go, even with pictures.
