Mikrotik
Denis Basarev, 2018-11-27 15:29:02

Is it possible to use an interface list in masquerade to RDP behind NAT?

The router is configured for two providers. If you specify the incoming interface, then on the FTP server behind NAT you can see from which address you are connected to it, but RDP does not work :-( (I tried to create two masquerades, one for each provider, exactly the same.) If the incoming interface field is empty, the gateway address is expected on the FTP server, but RDP works. In which direction should I dig?


1 answer(s)
poisons, 2018-11-27
@poisons

which way to dig

In the direction of understanding that address translation can work in both directions, and it would be nice not to confuse the two sides.
1. For outgoing traffic, there should be a rule like
/ip firewall nat add action=masquerade chain=srcnat out-interface=
2. For incoming traffic,
/ip firewall nat add action=dst-nat chain=dstnat dst-port=3389 in-interface=ether1 protocol=tcp to-addresses= to-ports=3389
3. An interface-list is nothing more than syntactic sugar that saves you from cranking out 100,500 rules. Often it all comes down to inside / outside / etc., so that traffic between internal interfaces can be allowed in the firewall filter with one rule. Example: I have 100 VLANs coming to my router, so I put all these 100 interfaces into one interface-list and say
/ip firewall filter add action=accept in-interface-list=inside out-interface-list=inside chain=forward
Well, an export of ip firewall nat from the config (without verbose) could clarify the situation somewhat.
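
One way to combine points 1 to 3 of the answer for the two-provider setup in the question, as an added example that is not part of the original thread. The interface ether2, the list names, the host address 192.168.88.10 and the client range 203.0.113.0/24 are assumptions made for illustration.

```routeros
# Added example, not from the original thread. Assumed names and addresses:
# ether1 / ether2 = the two provider uplinks, 192.168.88.10 = RDP host,
# 203.0.113.0/24 = constructed range of permitted remote clients.

# One list holding both provider-facing interfaces
/interface list
add name=WAN
/interface list member
add list=WAN interface=ether1
add list=WAN interface=ether2

# Remote addresses that are allowed to reach the published RDP port
/ip firewall address-list
add list=rdp-clients address=203.0.113.0/24

/ip firewall nat
# Unscoped form, left commented out for comparison: with no out-interface
# it also matches forwarded connections leaving towards the LAN, so the
# internal server sees the router's address as the source of every session.
# add chain=srcnat action=masquerade

# Scoped form: masquerade only traffic leaving through either provider
add chain=srcnat action=masquerade out-interface-list=WAN \
    comment="LAN to internet"

# Inbound RDP arriving on either provider, limited to the permitted sources
add chain=dstnat action=dst-nat protocol=tcp dst-port=3389 \
    in-interface-list=WAN src-address-list=rdp-clients \
    to-addresses=192.168.88.10 to-ports=3389 \
    comment="RDP to internal host"
```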
