Here is. Let me know if you have any questions.
Comments:
- If the Public IP One to Five are in the same network, then the addresses with the netmask /32 are to be fixed. Or replace the additional addresses by host routes (my preferred version, but that's personal).
- For the NAT configuration, there are some issues, see the corrections below.
- There is no hairpin NAT, so you won't be able to reach the servers using the public IP. This explains why you connect to the device when you use the public IP addresses.
- The filter rules need some attention as you are fully exposing one of your servers; the other one is not exposed due to its NAT rules being incorrect.

These NAT rules don't do anything useful: the first one says "from 192.168.88.248 source port 80 to PUBLIC.IP.TWO destination port 80, change the source IP to PUBLIC.IP.TWO and the source port to 80." The second one says "from 192.168.88.248 source port 80 to PUBLIC.IP.TWO destination port 80, change the destination to 192.168.88.248."
Code:
add action=src-nat chain=srcnat dst-address=PUBLIC.IP.TWO dst-port=80 out-interface=charter protocol=tcp src-address=192.168.88.248 src-port=80 to-addresses=PUBLIC.IP.TWO to-ports=80
add action=dst-nat chain=dstnat dst-address=PUBLIC.IP.TWO dst-port=80 in-interface=charter protocol=tcp src-address=192.168.88.248 src-port=80 to-addresses=192.168.88.248 to-ports=80

Given this looks like you are doing bidirectional NAT, it should most likely be:
Code:
add action=src-nat chain=srcnat out-interface=charter src-address=192.168.88.248 to-addresses=PUBLIC.IP.TWO
add action=dst-nat chain=dstnat in-interface=charter dst-address=PUBLIC.IP.TWO to-addresses=192.168.88.248

This doesn't address the hairpin NAT. Let me know if you need help with that.

The filter rules expose everything that is translated, which is pretty bad.
Code:
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN disabled=yes

Instead, consider creating specific rules to permit the necessary traffic through. For example, the following rules permit access to the HTTP port of two of your internal servers and drop everything else.
Code:
add action=accept chain=forward comment="Access HTTP to 88.248" dst-address=192.168.88.248 protocol=tcp dst-port=80 in-interface=charter
add action=accept chain=forward comment="Access HTTP to 88.254" dst-address=192.168.88.254 protocol=tcp dst-port=80 in-interface=charter
add action=drop chain=forward comment="Drop everything else coming from the WAN" in-interface=charter

Conclusions:
Your NAT rules should look like this. Keep in mind this doesn't include the hairpin NAT.
Code:
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=PUBLIC.IP.ONE in-interface=charter to-addresses=192.168.88.254
add action=src-nat chain=srcnat out-interface=charter src-address=192.168.88.254 to-addresses=PUBLIC.IP.ONE
add action=src-nat chain=srcnat out-interface=charter src-address=192.168.88.248 to-addresses=PUBLIC.IP.TWO
add action=dst-nat chain=dstnat dst-address=PUBLIC.IP.TWO in-interface=charter to-addresses=192.168.88.248
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes ipsec-policy=out,none out-interface-list=WAN

Your filter rules should look like this (chain forward only):
Code:
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="Access HTTP to 88.248" dst-address=192.168.88.248 protocol=tcp dst-port=80 in-interface=charter
add action=accept chain=forward comment="Access HTTP to 88.254" dst-address=192.168.88.254 protocol=tcp dst-port=80 in-interface=charter
add action=drop chain=forward comment="Drop everything else coming from the WAN" in-interface=charter
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN disabled=yes
Statistics: Posted by vingjfg — Sun Jan 21, 2024 4:01 pm
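The post above leaves the hairpin NAT out, which is why a LAN client that connects to PUBLIC.IP.ONE or PUBLIC.IP.TWO ends up on the router itself instead of on the server. The rules below are an added example for that missing piece, not vingjfg's code or anything from the thread. They cover both servers and assume the LAN side of the router is a bridge interface named "bridge" with the subnet 192.168.88.0/24 (the thread only shows the individual host addresses); PUBLIC.IP.ONE, PUBLIC.IP.TWO, 192.168.88.254, 192.168.88.248 and the WAN interface name charter are the placeholders and names used in the thread. The two dst-nat rules here replace the ones from the conclusions: they drop the in-interface=charter restriction so that a packet for the public address is translated no matter whether it arrives from the WAN or from the LAN.

```routeros
# Added example (not from the forum post): 1:1 NAT with hairpin NAT for two servers.
# Assumptions: LAN interface is "bridge", LAN subnet is 192.168.88.0/24.
/ip firewall nat
# dst-nat runs before the routing decision, so matching on the public address alone
# catches both WAN and LAN clients. With in-interface=charter, packets from the LAN
# would be routed to the router's own address and never reach the server.
add action=dst-nat chain=dstnat dst-address=PUBLIC.IP.ONE to-addresses=192.168.88.254 comment="1:1 PUBLIC.IP.ONE -> 88.254 (WAN and hairpin)"
add action=dst-nat chain=dstnat dst-address=PUBLIC.IP.TWO to-addresses=192.168.88.248 comment="1:1 PUBLIC.IP.TWO -> 88.248 (WAN and hairpin)"
# Hairpin: a LAN client that was dst-nat'ed to a server on the same subnet would
# otherwise get the reply straight from the server's private address, which the
# client does not associate with its connection to the public IP. Masquerading the
# source to the router's bridge address forces the reply back through the router.
add action=masquerade chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.88.254 out-interface=bridge comment="hairpin NAT to 88.254"
add action=masquerade chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.88.248 out-interface=bridge comment="hairpin NAT to 88.248"
# Outbound side of the 1:1 NAT, unchanged from the post.
add action=src-nat chain=srcnat out-interface=charter src-address=192.168.88.254 to-addresses=PUBLIC.IP.ONE
add action=src-nat chain=srcnat out-interface=charter src-address=192.168.88.248 to-addresses=PUBLIC.IP.TWO
```

Two things to keep in mind when applying this. Hairpinned connections enter the forward chain with in-interface=bridge, so the WAN-only accept and drop rules from the post do not apply to them; the filter rules therefore still only open TCP port 80 from charter. And because of the masquerade, the servers see the router's LAN address as the client for hairpinned connections, so their logs will not show the real LAN client; if that matters, use the servers' private addresses (for example via split DNS) instead of hairpinning. Check the result with /ip firewall connection print from a LAN client connection to the public address: the entry should show the destination rewritten to the server's private address and the reply destination set to the router's bridge address.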