Проброс портов на маршрутизаторе Микротик для ферм Mobileproxy.ru.
Для чего это нужно?
По умолчанию устройства, работающие за НАТом не доступны из интернета. Проброс портов на маршрутизаторах, нужен для того, что бы получить доступ к ресурсам локальной сети из интернета, например, получить доступ к панели управления прокси фермой и её портам
Настройка проброса одного порта - приоритетный вариант для ферм Mobileproxy.ru,
прорасываем порты с 1080 по 10хх для socks прокси
прорасываем порты с 3128 по 31хх для http прокси
Для начала подключитесь к Mikrotik через winbox. Затем перейдите на вкладку IP-Firewall-NAT
Нажмите на синий плюсик в верхнем меню вкладки. И заполняем необходимые настройки. Первым делом заполняем вкладку General. На рисунке показаны минимальные настройки для проброса одного порта, например, нам нужно настроить подключение к rdp серверу через Mikrotik.
Chain-канал приемник, есть два параметра srcnat-из локальной сети в интернет и dstnat из интернета в локальную сеть. Нам нужно dstanat
Src. Address — адрес с которого принимать запрос, например мы хотим разрешить подключение только с одного адреса, тогда нам нужно прописать в этом поле этот адрес. Если ничего не указано, то запросы будут приниматься со всех адресов
Dst. Address— адрес назначения (всегда ip маршрутизатора).
Protocol— Обязательное поле, указываем протокол работы, http, udp и т.д.
Src.Port – Порт источника с которого идет запрос, для нас это не важно
Dst.Port— обязательный параметр, указывает на каком порту роутер будет принимать запрос, здесь может быть указан абсолютно любой, например для rdp не обязательно указывать 3389, для безопасности лучше указать другой порт, например 33389.
Any.Port – объединяет два предыдущего параметра, если здесь будет что то указано, то это скажет маршрутизатору что src и dst порт равен указанному.
In.Interface – интерфейс на котором настроен внешний ip адрес Микротика
Out. Interface – интерфейс подключения компьютера, на который идет проброс, заполнять необязательно
Более тонкие настройки, которые редко используются
In.Interface List, Out. Interface List – принимает значение all т.е. использовать любой интерфейс, в принципе то же самое, что если не заполнять поля In и Out Interface
Packet Mark, Connection Mark, Routing Mark – Пробрасывать маркированные пакеты, маркировка происходит на вкладке firewall/mangle.
Connection Type — Пакет относится к определенному типу соединения, включенному на закладке Firewall/Service Ports, sip, ftp и т.д.
После заполнения всех необходимых полей переходим на вкладку Action.
Action – действие которое нужно выполнить, в нашем случае это или dst-nat или netmap, отличие рассмотрим ниже, я ставлю netmap как более новый и улучшенный.
To Address – ip локального компьютера на который идет проброс
To Ports – Порт на котором работает сервис, например для rdp 3389, для ftp 21. Если dst port на вкладке general совпадает с данным параметром, то можно это поле не заполнять
После всех настроек нажимаем кнопку «ОК» И во вкладке NAT появится новое правило, если все сделано правильно, то все должно работать.
Обратите внимание, что перед полем можно поставить восклицательный знак, это означает отрицание
Данные настройки означают, что будут приниматься запросы на все порты кроме 3389.
Микротик dst nat или netmap
Содержание
- Проброс портов на маршрутизаторе Микротик, проброс диапазона портов.
- Для чего это нужно?
- Настройка проброса одного порта
- Проброс диапазона портов
- Проброс всех портов и всех протоколов на локальный ip
- Manual:IP/Firewall/NAT
- Contents
- Summary
- Masquerade
- Properties
- Stats
- Menu specific commands
- Basic examples
- Source NAT
- Masquerade
- Source nat to specific address
- Destination NAT
- Forward all traffic to internal host
- Port mapping/forwarding
- Port forwarding to internal FTP server
- 1:1 mapping
- Carrier-Grade NAT (CGNAT) or NAT444
Проброс диапазона портов
Если на маршрутизаторе Микротик надо сделать проброс не один, а несколько портов на локальный компьютер, то в качестве Dst.Ports указываем эти значения через запятую.
В этом случае будут приниматься пакеты из диапазона 3389-3391
Можно использовать оператор отрицания
Здесь будут приниматься пакеты в диапазоне с 1 по 3388 и с 3392 по 65536
Проброс диапазона портов - для наших ферм
Если же данного инструмента нам недостаточно, например надо пробросить udp для asterisk в диапазоне с 10000 по 20000, что не совсем удобно сделать вышеуказанными способами, то на помощь нам придет маркировка пакетов, переходим на вкладку firewall-Mangle.
нажимаем на плюс добавить правило. И заполняем необходимые поля
Chain – цепочка, может принимать следующие параметры
PREROUTING — Маркирует пакет до принятия решения о маршрутизации.
INPUT — Маркирует пакет, предназначенный самому хосту.
FORWARD — Маркирует транзитные пакеты.
OUTPUT — Маркирует пакеты, исходящие от самого хоста.
POSTROUTING — Маркирует все исходящие пакеты, как сгенерированные самим хостом, так и транзитные.
Нам нужно промаркировать пакет до того как он будет обработан правилами роутера, выбираем prerouting
Все остальные поля идентичны полям из правила NAT, только в Dst.Port уже можно указать диапазон.
Затем переходим на вкладку Action
Action ставим маркировку пакетов, mark packet
New Packet Mark – название маркировки, вводим удобное имя.
После чего нажимаем кнопку «ОК»
Теперь переходим во вкладку NAT и добавляем новое правило
Выбираем только канал приемник Chain dstnat и пункт Packet Mark, который создали выше. Затем переходим на вкладку Action
Указываем действие netmap или dst-nat
To Adresses — ip локального компьютера
Если хотим перенаправлять диапазон порт в порт, то поле To Ports не заполняем, если нужно перенаправлять с диапазона на один порт, то в To Ports указываем нужное значение.
Проброс всех портов и всех протоколов на локальный ip
Иногда нужно пробросить все порты и все протоколы на локальный ip, в этом случае нужно использовать netmap. По-простому, netmap это маршрутизация сеть в сеть. Работает так же как DMZ на домашних роутерах типа dlink или tplink.
Для настройки также заходим в NAT, Нажимаем добавить правило и заполняем поля как показано на рисунке
Выбираем только канал dstnat, после чего переходим на вкладку Action
Здесь Action ставим netmap и указываем адрес назначения
Все. Теперь все запросы на внешний ip будут перенаправляться на указанный локальный ip.
Manual:IP/Firewall/NAT
Contents
Summary
Sub-menu: /ip firewall nat
Network Address Translation is an Internet standard that allows hosts on local area networks to use one set of IP addresses for internal communications and another set of IP addresses for external communications. A LAN that uses NAT is referred as natted network. For NAT to function, there should be a NAT gateway in each natted network. The NAT gateway (NAT router) performs IP address rewriting on the way a packet travel from/to LAN.
There are two types of NAT:
- source NAT or srcnat. This type of NAT is performed on packets that are originated from a natted network. A NAT router replaces the private source address of an IP packet with a new public IP address as it travels through the router. A reverse operation is applied to the reply packets travelling in the other direction.
- destination NAT or dstnat. This type of NAT is performed on packets that are destined to the natted network. It is most comonly used to make hosts on a private network to be acceesible from the Internet. A NAT router performing dstnat replaces the destination IP address of an IP packet as it travel through the router towards a private network.
Hosts behind a NAT-enabled router do not have true end-to-end connectivity. Therefore some Internet protocols might not work in scenarios with NAT. Services that require the initiation of TCP connection from outside the private network or stateless protocols such as UDP, can be disrupted. Moreover, some protocols are inherently incompatible with NAT, a bold example is AH protocol from the IPsec suite.
To overcome these limitations RouterOS includes a number of so-called NAT helpers, that enable NAT traversal for various protocols.
Masquerade
Firewall NAT action=masquerade is unique subversion of action=srcnat , it was designed for specific use in situations when public IP can randomly change, for example DHCP-server changes it, or PPPoE tunnel after disconnect gets different IP, in short — when public IP is dynamic.
Every time interface disconnects and/or its IP address changes, router will clear all masqueraded connection tracking entries that send packet out that interface, this way improving system recovery time after public ip address change.
Unfortunately this can lead to some issues when action=masquerade is used in setups with unstable connections/links that get routed over different link when primary is down. In such scenario following things can happen:
- on disconnect, all related connection tracking entries are purged;
- next packet from every purged (previously masqueraded) connection will come into firewall as connection-state=new , and, if primary interface is not back, packet will be routed out via alternative route (if you have any) thus creating new connection;
- primary link comes back, routing is restored over primary link, so packets that belong to existing connections are sent over primary interface without being masqueraded leaking local IPs to a public network.
You can workaround this by creating blackhole route as alternative to route that might disappear on disconnect).
When action=srcnat is used instead, connection tracking entries remain and connections can simply resume.
Properties
Property | Description |
---|---|
action (action name; Default: accept) | Action to take if packet is matched by the rule:
|
address-list (string; Default: ) | Name of the address list to be used. Applicable if action is add-dst-to-address-list or add-src-to-address-list |
address-list-timeout (none-dynamic | none-static | time; Default: none-dynamic) | Time interval after which the address will be removed from the address list specified by address-list parameter. Used in conjunction with add-dst-to-address-list or add-src-to-address-list actions
|
chain (name; Default: ) | Specifies to which chain rule will be added. If the input does not match the name of an already defined chain, a new chain will be created. |
comment (string; Default: ) | Descriptive comment for the rule. |
connection-bytes (integer-integer; Default: ) | Matches packets only if a given amount of bytes has been transfered through the particular connection. 0 — means infinity, for example connection-bytes=2000000-0 means that the rule matches if more than 2MB has been transfered through the relevant connection |
connection-limit (integer,netmaks; Default: ) | Matches connections per address or address block after given value is reached. |
connection-mark (no-mark | string; Default: ) | Matches packets marked via mangle facility with particular connection mark. If no-mark is set, rule will match any unmarked connection. |
connection-rate (Integer 0..4294967295; Default: ) | Connection Rate is a firewall matcher that allow to capture traffic based on present speed of the connection. Read more>> |
connection-type (ftp | h323 | irc | pptp | quake3 | sip | tftp; Default: ) | Matches packets from related connections based on information from their connection tracking helpers. A relevant connection helper must be enabled under /ip firewall service-port |
content (string; Default: ) | Match packets that contain specified text |
dscp (integer: 0..63; Default: ) | Matches DSCP IP header field. |
dst-address (IP/netmask | IP range; Default: ) | Matches packets which destination is equal to specified IP or falls into specified IP range. |
dst-address-list (name; Default: ) | Matches destination address of a packet against user-defined address list |
dst-address-type (unicast | local | broadcast | multicast; Default: ) | Matches destination address type:
|
dst-limit (integer[/time],integer,dst-address | dst-port | src-address[/time]; Default: ) | Matches packets until a given pps limit is exceeded. As opposed to the limit matcher, every destination IP address / destination port has it’s own limit. Parameters are written in following format: count[/time],burst,mode[/expire] .
|
dst-port (integer[-integer]: 0..65535; Default: ) | List of destination port numbers or port number ranges |
fragment (yes|no; Default: ) | Matches fragmented packets. First (starting) fragment does not count. If connection tracking is enabled there will be no fragments as system automatically assembles every packet |
hotspot (auth | from-client | http | local-dst | to-client; Default: ) | Matches packets received from HotSpot clients against various HotSpot matchers.
|
icmp-options (integer:integer; Default: ) | Matches ICMP type:code fileds |
in-bridge-port (name; Default: ) | Actual interface the packet has entered the router, if incoming interface is bridge |
in-interface (name; Default: ) | Interface the packet has entered the router |
ingress-priority (integer: 0..63; Default: ) | Matches ingress priority of the packet. Priority may be derived from VLAN, WMM or MPLS EXP bit. Read more>> |
ipsec-policy (in | out, ipsec | none; Default: ) | Matches the policy used by IpSec. Value is written in following format: direction, policy . Direction is Used to select whether to match the policy used for decapsulation or the policy that will be used for encapsulation.
|
For example, if router receives Ipsec encapsulated Gre packet, then rule ipsec-policy=in,ipsec will match Gre packet, but rule ipsec-policy=in,none will match ESP packet.
ipv4-options (any | loose-source-routing | no-record-route | no-router-alert | no-source-routing | no-timestamp | none | record-route | router-alert | strict-source-routing | timestamp; Default: ) Matches IPv4 header options.- any — match packet with at least one of the ipv4 options
- loose-source-routing — match packets with loose source routing option. This option is used to route the internet datagram based on information supplied by the source
- no-record-route — match packets with no record route option. This option is used to route the internet datagram based on information supplied by the source
- no-router-alert — match packets with no router alter option
- no-source-routing — match packets with no source routing option
- no-timestamp — match packets with no timestamp option
- record-route — match packets with record route option
- router-alert — match packets with router alter option
- strict-source-routing — match packets with strict source routing option
- timestamp — match packets with timestamp
- count — maximum average packet rate measured in packets per time interval
- time — specifies the time interval in which the packet rate is measured (optional, 1s will be used if not specified)
- burst — number of packets which are not counted by packet rate
- WeightThreshold — total weight of the latest TCP/UDP packets with different destination ports coming from the same host to be treated as port scan sequence
- DelayThreshold — delay for the packets with different destination ports coming from the same host to be treated as possible port scan subsequence
- LowPortWeight — weight of the packets with privileged ( random (integer: 1..99; Default: ) Matches packets randomly with given probability. routing-mark (string; Default: ) Matches packets marked by mangle facility with particular routing mark same-not-by-dst (yes | no; Default: ) Specifies whether to take into account or not destination IP address when selecting a new source IP address. Applicable if action=same src-address (Ip/Netmaks, Ip range; Default: ) Matches packets which source is equal to specified IP or falls into specified IP range. src-address-list (name; Default: ) Matches source address of a packet against user-defined address list src-address-type (unicast | local | broadcast | multicast; Default: )
Matches source address type:
- unicast — IP address used for point to point transmission
- local — if address is assigned to one of router’s interfaces
- broadcast — packet is sent to all devices in subnet
- multicast — packet is forwarded to defined group of devices
Stats
/ip firewall nat print stats will show additional read-only properties
Property Description bytes (integer) Total amount of bytes matched by the rule packets (integer) Total amount of packets matched by the rule By default print is equivalent to print static and shows only static rules.
To print also dynamic rules use print all.
Or to print only dynamic rules use print dynamic
Menu specific commands
Property Description reset-counters (id) Reset statistics counters for specified firewall rules. reset-counters-all ( ) Reset statistics counters for all firewall rules. Basic examples
Source NAT
Masquerade
If you want to «hide» the private LAN 192.168.0.0/24 «behind» one address 10.5.8.109 given to you by the ISP, you should use the source network address translation (masquerading) feature of the MikroTik router. The masquerading will change the source IP address and port of the packets originated from the network 192.168.0.0/24 to the address 10.5.8.109 of the router when the packet is routed through it.
To use masquerading, a source NAT rule with action ‘masquerade’ should be added to the firewall configuration:
All outgoing connections from the network 192.168.0.0/24 will have source address 10.5.8.109 of the router and source port above 1024. No access from the Internet will be possible to the Local addresses. If you want to allow connections to the server on the local network, you should use destination Network Address Translation (NAT).
Source nat to specific address
If you have multiple public IP addresses, source nat can be changed to specific IP, for example, one local subnet can be hidden behind first IP and second local subnet is masqueraded behind second IP.
Destination NAT
Forward all traffic to internal host
If you want to link Public IP 10.5.8.200 address to Local one 192.168.0.109, you should use destination address translation feature of the MikroTik router. Also if you want allow Local server to initiate connections to outside with given Public IP you should use source address translation, too.
Add Public IP to Public interface:
Add rule allowing access to the internal server from external networks:
Add rule allowing the internal server to initate connections to the outer networks having its source address translated to 10.5.8.200:
Port mapping/forwarding
If you would like to direct requests for a certain port to an internal machine (sometimes called opening a port, port mapping), you can do it like this:
This rule translates to: when an incoming connection requests TCP port 1234, use the DST-NAT action and redirect it to local address 192.168.1.1 and the port 1234
Port forwarding to internal FTP server
As you can see from illustration above FTP uses more than one connection, but only command channel should be forwarded by Destination nat. Data channel is considered as related connection and should be accepted with «accept related» rule if you have strict firewall. Note that for related connections to be properly detected FTP helper has to be enabled.
Note that active FTP might not work if client is behind dumb firewall or NATed router, because data channel is initiated by the server and cannot directly access the client.
If client is behind Mikrotik router, then make sure that FTP helper is enabled
1:1 mapping
If you want to link Public IP subnet 11.11.11.0/24 to local one 2.2.2.0/24, you should use destination address translation and source address translation features with action=netmap.
Same can be written using different address notation, that still have to match with the described network
Carrier-Grade NAT (CGNAT) or NAT444
To combat IPv4 address exhaustion, new RFC 6598 was deployed. The idea is to use shared 100.64.0.0/10 address space inside carrier’s network and performing NAT on carrier’s edge router to sigle public IP or public IP range.
Because of nature of such setup it is also called NAT444, as opposed to a NAT44 network for a ‘normal’ NAT environment, three different IPv4 address spaces are involved.
CGNAT configuration on RouterOS does not differ from any other regular source NAT configuration:
- 2.2.2.2 — public IP address,
- public_if — interface on providers edge router connected to internet
The advantage of NAT444 is obvious, less public IPv4 addresses used. But this technique comes with mayor drawbacks:
- The service provider router performing CGNAT needs to maintain a state table for all the address translations: this requires a lot of memory and CPU resources.
- Console gaming problems. Some games fail when two subscribers using the same outside public IPv4 address try to connect to each other.
- Tracking of users for legal reasons means extra logging, as multiple households go behind one public address.
- Anything requiring incoming connections is broken. While this already was the case with regular NAT, end users could usually still set up port forwarding on their NAT router. CGNAT makes this impossible. This means no web servers can be hosted here, and IP Phones cannot receive incoming calls by default either.
- Some web servers only allow a maximum number of connections from the same public IP address, as a means to counter DoS attacks like SYN floods. Using CGNAT this limit is reached more often and some services may be of poor quality.
- 6to4 requires globally reachable addresses and will not work in networks that employ addresses with limited topological span.
More on things that can break can be read in this article [1]
Packets with Shared Address Space source or destination addresses MUST NOT be forwarded across Service Provider boundaries. Service Providers MUST filter such packets on ingress links. In RouterOS this can be easily done with firewall filters on edge routers:
Service providers may be required to do logging of MAPed addresses, in large CGN deployed network that may be a problem. Fortunately RFC 7422 suggests a way to manage CGN translations in such a way as to significantly reduce the amount of logging required while providing traceability for abuse response.
RFC states that instead of logging each connection, CGNs could deterministically map customer private addresses (received on the customer-facing interface of the CGN, a.k.a., internal side) to public addresses extended with port ranges.
In RouterOS described algorithm can be done with few script functions. Lets take an example:
Inside IP Outside IP/Port range 100.64.1.1 2.2.2.2:2000-2099 100.64.1.2 2.2.2.2:2100-2199 100.64.1.3 2.2.2.2:2200-2299 100.64.1.4 2.2.2.2:2300-2399 100.64.1.5 2.2.2.2:2400-2499 100.64.1.6 2.2.2.2:2500-2599 Instead of writing NAT mappings by hand we could write a function which adds such rules automatically.
After pasting above script in the terminal function «addNatRules» is available. If we take our example, we need to map 6 shared network addresses to be mapped to 2.2.2.2 and each address uses range of 100 ports starting from 2000. So we run our function:
Now you should be able to get set of rules: