gfx wrote:
這作用在於內網裝置連接內部伺服器時,不使用策略規則.
所以這兩筆規則需拉到/ip firewall mangle最頂端0和1的位置,讓它們優先於策略規則之上.
我兩條也有加...但是還是無效
NAT chain=dstnat action dst-nat dst.address=69.69.69.69 in.interface=wan to address=192.168.2.10
NAT chain=srcnat action src-nat src.address=192.168.2.10 out.interface=wan to address=69.69.69.69
Nat Loopback
action=masquerade chain=srcnat dst-address=192.168.2.0/24 src-address=192.168.2.0/24
您設錯了,這樣才對:
chain=dstnat action=dst-nat dst-address=69.69.69.69 in-interface=wan to-addresses=192.168.2.10
chain=dstnat action=dst-nat dst-address=69.69.69.69 in-interface=lan to-addresses=192.168.2.10
action=masquerade chain=srcnat dst-address=192.168.2.10 src-address=192.168.2.0/24 out-interface=lan
或者:
chain=dstnat action=dst-nat dst-address=69.69.69.69 to-addresses=192.168.2.10
action=src-nat chain=srcnat dst-address=192.168.2.10 src-address=192.168.2.0/24 to-addresses=192.168.2.1
上是較嚴謹的,映射內外用interface區隔;
下則簡約不指名interface,只要連69.69.69.69就觸發映射。
gfx wrote:
上是較嚴謹的,映射內外用interface區隔;
下則簡約不指名interface,只要連69.69.69.69就觸發映射。
gfx兄
我用上面那個就通了, 但是請問一下, 下面這條規則不需要嗎?這台Server 有mailer server DNS server 等複合的功能, 所以我是按照網路上的教案, 不是開特定port 而是直接讓內外ip 直接對應
NAT chain=srcnat action src-nat src.address=192.168.2.10 out.interface=wan to address=69.69.69.69
而且這條的流量比dstnat 這條流量還要高..
chain=dstnat action=dst-nat dst-address=69.69.69.69 in-interface=wan to-addresses=192.168.2.10
LoveTaiwan wrote:
gfx
樓主
srcnat這規則沒意義啊,為何從公網連69.69.69.69的ip都要偽裝成192.168.2.10,這樣不就查不到是誰連接mail-server嗎?
2024-01-03 10:30
咦! 我一直以為靜態NAT 內外互指才算雙向互通...
首先假設從wan連入的ip是1.1.1.1,整個映射流程:
1.1.1.1 =wan=> 69.69.69.69 =lan=> 192.168.2.10 =lan=> 69.69.69.69 =wan=> 1.1.1.1
爾後從lan連入的ip是192.168.2.88,整個映射流程:
192.168.2.88 =lan=> 69.69.69.69 =lan=> 192.168.2.10 =lan=> 192.168.2.88
有無發現192.168.2.10在回去的時後,少了回69.69.69.69流程,直接往192.168.2.88去...
那是因為192.168.2.10與192.168.2.88在同一個內網,內網傳輸是不經過Router的。
所以透過srcnat偽裝:
192.168.2.88(192.168.2.1) =lan=> 69.69.69.69 =lan=> 192.168.2.10 =lan=> 69.69.69.69 =lan=> 192.168.2.1(192.168.2.88)
192.168.2.88連接192.168.2.10是不經過Router的,
但這不含192.168.2.1,因為192.168.2.1自己就是Router。
所以loopback的目的即想辦法,讓192.168.2.10往192.168.2.88時,
要再繞回Router,不要用一般內網方式直接回去,就這樣。
然後srcnat偽裝成Router ip一定要偽裝成192.168.2.1嗎?
其實好像也沒必要~
69.69.69.69也是Router ip啊,另一個固定制ip 69.69.69.68也是啊Router ip啊,
因wifi cam設另一個網段的gateway-ip(192.168.89.1)當然也是
這些ip拿來當loopback偽裝地址都沒問題
gfx wrote:
請您看一下NAT工作說明,舊ip是儲存在Router記憶體內。
路由返還時,Router會負責還原的。
找時間來好好研究, 我會這樣設是看原廠的Destination NAT 介紹如下
Destination NAT
Forward all traffic to internal host
If you want to link Public IP 10.5.8.200 address to Local one 192.168.0.109, you should use destination address translation feature of the MikroTik router. Also if you want allow Local server to initiate connections to outside with given Public IP you should use source address translation, too.
Add Public IP to Public interface:
/ip address add address=10.5.8.200/32 interface=Public
Add rule allowing access to the internal server from external networks:
/ip firewall nat add chain=dstnat dst-address=10.5.8.200 action=dst-nat \
to-addresses=192.168.0.109
Add rule allowing the internal server to initate connections to the outer networks having its source address translated to 10.5.8.200:
/ip firewall nat add chain=srcnat src-address=192.168.0.109 action=src-nat \
to-addresses=10.5.8.200
內文搜尋
從 APP 打開
X