Rhaas
Premium Member
join:2005-12-19
Bernie, MO

to jim_p_price7

Re: [Equipment] Rewrite destination in Mikrotik bridge?

Here is what I have:
add action=jump chain=forward comment="DC/Non Pay Users" disabled=no jump-target=DC_USERS src-address=10.201.0.0/16
 
All of my disconnected/non pay users get an ip address out of the 10.201.0.0/16 range. The above rule forces all of their traffic into the DC_USERS chain.

add action=accept chain=DC_USERS comment="" disabled=no dst-address=66.211.40.15 dst-port=80 protocol=tcp
add action=accept chain=DC_USERS comment="" disabled=no dst-port=53 protocol=udp
add action=drop chain=DC_USERS comment="" disabled=no
 
We allow traffic to 66.211.40.15 which is my webserver where the 'contact billing' page exists.
We also allow DNS traffic.
Lastly we drop all other traffic.

add action=dst-nat chain=dstnat comment="DC/NonPay Users" disabled=no dst-port=80 protocol=tcp src-address=10.201.0.0/16 to-addresses=66.211.40.15 to-ports=80
add action=dst-nat chain=dstnat comment="DC/NonPay Users" disabled=no src-address=10.201.0.0/16 dst-port=53 protocol=udp to-addresses=74.91.66.2 to-ports=53
 
In the nat page we dstnat port 80 traffic from 10.201.0.0/16 to our webserver ip.
We also redirect DNS to our DNS server at 74.91.66.2.

For the webserver the trick is you have to use an IP-based site (name aliasing won't work). You also need to set up the 404 page to be the index page of the site as well.

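The rules above are easier to reason about when you can push a packet through them and see which chain terminates it. The script below is an added example, not code from the post or from MikroTik: it parses the export lines as written above, walks the forward chain (following the jump into DC_USERS) and the dstnat chain, and shows why the order matters: dstnat rewrites the destination first, so the filter rule that only accepts 66.211.40.15:80 still matches a non-pay user's request to any other web site. Only the matchers the post uses are implemented, and the sample destinations are constructed.

```python
"""Toy evaluator for the MikroTik rules quoted in the post above.

Added example; it is not code from the original post or from MikroTik. It
parses the `/ip firewall filter` and `/ip firewall nat` export lines and
walks a packet through the chains so the accept/drop/dst-nat outcome for a
disconnected user's traffic can be checked offline. Only the matchers the
post uses (src-address, dst-address, dst-port, protocol) are implemented;
RouterOS itself has many more, and the hosts used in the demo are made up.
"""
import ipaddress
import shlex
from dataclasses import dataclass

# Rules exactly as exported on the page.
FILTER_RULES = """
add action=jump chain=forward comment="DC/Non Pay Users" disabled=no jump-target=DC_USERS src-address=10.201.0.0/16
add action=accept chain=DC_USERS comment="" disabled=no dst-address=66.211.40.15 dst-port=80 protocol=tcp
add action=accept chain=DC_USERS comment="" disabled=no dst-port=53 protocol=udp
add action=drop chain=DC_USERS comment="" disabled=no
"""
NAT_RULES = """
add action=dst-nat chain=dstnat comment="DC/NonPay Users" disabled=no dst-port=80 protocol=tcp src-address=10.201.0.0/16 to-addresses=66.211.40.15 to-ports=80
add action=dst-nat chain=dstnat comment="DC/NonPay Users" disabled=no src-address=10.201.0.0/16 dst-port=53 protocol=udp to-addresses=74.91.66.2 to-ports=53
"""


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    proto: str


def parse_rules(text):
    """Turn 'add key=value ...' export lines into a list of dicts, skipping disabled rules."""
    rules = []
    for line in text.strip().splitlines():
        parts = shlex.split(line)  # honours the quoted comment="..." values
        if not parts or parts[0] != "add":
            continue
        rule = dict(p.split("=", 1) for p in parts[1:])
        if rule.get("disabled") != "yes":
            rules.append(rule)
    return rules


def matches(rule, pkt):
    """A rule matches when every matcher it carries agrees with the packet."""
    if "src-address" in rule and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule["src-address"], strict=False):
        return False
    if "dst-address" in rule and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule["dst-address"], strict=False):
        return False
    if "protocol" in rule and rule["protocol"] != pkt.proto:
        return False
    if "dst-port" in rule and int(rule["dst-port"]) != pkt.dport:
        return False
    return True


def walk_chain(rules, chain, pkt):
    """Walk a chain top to bottom, following jumps; return the terminal action or None."""
    for rule in rules:
        if rule["chain"] != chain or not matches(rule, pkt):
            continue
        if rule["action"] == "jump":
            verdict = walk_chain(rules, rule["jump-target"], pkt)
            if verdict is not None:
                return verdict
            continue  # jumped-to chain fell off the end: resume this chain
        return rule["action"]
    return None


def filter_verdict(pkt):
    """RouterOS built-in chains accept by default when no rule terminates."""
    return walk_chain(parse_rules(FILTER_RULES), "forward", pkt) or "accept"


def dstnat(pkt):
    """Destination the dstnat chain rewrites to, or the original if nothing matches."""
    for rule in parse_rules(NAT_RULES):
        if rule["chain"] == "dstnat" and rule["action"] == "dst-nat" and matches(rule, pkt):
            return rule["to-addresses"], int(rule["to-ports"])
    return pkt.dst, pkt.dport


def process(pkt):
    """dstnat runs before the forward filter, so the filter sees the rewritten destination."""
    new_dst, new_port = dstnat(pkt)
    verdict = filter_verdict(Packet(pkt.src, new_dst, new_port, pkt.proto))
    return verdict, (new_dst, new_port)


if __name__ == "__main__":
    # Constructed sample traffic; 203.0.113.10 is a documentation-range address.
    for pkt in (Packet("10.201.3.7", "203.0.113.10", 80, "tcp"),
                Packet("10.201.3.7", "203.0.113.10", 53, "udp"),
                Packet("10.201.3.7", "203.0.113.10", 443, "tcp"),
                Packet("10.9.0.1", "203.0.113.10", 443, "tcp")):
        print(pkt, "->", process(pkt))
```

Running it shows a non-pay user's port-80 request to any site being rewritten to 66.211.40.15:80 and accepted, DNS rewritten to 74.91.66.2 and accepted, everything else from that range dropped, and a paying customer's traffic untouched. Calling filter_verdict() alone on the un-rewritten port-80 packet returns drop, which is the behaviour you would get if the dstnat rules were missing or, as discussed further down the thread, never matched.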
jim_p_price7
Member
join:2005-10-28
Henryetta, OK

Thank you!

jim_p_price7
Member

to Rhaas

So I messed around using your suggestions and made some progress, but I'm stuck on the whole dst-nat thing. I think it's because my RB1200 is being used as a transparent bridge. I've verified that traffic is jumping to my non-pay chain, and I can allow hits to my website and DNS and drop the rest. But dst-nat in the NAT tab has no effect - the counters don't move. BTW, I do have "use IP Firewall" enabled on the bridge.

I did some reading and learned that I can do dst-nat in the bridge tab, but I can only rewrite MAC addresses, not IPs.

Any thoughts?

Rhaas
Premium Member
join:2005-12-19
Bernie, MO

I can see the dstnat rules on my transparent bridge increment. However, I'm on the same layer 2 network as my web server, so I'm getting some funkiness right now.

Can you post your dstnat rules and what ip pool range you are using for your dc/non pay customers?

Rhaas
Premium Member

to jim_p_price7

Hmm, seems as though this will not work through a transparent bridge.

I tried the dstnat rule on my bridge that sits between my edge/BGP router and my core router and I could see the SYN/ACK begin to take place; however, the full handshake was never completed:
08:39:22.630032 IP xxx.bpsnetworks.com.3339 > host-66.211.40.15.bpsnetworks.com.http: S 3511203765:3511203765(0) win 16384 <mss 1460,nop,nop,sackOK>
        0x0000:  4500 0030 ba4f 4000 7d06 4137 4a5b 4d04  E..0.O@.}.A7J[M.
        0x0010:  42d3 280f 0d0b 0050 d148 b7b5 0000 0000  B.(....P.H......
        0x0020:  7002 4000 aa84 0000 0204 05b4 0101 0402  p.@.............
08:39:22.630092 IP host-66.211.40.15.bpsnetworks.com.http > xxx.bpsnetworks.com.3339: S 2140628834:2140628834(0) ack 3511203766 win 65535 <mss 1460,sackOK,eol>
        0x0000:  4500 0030 560f 4000 4006 e277 42d3 280f  E..0V.@.@..wB.(.
        0x0010:  4a5b 4d04 0050 0d0b 7f97 6762 d148 b7b6  J[M..P....gb.H..
        0x0020:  7012 ffff 047b 0000 0204 05b4 0402 0000  p....{..........
08:39:22.632425 IP xxx.bpsnetworks.com.3339 > host-66.211.40.15.bpsnetworks.com.http: R 3511203766:3511203766(0) win 0
        0x0000:  4500 0028 ba51 0000 7e06 803d 4a5b 4d04  E..(.Q..~..=J[M.
        0x0010:  42d3 280f 0d0b 0050 d148 b7b6 d148 b7b6  B.(....P.H...H..
        0x0020:  5004 0000 8e45 0000 0000 0000 0000       P....E........

Moving the same rule to the core router worked. I'll take a look at it more later on and see if I can tell what is happening.
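The capture above shows the failure signature: the client's SYN, the server's SYN/ACK, then a RST from the client instead of the final ACK. A client answers a SYN/ACK with a RST when it cannot match that segment to a connection it opened, and with NAT in the path that usually means the reply reached the client without its addresses being translated back to what the client originally sent (a general TCP/NAT observation, not something the post establishes). The script below is an added example, not from the post: it parses old-style tcpdump lines in the format shown, pairs each SYN with the replies on the same 4-tuple, and reports which handshakes completed, which were reset after the SYN/ACK, and which got no reply. The sample lines are constructed with made-up hostnames; the hex-dump continuation lines are skipped.

```python
"""Flag TCP handshakes that die after the SYN/ACK in an old-style tcpdump log.

Added example; not from the original post. It reads tcpdump lines in the
format quoted above ("S ... ack N" for SYN/ACK, "R" for RST, "." for a bare
ACK), pairs each client SYN with the replies on the same 4-tuple, and reports
the connections where the client answered the SYN/ACK with a RST instead of
an ACK. The sample lines are constructed with made-up hostnames; indented
hex-dump continuation lines are skipped.
"""
import re

# Constructed capture: one reset-after-SYN/ACK, one good handshake, one unanswered SYN.
SAMPLE_CAPTURE = """\
08:39:22.630032 IP client.example.3339 > web.example.http: S 3511203765:3511203765(0) win 16384 <mss 1460,nop,nop,sackOK>
        0x0000:  4500 0030 ba4f 4000 7d06 4137 4a5b 4d04  E..0.O@.}.A7J[M.
08:39:22.630092 IP web.example.http > client.example.3339: S 2140628834:2140628834(0) ack 3511203766 win 65535 <mss 1460,sackOK,eol>
08:39:22.632425 IP client.example.3339 > web.example.http: R 3511203766:3511203766(0) win 0
08:39:23.100000 IP client.example.3340 > web.example.http: S 100:100(0) win 16384 <mss 1460>
08:39:23.100050 IP web.example.http > client.example.3340: S 200:200(0) ack 101 win 65535 <mss 1460>
08:39:23.100100 IP client.example.3340 > web.example.http: . ack 201 win 16384
08:39:24.000000 IP client.example.3341 > web.example.http: S 300:300(0) win 16384 <mss 1460>
"""

# ts IP src.port > dst.port: flags rest   (old tcpdump: the port is the last dotted component)
LINE_RE = re.compile(r"^(\S+) IP (\S+)\.([^.\s]+) > (\S+)\.([^.\s]+): (\S+) ?(.*)$")


def handshake_events(text):
    """Map client-keyed 4-tuples to the ordered list of handshake events seen."""
    events = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # hex dump and anything else that is not a packet summary
        _ts, src, sport, dst, dport, flags, rest = m.groups()
        has_ack = re.search(r"\back\b", rest) is not None  # "sackOK" does not count
        fwd = (src, sport, dst, dport)  # key if this packet is client -> server
        rev = (dst, dport, src, sport)  # key if this packet is server -> client
        if "S" in flags and not has_ack:
            events[fwd] = ["SYN"]
        elif rev in events and "S" in flags and has_ack:
            events[rev].append("SYNACK")
        elif rev in events and "R" in flags:
            events[rev].append("RST_FROM_SERVER")
        elif fwd in events and "R" in flags:
            events[fwd].append("RST_FROM_CLIENT")
        elif fwd in events and has_ack and "SYNACK" in events[fwd]:
            events[fwd].append("ACK")
    return events


def summarize(evts):
    """Reduce an event list to a one-line status for the connection."""
    if "ACK" in evts:
        return "established"
    if "SYNACK" in evts and "RST_FROM_CLIENT" in evts:
        return "client reset after SYN/ACK; handshake never completed"
    if "RST_FROM_SERVER" in evts:
        return "server refused"
    if "SYNACK" in evts:
        return "SYN/ACK seen, no final ACK"
    return "no reply to SYN"


def analyze(text):
    """Return {'client:port -> server:port': status} for every SYN in the capture."""
    return {f"{c}:{cp} -> {s}:{sp}": summarize(e)
            for (c, cp, s, sp), e in handshake_events(text).items()}


if __name__ == "__main__":
    for conn, status in analyze(SAMPLE_CAPTURE).items():
        print(f"{conn}: {status}")
```

Feed it a real `tcpdump -nn`-style capture taken on the bridge and a cluster of "client reset after SYN/ACK" entries for the redirected port confirms the same failure without reading hex dumps by hand; the same capture taken behind the router that does the NAT (the core router in the post) should show those connections as established.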
jim_p_price7
Member
join:2005-10-28
Henryetta, OK

Thanks, glad to know I wasn't going crazy. I too saw the SYN/ACK traffic spike briefly in the stats, but not fully completed. Looking forward to what you find out - feel free to PM if you want, and I appreciate your brain power on this.