RouterOS port mapping

Source: Internet
Author: User
Tags: routeros, winbox

1. What is port mapping?

Port mapping here means port mapping on a router. Routers in a network generally have a firewall function: Internet users can only reach the WAN port of the router (the port connected to the ADSL line, or a fixed Internet IP address). To let external users reach a computer on the LAN, a forwarding setting, that is, a port mapping, must be configured on the router. After a user's request reaches the router, it is forwarded to a machine on the LAN, such as a game server or a web server. This is port mapping.

For example, if you run a web server on the LAN with the IP address 192.168.1.3 on port 80, you only need to enter http://192.168.1.3 on the LAN to see the content of your web site. But if you try to reach this web server from the Internet by entering http://192.168.1.3, it cannot be reached, because 192.168.1.3 is an intranet address of the LAN. To reach this server from the Internet, you need to map port 80 of the host to the Internet through the router. Besides web services, other services such as FTP and Remote Desktop can map different ports so that the intranet machines can be reached from the Internet through the router. Routers generally have a port mapping function.

This article describes port mapping on ROS (RouterOS) software routers, and proposes solutions for the problems of visitor IP address display and backflow with the Internet IP address.

2. Configure port mapping in ROS 2.96

Open winbox and click IP → Firewall → NAT to open the firewall settings page. Click "+" in the upper left corner to add a dstnat rule. In Dst. Address enter the Internet IP address you want to map; in this example it is 218.87.96.xxx (enter your own Internet IP address here). Then select Protocol 6 (TCP) and set Dst. Port (the target port) to 80, as shown in Figure 1.

Click the Action tab. In the Action box select dst-nat. In To Addresses enter the IP address of the intranet server, 192.168.1.3 in this example, and in To Ports enter the port of the intranet service. The mapping is complete, as shown in Figure 2. You can now enter your Internet IP address from the outside network and view the website on the intranet web server 192.168.1.3. FTP and Remote Desktop can be set up in the same way; note that the ports of these services are different. For example, if you have two intranet web servers, port 80 is already used by the first one, so the second server cannot be mapped to port 80 but can be mapped to another port, for example 81: map the intranet 192.168.1.4:80 to the Internet 218.87.96.xxx:81. In this way one Internet IP address is used to reach two intranet web servers.

3. IP address display and backflow troubleshooting

After the basic port mapping of step 2 is configured, the server can be reached from the outside network, but there are some imperfections. For example, the source address of every Internet visitor appears as the router's intranet gateway address, 192.168.1.1 in this example, as shown in Figure 3. Visitor sources therefore cannot be counted, which causes a lot of inconvenience; for instance, a web forum cannot block the IP addresses of particular members, because everyone appears as 192.168.1.1.

The reason is this: to let all machines on the intranet share the Internet connection, a srcnat rule with the action masquerade was set when ROS was configured. Masquerade is a special case of SNAT, mainly used where the gateway has no fixed IP address, such as with ADSL dial-up. Masquerade is less efficient than NAT (src-nat) because src-nat states the source address to translate to directly, whereas masquerade has to look the address up at translation time, and it always uses the IP address of the default gateway interface as the translated source address; so it is slower, and it can only use one Internet IP address. With several WAN interfaces you cannot use masquerade, only src-nat, because src-nat can specify several translated source addresses manually, while masquerade only finds one, the default gateway address. Because src-nat is more complex to set up than masquerade, and a large number of ROS tutorials share the Internet with masquerade, most ROS installations in use today use masquerade for sharing. From this analysis we can see why, after port mapping, the IP addresses that reach the server from the Internet have all become the intranet gateway address. There are two solutions. The first is to replace masquerade with src-nat; this method has limitations and can only be used on a public network with a fixed IP address, not on ADSL. The other is to adjust the masquerade settings so that the public IP addresses are displayed. The specific steps are as follows.

Open winbox and click IP → Firewall → NAT to open the firewall settings page. Double-click the original srcnat masquerade rule (the one used for Internet sharing). On the General tab, in Out. Interface select "Lan", that is, the intranet NIC, and click the "!" (negate) box in front of it. Click OK to complete the setting.

After this setting, Internet visitors can access the website normally and their IP addresses are displayed correctly. But at the same time a new problem appears: intranet users can no longer use the external IP address to reach the mapped internal server. To fix this, add an intranet rule with the action masquerade. On the General tab set Chain to srcnat and Src. Address to 192.168.0.0/21. In this example the intranet has several Class C subnets, such as 192.168.0, 192.168.1 and 192.168.7, so the prefix length is set to 21, that is, 255.255.248.0, as shown in Figure 5. Generally, when there is only one subnet, for example 192.168.1, the prefix length is 24, that is, 255.255.255.0, and you enter 192.168.1.0/24 here. Modify this value according to your own intranet.

At this point both the intranet and the Internet can reach the server normally, and the Internet visitor's IP address is shown correctly. When an intranet host reaches the web server through the Internet IP address, the IP address shown is the intranet gateway address. So this method lets both internal and external users reach the mapped internal service through the gateway's external IP address, and solves the problem of external users' IP addresses being displayed incorrectly. Of course, the IP address displayed for intranet users is still incorrect. To get intranet IP addresses displayed as well, you can set up a DNS server in RouterOS and access the service by domain name, so that intranet hosts reach the server by its intranet IP address rather than the Internet IP address. In my view, what we mainly want to know is the Internet visitor's IP address; the intranet IP address is not important. So the settings are now complete.

Next, the backflow problem. The backflow method means converting the source address of every machine in the intranet segment to the Internet IP address before forwarding, so that all data returned from the server is sent back to the intranet machine via the Internet IP address. This keeps intranet access working, but efficiency is reduced to 50%, which is obviously not cost-effective. And when masquerade is used for Internet sharing, the IP address seen from the Internet is the intranet gateway, so backflow is not desirable. Although it is not desirable, the method is written down here for reference. Add a srcnat rule. In Src. Address enter the intranet network address; note that this is the network segment, not a host address: if the intranet IP addresses are 192.168.0.x with the subnet mask 255.255.255.0, enter 192.168.0.0/24. Dst. Address is the IP address of the host that provides the service on the intranet. For the protocol and port, see the description above. On the Action tab select src-nat and enter the mapped Internet IP address and port.
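Added example, not from the original article or from MikroTik: a small Python model of the NAT chains set up in sections 2 and 3. It walks one packet through the dstnat chain, the routing decision and the srcnat chain, so the effects described above can be reproduced offline: visitors logged as 192.168.1.1 with the plain masquerade rule, the Out. Interface "!Lan" fix showing the real visitor address but breaking intranet access through the public address, and the extra intranet masquerade rule and the src-nat backflow rule restoring it. All addresses are constructed: 218.87.96.100 stands in for the article's 218.87.96.xxx, and 8.8.4.4 / 192.168.1.5 / 192.168.0.7 are made-up clients. The rule parameters in the comments are my rendering of the winbox steps, not text from the article.

```python
# Toy model of the NAT chains from this article (added example, not MikroTik code).
# All addresses are constructed; 218.87.96.100 stands in for the article's 218.87.96.xxx.
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional

LAN_NET = ip_network("192.168.0.0/21")    # the article's multi-subnet intranet
LAN_GW = ip_address("192.168.1.1")        # router's intranet gateway address
PUBLIC_IP = ip_address("218.87.96.100")   # router's public (WAN) address, constructed
WEB_SERVER = ip_address("192.168.1.3")    # intranet web server from the article

@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    proto: str
    dport: int

@dataclass(frozen=True)
class Rule:
    chain: str                             # "dstnat" or "srcnat"
    action: str                            # "dst-nat", "src-nat" or "masquerade"
    src_address: Optional[IPv4Network] = None
    dst_address: Optional[IPv4Address] = None
    protocol: Optional[str] = None
    dst_port: Optional[int] = None
    out_interface: Optional[str] = None    # "LAN", "WAN", or negated "!LAN"
    to_address: Optional[IPv4Address] = None
    to_port: Optional[int] = None

def iface_for(addr):
    """Routing decision: intranet prefixes leave on LAN, everything else on WAN."""
    return "LAN" if addr in LAN_NET else "WAN"

def matches(rule, pkt, out_iface):
    """Every matcher that is set must agree; "!X" is the negate box on Out. Interface."""
    if rule.src_address is not None and pkt.src not in rule.src_address:
        return False
    exact = [(rule.dst_address, pkt.dst), (rule.protocol, pkt.proto), (rule.dst_port, pkt.dport)]
    if any(want is not None and want != got for want, got in exact):
        return False
    if rule.out_interface is not None:
        want = rule.out_interface
        if (out_iface == want.lstrip("!")) == want.startswith("!"):
            return False
    return True

def forward(rules, pkt):
    """Walk dstnat -> routing -> srcnat; the first matching rule in each chain wins."""
    for r in rules:                       # 1. dstnat runs before the routing decision
        if r.chain == "dstnat" and matches(r, pkt, None):
            if r.action == "dst-nat":
                pkt = replace(pkt, dst=r.to_address, dport=r.to_port or pkt.dport)
            break
    out_iface = iface_for(pkt.dst)        # 2. route on the (possibly rewritten) destination
    for r in rules:                       # 3. srcnat runs after routing and sees out-interface
        if r.chain == "srcnat" and matches(r, pkt, out_iface):
            if r.action == "masquerade":  # masquerade: the router's address on the egress interface
                pkt = replace(pkt, src=LAN_GW if out_iface == "LAN" else PUBLIC_IP)
            elif r.action == "src-nat":   # src-nat: the address written in the rule
                pkt = replace(pkt, src=r.to_address)
            break
    return pkt, out_iface

def source_seen_by_server(rules, client):
    """Source address the web server logs for a TCP/80 visit to the public IP."""
    delivered, _ = forward(rules, Packet(ip_address(client), PUBLIC_IP, "tcp", 80))
    return str(delivered.src)

def can_reach_via_public_ip(rules, client):
    """Does the reply get back to the client? The server answers the source it saw. A reply
    to the gateway or to a non-intranet address returns through the router, which undoes
    the translation. A reply to another intranet host goes straight across the switch,
    untranslated, so the client receives it from 192.168.1.3 rather than from the address
    it connected to, and drops it (the backflow problem)."""
    delivered, _ = forward(rules, Packet(ip_address(client), PUBLIC_IP, "tcp", 80))
    if delivered.dst != WEB_SERVER:
        return False                      # no dstnat hit: nothing was mapped
    return delivered.src == LAN_GW or delivered.src not in LAN_NET

# Section 2: dstnat, dst-address=<public IP>, tcp/80, dst-nat to 192.168.1.3:80
MAP_WEB = Rule("dstnat", "dst-nat", dst_address=PUBLIC_IP, protocol="tcp", dst_port=80,
               to_address=WEB_SERVER, to_port=80)
SHARE_ALL = Rule("srcnat", "masquerade")                            # original sharing rule
SHARE_NOT_LAN = Rule("srcnat", "masquerade", out_interface="!LAN")  # section 3 fix: Out. Interface !Lan
HAIRPIN = Rule("srcnat", "masquerade", src_address=LAN_NET)         # section 3 intranet rule, 192.168.0.0/21
BACKFLOW = Rule("srcnat", "src-nat", src_address=ip_network("192.168.0.0/24"),  # section 3 backflow rule
                dst_address=WEB_SERVER, protocol="tcp", dst_port=80, to_address=PUBLIC_IP)

ORIGINAL = [MAP_WEB, SHARE_ALL]                      # visitors logged as 192.168.1.1
FIXED = [MAP_WEB, SHARE_NOT_LAN]                     # visitors correct, intranet via public IP broken
FIXED_HAIRPIN = [MAP_WEB, SHARE_NOT_LAN, HAIRPIN]    # intranet via public IP works, logged as gateway
FIXED_BACKFLOW = [MAP_WEB, SHARE_NOT_LAN, BACKFLOW]  # 192.168.0.x clients logged as the public IP

if __name__ == "__main__":
    for name, rules in [("original", ORIGINAL), ("fixed", FIXED), ("hairpin", FIXED_HAIRPIN)]:
        for client in ("8.8.4.4", "192.168.1.5"):    # constructed visitors
            print(name, client, source_seen_by_server(rules, client), can_reach_via_public_ip(rules, client))
```

The model deliberately has no connection tracking: it only asks which address the server sees and whether that address routes back through the router, which is exactly what decides both the "everyone is 192.168.1.1" symptom and the intranet-access failure. Ordering matters the same way it does in the real firewall: the "!Lan" rule has to sit before the intranet masquerade rule, otherwise the intranet rule would also match LAN-to-Internet traffic (harmless here, since masquerade on the WAN side picks the public address anyway, but it hides the intent).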
