📗MikroTik MTCNA - NAT (Dstnat, Srcnat, Redirect)

Captions
Welcome back. In this video we'll be ending things off on the firewall by talking about NAT, so we'll be looking at srcnat, dstnat, as well as the redirect action on a MikroTik device. So let's get into it.

All right, so we'll be labbing this in an EVE topology. I've got my router 1, 2 and 3 here. I've actually brought up a lab from a previous lecture that we did for routing; all that I've done is extend or increase the addressing between our routers. So before it was just /30s between our networks; now we're using /29s, just to give us additional IP addressing to play around with.

Now if we think about that, we need to first figure out why we need to talk about NAT. NAT, which I think I brought up when we discussed masquerading on a MikroTik device, is a mechanism that was developed to help fight the starvation of IPv4 addressing, because what NAT allows us to do is we can essentially hide behind a specific public IP address whenever we use private addressing, so not every device needs to have a public IP address. The same goes for services. When we think about dstnat, what dstnat allows us to do is traffic can hit your router and then your router can forward that traffic off to a specific server, so that each server doesn't in essence need to have its own individual public IP. This is more or less like port address translation, where you can map certain ports. So we'll have one public IP, and from that public IP we could send port 80 and 443 to a web server, but then SMTP traffic we could send off to a mail server somewhere, and it would use the same public IP but internally it's going to two different IP addresses. So that is kind of what dstnat entails for us.

And the redirect I won't go too deeply into, but redirect allows you to set your router to basically redirect traffic to itself on a specific port. So let's say traffic was coming from R2; it was sending, like, a DNS request, and let's say your DNS server was Google's DNS. If you perform the redirect on router 1, what you could effectively do is you could take any traffic that was going to go to Google, redirect it to the router itself, and then the router could act as that DNS server or forward the DNS request off to Google. So that's kind of like the gist of redirect. It's useful; it's not often used, but it does have its uses.

OK, but let's get into some actual configuration. So what I'd like us to do is start off with source-based NAT, and to do this I'm just going to use router 2 as an example. All right, I've connected onto RoMON on router 2, and let's just get into IP > Firewall, go to our NAT, and then from the NAT we can set up a source-based NAT to hide the IP address behind something else. But just to see that it does work, actually, let's just do a basic masquerade rule, which we've already gone through in other lectures, but this is just to kind of instil that knowledge. So let's say the chain is srcnat, and then we're going to say any traffic leaving over ether2, because that's the interface going from R2 to R1, and you can think of that as your WAN, or it could have been your PPPoE as well; it doesn't matter, it's just how we get out of the network. So we're going to masquerade, and then I'm going to apply this. Now what this basic firewall rule will do is, any traffic that leaves over ether2, so any traffic that comes in, even from the PC, it comes to router 2; if it leaves the router over ether2 then it's going to be masqueraded, or hidden, as 10.128.100.130. That's the IP address that router 1 will see. So we can test this by just going into our terminal and let's do a ping. Let's ping 10.128.100.129, which is router 1's IP, but let's ping it as 192.168.0.1, which is the source address of the LAN. So let's just do that ping, and we're getting a response. But I want to show you actually what's happening. If I go onto another WinBox session and I go to my router 1 and I connect, what we can see here is, if I go to my interfaces and I go to my ether2 and I torch this (let's just start it up again), we'll actually see there is ICMP traffic, so there is the ping, but we see the ping as coming from 10.128.100.130. We don't see it as coming from the LAN address. So that's a source-based NAT.

Now let's just disable that rule quickly on router 2 and let's see if it's still the same type of scenario that happens. So disable, and then if I go back to router 1, now you see the IP address has actually changed to the LAN IP. So that is a very basic source-based NAT where we use masquerade, but we can specify what address we want to NAT it out as, and that is why I've increased these IP pools between these routers, so that I can showcase that as well. So let me go back onto router 2, and this NAT rule, let me just delete it. What I firstly want to do is go to my IP addresses and I'm going to add another address, and this address is going to be 10.128.100.131. I'm just going to bind that to ether2 as well. Actually what I could do is I could also just add this on a bridge, but let's just do that; let's add .131, so that's also now a /32 that exists on ether2. And then what I could potentially do is I could go into IP, I can go into my firewall, I can add a NAT rule. We can leave it as a srcnat, but then what I'm going to do is I'm going to say that, OK, we can still say any traffic going out over ether2. What we want to do now is we're going to src-nat, so that's going to be our action. So instead of masquerade we're using src-nat. Now we can change the source IP ourselves so that the remote side sees the IP that we want them to see, and this I'm now going to just update to 10.128.100.131, which is that additional IP that I added. I'm going to apply this, and now that that's been applied (I think my ping is still running; yes it is), if I go back to router 1 and I torch this interface, I can see traffic is now being generated from 10.128.100.131. So we know that we've actually got the src-nat working.

Why is this useful? Well, let's say these weren't private IPs, these were public IP addresses, and perhaps you wanted to give each customer their own public IP address; then that is how you could go about that. You could specify their IP ranges or their VRFs or whatnot, and then you could NAT traffic out as their public IP. So that's one very good use case for public IP addressing and source NATing out as a specific IP. OK, so that covers srcnat.

Let's jump into dstnat now. Dstnat allows us to effectively change the IP address that traffic is being sent to. So I'm just going to use an example: I'm going to say traffic is going to be coming from router 1, and router 1 is going to try and connect to router 2, but what we want router 2 to do is actually forward the traffic to PC1. So PC1 should be the recipient of the traffic; the IP address resides on the router, so let's say it's a public IP, or it's this WAN address that exists on the router, but it's been forwarded, it's been NATed, a dstnat, to an internal host. Now this is again why we do stuff like this for web servers or mail servers or whatnot. So let's just quickly add that on router 2 as well. What we'll do is we'll go into our NAT table, we'll add a new NAT rule, the chain will be dstnat, and what we can say is the destination address we can specify, and for this I'm going to specify that same WAN IP that I added on the router, so 10.128.100.131. We're going to go to our action, and then we can set the destination NAT, so dst-nat. If I click on this we can see we can actually change the address; we can forward it to something else. So here I can forward that to 192.168.0.10 (not totally sure the IP is .10, but we need to set the IP on the host anyway). Let's just test this out and see if it works. I'm going to go into router 1, and then let's run a ping to 10.128.100.131. The ping is currently failing, but it's because this PC's IP hasn't been configured yet, and whenever we reboot these VPCS we just need to re-add the IP. So I'm going to add IP 10.128.100... no, sorry, I don't want to add that IP; I want to add 192.168.0.10, that's all I want to add, and my gateway will be 192.168.0.1. I'm adding that IP, so the IP address is being added to the VPC, and that should be live now. So if I go back to my router I can actually see it started responding. So now if I'm pinging 10.128.100.131, it's coming from router 1, it's hitting router 2, and then router 2 is forwarding 10.128.100.131 to the internal IP of PC1. So that IP, or that host, has now been NATed down, or that IP's NATed down to that host.

You can also, like I said, NAT a specific port, and that you would do by just going into the NAT rule, and then you could just specify the ports. So let's say we just wanted to forward port 80 and port 443; we just need to specify TCP as well if we're going to do that. So protocol will use TCP, and let's say the protocol port is 80; then we can forward port 80 to that as well. So now port 80 will be forwarded to that machine, and I've just copied this to make it 443. So this would, in the event that was a web server, forward that web traffic to the web server. And now it's just the one IP, but now I can also basically forward other things, like I said, like SMTP, port 25, to a different host if there was a different host on the network. So now 443 and 80 would go to 192.168.0.10, but port 25 would go to 192.168.0.11. So that is dstnat in a nutshell.

All right, so let's just quickly do the redirect bit. So redirect allows you to effectively redirect traffic to the router. So you could set up a NAT rule on router 1, for example, to say any traffic coming from R2 that wants to get to a server on the internet, rather just redirect it to me, so it will use your router, and you can redirect it on a specific port. That is what redirect does. So let's just add a redirect rule on router 1. Let's go to IP > Firewall, let's add a NAT rule. Redirect does fall under the dstnat chain; you need to use that. We can specify some protocol, so let's say TCP perhaps. Let's also specify the in-interface, ether2, because that's the interface that's coming from router 2, and let's set our action to redirect. So now we can redirect to certain ports, so maybe I could redirect to, let's say, 23, so that's the telnet port. And let's just specify the destination address as well, so I'll just put this in as 1.1.1.1. So now, in theory, if router 2 tried to get to 1.1.1.1 on a TCP connection, it would just forward it as telnet to router 1. So let's just test this out. Let's go to router 2 and let's do, maybe, let's say telnet 1.1.1.1, or sorry, we need to use /system telnet 1.1.1.1, and it says connected to 1.1.1.1, but I highly doubt that's 1.1.1.1. If I do admin and enter, ta-da, I'm on router 1. Router 1 tricked me; my traffic got redirected to router 1. So that is what we can use redirect for.

All right, so this will cover the NAT section, and this is actually all of the firewall that we need to cover for the MTCNA. I'd like to thank you for watching, and I'll catch you in the next video, where we'll be discussing QoS. So, enjoy. Bye.
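The three rule types from the walkthrough, written out as RouterOS CLI commands with the checks a practitioner would run after each one. This is an added example, not the presenter's exported config: the interface names and addresses (10.128.100.129/.130/.131 on the R1-R2 /29, 192.168.0.0/24 with PC1 at 192.168.0.10 behind R2) are taken from the transcript; the src-address scoping, the forward-chain filter rules and the comments are my additions and assume a RouterOS 6.x box with no other NAT or filter rules present.

```routeros
# Added example (not the presenter's exported config). Addressing follows the
# video: R2 reaches R1 over ether2 as 10.128.100.130/29, R1 is .129, the LAN
# behind R2 is 192.168.0.0/24 with PC1 at 192.168.0.10.

# --- R2: source NAT ------------------------------------------------------------
# 1) Plain masquerade: LAN traffic leaving ether2 is rewritten to whatever
#    address ether2 holds (10.128.100.130). Scoping with src-address keeps the
#    router's own traffic (routing protocols etc.) untouched.
#    Left disabled here because NAT rules are matched top-down and the first
#    match wins; the presenter deletes this rule before adding rule 2.
/ip firewall nat add chain=srcnat out-interface=ether2 src-address=192.168.0.0/24 \
    action=masquerade disabled=yes comment="srcnat: hide LAN behind ether2 address"

# 2) Deterministic src-nat to a second address. The address must exist on the
#    router so it answers ARP for it (the presenter binds a /32 to ether2).
/ip address add address=10.128.100.131/32 interface=ether2 comment="second WAN IP"
/ip firewall nat add chain=srcnat out-interface=ether2 src-address=192.168.0.0/24 \
    action=src-nat to-addresses=10.128.100.131 \
    comment="srcnat: LAN leaves as .131 instead of .130"

# --- R2: destination NAT (port forwarding) ------------------------------------
# Match on the WAN address, the in-interface *and* the port: a dst-nat rule with
# no protocol/port (as in the first ping test) forwards every port to the host.
/ip firewall nat add chain=dstnat in-interface=ether2 dst-address=10.128.100.131 \
    protocol=tcp dst-port=80,443 action=dst-nat to-addresses=192.168.0.10 \
    comment="dstnat: web to PC1"
/ip firewall nat add chain=dstnat in-interface=ether2 dst-address=10.128.100.131 \
    protocol=tcp dst-port=25 action=dst-nat to-addresses=192.168.0.11 \
    comment="dstnat: SMTP to a second host"

# dst-nat only rewrites the packet; the forward chain still decides whether it
# passes. With a "drop everything new from WAN" policy, let through only
# connections that a dstnat rule created (order matters: accept before drop).
/ip firewall filter add chain=forward connection-state=established,related \
    action=accept comment="allow replies"
/ip firewall filter add chain=forward connection-state=new in-interface=ether2 \
    connection-nat-state=dstnat action=accept \
    comment="allow new connections that a dstnat rule created"
/ip firewall filter add chain=forward connection-state=new in-interface=ether2 \
    action=drop comment="drop all other new connections from WAN"

# --- R1: redirect to the router itself ----------------------------------------
# Same dstnat chain, but only to-ports is given; the destination becomes R1.
# Scoped to one in-interface, one protocol and one destination so it cannot
# swallow unrelated traffic.
/ip firewall nat add chain=dstnat in-interface=ether2 protocol=tcp dst-address=1.1.1.1 \
    action=redirect to-ports=23 comment="redirect: R2 -> 1.1.1.1/tcp lands on R1 telnet"

# --- Checks ---------------------------------------------------------------------
# Per-rule packet/byte counters show which rule actually matched.
/ip firewall nat print stats
# Live translations: each entry shows the original and the translated pair.
/ip firewall connection print
# From R2, reproduce the video's two tests.
/ping 10.128.100.129 src-address=192.168.0.1 count=3
/system telnet 1.1.1.1
```

Reading the counters after each test is the quickest way to tell a NAT problem from a filter problem: if the dstnat rule's counter climbs but the host never answers, the packet was translated and then dropped (or the host has no route back through R2); if the counter stays at zero, the rule itself never matched.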
Info
Channel: The Network Berg
Views: 1,428
Keywords: #Routers, #MTCNA, #MTCRE, #MTCINE, #Firewall, #NAT, #Srcnat, #Dstnat, #Redirect
Id: GTDgeZLc190
Length: 12min 33sec (753 seconds)
Published: Fri Oct 29 2021