Port forwarding problems

Main problem: if I forward a port to an internal IP, let's say 213.213.213.213:25 → 10.0.0.1:25, I cannot access it using the FQDN from the internal network.
In the current example port 25 is forwarded, so if I use mail.blabla.com as the SMTP server, then from the internal network I get a timeout and mail cannot be sent; from outside everything works OK.
I know there is a workaround, to create a record in the local DNS pointing to 10.0.0.1, but this only partially resolves the problem.
Because if a user goes somewhere outside the local network with his notebook and after a while comes back, he has a record in his notebook's DNS cache that mail.blabla.com is at 213.213.213.213 and he cannot send mail from the local network anymore, until the DNS cache is flushed.

And the same situation applies to everything else: if I forward port 80, the web page is accessible from outside, but not from inside.

RB433, v3.28
Port forwarding done like this:
/ip firewall nat add chain=dstnat dst-address=69.69.69.69 protocol=tcp dst-port=5900 action=dst-nat to-addresses=192.168.1.101 to-ports=5900

Tried also the other method found in the forums, using netmap, with the same result.

In Linux, if I do port forwarding in iptables, there are no such problems; also in any "cheap" router like D-Link, Linksys etc. there are no such problems with port forwarding.

There MUST be such a problem, because the server sends the response directly to the client, not via the router, so the router cannot 'de-NAT' those addresses. The client sends packets to 213.213.213.213, receives answers from 10.0.0.1 and drops them =)

The solutions: =)

  • split DNS (resolves the FQDN to the external address for external users, and to the internal one for internal users);
  • add a src-nat rule, so the router masquerades the clients (the server will see only the router's IP in incoming packets);
  • move the server out of the users' subnet, so that the server replies via the router, not directly.

DNS is split already, but as I already wrote, if a user with a notebook goes to some other place, checks e-mail and then returns, in his notebook's local DNS cache there is still a record that mail.blahblah.com was at 213.213.213.213, and it does not perform a lookup against the internal DNS server. Only when the DNS cache is flushed (or expires, usually after 24h) do they get the correct IP from the internal server.

It is interesting, then, how Linux iptables works without a problem in the same setup.

Maybe there are some IP filter rules to overcome behavior like this.

I described the details of the problem. You cannot just get it to work without breaking something.

As I understand it, when dst-nat'ing, MikroTik rewrites the destination address (public IP) to the internal IP and sends it from its own internal interface to 10.0.0.1, and when it receives the answer from the server it changes the internal IP address to the public IP and sends it to …

This sh*t with MikroTik is causing me too much trouble; I think the MikroTik 433AH will have to go …

How do all other routers then deal with this problem?

This sh*t is with any router. It's how NAT works. Don't show your stupidity with abusive words.

No, it is not!!! Really.

I think there should be some way …

Chupaka is correct. Here is the way I do it:

/ip firewall nat
add chain=dstnat action=dst-nat dst-address=69.69.69.69 to-addresses=192.168.1.101 place-before=0
add chain=srcnat action=src-nat src-address=192.168.1.101 to-addresses=69.69.69.69 place-before=0

It comes in as 69.69.69.69 and is dst-natted to 192.168.1.101. But that is not enough. It must go out the same way. The srcnat ensures that the responses go back out as 69.69.69.69. Otherwise, they will show as your default IP on that interface if you use a masquerade here too. That isn't 69.69.69.69, is it?

I already tried a setup like this too.

It does not resolve the problem.

I think MT lacks some internal intelligence to deal with this problem.

As I already stated, Linux iptables and BSD pf do not have such problems, nor do many of the Linux/Unix firewall/router implementations like m0n0wall, pfSense, Endian, IPCop, Smoothwall etc. etc. Also any cheapest router can handle port forwarding correctly (if someone doesn't like the term "correctly", then I should say: the way I want and think it should work :wink: ). I mention Linux because RouterOS is built on/from Linux.

Hi janisbanis,

Please notice the wording of my response. I did not say this might work, or this could work, or something like that. This works. It is working. I just used it. HTTP, email, FTP, etc., all from the internal net using the public domain name.

They have enough internal intelligence for me.

You have to masquerade local traffic to make this setup work. RouterOS behavior is exactly the same as Linux, FreeBSD, OpenWrt and others.
Here are some references:
http://tldp.org/HOWTO/IP-Masquerade-HOWTO/forwarders.html
https://forum.openwrt.org/viewtopic.php?id=4030

The article and forum topic above explain exactly what rules you have to set in iptables. It is basically the same as others have already suggested here.

Since mrz brought it up, I do NOT use "action=masquerade" for the default NAT when assigning multiple IPs to an interface. I always use "action=src-nat" only. Masquerade with multiple IPs leaves too much to chance for me. I have found it does not always choose the IP you expect.

Yes, if you have multiple IPs then it is advised to use src-nat.

I use "action=masquerade", using one external IP.

1st try
/ip firewall nat add chain=dstnat dst-address=69.69.69.69 protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.1.101 to-ports=80

Web server accessible from outside, not accessible from the local network using the FQDN or the public IP.

2nd try
added SRC-NAT

the same

3rd try
found on the forum that action=netmap in place of action=dst-nat and action=src-nat can be used

the same result

Have you read anything from the links I gave you? I guess not.

You have to add the following rule to make it work:
/ip firewall nat add chain=srcnat action=masquerade src-address=192.168.1.0/24 dst-port=80 protocol=tcp

So in the end you get three NAT rules:

  1. Masquerade internal to external (you already have it)
  2. Port forwarding (you already have it)
  3. Masquerade local to local (the rule I wrote above)

You also have to do the same in Linux and any other OS where iptables is used.
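The complete rule set for the "masquerade local to local" (hairpin NAT) fix, written out as an added example that was not posted in this thread. It implements the second of the three options listed earlier (masquerade the LAN clients so the server replies through the router) on top of the three-rule layout given just above. It uses the thread's sample addresses: public IP 69.69.69.69, LAN 192.168.1.0/24 with the router at 192.168.1.1, web server 192.168.1.101. The WAN interface name "ether1-gateway" is assumed; substitute your own.

```routeros
# Added example, not from the thread: complete hairpin NAT for RouterOS.
# Assumed: public IP 69.69.69.69 on WAN interface "ether1-gateway" (assumed name),
# LAN 192.168.1.0/24 with the router at 192.168.1.1, web server 192.168.1.101.

# 1. Ordinary outbound NAT for the LAN. The out-interface match limits this rule
#    to traffic that really leaves towards the Internet; it never touches
#    LAN-to-LAN packets, so it cannot hide LAN clients from LAN servers.
/ip firewall nat add chain=srcnat action=masquerade src-address=192.168.1.0/24 out-interface=ether1-gateway comment="LAN to Internet"

# 2. The port forward. Match on dst-address (the public IP), NOT on
#    in-interface=ether1-gateway: a LAN client that connects to 69.69.69.69
#    arrives on the LAN interface, and an in-interface match would skip it.
/ip firewall nat add chain=dstnat action=dst-nat dst-address=69.69.69.69 protocol=tcp dst-port=80 to-addresses=192.168.1.101 to-ports=80 comment="forward TCP/80 to web server"

# 3. The hairpin rule. After rule 2 a LAN client's packet is
#    192.168.1.x -> 192.168.1.101. Masquerade it so the server replies to the
#    router (192.168.1.1), which can then un-NAT the reply, instead of replying
#    straight to the client from an address the client never talked to.
#    Matching dst-address=192.168.1.101 and dst-port=80 leaves all other
#    LAN-to-LAN traffic alone. Do NOT add out-interface=ether1-gateway here:
#    hairpinned packets leave through the LAN interface.
/ip firewall nat add chain=srcnat action=masquerade src-address=192.168.1.0/24 dst-address=192.168.1.101 protocol=tcp dst-port=80 comment="hairpin NAT for web server"
```

To check it, open http://69.69.69.69/ from a LAN host and watch the counters with `/ip firewall nat print stats`: rules 2 and 3 should both increment, and `/ip firewall connection print` should show the connection's reply side addressed to 192.168.1.1 rather than to the client. A masquerade rule without any out-interface match (as in some configurations later in this thread) already covers the hairpin case, but it then masquerades every LAN-to-LAN flow the router forwards. Either way, the server now sees 192.168.1.1 for every LAN client, so its access logs, per-IP rate limits and IP-based access rules can no longer tell LAN users apart; if that matters, the other two options (split DNS with a short TTL, or a separate subnet for the server) keep the real client address.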

It works, man!!! :laughing:

Thanks for the help

Hi,

please paste here the complete sequence for your example.

Thanks,

Jernej

Hi

I have only 2 /ip firewall rules (general) to do this and it works with the FQDN.

  1. I masquerade the local IPs (subnets)
  2. I do port forwarding to my LAN servers (FTP, SMTP etc.)

Here is the code:

Flags: X - disabled, I - invalid, D - dynamic
0 X ;;; place hotspot rules here
chain=unused-hs-chain action=passthrough

1 X chain=dstnat action=redirect to-ports=8080 protocol=tcp dst-port=80

2 ;;; masquerade hotspot network
chain=srcnat action=masquerade src-address=192.168.88.0/24

3 ;;; masquerade hotspot network
chain=srcnat action=masquerade src-address=192.168.55.0/24

4 ;;; masquerade hotspot network
chain=srcnat action=masquerade src-address=192.168.44.0/24

5 chain=dstnat action=dst-nat to-addresses=192.168.0.199 to-ports=20 protocol=tcp dst-address=64.165.220.163 dst-port=20

6 chain=dstnat action=dst-nat to-addresses=192.168.88.8 to-ports=21 protocol=tcp dst-address=69.165.220.163 dst-port=21

7 chain=dstnat action=dst-nat to-addresses=192.168.88.8 to-ports=110 protocol=tcp dst-address=64.165.220.163 dst-port=110

8 chain=dstnat action=dst-nat to-addresses=192.168.88.8 to-ports=25 protocol=tcp dst-address=64.165.220.163 dst-port=25
[admin@MikroTik] /ip firewall nat>

I didn't have to masquerade local to local

How is your config?

I didn't have to masquerade local to local

And what do you think these two rules are doing?

2 ;;; masquerade hotspot network
chain=srcnat action=masquerade src-address=192.168.88.0/24 

3 ;;; masquerade hotspot network
chain=srcnat action=masquerade src-address=192.168.55.0/24

MikroTik staff,

I don't know if you can explain this.

Like I already mentioned, I masqueraded local to local addresses so people on my LAN 192.168.88.1/24 can browse and send mail. I set up a mail server, and on the PC running the mail server I can send and receive mail, but when trying to send and receive on my other PC on the same LAN I get in Outlook Express the error: Cannot connect to POP server???


What I have done in my Firewall > NAT config is this:

For every subnet in the firewall (local to local masqueraded) I also had the "Outgoing Interface" set to my PPPoE connection (my WAN, Internet ISP DSL line).

SO I REMOVED IT FROM MY 192.168.88.1/24.
AND IT WORKED.

Can you tell me why it worked?

1 chain=dstnat action=redirect to-ports=8080 protocol=tcp dst-port=80

2 ;;; masquerade hotspot network
chain=srcnat action=masquerade src-address=192.168.88.0/24

3 ;;; masquerade hotspot network
chain=srcnat action=masquerade src-address=192.168.55.0/24 out-interface=pppoe-out1

4 ;;; masquerade hotspot network
chain=srcnat action=masquerade src-address=192.168.44.0/24 out-interface=pppoe-out1

5 chain=dstnat action=dst-nat to-addresses=192.168.0.199 to-ports=20 protocol=tcp dst-address=64.165.220.163 dst-port=20

6 chain=dstnat action=dst-nat to-addresses=192.168.88.8 to-ports=21 protocol=tcp dst-address=64.165.220.163 dst-port=21

7 chain=dstnat action=dst-nat to-addresses=192.168.88.8 to-ports=110 protocol=tcp dst-address=64.165.220.163 dst-port=110

8 chain=dstnat action=dst-nat to-addresses=192.168.88.8 to-ports=25 protocol=tcp dst-address=64.165.220.163 dst-port=25

9 chain=srcnat action=src-nat to-addresses=64.165.220.163 protocol=tcp src-address=192.168.88.8