Sniff
just joined
Topic Author
Posts: 11
Joined: Thu Jan 06, 2011 11:55 am

Forwarding to destination IP

Fri Jan 21, 2011 3:50 pm

Hello, got 4 WANs load balanced and using DHCP for my 2 comps.

Used the PCC method and it works very well.

Can't access my FTP server unless I do it internally with 127.0.0.1.

So I need to forward the IP. I followed the proper page here:

http://wiki.mikrotik.com/wiki/Forwardin ... nternal_IP

Opened IP/Addresses and took the computer's IP from ether*

and used WAN 1, one of my ether ports, to route the NAT, but it doesn't matter what I do, I always get connection refused (10061) in my FTP client, both tested from my own computer and with:
http://www.g6ftpserver.com/en/ftptest

And the ports that I forwarded were both the port I set in the FTP server and the one under it, so for example with 5560 I forward both 5559 and 5560 so FTP can send back as well.

Can anyone shine some light on what to do? I can't see in the log in the GUI either that a connection failed. Only if I use port 21 does it seem to make a connection, but that is with MikroTik's own server, so no wonder :)
 
Sniff

Re: Forwarding to destination IP

Sun Jan 23, 2011 1:07 am

Oh come on! Anyone?

The support on this forum is really bad... and when I do get help it's not exactly as detailed as u would want it to be with this technical router...

Please, some help would be appreciated. (Yeah, I know it's not gone a long time, but same with other questions: I had limited replies with little depth, unfortunately.)
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Forwarding to destination IP

Sun Jan 23, 2011 2:32 am

The most likely issue is that you have traffic coming into the router via a specific WAN connection but then PCC forces return traffic out another WAN connection and the packet cannot be properly processed from there on for various reasons (ISP drops it since the public IP is undone from the initial forward and does not match what the provider expects on that interface, or the packet makes it back but is discarded by the client due to the wrong IP address not matching its connection table). The general solution is to look at the PCC ruleset and duplicate the 'stickiness' it forces on connections in the input chain and uses to make traffic in the output chain match the initial interface for the traffic you are forwarding through the router. If you need more detailed help than that you should post more details, such as a network diagram and your relevant configuration (IP addressing, routes, the entire firewall including mangle, filter, and NAT at a minimum).

I also remember several past threads regarding that issue since PCC is used by many users, and many need to forward ports while using PCC. You may just find the answer you're looking for by searching for those past threads.
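The failure described in this reply, as an added Python model (not part of the thread and not RouterOS code): a port-forwarded connection enters on one WAN, and its reply is either classified by PCC alone or follows a connection mark set on ingress. The hash is a stand-in for RouterOS's own, and the interface names, server address and client addresses are constructed assumptions.

```python
import hashlib

WANS = ["WAN 1", "WAN 2", "WAN 3", "WAN 4"]  # assumed interface names

def pcc_bucket(src, dst, denominator):
    """Stand-in for the PCC hash (RouterOS uses its own function).
    Only the property that matters is kept: same address pair, same bucket."""
    digest = hashlib.sha256(f"{src}|{dst}".encode()).digest()
    return int.from_bytes(digest[:4], "big") % denominator

class Router:
    def __init__(self, sticky):
        self.sticky = sticky   # True: mark forwarded connections by ingress WAN
        self.conn_mark = {}    # connection tracking: (client, server) -> WAN

    def inbound(self, client, server, wan):
        """First packet of a port-forwarded connection arrives on `wan`."""
        if self.sticky:
            self.conn_mark[(client, server)] = wan

    def reply_egress(self, client, server):
        """WAN used for the server's reply, which enters from the LAN."""
        key = (client, server)
        if key not in self.conn_mark:
            # Unmarked connection: PCC classifies it like any new LAN traffic.
            self.conn_mark[key] = WANS[pcc_bucket(server, client, len(WANS))]
        return self.conn_mark[key]

def mismatches(sticky, clients, server="192.168.0.253"):
    """Count connections whose reply leaves a different WAN than it entered."""
    bad = 0
    for i, client in enumerate(clients):
        ingress = WANS[i % len(WANS)]   # spread test clients over all WANs
        router = Router(sticky)
        router.inbound(client, server, ingress)
        if router.reply_egress(client, server) != ingress:
            bad += 1
    return bad

# Constructed client addresses (documentation range), not taken from the thread.
CLIENTS = [f"198.51.100.{n}" for n in range(1, 41)]

if __name__ == "__main__":
    print("PCC only  :", mismatches(False, CLIENTS), "of", len(CLIENTS), "wrong WAN")
    print("with marks:", mismatches(True, CLIENTS), "of", len(CLIENTS), "wrong WAN")
```

With PCC alone roughly three quarters of the replies leave through a WAN other than the one the connection arrived on; with the ingress mark none do.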
 
Sniff

Re: Forwarding to destination IP

Sun Jan 23, 2011 3:48 am

Thank you for a very good response. I'll work on it some more with what u said.
 
Sniff

Re: Forwarding to destination IP

Fri Mar 25, 2011 8:43 pm

Hello again. I never got this resolved, which bugs me each day. I did however figure out how to extract my settings by using New Terminal in WinBox and printing an export, which I have done:

http://pastebin.com/xNBEeLUs

There are all the settings.

First I wonder how to port forward for an FTP server, but also when sending to an FTP server with multiple threads I only get 1 IP's speed unless I send constantly with 1 thread and wait until my IP changes by refreshing some WWW site with whois on my own IP. Then when I get a new IP I send with the next thread; that way it uses a different IP and I get double speed. But why can't it work automatically? It is annoying to me.

Also I'm not connectable by uTorrent.

I'm quite happy with how it's load balancing except for FTP, and also I only have 4 WANs and each IP has 10 Mbit up but they all share 100 Mbit down, so I don't really need to load balance my download, if that makes anything easier.

Anyway, I appreciate any help. I have only used WinBox, so if u explain something I'd appreciate it if it made sense in the WinBox GUI. Thanks

Sniff
 
Sniff

Re: Forwarding to destination IP

Sat Mar 26, 2011 12:27 pm

Update: just saw ur tag, Fewi, on how to show the settings correctly, so here it is:

/ip address print detail
Flags: X - disabled, I - invalid, D - dynamic 
 0   address=192.168.0.1/24 network=192.168.0.0 broadcast=192.168.0.255 interface=LAN actual-interface=bridge1 

 1 D address=85.230.122.7/21 network=85.230.120.0 broadcast=85.230.127.255 interface=WAN 2 actual-interface=WAN 2 

 2 D address=85.230.122.11/21 network=85.230.120.0 broadcast=85.230.127.255 interface=WAN 1 actual-interface=WAN 1 

 3 D address=85.230.122.19/21 network=85.230.120.0 broadcast=85.230.127.255 interface=WAN 3 actual-interface=WAN 3 

 4 D address=85.230.122.21/21 network=85.230.120.0 broadcast=85.230.127.255 interface=WAN 4 actual-interface=WAN 4
/ip route print detail
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit 
 0 A S  dst-address=0.0.0.0/0 gateway=WAN 1,WAN 3,WAN 2,WAN 4 gateway-status=WAN 1 reachable,WAN 3 reachable,WAN 2 reachable,WAN 4 reachable distance=1 
        scope=30 target-scope=10 

 1  DS  dst-address=0.0.0.0/0 gateway=85.230.120.1 gateway-status=85.230.120.1 reachable WAN 4 distance=2 scope=30 target-scope=10 

 2 A S  dst-address=85.226.125.68/32 gateway=WAN 3 gateway-status=WAN 3 reachable distance=1 scope=30 target-scope=10 

 3 ADC  dst-address=85.230.120.0/21 pref-src=85.230.122.7 gateway=WAN 2,WAN 1,WAN 3,WAN 4 
        gateway-status=WAN 2 reachable,WAN 1 reachable,WAN 3 reachable,WAN 4 reachable distance=0 scope=10 

 7 A S  ;;; Swedbank
        dst-address=164.10.45.63/32 gateway=WAN 3 gateway-status=WAN 3 reachable distance=1 scope=30 target-scope=10
/interface print
Flags: D - dynamic, X - disabled, R - running, S - slave 
 #     NAME                                                                                                                      TYPE             MTU   L2MTU
 0  R  ;;; ether1
       WAN 1                                                                                                                     ether            1500  1526 
 1  R  ;;; ether2
       LAN                                                                                                                       ether            1500  1522 
 2  R  ;;; ether4
       WAN 3                                                                                                                     ether            1500  1522 
 3  R  ;;; ether3
       WAN 2                                                                                                                     ether            1500  1522 
 4  R  ;;; ether5
       WAN 4                                                                                                                     ether            1500  1522 
 5     ;;; ether6 - No Cable
       WAN 5                                                                                                                     ether            1500  1522 
 6  R  ;;; ether7
       LAN 2                                                                                                                     ether            1500  1522 
 7     ;;; ether8
       LAN 3                                                                                                                     ether            1500  1522 
 8     ;;; ether9
       LAN 4                                                                                                                     ether            1500  1522 
 9  R  bridge1                                                                                                                   bridge           1500  1522 
/ip firewall export
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=10s tcp-established-timeout=1d tcp-fin-wait-timeout=10s \
    tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=10s udp-stream-timeout=3m \
    udp-timeout=10s
/ip firewall mangle
add action=mark-connection chain=input comment="" disabled=no in-interface="WAN 1" new-connection-mark="TO_WAN 1" passthrough=yes
add action=mark-connection chain=input comment="" disabled=no in-interface="WAN 2" new-connection-mark="TO_WAN 2" passthrough=yes
add action=mark-connection chain=input comment="" disabled=no in-interface="WAN 3" new-connection-mark="TO_WAN 3" passthrough=yes
add action=mark-connection chain=input comment="" disabled=no in-interface="WAN 4" new-connection-mark="TO_WAN 4" passthrough=yes
add action=mark-routing chain=output comment="" connection-mark="TO_WAN 1" disabled=no new-routing-mark="TO_WAN 1" passthrough=yes
add action=mark-routing chain=output comment="" connection-mark="TO_WAN 2" disabled=no new-routing-mark="TO_WAN 2" passthrough=yes
add action=mark-routing chain=output comment="" connection-mark="TO_WAN 3" disabled=no new-routing-mark="TO_WAN 3" passthrough=yes
add action=mark-routing chain=output comment="" connection-mark="TO_WAN 4" disabled=no new-routing-mark="TO_WAN 4" passthrough=yes
add action=accept chain=prerouting comment="" disabled=no dst-address=10.111.0.0/24 in-interface=LAN
add action=accept chain=prerouting comment="" disabled=no dst-address=10.112.0.0/24 in-interface=LAN
add action=accept chain=prerouting comment="" disabled=no dst-address=10.113.0.0/24 in-interface=LAN
add action=accept chain=prerouting comment="" disabled=no dst-address=10.114.0.0/24 in-interface=LAN
add action=mark-routing chain=prerouting comment="" connection-mark="WAN 1_conn" disabled=no in-interface=LAN new-routing-mark="TO_WAN 1" passthrough=yes
add action=mark-routing chain=prerouting comment="" connection-mark="WAN 2_conn" disabled=no in-interface=LAN new-routing-mark="TO_WAN 2" passthrough=yes
add action=mark-routing chain=prerouting comment="" connection-mark="WAN 3_conn" disabled=no in-interface=LAN new-routing-mark="TO_WAN 3" passthrough=yes
add action=mark-routing chain=prerouting comment="" connection-mark="WAN 4_conn" disabled=no in-interface=LAN new-routing-mark="TO_WAN 4" passthrough=yes
add action=mark-connection chain=prerouting comment="" disabled=no dst-address-type=local in-interface=LAN new-connection-mark="WAN 1_conn" passthrough=yes \
    per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=prerouting comment="" disabled=no dst-address-type=local in-interface=LAN new-connection-mark="WAN 2_conn" passthrough=yes \
    per-connection-classifier=both-addresses:2/1
add action=mark-connection chain=prerouting comment="" disabled=no dst-address-type=local in-interface=LAN new-connection-mark="WAN 3_conn" passthrough=yes \
    per-connection-classifier=both-addresses:2/2
add action=mark-connection chain=prerouting comment="" disabled=no dst-address-type=local in-interface=LAN new-connection-mark="WAN 4_conn" passthrough=yes \
    per-connection-classifier=both-addresses:2/3
/ip firewall nat
add action=masquerade chain=srcnat comment="" disabled=no out-interface="WAN 1"
add action=masquerade chain=srcnat comment="" disabled=no out-interface="WAN 2"
add action=masquerade chain=srcnat comment="" disabled=no out-interface="WAN 3"
add action=masquerade chain=srcnat comment="" disabled=no out-interface="WAN 4"
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no
thanks again / Sniff
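An added illustration (not part of the thread and not RouterOS code) of two properties of the `per-connection-classifier` rules in the export above: a remainder is always smaller than the denominator, so `2/2` and `2/3` can never match, and `both-addresses` gives every connection between the same two hosts the same remainder. The hash is a stand-in for RouterOS's own; the flows and the `4/0` to `4/3` variant are constructed assumptions.

```python
import hashlib

def pcc_remainder(fields, denominator):
    """Stand-in for the PCC hash (RouterOS uses its own function); what matters
    is that the result depends only on `fields` and is always < denominator."""
    digest = hashlib.sha256("|".join(map(str, fields)).encode()).digest()
    return int.from_bytes(digest[:4], "big") % denominator

# Classifier field selections; a flow is (src, sport, dst, dport).
def both_addresses(flow):
    return (flow[0], flow[2])

def both_addresses_and_ports(flow):
    return flow

# (connection mark, denominator, remainder) as in the export above.
POSTED = [("WAN 1_conn", 2, 0), ("WAN 2_conn", 2, 1),
          ("WAN 3_conn", 2, 2), ("WAN 4_conn", 2, 3)]
# Assumed variant with one remainder per WAN: 4/0 .. 4/3.
FOUR_WAY = [(mark, 4, i) for i, (mark, _, _) in enumerate(POSTED)]

def marks_used(rules, flows, classifier):
    """Return the set of connection marks that any flow ends up with."""
    used = set()
    for flow in flows:
        for mark, denominator, remainder in rules:
            if pcc_remainder(classifier(flow), denominator) == remainder:
                used.add(mark)
    return used

# Constructed flows: 200 different remote hosts, then 16 parallel
# connections from one LAN host to one FTP server (source ports differ only).
MIXED = [("192.168.0.253", 40000 + n, f"203.0.113.{n + 1}", 80) for n in range(200)]
PARALLEL = [("192.168.0.253", 50000 + n, "203.0.113.10", 21) for n in range(16)]

if __name__ == "__main__":
    print(sorted(marks_used(POSTED, MIXED, both_addresses)))
    print(sorted(marks_used(FOUR_WAY, MIXED, both_addresses)))
    print(len(marks_used(FOUR_WAY, PARALLEL, both_addresses)))
    print(len(marks_used(FOUR_WAY, PARALLEL, both_addresses_and_ports)))
```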
 
fewi

Re: Forwarding to destination IP

Sat Mar 26, 2011 7:37 pm

 
Sniff

Re: Forwarding to destination IP

Sat Mar 26, 2011 10:35 pm

Hey fewi, thanks for the quick response. I'm very new to this router and I'm trying to understand that post and really I don't. I've read it like 4 times now; it's like a wall of text hit me. For how I set up my router so far I got help from the reseller, but he won't help me further because it's a paid service.

If u could be so kind as to give me an example based on my router settings specifically, I would greatly appreciate it. I will try to understand it better. As I understand it now, I need to make a NAT rule so that what goes in goes out the same WAN port, but I don't see how I will resolve that for, let's say, uTorrent, which connects on all my WANs. I'm a bit lost here.

I can see the link u provided is a pretty straight answer for a more experienced user, but to me it's like Chinese, due to so many settings.

It took me 2 weeks to get internet at all with the router. I don't want to mess any settings up because I wouldn't understand what I'd done when I changed stuff. Hence I want a more direct answer, if possible, for my configuration.

Regards: Sniff


Edit: i.e. if I could get help to add it for the FTP server on each IP, so no matter how they connect it would route properly on, let's say, port 666, then I could possibly understand how to add it for uTorrent and other programs. As it is now I don't understand what I'm doing whatsoever, heh.
 
Sniff

Re: Forwarding to destination IP

Sun Mar 27, 2011 2:06 pm

Edit again:

Well, I managed to get connectable on 1 port by doing:
Flags: X - disabled, I - invalid, D - dynamic 
 0   chain=srcnat action=masquerade out-interface=WAN 1 

 1   chain=srcnat action=masquerade out-interface=WAN 2 

 2   chain=srcnat action=masquerade out-interface=WAN 3 

 3   chain=srcnat action=masquerade out-interface=WAN 4 

 4   chain=dstnat action=dst-nat to-addresses=192.168.0.253 to-ports=8858 
     protocol=tcp dst-address=85.230.122.7 dst-port=8858 

 5   chain=dstnat action=dst-nat to-addresses=192.168.0.253 to-ports=8858 
     protocol=tcp dst-address=85.230.122.11 dst-port=8858 

 6   chain=dstnat action=dst-nat to-addresses=192.168.0.253 to-ports=8858 
     protocol=tcp dst-address=85.230.122.19 dst-port=8858 

 7   chain=dstnat action=dst-nat to-addresses=192.168.0.253 to-ports=8858 
     protocol=tcp dst-address=85.230.122.21 dst-port=8858 

 8 X chain=dstnat action=dst-nat to-addresses=192.168.0.45 to-ports=80 
     protocol=tcp dst-address=85.230.122.11 dst-port=80 

 9 X chain=srcnat action=src-nat to-addresses=85.230.122.11 to-ports=80 
     protocol=tcp src-address=192.168.0.45 src-port=80
Those last ones that are disabled someone on IRC told me to add but gave no explanation. I'm still connectable on that port with: http://connect.majestyc.net/

However, with an FTP client it does not work. I tried all kinds of combos, like adding port range 8858-8860 and having 8858 as the general port in the FTP server and 8859-8860 as passive ports for transfers, and changing that in the FTP server program too, but nothing really works. In fact, if I port forward that range, still only port 8858 is port forwarded.

And I also tried to add those ports as FTP service ports. It made no difference.

The FTP server worked fine before I had the MikroTik; it also works fine with 127.0.0.1 on that port. I also installed a second FTP server and it also works fine internally.


Got it to work, but I couldn't test from my own internet; if I did, it would not work. Somehow, I guess, the load balancing made it so.
