arthurmitch
Frequent Visitor
Topic Author
Posts: 82
Joined: Mon Jan 31, 2011 3:02 pm
Location: South Africa

PCC port forwarding return problem

Wed Feb 09, 2011 7:45 am

OK, now I'm having the following problem: port forwarding is working on my router, but only from my one public IP address, 196.212.100.148, and I cannot access it via 41.134.110.10. But if I disable interface 196.212.100.148, 41.134.110.10 starts working!
Here is my NAT print:

0 ;;; Loopback-Connection 1
chain=srcnat action=masquerade protocol=tcp src-address=192.168.88.0/24 dst-address=192.168.88.2 out-interface=ether2-Main-LAN

1 chain=srcnat action=masquerade out-interface=ether1-Mweb-Router

2 I chain=srcnat action=masquerade out-interface=ether3-I.S-Router

3 chain=dstnat action=dst-nat to-addresses=192.168.88.2 to-ports=20-21 protocol=tcp dst-address=41.134.110.10 dst-port=20-21

4 chain=dstnat action=dst-nat to-addresses=192.168.88.2 to-ports=22 protocol=tcp dst-address=41.134.110.10 dst-port=22

5 chain=dstnat action=dst-nat to-addresses=192.168.88.2 to-ports=80 protocol=tcp dst-address=41.134.110.10 dst-port=80

6 chain=dstnat action=dst-nat to-addresses=192.168.88.2 to-ports=81 protocol=tcp dst-address=41.134.110.10 dst-port=81

7 chain=dstnat action=dst-nat to-addresses=192.168.88.2 to-ports=443 protocol=tcp dst-address=41.134.110.10 dst-port=443

8 chain=dstnat action=dst-nat to-addresses=192.168.88.2 to-ports=3203 protocol=tcp dst-address=41.134.110.10 dst-port=3203

9 chain=dstnat action=dst-nat to-addresses=192.168.88.2 to-ports=3204 protocol=tcp dst-address=41.134.110.10 dst-port=3204

10 chain=dstnat action=dst-nat to-addresses=192.168.88.2 to-ports=3306 protocol=tcp dst-address=41.134.110.10 dst-port=3306

11 chain=dstnat action=dst-nat to-addresses=192.168.88.2 to-ports=5900-5935 protocol=tcp dst-address=41.134.110.10 dst-port=5900-5935

12 chain=dstnat action=dst-nat to-addresses=192.168.88.2 to-ports=6000-6001 protocol=tcp dst-address=41.134.110.10 dst-port=6000-6001

13 chain=dstnat action=dst-nat to-addresses=192.168.88.2 to-ports=6010 protocol=tcp dst-address=41.134.110.10 dst-port=6010

14 chain=dstnat action=dst-nat to-addresses=192.168.88.2 to-ports=7000 protocol=tcp dst-address=41.134.110.10 dst-port=7000

15 chain=dstnat action=dst-nat to-addresses=192.168.88.2 to-ports=8080-8082 protocol=tcp dst-address=41.134.110.10 dst-port=8080-8082

16 chain=dstnat action=dst-nat to-addresses=192.168.88.2 to-ports=20-21 protocol=tcp dst-address=196.212.100.148 dst-port=20-21

17 chain=dstnat action=dst-nat to-addresses=192.168.88.2 to-ports=22 protocol=tcp dst-address=196.212.100.148 dst-port=22

18 chain=dstnat action=dst-nat to-addresses=192.168.88.2 to-ports=80 protocol=tcp dst-address=196.212.100.148 dst-port=80

19 chain=dstnat action=dst-nat to-addresses=192.168.88.2 to-ports=81 protocol=tcp dst-address=196.212.100.148 dst-port=81

20 chain=dstnat action=dst-nat to-addresses=192.168.88.2 to-ports=443 protocol=tcp dst-address=196.212.100.148 dst-port=443

21 chain=dstnat action=dst-nat to-addresses=192.168.88.2 to-ports=3203 protocol=tcp dst-address=196.212.100.148 dst-port=3203

22 chain=dstnat action=dst-nat to-addresses=192.168.88.2 to-ports=3204 protocol=tcp dst-address=196.212.100.148 dst-port=3204

23 chain=dstnat action=dst-nat to-addresses=192.168.88.2 to-ports=3306 protocol=tcp dst-address=196.212.100.148 dst-port=3306

24 chain=dstnat action=dst-nat to-addresses=192.168.88.2 to-ports=5900-5935 protocol=tcp dst-address=196.212.100.148 dst-port=5900-5935

25 chain=dstnat action=dst-nat to-addresses=192.168.88.2 to-ports=6000-6001 protocol=tcp dst-address=196.212.100.148 dst-port=6000-6001

26 chain=dstnat action=dst-nat to-addresses=192.168.88.2 to-ports=6010 protocol=tcp dst-address=196.212.100.148 dst-port=6010

27 chain=dstnat action=dst-nat to-addresses=192.168.88.2 to-ports=7000 protocol=tcp dst-address=196.212.100.148 dst-port=7000

28 chain=dstnat action=dst-nat to-addresses=192.168.88.2 to-ports=8080-8082 protocol=tcp dst-address=196.212.100.148 dst-port=8080-8082


And my mangle print:

0 chain=input action=mark-connection new-connection-mark=wan1_conn passthrough=no in-interface=ether1-Mweb-Router

1 I chain=input action=mark-connection new-connection-mark=wan2_conn passthrough=no in-interface=ether3-I.S-Router

2 chain=output action=mark-routing new-routing-mark=to_wan1 passthrough=no out-interface=ether1-Mweb-Router

3 I chain=output action=mark-routing new-routing-mark=to_wan2 passthrough=no out-interface=ether3-I.S-Router

4 chain=prerouting action=accept dst-address=41.134.110.0/28 in-interface=ether2-Main-LAN

5 chain=prerouting action=accept dst-address=196.212.100.0/28 in-interface=ether2-Main-LAN

6 chain=prerouting action=accept protocol=tcp src-address=41.134.110.0/28 in-interface=ether1-Mweb-Router src-port=20-21

7 chain=prerouting action=accept protocol=tcp src-address=41.134.110.0/28 in-interface=ether1-Mweb-Router src-port=22

8 chain=prerouting action=accept protocol=tcp src-address=41.134.110.0/28 in-interface=ether1-Mweb-Router src-port=80

9 chain=prerouting action=accept protocol=tcp src-address=41.134.110.0/28 in-interface=ether1-Mweb-Router src-port=81

10 chain=prerouting action=accept protocol=tcp src-address=41.134.110.0/28 in-interface=ether1-Mweb-Router src-port=443

11 chain=prerouting action=accept protocol=tcp src-address=41.134.110.0/28 in-interface=ether1-Mweb-Router src-port=3203

12 chain=prerouting action=accept protocol=tcp src-address=41.134.110.0/28 in-interface=ether1-Mweb-Router src-port=3204

13 chain=prerouting action=accept protocol=tcp src-address=41.134.110.0/28 in-interface=ether1-Mweb-Router src-port=3306

14 chain=prerouting action=accept protocol=tcp src-address=41.134.110.0/28 in-interface=ether1-Mweb-Router src-port=5900-5935

15 chain=prerouting action=accept protocol=tcp src-address=41.134.110.0/28 in-interface=ether1-Mweb-Router src-port=6010

16 chain=prerouting action=accept protocol=tcp src-address=41.134.110.0/28 in-interface=ether1-Mweb-Router src-port=6000-6001

17 chain=prerouting action=accept protocol=tcp src-address=41.134.110.0/28 in-interface=ether1-Mweb-Router src-port=7000

18 chain=prerouting action=accept protocol=tcp src-address=41.134.110.0/28 in-interface=ether1-Mweb-Router src-port=8080-8082

19 chain=prerouting action=accept protocol=tcp src-address=196.212.100.0/28 src-port=20-21

20 chain=prerouting action=accept protocol=tcp src-address=196.212.100.0/28 src-port=22

21 chain=prerouting action=accept protocol=tcp src-address=196.212.100.0/28 src-port=80

22 chain=prerouting action=accept protocol=tcp src-address=196.212.100.0/28 src-port=81

23 chain=prerouting action=accept protocol=tcp src-address=196.212.100.0/28 src-port=5900-5935

24 chain=prerouting action=accept protocol=tcp src-address=196.212.100.0/28 src-port=3203

25 chain=prerouting action=accept protocol=tcp src-address=196.212.100.0/28 src-port=3204

26 chain=prerouting action=accept protocol=tcp src-address=196.212.100.0/28 src-port=443

27 chain=prerouting action=accept protocol=tcp src-address=196.212.100.0/28 src-port=3306

28 chain=prerouting action=accept protocol=tcp src-address=196.212.100.0/28 src-port=6010

29 chain=prerouting action=accept protocol=tcp src-address=196.212.100.0/28 src-port=6000-6001

30 chain=prerouting action=accept protocol=tcp src-address=196.212.100.0/28 src-port=7000

31 chain=prerouting action=accept protocol=tcp src-address=196.212.100.0/28 src-port=8080-8082

32 chain=prerouting action=mark-connection new-connection-mark=wan1_conn passthrough=yes dst-address=!192.168.88.0/24 in-interface=ether2-Main-LAN
per-connection-classifier=both-addresses:2/0

33 chain=prerouting action=mark-connection new-connection-mark=wan2_conn passthrough=yes dst-address=!192.168.88.0/24 in-interface=ether2-Main-LAN
per-connection-classifier=both-addresses:2/1

34 chain=prerouting action=mark-routing new-routing-mark=to_wan1 passthrough=no in-interface=ether2-Main-LAN connection-mark=wan1_conn

35 chain=prerouting action=mark-routing new-routing-mark=to_wan2 passthrough=no in-interface=ether2-Main-LAN connection-mark=wan2_conn

And my route print:

# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 A S 0.0.0.0/0 41.134.110.9 1
1 S 0.0.0.0/0 196.212.100.145 1
2 A S 0.0.0.0/0 41.134.110.9 1
3 S 0.0.0.0/0 196.212.100.145 2
4 ADC 41.134.110.0/28 41.134.110.10 ether1-Mweb-Router 0
5 ADC 192.168.88.0/24 192.168.88.1 ether2-Main-LAN 0

So basically what happens is the connection comes in but it leaves via the other WAN connection. How do I make it use the same route it came in from?
 
NetTecture
newbie
Posts: 48
Joined: Tue Jan 25, 2011 1:20 pm

Re: PCC port forwarding return problem

Wed Feb 09, 2011 10:11 am

You need to add actions routing traffic to the correct interface.

http://wiki.mikrotik.com/wiki/Manual:PCC has explanations. The section about policy routing is important.

In short:

* Make sure your packets get a routing mark according to the interface they came in on.
* Have routes in the routing table with the routing mark, FIRST.

In the result:
* Connection comes from ether4, gets connection mark ether4.
* Packets from it get routing mark ether4 when leaving.
* As such, the route with ether4 routing mark will make sure they leave on the correct interface ;)
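
An added example (not part of the original posts, and not MikroTik's own configuration) of the marking scheme described in the reply above, in the RouterOS v4/v5-era syntax the thread uses. Interface names, mark names and gateway addresses are taken from arthurmitch's print output; the rule order and the use of connection-mark=no-mark to keep PCC from re-marking inbound connections are this example's assumptions.

```routeros
# Added example; names and addresses come from the thread's print output.
/ip firewall mangle
# 1. LAN traffic to the directly connected WAN subnets skips policy routing.
add chain=prerouting action=accept in-interface=ether2-Main-LAN dst-address=41.134.110.0/28
add chain=prerouting action=accept in-interface=ether2-Main-LAN dst-address=196.212.100.0/28

# 2. Mark every new connection by the WAN it arrived on. Doing this in
#    prerouting (not input) also covers port-forwarded connections, which
#    are dst-nat'ed to 192.168.88.2 and never traverse chain=input.
add chain=prerouting action=mark-connection new-connection-mark=wan1_conn \
    passthrough=yes in-interface=ether1-Mweb-Router connection-mark=no-mark
add chain=prerouting action=mark-connection new-connection-mark=wan2_conn \
    passthrough=yes in-interface=ether3-I.S-Router connection-mark=no-mark

# 3. PCC only classifies connections that are still unmarked, i.e. those
#    opened from the LAN. Replies from 192.168.88.2 to an inbound client
#    already carry the mark from step 2 and are left alone.
add chain=prerouting action=mark-connection new-connection-mark=wan1_conn \
    passthrough=yes in-interface=ether2-Main-LAN connection-mark=no-mark \
    dst-address=!192.168.88.0/24 per-connection-classifier=both-addresses:2/0
add chain=prerouting action=mark-connection new-connection-mark=wan2_conn \
    passthrough=yes in-interface=ether2-Main-LAN connection-mark=no-mark \
    dst-address=!192.168.88.0/24 per-connection-classifier=both-addresses:2/1

# 4. Turn the connection mark into a routing mark, for forwarded packets
#    coming back from the LAN and for the router's own replies.
add chain=prerouting action=mark-routing new-routing-mark=to_wan1 \
    passthrough=no in-interface=ether2-Main-LAN connection-mark=wan1_conn
add chain=prerouting action=mark-routing new-routing-mark=to_wan2 \
    passthrough=no in-interface=ether2-Main-LAN connection-mark=wan2_conn
add chain=output action=mark-routing new-routing-mark=to_wan1 \
    passthrough=no connection-mark=wan1_conn
add chain=output action=mark-routing new-routing-mark=to_wan2 \
    passthrough=no connection-mark=wan2_conn

/ip route
# Marked routes: each routing mark has exactly one way out.
add dst-address=0.0.0.0/0 gateway=41.134.110.9 routing-mark=to_wan1
add dst-address=0.0.0.0/0 gateway=196.212.100.145 routing-mark=to_wan2
# Unmarked default routes for everything else, with failover by distance.
add dst-address=0.0.0.0/0 gateway=41.134.110.9 distance=1
add dst-address=0.0.0.0/0 gateway=196.212.100.145 distance=2
```

With this ordering, a connection's mark is set once, on its first packet, and every later packet in either direction is routed by that mark.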
 
arthurmitch
Frequent Visitor
Topic Author
Posts: 82
Joined: Mon Jan 31, 2011 3:02 pm
Location: South Africa

Re: PCC port forwarding return problem

Thu Feb 10, 2011 8:44 am

OK, that works now; I placed my routes in the right place. But I'm still stuck at this one problem: user1 runs ftp:41.134.110.10 on my local subnet 192.168.88.0/24 and gets timed out, so he types in the public IP address to access the FTP server. Is there a way I can fix that? The one method I used was:

0 ;;; Loopback-Connection 1
chain=srcnat action=masquerade protocol=tcp src-address=192.168.88.0/24
dst-address=192.168.88.2 out-interface=ether2-Main-LAN

If I use this rule it works: I have access to 196.212.100.148 but not 41.134.110.10. But when I disable 196.212.100.148's interface, 41.134.110.10 starts working? What's up with that? That's weird?!
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: PCC port forwarding return problem

Thu Feb 10, 2011 4:00 pm

Man am I getting a lot of miles out of this link this week.
http://wiki.mikrotik.com/wiki/Hairpin_NAT
 
arthurmitch
Frequent Visitor
Topic Author
Posts: 82
Joined: Mon Jan 31, 2011 3:02 pm
Location: South Africa

Re: PCC port forwarding return problem

Mon Feb 14, 2011 2:25 pm

OK, but I'm using two routers that are using module PCC; hairpin NAT is exactly what I want.
 
arthurmitch
Frequent Visitor
Topic Author
Posts: 82
Joined: Mon Jan 31, 2011 3:02 pm
Location: South Africa

Re: PCC port forwarding return problem

Thu Feb 17, 2011 10:30 am

So how would I go about hairpin NAT with PCC?
