port forward

happydaddy · Wed Sep 21, 2011 2:53 pm

Hi

I am trying to port forwad radius packets to my radiusmanager server from the wan port . i have used this example and ssh works but not radius. http://wiki.mikrotik.com/wiki/Forwardin ... nternal_IP

I forwarded 1812, 1813, and 1700 to my internal radius server but no luck i can see packets coming in on wan but nothing happening on radiusd -x. Any help with this

Thanks

cbrown · Wed Sep 21, 2011 9:09 pm

Can you post:

/ip firewall export
/ip address export

happydaddy · Mon Sep 26, 2011 1:03 pm

/ip firewall export

/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
    tcp-close-wait-timeout=10s tcp-established-timeout=1d \
    tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
    tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
    tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=drop chain=forward comment="" disabled=no src-address=85.17.92.151
add action=accept chain=forward comment="" disabled=no dst-port=5060 \
    protocol=udp src-address=196.x.x.x
add action=drop chain=forward comment="" disabled=no dst-port=5060 protocol=\
    udp
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="Port scanners to list " \
    disabled=no protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" \
    disabled=no protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="SYN/FIN scan" disabled=no \
    protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="SYN/RST scan" disabled=no \
    protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" disabled=\
    no protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="ALL/ALL scan" disabled=no \
    protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="NMAP NULL scan" disabled=no \
    protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="dropping port scanners" disabled=no \
    src-address-list="port scanners"
add action=accept chain=input comment="Accept established connections" \
    connection-state=established disabled=no
add action=accept chain=input comment="Accept related connections" \
    connection-state=related disabled=no
add action=drop chain=input comment="Drop invalid connections" \
    connection-state=invalid disabled=no
add action=accept chain=input comment=UDP disabled=no protocol=udp
add action=accept chain=input comment="Allow limited pings" disabled=no \
    limit=50/5s,2 protocol=icmp
add action=drop chain=input comment="Drop excess pings" disabled=no protocol=\
    icmp
add action=accept chain=input comment="SSH for secure shell" disabled=no \
    dst-port=22 protocol=tcp
add action=accept chain=input comment=dtv disabled=no dst-port=12000 \
    protocol=tcp
add action=accept chain=input comment=radius disabled=no dst-port=1812 \
    protocol=udp
add action=accept chain=input comment=radius disabled=no dst-port=1813 \
    protocol=udp
add action=accept chain=input comment=radius disabled=no dst-port=8181 \
    protocol=tcp
add action=accept chain=input comment=winbox disabled=no dst-port=8291 \
    protocol=tcp
add action=accept chain=input comment="From lan network" disabled=no \
    src-address=192.168.0.0/16
add action=accept chain=input comment="From our private LAN" disabled=no \
    src-address=10.0.0.0/8
add action=log chain=input comment="Log everything else" disabled=no \
    log-prefix="DROP INPUT"
/ip firewall nat
add action=masquerade chain=srcnat comment="" disabled=no
add action=dst-nat chain=dstnat comment=voip disabled=no dst-port=5060 \
    protocol=udp to-addresses=192.168.1.218 to-ports=5060
add action=dst-nat chain=dstnat comment=dtv disabled=no dst-port=12000 \
    protocol=tcp to-addresses=192.168.20.200 to-ports=12000
add action=dst-nat chain=dstnat comment=radiusbox disabled=no dst-port=8181 \
    protocol=tcp to-addresses=10.0.200.2 to-ports=80
add action=dst-nat chain=dstnat comment=radiusbox disabled=no dst-port=22 \
    protocol=tcp to-addresses=10.0.200.2 to-ports=22
add action=dst-nat chain=dstnat comment=radiusbox disabled=no dst-address=\
    41.x.x.x protocol=udp to-addresses=10.0.200.2 to-ports=1812
add action=dst-nat chain=dstnat comment=radiusbox disabled=no dst-port=1813 \
    protocol=udp to-addresses=10.0.200.2
add action=dst-nat chain=dstnat comment=radiusbox disabled=no dst-port=1700 \
    protocol=udp to-addresses=10.0.200.2
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no

/ip address export

add address=192.168.20.1/24 broadcast=192.168.20.255 comment="to office/baka" \
disabled=no interface=ether3 network=192.168.20.0
add address=10.0.48.2/30 broadcast=10.0.48.3 comment="to all others" \
disabled=no interface=ether1 network=10.0.48.0
add address=192.168.37.1/24 broadcast=192.168.37.255 comment=ddwrt disabled=\
no interface=ether4 network=192.168.37.0
add address=5.5.5.2/32 broadcast=5.5.5.2 comment="" disabled=no interface=loo \
network=5.5.5.2
add address=10.0.200.1/24 broadcast=10.0.200.255 comment=radius disabled=no \
interface=ether2 network=10.0.200.0

petrn · Mon Sep 26, 2011 1:39 pm

if ssh connection to radiusbox works fine, then i would suspect firewall in radius, run 'service iptables stop' and try again.

port forward

port forward

Re: port forward

Re: port forward

Re: port forward

Who is online