tawh
just joined
Topic Author
Posts: 17
Joined: Sun Jun 30, 2013 2:11 pm

when use-ip-firewall=yes, DNAT from LAN to LAN not work

Sun Jun 30, 2013 4:19 pm

Hardware : RB2011UAS-2HnD
OS: ROS 6.0 & 6.1

Scenario:

use-ip-firewall set to "no":

1. A firewall address-list named "ISP" is created to store the WAN IP (IP address: A)
/ip firewall address-list add address=A list=ISP
2. A bridge is created on the LAN side with member ports.
3. An FTP server (IP address: B) is hosted on the LAN.
4. A DNAT firewall rule is created to NAT the destination address from A to B for all connections.
/ip firewall nat add chain=dstnat action=dst-nat to-addresses=B protocol=tcp dst-address-list=ISP dst-port=21
(A corresponding hairpin NAT rule is created to complete the loopback NAT for LAN to A:21.)

5. Another PC (say IP address C) inside the LAN accesses A:21 successfully. Viewing the firewall statistics, the two related firewall rules do have hits.

However, the DNAT firewall rule doesn't work if "use-ip-firewall" is set to yes... (WAN to LAN DNAT still works) :cry:
Findings:
a. The firewall rule specified in 4 does have hits, but the hairpin firewall rule doesn't record any hit. I replaced the hairpin rule with the following relaxed rule; no hit was recorded either.
/ip firewall nat add chain=dstnat action=accept protocol=tcp dst-port=21
b. From the built-in packet sniffer, the router does receive the FTP SYN packet (C to A:21), but no packet is transmitted from the router afterwards; the router seems to drop the packet.

I suspect there might be a software bug in the bridging firewall which cannot retransmit the packet back to the LAN bridge after DNATing a packet that came from the bridge.

Could anyone help solve this issue? Or is there anything I missed in the setup? Thanks in advance!
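For reference, here is the full hairpin NAT configuration the post describes in step 4 and the parenthetical after it (the original only shows the dstnat half), written out as an added example; it is not the poster's own export. The concrete addresses, the bridge name bridge-lan, the WAN interface ether1-wan and the LAN subnet are assumed values chosen for illustration, and the last two commands are the checks a practitioner would run to reproduce the "rule has hits but nothing leaves the router" finding.

```routeros
# Constructed example values (not taken from the original post):
#   A = 203.0.113.10   WAN address, stored in address-list "ISP"
#   B = 192.168.88.10  FTP server on the LAN
#   LAN = 192.168.88.0/24 behind bridge "bridge-lan", WAN on "ether1-wan"
/ip firewall address-list
add address=203.0.113.10 list=ISP comment="WAN address A"

/ip firewall nat
# Step 4 of the post: anything aimed at A:21 is redirected to the FTP server B.
# Matching on the address list keeps the rule valid if the WAN address changes.
add chain=dstnat action=dst-nat to-addresses=192.168.88.10 to-ports=21 \
    protocol=tcp dst-address-list=ISP dst-port=21 \
    comment="FTP DNAT A:21 -> B:21"
# Hairpin (loopback) rule: when the client C is also on the LAN, the DNATed
# packet would otherwise reach B with C's source address, and B would reply
# straight to C, which never saw a connection to B and drops the reply.
# Masquerading the source forces B's replies back through the router.
add chain=srcnat action=masquerade protocol=tcp \
    src-address=192.168.88.0/24 dst-address=192.168.88.10 dst-port=21 \
    comment="hairpin NAT for LAN clients reaching A:21"
# Normal outbound masquerade for everything else leaving towards the ISP.
add chain=srcnat action=masquerade out-interface=ether1-wan

/interface bridge settings
# Setting reported in the thread as the trigger: with use-ip-firewall=yes the
# bridged LAN-to-LAN packets traverse the IP firewall and the hairpin fails on
# ROS 6.0-6.2; with =no the loopback path works.
set use-ip-firewall=no

# Checks: rule counters should increase on BOTH nat rules for a LAN client,
# and the sniffer should show the SYN arriving and the DNATed SYN leaving.
/ip firewall nat print stats
/tool sniffer quick interface=bridge-lan port=21
```

With use-ip-firewall=yes, the two counters diverge exactly as the post describes: the dstnat rule counts the SYN, the srcnat hairpin rule stays at zero, and the sniffer shows no outgoing packet. That pattern (dstnat hit, srcnat miss) is the quickest way to confirm the packet is lost between the two NAT chains rather than being blocked by a filter rule.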
 
Rus123
just joined
Posts: 13
Joined: Wed Jan 20, 2010 2:27 pm

Re: when use-ip-firewall=yes, DNAT from LAN to LAN not work

Fri Aug 16, 2013 1:49 am

Same in 6.2.

Hairpin works only if use-ip-firewall=no in bridge settings.

There were changes in packet flow in ROS 6.

Returned to 5.25 - all works as desired.


Please, FIX THIS IN 6...
 
janisk
MikroTik Support
Posts: 6263
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: when use-ip-firewall=yes, DNAT from LAN to LAN not work

Fri Aug 16, 2013 10:32 am

tawh, please generate a support output file and send it to support so we can see the exact configuration. An additional network diagram (or description) of what comes in from where and on exactly which port would be a nice addition.
