Ferrograph
Member Candidate
Topic Author
Posts: 154
Joined: Wed Mar 07, 2012 4:05 am

Simple one way UDP Port Forwarding NAT rule not working

Wed Jul 24, 2013 3:50 pm

I have a fairly simple setup on RB2011. A small handful of NAT rules forwarding ports to some TCP services on the LAN - all working fine.

Today I added a UDP forwarding rule to the NAT for an inbound video stream. I can see the packets hitting the WAN and they show in "Connections" but they are not getting sent on to the LAN and the counters don't increment. I've tried a great many different combinations of src and dst addresses, in interface, ports etc. to try to make the rule match but none successful. I believe that NAT rules come before any filter rules so in theory my filters are irrelevant and pretty standard anyway.

Here is the rule. I've replaced WAN address with XX for obvious reasons.

1 X ;;; UDP Video
chain=dstnat action=dst-nat to-addresses=192.168.4.10 to-ports=5000
protocol=udp dst-address=XX.XX.XX.XX dst-port=5000

Are there any "gotchas" when forwarding one-way UDP packets? I spent quite a bit of time on this - it's driving me mad. The reason I ask is that if I delete the rule and then add it back fresh, I see one packet make it through and then no more, as if the tracking is waiting for a reply from the device on the LAN.

Any help greatly appreciated.
 
tomaskir
Trainer
Posts: 1162
Joined: Sat Sep 24, 2011 2:32 pm
Location: Slovakia

Re: Simple one way UDP Port Forwarding NAT rule not working

Wed Jul 24, 2013 6:04 pm

Few things to check:

Is firewall on the RB allowing the NATed connection?
Does the device you NAT to have a gateway configured?
Does the device you NAT to allow connections from other subnets if it has its own firewall?
 
Ferrograph
Member Candidate
Topic Author
Posts: 154
Joined: Wed Mar 07, 2012 4:05 am

Re: Simple one way UDP Port Forwarding NAT rule not working

Wed Jul 24, 2013 6:14 pm

Thanks for your time.
Is firewall on the RB allowing the NATed connection?
How can I check this?
Does the device you NAT to have a gateway configured?
Yes, it's a PC and I can RDP and do other stuff to it from outside.
Does the device you NAT to allow connections from other subnets if it has its own firewall?
Yes, as above other NATed services work ok. PC's own firewall is fully disabled.
 
tomaskir
Trainer
Posts: 1162
Joined: Sat Sep 24, 2011 2:32 pm
Location: Slovakia

Re: Simple one way UDP Port Forwarding NAT rule not working

Wed Jul 24, 2013 8:56 pm

Is firewall on the RB allowing the NATed connection?
How can I check this?
This is probably blocking the connection. Look at the forward chain in firewall, or post "/ip firewall filter export compact".
 
Ferrograph
Member Candidate
Topic Author
Posts: 154
Joined: Wed Mar 07, 2012 4:05 am

Re: Simple one way UDP Port Forwarding NAT rule not working

Thu Jul 25, 2013 1:15 am

This is probably blocking the connection. Look at the forward chain in firewall, or post "/ip firewall filter export compact".
/ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Accept established connections
chain=input action=accept connection-state=established

1 ;;; Forward established connections
chain=forward action=accept

2 ;;; Accept related connections
chain=input action=accept connection-state=related

3 ;;; Forward related connections
chain=forward action=accept connection-state=related

4 ;;; Drop invalid connections
chain=input action=drop connection-state=invalid

5 ;;; UDP
chain=input action=accept protocol=udp

6 ;;; From our LAN
chain=input action=accept src-address=192.168.4.0/24

7 ;;; Allow limited pings
chain=input action=accept protocol=icmp icmp-options=0:0-255 limit=50/5s,2

8 ;;; Drop excess pings
chain=input action=drop protocol=icmp

9 ;;; Allow Remote Winbox Connections
chain=input action=accept protocol=tcp dst-address-type=local dst-port=8291

10 ;;; Bandwidth Test
chain=input action=accept protocol=tcp dst-address-type=local dst-port=2000

11 ;;; Allow Webfig Connections
chain=input action=accept protocol=tcp src-address-type="" dst-address-type=local dst-port=81

12 X ;;; Allow Remote Webfig Connections
chain=input action=accept protocol=tcp src-address-type="" dst-address-type=local dst-port=8081

13 ;;; Allow PPTP Connections
chain=input action=accept protocol=tcp dst-port=1723

14 X ;;; Allow Web Proxy Connections
chain=input action=accept protocol=tcp dst-address-type=local dst-port=8080

15 ;;; Log everything else
chain=input action=log log-prefix="DROP INPUT"

16 ;;; Drop everything else
chain=input action=drop
 
Rudios
Forum Veteran
Posts: 973
Joined: Mon Mar 11, 2013 12:58 pm
Location: The Netherlands

Re: Simple one way UDP Port Forwarding NAT rule not working

Thu Jul 25, 2013 11:30 am

If this is your complete firewall output, you need to give it some serious thought.
Your second rule is allowing all traffic to pass through the router, so nothing is blocked!!!
 
Ferrograph
Member Candidate
Topic Author
Posts: 154
Joined: Wed Mar 07, 2012 4:05 am

Re: Simple one way UDP Port Forwarding NAT rule not working

Thu Jul 25, 2013 12:20 pm

1 ;;; Forward established connections
chain=forward action=accept
If this is your complete firewall output, you need some serious thoughts.
Your second rule is allowing all traffic to pass through the router, so nothing is blocked!!!
Lol, off topic, but yes, you are right. It's missing the connection-state=established bit. I got these rules from here: http://wiki.mikrotik.com/wiki/Securing_your_router Perhaps you can suggest some better rules?

It still leaves me with the problem of my UDP packets not making it through the firewall. Any suggestions on that?
 
janisk
MikroTik Support
Posts: 6263
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: Simple one way UDP Port Forwarding NAT rule not working

Thu Jul 25, 2013 12:25 pm

Most simple stuff you can look up in the default configuration examples that are posted on the wiki for SOHO routers here:
http://wiki.mikrotik.com/wiki/Manual:De ... igurations

FW there is good and protects your router and hosts behind it.
 
Ferrograph
Member Candidate
Topic Author
Posts: 154
Joined: Wed Mar 07, 2012 4:05 am

Re: Simple one way UDP Port Forwarding NAT rule not working

Thu Jul 25, 2013 12:38 pm

most simple stuff you can look up in default configuration examples that are posted on the wiki for SOHO routers here:
http://wiki.mikrotik.com/wiki/Manual:De ... igurations

FW there is good and protects your router and hosts behind it.
Thanks for that.

After a bit more reading, is it rule #4 that is blocking the UDP packets, as they will be unsolicited and therefore classified invalid-connection and dropped? I didn't see any blocked messages of this type in the log, but then perhaps the errant forwarding rule was losing the packets?
 
Rudios
Forum Veteran
Posts: 973
Joined: Mon Mar 11, 2013 12:58 pm
Location: The Netherlands

Re: Simple one way UDP Port Forwarding NAT rule not working

Thu Jul 25, 2013 1:00 pm

Rule 4 is for your input chain, so traffic with the router as its destination. Since you have a NAT rule, the src-address is different and therefore the forward chain should be hit.
You only have 2 rules there. I suggest you update your forward chain.
Something like

ros code

/ip firewall filter
add chain=forward comment="Accept established connections" connection-state=established
add chain=forward comment="Accept related connections" connection-state=related
add chain=forward comment="Allow traffic from Local network" in-interface=<local-bridge> src-address=<local-lan-segment>
add chain=forward comment="Allow port 5000" dst-address=192.168.4.10 dst-port=5000 in-interface=<your-wan-int> protocol=udp
add action=log chain=forward comment="Log everything else" disabled=yes log-prefix="IPv4 Drop forward:"
add action=drop chain=forward comment="Drop everything else"
 
Ferrograph
Member Candidate
Topic Author
Posts: 154
Joined: Wed Mar 07, 2012 4:05 am

Re: Simple one way UDP Port Forwarding NAT rule not working

Thu Jul 25, 2013 5:48 pm

I think there are some holes in my understanding of each rule, the chains and their purpose. If I try to think about this in terms of traffic and destinations, which rules and chains take care of or allow what? I've taken a guess based on what I've learned recently...

# LAN<-Cloud: Return traffic. CHAIN=Input
# LAN->Cloud: New, established & related outbound TCP (browsing, mail, etc). CHAIN=forward?
# LAN<-Cloud: Services. NAT+CHAIN=Forward because NAT changed the dst-addr. If the forward rule is disabled, services can't be reached?
# LAN<-Cloud: Unsolicited but desired inbound UDP packets (like my video stream). CHAIN=Forward but specific port and dst-addr?
 
Rudios
Forum Veteran
Posts: 973
Joined: Mon Mar 11, 2013 12:58 pm
Location: The Netherlands

Re: Simple one way UDP Port Forwarding NAT rule not working

Thu Jul 25, 2013 8:29 pm

Input chain is used for traffic destined for the router. The forward chain is for traffic passing through the router. The direction is not important. In respect to NAT, incoming connections are destined to the router, but since NAT comes first and filter later, the forward chain will be hit.
Hope this clears up your thoughts.

P.s. I will post more detailed filter I have later.

If you have no special requirements, the following firewall rules are advised.

ros code

/ip firewall filter
add action=drop chain=input comment="Drop invalid connections" connection-state=invalid
add chain=input comment="Accept established connections" connection-state=established
add chain=input comment="Accept related connections" connection-state=related
add chain=input comment="Allow access from local network" in-interface=br-PrivateNetwork src-address=192.168.25.0/24
add action=log chain=input comment="Log everything else" disabled=yes log-prefix="IPv4 Drop input:"
add action=drop chain=input comment="Drop everything else"

add action=drop chain=forward comment="Drop invalid connections" connection-state=invalid
add chain=forward comment="Accept established connections" connection-state=established
add chain=forward comment="Accept related connections" connection-state=related
add chain=forward comment="Allow traffic from Local network" in-interface=br-PrivateNetwork src-address=192.168.25.0/24
add action=log chain=forward comment="Log everything else" disabled=yes log-prefix="IPv4 Drop forward:"
add action=drop chain=forward comment="Drop everything else"
And for internet to work a NAT masquerade rule is needed

ros code

/ip firewall nat
add action=masquerade chain=srcnat comment="Masquerade internal to outside IP" out-interface=pppoe-wan src-address=192.168.25.0/24
One of my special requirements is to reach my webserver (local ip = 192.168.25.5) from the outside world. Therefore I have created the following NAT rule.

ros code

/ip firewall nat
add action=dst-nat chain=dstnat comment="Forward tcp:80 to webserver" dst-address=w.x.y.z dst-port=80 protocol=tcp to-addresses=192.168.25.5 to-ports=80
And in order to reach the router itself from the outside on a different port than 80, let's say 1080, I have the following NAT rule

ros code

/ip firewall nat
add action=dst-nat chain=dstnat comment="Forward tcp:1080 to Router:80" dst-address=w.x.y.z dst-port=1080 protocol=tcp to-addresses=192.168.25.254 to-ports=80
And for the traffic to actually reach my webserver I have the following firewall rule

ros code

/ip firewall filter
add chain=forward comment="Allow http connection to webserver from outside" dst-address=192.168.25.5 dst-port=80 in-interface=pppoe-wan protocol=tcp
And for traffic to reach the router the following firewall rule is needed

ros code

/ip firewall filter
add chain=input comment="Allow http access to router from outside" dst-port=80 in-interface=pppoe-wan protocol=tcp
I again hope you understand my config.
I have taught myself to group the firewall rules by chain. So first come all my input chain rules, and after that my forward chain rules.
And for the last rules to work, they should be placed before the final drop rule.
So in one go my firewall nat and filter is as follows

ros code

/ip firewall nat
add action=masquerade chain=srcnat comment="Masquerade internal to outside IP" out-interface=pppoe-wan src-address=192.168.25.0/24
add action=dst-nat chain=dstnat comment="Forward tcp:80 to webserver" dst-address=w.x.y.z dst-port=80 protocol=tcp to-addresses=192.168.25.5 to-ports=80
add action=dst-nat chain=dstnat comment="Forward tcp:1080 to Router:80" dst-address=w.x.y.z dst-port=1080 protocol=tcp to-addresses=192.168.25.254 to-ports=80

/ip firewall filter
add action=drop chain=input comment="Drop invalid connections" connection-state=invalid
add chain=input comment="Accept established connections" connection-state=established
add chain=input comment="Accept related connections" connection-state=related
add chain=input comment="Allow access from local network" in-interface=br-PrivateNetwork src-address=192.168.25.0/24
add chain=input comment="Allow http access to router from outside" dst-port=80 in-interface=pppoe-wan protocol=tcp
add action=log chain=input comment="Log everything else" disabled=yes log-prefix="IPv4 Drop input:"
add action=drop chain=input comment="Drop everything else"

add action=drop chain=forward comment="Drop invalid connections" connection-state=invalid
add chain=forward comment="Accept established connections" connection-state=established
add chain=forward comment="Accept related connections" connection-state=related
add chain=forward comment="Allow traffic from Local network" in-interface=br-PrivateNetwork src-address=192.168.25.0/24
add chain=forward comment="Allow http connection to webserver from outside" dst-address=192.168.25.5 dst-port=80 in-interface=pppoe-wan protocol=tcp
add action=log chain=forward comment="Log everything else" disabled=yes log-prefix="IPv4 Drop forward:"
add action=drop chain=forward comment="Drop everything else"
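Putting the thread's two pieces of advice together for the original UDP case: the dst-nat rule from the first post, a forward chain in the same shape Rudios uses for his webserver (with the connection-state matcher that rule 1 in the posted filter was missing), and read-only commands to see where packets stop. This is an added example from the editor, not configuration posted by anyone in the thread. The interface names ether1-wan and bridge-lan are placeholders, XX.XX.XX.XX stands for the public address exactly as in the original post, and the commented-out connection-nat-state rule assumes a RouterOS version that has that matcher.

```routeros
# Added example, not from the thread. Placeholders: ether1-wan = WAN
# interface, bridge-lan = LAN bridge, XX.XX.XX.XX = public address.

/ip firewall nat
# dst-nat runs in PREROUTING, before the routing decision and before any
# filter chain. Only the first packet of each tracked connection passes
# through this chain; later packets follow the connection-tracking entry.
add chain=dstnat action=dst-nat to-addresses=192.168.4.10 to-ports=5000 protocol=udp in-interface=ether1-wan dst-address=XX.XX.XX.XX dst-port=5000 comment="UDP Video"

/ip firewall filter
# forward chain: by the time the stream gets here its destination is already
# rewritten, so match on the LAN address, not on the WAN address.
add chain=forward action=drop connection-state=invalid comment="Drop invalid connections"
add chain=forward action=accept connection-state=established comment="Forward established connections"
add chain=forward action=accept connection-state=related comment="Forward related connections"
add chain=forward action=accept in-interface=bridge-lan src-address=192.168.4.0/24 comment="Allow traffic from LAN"
add chain=forward action=accept connection-state=new in-interface=ether1-wan protocol=udp dst-address=192.168.4.10 dst-port=5000 comment="UDP Video to 192.168.4.10"
# Alternative to the rule above: accept any new connection that dst-nat has
# already translated, so the filter follows the NAT table automatically.
# Assumes a RouterOS version with the connection-nat-state matcher.
# add chain=forward action=accept connection-state=new connection-nat-state=dstnat in-interface=ether1-wan comment="Allow dst-natted traffic"
add chain=forward action=drop comment="Drop everything else"

# Checks (read-only, run in the terminal).
# The forward accept rule counts every packet of the stream; the dstnat rule
# counts only the first packet of each connection, so one hit there is normal.
/ip firewall filter print stats where chain=forward
/ip firewall nat print stats where chain=dstnat
# A translated flow shows reply-src-address=192.168.4.10:5000; an entry whose
# reply-src-address is still XX.XX.XX.XX:5000 was created before the NAT rule
# existed and stays untranslated until it times out.
/ip firewall connection print detail where protocol=udp dst-address~":5000"
# Remove such a stale entry so the next packet is treated as a new connection
# and goes through dstnat again (placeholder address in the regex).
/ip firewall connection remove [find protocol=udp dst-address~":5000" reply-src-address~"^XX.XX.XX.XX:"]
```

The order matters in the same way Rudios describes: the specific accept for the stream must sit above the final drop, and because the dstnat rule never sees the second and later packets of a flow, the place to watch a steady stream arrive is the forward rule's counter and the connection list, not the NAT rule's counter.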