borislav
just joined
Topic Author
Posts: 17
Joined: Fri May 11, 2018 5:43 pm

NAT port forwarding does not work

Tue Mar 12, 2024 6:00 pm

Hello,

All day I've been trying to forward a port to a specific IP address in my internal network. I tried everything, including a router reset and starting over, but with no result.
I'm attaching my current config; I hope somebody can help.
[admin@MikroTik] > /export hide-sensitive
# 2024-03-12 17:58:00 by RouterOS 7.13.5
# software id = E9JX-26SU
#
# model = RB5009UG+S+
# serial number = HF70963S8VZ
# Reader notes (added comments; everything else is the export as posted).
# Topology: one LAN bridge over ether2-ether8; ether1 and sfp-sfpplus1 are the two WAN uplinks.
/interface bridge
add admin-mac=78:9A:18:8A:20:9D auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=default-dhcp ranges=192.168.240.10-192.168.240.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=10m name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
/ip neighbor discovery-settings
set discover-interface-list=LAN
# IPv6 is switched off; the /ipv6 firewall sections further down are the defconf defaults and
# presumably see no traffic while it stays disabled.
/ipv6 settings
set disable-ipv6=yes forward=no
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=sfp-sfpplus1 list=WAN
/ip address
add address=192.168.240.1/24 comment=defconf interface=bridge network=192.168.240.0
# Both uplinks run a DHCP client with add-default-route=no; the default routes are the static ones under /ip route.
/ip dhcp-client
add add-default-route=no comment=defconf interface=ether1
add add-default-route=no interface=sfp-sfpplus1
# Static lease for 192.168.240.250, the to-addresses target of the dst-nat rule below.
/ip dhcp-server lease
add address=192.168.240.250 client-id=ff:d2:e5:ab:65:0:2:0:0:ab:11:3d:7e:8a:9b:4c:a8:db:12 mac-address=04:32:01:9F:30:EE server=defconf
add address=192.168.240.251 mac-address=38:68:DD:85:14:F1 server=defconf
/ip dhcp-server network
add address=192.168.240.0/24 comment=defconf dns-server=192.168.240.1 gateway=192.168.240.1
# allow-remote-requests=yes makes the router a resolver for LAN clients; it is the input-chain
# "drop all not coming from LAN" rule that stops it answering arbitrary WAN sources (the
# admin_access accept above that rule still lets the listed address query it).
/ip dns
set allow-remote-requests=yes
# admin_access holds one (redacted) public address. The input rule that accepts it has no
# protocol/port matcher, so that address may reach every router service, not just Winbox.
/ip firewall address-list
add address=xx.xx.xx.xx list=admin_access
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
# Order matters: this accept sits before the "drop all not coming from LAN" rule, so it is the
# only thing that lets WAN-side management in.
add action=accept chain=input src-address-list=admin_access
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# New connections arriving on WAN are dropped unless they were dst-natted
# (connection-nat-state=!dstnat), so the forwarded SSH session below passes this rule.
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new \
    in-interface-list=WAN
/ip firewall nat
# Forwards TCP 2222 to the server's port 22. There is no in-interface-list matcher, so it also
# matches traffic that arrives on the LAN bridge (as the replies point out); adding
# in-interface-list=WAN narrows it to the uplinks and is the change discussed in the thread.
add action=dst-nat chain=dstnat dst-port=2222 protocol=tcp to-addresses=192.168.240.250 to-ports=22
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
# Two static default routes: distance 1 via sfp-sfpplus1 (primary), distance 2 via ether1 (backup),
# both with check-gateway=ping. Gateway addresses are redacted (xx.xx.xx.xx) in the post.
/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=xx.xx.xx.xx pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10 vrf-interface=sfp-sfpplus1
add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=xx.xx.xx.xx pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10 vrf-interface=ether1
# Router's own management services: only winbox stays enabled, bound to the LAN subnet plus one
# redacted public /32 (a reply later questions exposing winbox to the internet at all).
# "ssh disabled=yes" is the router's own SSH daemon; it does not affect the 2222 -> server:22 forward.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox address=192.168.240.0/24,xx.xx.xx.xx/32
set api-ssl disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=Europe/Sofia
/system note
set show-at-login=no
# MAC-level access (mac-telnet / mac-winbox) is limited to the LAN interface list.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
mkx
Forum Guru
Forum Guru
Posts: 11646
Joined: Thu Mar 03, 2016 10:23 pm

Re: NAT port forwarding does not work

Tue Mar 12, 2024 6:18 pm

And from where are you trying to use the forwarded port? Public internet? Or from inside your LAN?
 
erlinden
Forum Guru
Forum Guru
Posts: 1975
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: NAT port forwarding does not work

Tue Mar 12, 2024 6:20 pm

Think on your dst-nat rule you are missing:
in-interface-list=WAN
Besides:
Are you indeed having 2 internet connections?
Why do you have all these IPv6 lines while you are not running IPv6?
 
mkx
Forum Guru
Forum Guru
Posts: 11646
Joined: Thu Mar 03, 2016 10:23 pm

Re: NAT port forwarding does not work

Tue Mar 12, 2024 6:32 pm

Think on your dst-nat rule you are missing:
in-interface-list=WAN

Nah, this omission only makes DST-NAT rule more greedy. It doesn't make it non-working. Would it be useful to include this addition? Depends if @OP needs to use NAT-ed port from inside LAN or not.
 
anav
Forum Guru
Forum Guru
Posts: 19404
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: NAT port forwarding does not work

Tue Mar 12, 2024 9:19 pm

Do you mean, knowing the actual traffic flow requirements and perhaps a network diagram would help.............. gee....... where have I heard that before? Certainly not in the non-existent First Post Process LOL.
 
borislav
just joined
Topic Author
Posts: 17
Joined: Fri May 11, 2018 5:43 pm

Re: NAT port forwarding does not work

Tue Mar 12, 2024 9:29 pm

Sorry, I wrote the post in a hurry at the end of the working hours.

I’ll describe my setup in more detail now, although without the required diagram, as I am typing on my phone ATM.

I have a Linux server behind my router, whose job doesn’t concern us at the moment. I want to access this server over SSH from the WAN, from certain IP addresses.
I had the same config tested on my other router, where it worked without any problems. I compared both routers’ configs, but couldn’t see where the problem was. I hope somebody will open my eyes to a stupid typo somewhere, or a rule I’ve messed up that I cannot see…

Yes, I have two ISPs, one is for backup.
There are ipv6 tables because this is the default config. I didn’t know what else to do at 5 p.m. so I reset the router with default configuration to see if this will fix my problem. Well, it didn’t.

Edit: before you ask me, yes, I’ve allowed ssh on the server.
 
erlinden
Forum Guru
Forum Guru
Posts: 1975
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: NAT port forwarding does not work

Tue Mar 12, 2024 9:36 pm

Is the firewall rule hit?
How are you testing?
 
anav
Forum Guru
Forum Guru
Posts: 19404
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: NAT port forwarding does not work

Tue Mar 12, 2024 9:40 pm

Other than adding in-interface-list=LAN on the dstnat rule for completeness, there seems to be no reason at all for not reaching the server from the outside.
- Are you sure you have a publicly reachable IP address??
- Are you sure the server doesn't have its own firewall settings ( like if on a PC ).
 
borislav
just joined
Topic Author
Posts: 17
Joined: Fri May 11, 2018 5:43 pm

Re: NAT port forwarding does not work

Tue Mar 12, 2024 9:51 pm

I test it from another IP (I have two routers with two independent ISPs)
Both have a static IP address, public too. I can access the MikroTik with winbox, so that works.
I can see a connection when I try to connect from the other ISP, but Putty keeps denying.

Yes, the server has firewall, but as I said, I’ve enabled ssh from anywhere, so that shouldn’t be the problem. I can access it via ssh from LAN. I even made an IPsec tunnel between both routers and could access the server through it (that is before I reset with default config).

Just for information, the server is a brand new Lenovo ThinkSystem SR630 v2. I’m starting to wonder if it has some setting that bugs the whole thing.
 
anav
Forum Guru
Forum Guru
Posts: 19404
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: NAT port forwarding does not work

Tue Mar 12, 2024 9:58 pm

Accessing the server from your other WAN connection is of course going to be problematic.......
Think of the logic......... You come in WAN2 ( not the primary WAN ) lets say you reach the server, the response will go out WAN1 the primary WAN.
The return will be coming from a different source address ( not the original destination address ) and thus will be rejected.

Please use your truly separate cellular connection to test, or perhaps ask a friend to test from their internet connection.
I'm assuming that you simply want to use the main WAN all the time and WAN2 is purely a backup, in which case nothing special need be done.
If you want to access any server on WAN2 while WAN1 is still up then you need to do some work!

By the way, accessing winbox from the internet directly is a terrible idea.
 
borislav
just joined
Topic Author
Posts: 17
Joined: Fri May 11, 2018 5:43 pm

Re: NAT port forwarding does not work

Tue Mar 12, 2024 10:26 pm

Accessing the server from your other WAN connection is of course going to be problematic.......
Think of the logic......... You come in WAN2 ( not the primary WAN ) lets say you reach the server, the response will go out WAN1 the primary WAN.
The return will be coming from a different source address ( not the original destination address ) and thus will be rejected.

Please use your truly separate cellular connection to test, or perhaps ask a friend to test from their internet connection.
I'm assuming that you simply want to use the main WAN all the time and WAN2 is purely a backup, in which case nothing special need be done.
If you want to access any server on WAN2 while WAN1 is still up then you need to do some work!

By the way, accessing winbox from the internet directly is a terrible idea.
No, you got me wrong. I am trying to access from entirely separate router with entirely separate ISP. Like if I’m trying to access my office from my home.

I have restricted access with winbox only to my own IP addresses
 
anav
Forum Guru
Forum Guru
Posts: 19404
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: NAT port forwarding does not work

Tue Mar 12, 2024 10:47 pm

Then it should just work??
 
borislav
just joined
Topic Author
Posts: 17
Joined: Fri May 11, 2018 5:43 pm

Re: NAT port forwarding does not work

Tue Mar 12, 2024 10:51 pm

Then it should just work??
Exactly! But it doesn’t.
I’ll work more on this tomorrow and give an update. Thank you for now.
 
anav
Forum Guru
Forum Guru
Posts: 19404
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: NAT port forwarding does not work

Tue Mar 12, 2024 11:03 pm

The only thing i would consider adding is the following................... but should not make any difference.
/ip dns
set allow-remote-requests=yes servers=1.1.1.1


Can you confirm you are accessing the SPFPLUS WAN, and have you tried from your cellphone??
 
borislav
just joined
Topic Author
Posts: 17
Joined: Fri May 11, 2018 5:43 pm

Re: NAT port forwarding does not work

Wed Mar 13, 2024 7:38 am

To both of your questions: yes.

I will try later today your suggestion, though I agree with you
 
mkx
Forum Guru
Forum Guru
Posts: 11646
Joined: Thu Mar 03, 2016 10:23 pm

Re: NAT port forwarding does not work

Wed Mar 13, 2024 8:01 am

Are you sure that your ISP line is completely transparent? I.e. are you sure your ISP doesn't filter ingress connections?
 
borislav
just joined
Topic Author
Posts: 17
Joined: Fri May 11, 2018 5:43 pm

Re: NAT port forwarding does not work

Wed Mar 13, 2024 11:07 am

ok, I tried again, made a new configuration of the router from scratch. Again the same problem.

What I have found until now:
1. I connected the server I am trying to access via SSH to my other router (Router 2). I immediately succeeded in connecting via SSH with the same port forwarding rule as in Router 1.
2. I tried switching to my second ISP (ISP 2) on my problematic router, and again connection is refused.
3. Every time I try to connect via SSH, no matter if from another router, or my cellphone mobile network, I can see the connection established in the Firewall connections, I can also see packets in the dst-nat rule of the port, but no matter all of that, I cannot access.
4. I tried with adding 1.1.1.1 to DNS servers, allowed remote requests, added in interface list WAN... again no result.
5. Called my ISP (ISP 1). They assured me that I am receiving a fully transparent service.

I am attaching a diagram of the setup.
 
borislav
just joined
Topic Author
Posts: 17
Joined: Fri May 11, 2018 5:43 pm

Re: NAT port forwarding does not work

Wed Mar 13, 2024 11:15 am

I'm attaching the current configuration of Router 1.
[admin@MikroTik] > /export hide-sensitive
# 2024-03-13 11:12:20 by RouterOS 7.13.5
# software id = E9JX-26SU
#
# model = RB5009UG+S+
# serial number = HF70963S8VZ
# Reader notes (added comments; everything else is the export as posted).
# Rebuilt from scratch: same topology (LAN bridge on ether2-ether8, uplinks ether1 and sfp-sfpplus1).
# proxy-arp is enabled on the LAN bridge here, which the earlier defconf export did not set;
# NOTE(review): nothing visible in this export appears to need it - confirm it is intended.
/interface bridge
add arp=proxy-arp name=bridge1
/interface list
add name=LAN
add name=WAN
/ip pool
add name=pool1 ranges=192.168.240.10-192.168.240.254
/ip dhcp-server
add address-pool=pool1 interface=bridge1 name=dhcp
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
/ipv6 settings
set disable-ipv6=yes forward=no
/interface list member
add interface=ether1 list=WAN
add interface=sfp-sfpplus1 list=WAN
/ip address
add address=192.168.240.1/24 interface=bridge1 network=192.168.240.0
# Both uplinks run a DHCP client with add-default-route=no; the defaults are the static routes under /ip route.
/ip dhcp-client
add add-default-route=no interface=sfp-sfpplus1
add add-default-route=no interface=ether1
# Static leases; 192.168.240.250 is the to-addresses target of the dst-nat rule below.
/ip dhcp-server lease
add address=192.168.240.251 mac-address=38:68:DD:85:14:F1 server=dhcp
add address=192.168.240.250 client-id=\
    ff:d2:e5:ab:65:0:2:0:0:ab:11:3d:7e:8a:9b:4c:a8:db:12 mac-address=\
    04:32:01:9F:30:EE server=dhcp
add address=192.168.240.253 client-id=1:d8:d0:90:b:dd:6e mac-address=\
    D8:D0:90:0B:DD:6E server=dhcp
/ip dhcp-server network
add address=192.168.240.0/24 gateway=192.168.240.1
# servers= lists the router's own LAN address (192.168.240.1, see /ip address) as an upstream
# resolver next to 1.1.1.1. NOTE(review): an upstream entry that points back at the router itself
# looks like a forwarding loop rather than an intended upstream - confirm.
/ip dns
set allow-remote-requests=yes servers=192.168.240.1,1.1.1.1
# admin_access is now the LAN subnet only, so no WAN address is allowed to manage the router.
/ip firewall address-list
add address=192.168.240.0/24 list=admin_access
/ip firewall filter
add action=accept chain=input comment="Accept established, related" \
    connection-state=established,related,untracked
# NOTE(review): src-port=8291 matches the CLIENT's source port. For an inbound Winbox session the
# router-side port is the destination, so dst-port=8291 is the usual matcher. LAN clients still get
# in because the "Drop all not from LAN" rule below only drops !LAN and unmatched LAN traffic falls
# through to the chain's default accept - which hides the mismatch. Confirm intent.
add action=accept chain=input comment="Accept admin access" protocol=tcp \
    src-address-list=admin_access src-port=8291
add action=accept chain=input comment="Accept ping" protocol=icmp
add action=drop chain=input comment="Drop invalid" connection-state=invalid
add action=drop chain=input comment="Drop all not from LAN" in-interface-list=\
    !LAN
# Forward chain: established/related accepted, invalid dropped, then new WAN connections dropped
# unless they were dst-natted - so the forwarded SSH session below is let through to the server.
add action=accept chain=forward comment="Accept established, related" \
    connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid
add action=drop chain=forward comment="Drop all not dst-natted" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
# Now scoped with in-interface-list=WAN: TCP 10022 arriving on either uplink -> 192.168.240.250:22.
# The OP reports this rule's counters increment and the connection shows up in the tracker while
# the SSH client is still refused, which points beyond the router (the thread's last reply asks
# about the server's own firewall).
add action=dst-nat chain=dstnat dst-port=10022 in-interface-list=WAN protocol=\
    tcp to-addresses=192.168.240.250 to-ports=22
add action=masquerade chain=srcnat out-interface-list=WAN
# Two static default routes: distance 1 via sfp-sfpplus1 (primary), distance 2 via ether1 (backup),
# both with check-gateway=ping. Gateway addresses are redacted (xx.xx.xx.xx) in the post.
/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    xx.xx.xx.xx pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10 vrf-interface=sfp-sfpplus1
add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=\
    xx.xx.xx.xx pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10 vrf-interface=ether1
# Router's own management services: everything but winbox disabled, and winbox limited to the LAN
# subnet. "ssh disabled=yes" is the router's own SSH daemon; the 10022 -> server:22 forward is unaffected.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox address=192.168.240.0/24
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Sofia
/system note
set show-at-login=no
 
anav
Forum Guru
Forum Guru
Posts: 19404
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: NAT port forwarding does not work

Wed Mar 13, 2024 4:17 pm

Sorry but your explanations are more confusing than clarifying.
I have no clue at all what you are doing or have attempted and I am getting tired of waiting for decent information.

Let see if we can make sense of it.
What make is router 2? ( assuming it's in a separate location in the house and gets its feed from ISP2 and it's not connected to the network fed by Router 1 )

So from PC behind Router 2 and ISP2 you can reach the SSH server behind R1 which is connected to ISP1?
So from behind Router 1, assuming a different PC, and ISP1 you cannot reach the SSH server on the SAME LAN?
 
mkx
Forum Guru
Forum Guru
Posts: 11646
Joined: Thu Mar 03, 2016 10:23 pm

Re: NAT port forwarding does not work

Wed Mar 13, 2024 7:58 pm

Does ssh server, by any chance, run its own firewall?
