A simple port forwarding

Hi All,
I have a few MikroTik 750GL running RouterOS 6.35.2 and here is a simple task that I need to do:
The MikroTik got an IP of 192.168.1.21 for its WAN port. Its LAN network is 192.168.88.1/24 and all I would like to do is to route all web requests on port 80 from network 192.168.1.1/24 to a host within the MikroTik LAN with the IP 192.168.88.68. So here is what I have set up for DSTNAT:

[admin@MikroTik] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
 0    ;;; default configuration
      chain=srcnat action=masquerade out-interface=ether1-gateway

 1    chain=dstnat action=dst-nat to-addresses=192.168.88.68 to-ports=80 protocol=tcp
      dst-address=192.168.1.21 in-interface=ether1-gateway dst-port=80

I took this straight out of the manual. Yet it did not work at all. Does anyone have any idea what else I need to add for this simple forwarding task to work?

Thanks,

Anyone? Please help.
One more note: the same router with the same NAT rule was working on RouterOS 4.x, and then after I upgraded the firmware to 6.35.2 it stopped working.

Are you trying to access the web page from the internet, from something on the 192.168.1.0 LAN, or something on the 192.168.88.0 LAN? All three have different answers.

If you are trying from a device on the internet, you will need to set up port forwarding in whatever router is NATing your internet address to the 192.168.1.0 LAN.
If you are trying to access the web page from a device on the 192.168.1.0 LAN, it should work. Your NAT rule appears to be correct (unless I missed something, or you have a firewall rule that is blocking it).
If you are trying from some device on the 192.168.88.0 LAN, it will depend on what IP you are trying to reach. If you are trying to point to the 192.168.1.21 address, you will need to set up a hairpin NAT rule in the MikroTik. If you are trying to point to the 192.168.88.68 address, you should get to the web server just fine.

Jim

Thanks Jim,
192.168.1.23 is the WAN address for the RT450 router. The LAN subnet for RT450 is 192.168.88.0. All I would like to do is to have any client from within 192.168.1.0/24 be able to hit the web server on port 80 of the host 192.168.88.68 on the RT450 LAN port.
Here is my firewall filter (this came from the default settings after reset):

[admin@MikroTik] > ip fire fil pr
Flags: X - disabled, I - invalid, D - dynamic
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward

 1    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp

 2    ;;; defconf: accept established,related
      chain=input action=accept connection-state=established,related

 3    ;;; defconf: drop all from WAN
      chain=input action=drop in-interface=ether1

 4    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection connection-state=established,related

 5    ;;; defconf: accept established,related
      chain=forward action=accept connection-state=established,related

 6    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid

 7    ;;; defconf: drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat
      in-interface=ether1

This must be the simplest thing, yet it turns out to be almost impossible!

tien, you are filtering everything except ICMP and established connections in the “input” chain.

Try to disable rule #3 and check if this helps.
If it does, create a rule which would allow incoming traffic to TCP port 80, BEFORE rule #3.

artemk,
I did disable rule 3 and still nothing.

Input chain rules are not used when filtering NAT pinhole traffic.
Forward chain rules are.

If you want to find out whether it’s a filter rule, then make a forward chain rule:
/ip firewall filter add chain=forward action=accept

Then move this rule to the very top of the list. (delete it once finished testing, of course)

If suddenly, things are working, then your firewall filter is to blame. If things don’t improve, then it’s not the filter.
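To illustrate the reply above (input chain versus forward chain for dst-nat'ed traffic), here is an added example that is not part of the original thread: a simplified Python model that runs a constructed new TCP/80 packet through the filter rules printed earlier. The function names are hypothetical, and the model assumes the default accept when no rule decides and treats fasttrack-connection as non-terminating.

```python
# Filter rules transcribed from the "ip fire fil pr" output in this thread.
# Rule 0 (dynamic fasttrack counter rule) is omitted; it decides nothing.
# "dstnat": False stands for connection-nat-state=!dstnat.
EST_REL = {"established", "related"}
RULES = [
    (1, "input", "accept", {"protocol": "icmp"}),
    (2, "input", "accept", {"connection-state": EST_REL}),
    (3, "input", "drop", {"in-interface": "ether1"}),
    (4, "forward", "fasttrack-connection", {"connection-state": EST_REL}),
    (5, "forward", "accept", {"connection-state": EST_REL}),
    (6, "forward", "drop", {"connection-state": {"invalid"}}),
    (7, "forward", "drop", {"connection-state": {"new"}, "dstnat": False,
                            "in-interface": "ether1"}),
]

def matches(cond, pkt):
    """True when every matcher of a rule agrees with the packet."""
    for key, want in cond.items():
        have = pkt[key]
        if (have not in want) if isinstance(want, set) else (have != want):
            return False
    return True

def evaluate(pkt, dstnat_hit):
    """Return (chain, action, deciding rule number or None)."""
    pkt = dict(pkt, dstnat=dstnat_hit)
    # dst-nat is applied before the routing decision. If it rewrote the
    # destination to the LAN host, the packet is routed through the router
    # (forward chain); if not, it is addressed to the router itself (input).
    chain = "forward" if dstnat_hit else "input"
    for num, rule_chain, action, cond in RULES:
        if rule_chain != chain or not matches(cond, pkt):
            continue
        if action in ("accept", "drop"):
            return chain, action, num
        # fasttrack-connection is modelled as non-terminating: keep going.
    return chain, "accept", None  # no rule decided: default accept

# Constructed sample: first packet of a TCP/80 connection from the
# 192.168.1.0/24 side, arriving on ether1.
SYN = {"in-interface": "ether1", "protocol": "tcp", "connection-state": "new"}

if __name__ == "__main__":
    for hit in (True, False):
        print("dst-nat matched:", hit, "->", evaluate(SYN, hit))
```

In this model the packet is only ever dropped by input rule 3 when the dst-nat rule did not match it; on the router, the packet counters of the dst-nat rule show which of the two cases is occurring.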

Is there a way to move the rule via ssh command line or webfig interface?
Thanks,

Yes to both, but I forget the command line method. Pretty sure there are up/down arrows for moving rules, or it's even possible to drag/drop them with the mouse.

Mouse drag and drop seems to work, thanks. Now if only I can make this port forward thing work! Shouldn’t this be the simplest thing?

Haven’t read back over the thread, so excuse this question if it’s already been answered: are you doing any policy routing / any kind of load balancing multiple ISPs or anything in the mangle table?