Access Port From Lan With Wan IP

Hello to all.

I’m having a little problem accessing my PBX from the internal network using my external IP with port.

My setup is: ISP modem (192.168.1.1) with static public IP (xxx.xxx.xxx.xxx) --> MikroTik router (172.16.1.1).
My PBX IP is 172.16.1.30 with port 5050.
At the ISP modem I have configured DMZ to 172.16.1.1 and I created a rule in the MikroTik NAT to open port 5050,
so I can access the PBX when I’m away from the site with xxx.xxx.xxx.xxx:5050 and I can access the PBX from the internal network with 172.16.1.30:5050.
The problem is that I cannot access the PBX from the internal network using the public IP xxx.xxx.xxx.xxx:5050.
I tried to add a NAT rule like srcnat src.address 172.16.1.0/24 dst.address xxx.xxx.xxx.xxx udp 5050 action src-nat to addresses 172.16.1.30 to port 5050,
but nothing.
What am I doing wrong?
Thank you.

I found out that the problem was that I had in.interface ether 24, which is the port that is connected to the ISP router, in the NAT rule.
When I removed it I could access xxx.xxx.xxx:5050 from the internal LAN, BUT I see another problem now…
Now I cannot access from the LAN another site’s public IP where I use port 5050, e.g. zzz.zzz.zzz.zzz:5050.
Until I changed the in.interface, zzz.zzz.zzz.zzz:5050 and 172.16.1.30:5050 were working, NOT xxx.xxx.xxx.xxx:5050.
Now only xxx.xxx.xxx.xxx:5050 and 172.16.1.30:5050 are working and NOT zzz.zzz.zzz.zzz:5050.

No, no, no, after some tests I see that again it is not working at all, only from the LAN with the LAN IP.
Please, any help will be good.

What destination you specify, that’s what the rule will look for. If it’s only dst-port, it will match all connections to that port, incoming, outgoing, anything, no matter what the destination address is. Your setup is a little bit more complex than usual, so let’s take it step by step.

The first part is connecting to a forwarded port using the WAN address from the same LAN where the server is. It can be solved with a thing called hairpin NAT:

/ip firewall nat
add chain=srcnat src-address=<your lan subnet> dst-address=<your lan subnet> action=masquerade

(see https://wiki.mikrotik.com/wiki/Hairpin_NAT for a detailed explanation of what happens)

Next is how to specify the destination. The best case is when you have a static public address, then you can use dst-address=. If not, it’s possible to use dst-address-type=local. It matches all of the router’s addresses and it can have some unwanted side effects, but it’s usually OK.

Finally, with your setup, you need an extra step, because the public address is not directly on your router. In this case, you need to look for two destinations. The first is 172.16.1.1, because that’s where the modem forwards stuff to; it will be used by connections from outside. The second is the public address; you need to intercept requests to it from the LAN. You can either have two dstnat rules, or you can use one with the dst-address-list parameter and a list where you’ll put both addresses.

So if I get it right, I have to do:
/ip firewall nat
add chain=srcnat src-address=172.16.1.0/24 dst-address=172.16.1.0/24 action=masquerade
And then what?
I have a public static address, let’s call it xxx.xxx.xxx.xxx. My ISP modem IP is 192.168.1.1; it goes to ether24 on the MT with IP 192.168.1.250. The main MikroTik IP is 172.16.1.1.

Ok, I think I mixed up your LAN and the link between modem and router. And I also forgot to ask if you have NAT on RB, or if you have proper routing to LAN from modem.

So if 172.16.1.0/24 is LAN and 192.168.1.250/24 is on router’s WAN (link to modem), then you can either have two rules:

/ip firewall nat
add chain=dstnat dst-address=192.168.1.250 protocol=udp dst-port=5050 to-addresses=172.16.1.30
add chain=dstnat dst-address=xxx.xxx.xxx.xxx protocol=udp dst-port=5050 to-addresses=172.16.1.30

or:

/ip firewall address-list
add address=192.168.1.250 list=dstnat_addresses
add address=xxx.xxx.xxx.xxx list=dstnat_addresses
/ip firewall nat
add chain=dstnat dst-address-list=dstnat_addresses protocol=udp dst-port=5050 to-addresses=172.16.1.30

And in case you don’t have NAT on RB, you need the rule only for dst-address=xxx.xxx.xxx.xxx.

OK, I will test it tomorrow and I will reply with the results.
Thank you.

Hello.
I tested it but again I cannot access xxx.xxx.xxx.xxx:5050.
I don’t know if it helps, but from the local network (172.16.1.xxx) I only see port 80 open, which goes to the ISP modem if I try it in a browser.
Here is my full config.

# aug/22/2019 08:59:01 by RouterOS 6.43.12
# software id = QTG9-JYE9
#
# model = CRS326-24G-2S+
# serial number = xxxxxxxxx
/interface bridge
add admin-mac=xxxxxxxxxxxxxxxxx auto-mac=no fast-forward=no name=\
    bridge_Guests
add admin-mac=xxxxxxxxxxxxxx auto-mac=no fast-forward=no name=bridge_HR
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] speed=100Mbps
set [ find default-name=ether7 ] speed=100Mbps
set [ find default-name=ether8 ] speed=100Mbps
set [ find default-name=ether9 ] speed=100Mbps
set [ find default-name=ether10 ] speed=100Mbps
set [ find default-name=ether11 ] speed=100Mbps
set [ find default-name=ether12 ] speed=100Mbps
set [ find default-name=ether13 ] speed=100Mbps
set [ find default-name=ether14 ] speed=100Mbps
set [ find default-name=ether15 ] speed=100Mbps
set [ find default-name=ether16 ] speed=100Mbps
set [ find default-name=ether17 ] speed=100Mbps
set [ find default-name=ether18 ] speed=100Mbps
set [ find default-name=ether19 ] speed=100Mbps
set [ find default-name=ether20 ] speed=100Mbps
set [ find default-name=ether21 ] speed=100Mbps
set [ find default-name=ether22 ] mac-address=xxxxxxxxxxxxx speed=100Mbps
set [ find default-name=ether23 ] speed=100Mbps
set [ find default-name=ether24 ] speed=100Mbps
set [ find default-name=sfp-sfpplus1 ] speed=10Gbps
set [ find default-name=sfp-sfpplus2 ] speed=10Gbps
/interface l2tp-server
add name=l2tp-in1 user=vpn
/interface vlan
add interface=ether23 name=vlan10_HR vlan-id=10
add interface=ether23 name=vlan20_Guests vlan-id=20
/interface bonding
add mode=802.3ad name=bonding1 slaves=ether21,ether22 transmit-hash-policy=\
    layer-2-and-3
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp_pool_HR ranges=172.16.1.100-172.16.1.250
add name=vpn ranges=192.168.89.2-192.168.89.255
add name=dhcp_pool_Guests ranges=172.16.2.50-172.16.2.250
/ip dhcp-server
add address-pool=dhcp_pool_HR disabled=no interface=bridge_HR name=\
    dhcp_srv_HR
add address-pool=dhcp_pool_Guests disabled=no interface=bridge_Guests name=\
    dhcp_srv_Guests
/ppp profile
set *0 bridge=bridge_HR
set *FFFFFFFE bridge=bridge_HR local-address=172.16.1.1 remote-address=\
    dhcp_pool_HR
/interface bridge port
add bridge=bridge_HR interface=ether1
add bridge=bridge_HR interface=ether2
add bridge=bridge_HR interface=ether3
add bridge=bridge_HR interface=ether4
add bridge=bridge_HR interface=ether5
add bridge=bridge_HR interface=ether6
add bridge=bridge_HR interface=ether7
add bridge=bridge_HR interface=ether8
add bridge=bridge_HR interface=ether9
add bridge=bridge_HR interface=ether10
add bridge=bridge_HR interface=ether11
add bridge=bridge_HR interface=ether12
add bridge=bridge_HR interface=ether13
add bridge=bridge_HR interface=ether14
add bridge=bridge_HR interface=ether15
add bridge=bridge_HR interface=ether16
add bridge=bridge_HR interface=ether17
add bridge=bridge_HR interface=ether18
add bridge=bridge_HR interface=ether19
add bridge=bridge_HR interface=ether20
add bridge=bridge_HR disabled=yes interface=ether21
add bridge=bridge_HR disabled=yes interface=ether22
add bridge=bridge_HR disabled=yes interface=ether23
add bridge=bridge_HR disabled=yes interface=ether24
add bridge=bridge_HR interface=sfp-sfpplus1
add bridge=bridge_HR interface=sfp-sfpplus2
add bridge=bridge_HR interface=vlan10_HR
add bridge=bridge_Guests interface=vlan20_Guests
add bridge=bridge_HR interface=bonding1
/interface bridge settings
set use-ip-firewall=yes
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add interface=ether24 list=WAN
add interface=bridge_HR list=LAN
add interface=bridge_Guests list=LAN
add interface=l2tp-in1 list=LAN
/interface pptp-server server
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/ip address
add address=172.16.1.1/24 interface=bridge_HR network=172.16.1.0
add address=172.16.2.1/24 interface=bridge_Guests network=172.16.2.0
add address=192.168.1.250/24 interface=ether24 network=192.168.1.0
add address=192.168.1.250/24 disabled=yes interface=ether24 network=\
    192.168.1.0
/ip arp
add address=172.16.1.222 interface=bridge_HR mac-address=xxxxxxxxxxxxx
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add add-default-route=no dhcp-options=hostname,clientid interface=ether24
/ip dhcp-server network
add address=172.16.1.0/24 dns-server=172.16.1.2,8.8.8.8 gateway=172.16.1.1 \
    netmask=24
add address=172.16.2.0/24 dns-server=172.16.2.1,8.8.8.8 gateway=172.16.2.1 \
    netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,172.16.1.1
/ip dns static
add address=172.16.1.2 name=xxxxx

/ip firewall filter
add action=drop chain=input comment=\
    "Drop new connections from blacklisted IP's to this router" \
    connection-state=new in-interface=ether24 src-address-list=blacklist
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp \
    src-port=""
add action=accept chain=input comment="allow IPsec NAT" dst-port=1723 \
    protocol=tcp src-port=""
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp \
    src-port=""
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=\
    WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    172.16.1.0/24
add action=accept chain=dstnat dst-address=192.168.1.250 dst-port=5050 \
    protocol=udp to-addresses=172.16.1.30
add action=accept chain=dstnat dst-address=xxx.xxx.xxx.xxx dst-port=5050 \
    protocol=udp to-addresses=172.16.1.30
add action=dst-nat chain=dstnat comment="Grandstream SIP" dst-port=5050 \
    in-interface=ether24 protocol=udp to-addresses=172.16.1.30 to-ports=5050
add action=dst-nat chain=dstnat comment="Grandstream SIP" dst-port=5050 \
    protocol=udp to-addresses=172.16.1.30 to-ports=5050
/ip firewall service-port
set sip disabled=yes ports=5065,5066
/ip ipsec peer
add exchange-mode=main-l2tp generate-policy=port-strict passive=yes
/ip route
add distance=1 gateway=192.168.1.1
/ppp secret
add name=vpn
/system clock
set time-zone-name=Europe/Athens
/system identity
set name=xxxxxxxxxx
/system logging
add topics=ipsec
/system ntp client
set enabled=yes server-dns-names=\
    0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org
/system routerboard settings
set boot-os=router-os

Oops, my bad, the rules I posted should have action=dst-nat, but they had no action, so it turned into default action=accept. And when you change it, you don’t need the last two rules anymore.
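
The rule-matching behaviour discussed in the replies above, as an added example (not code from any poster, and a toy model rather than RouterOS itself): it evaluates three dstnat matcher variants from this thread against three packets, then traces the reply with and without the hairpin masquerade. The addresses 203.0.113.10, 198.51.100.20 and 192.0.2.44 are constructed stand-ins for the masked values, and the class and function names are hypothetical.

```python
"""Toy model of dstnat rule matching and hairpin NAT for this thread's topology."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Optional

# Constructed stand-ins for the addresses masked in the thread.
PUBLIC_IP = "203.0.113.10"    # xxx.xxx.xxx.xxx
OTHER_SITE = "198.51.100.20"  # zzz.zzz.zzz.zzz
ROUTER_WAN = "192.168.1.250"  # ether24, where the modem forwards to
ROUTER_LAN = "172.16.1.1"
PBX = "172.16.1.30"
LAN = ip_network("172.16.1.0/24")


@dataclass(frozen=True)
class Packet:
    in_interface: str
    src: str
    dst: str
    dst_port: int = 5050
    protocol: str = "udp"


@dataclass(frozen=True)
class DstNatRule:
    """A few RouterOS matchers; a matcher left as None matches everything."""
    dst_port: int = 5050
    protocol: str = "udp"
    in_interface: Optional[str] = None
    dst_addresses: Optional[FrozenSet[str]] = None  # dst-address / dst-address-list

    def matches(self, pkt: Packet) -> bool:
        return (pkt.protocol == self.protocol
                and pkt.dst_port == self.dst_port
                and self.in_interface in (None, pkt.in_interface)
                and (self.dst_addresses is None or pkt.dst in self.dst_addresses))


RULES = {
    "in-interface=ether24": DstNatRule(in_interface="ether24"),
    "dst-port only": DstNatRule(),
    "dst-address-list": DstNatRule(dst_addresses=frozenset({ROUTER_WAN, PUBLIC_IP})),
}
PACKETS = {
    "from internet": Packet("ether24", "192.0.2.44", ROUTER_WAN),
    "LAN to own public IP": Packet("bridge_HR", "172.16.1.222", PUBLIC_IP),
    "LAN to other site": Packet("bridge_HR", "172.16.1.222", OTHER_SITE),
}


def match_table() -> dict:
    """Which packets each rule variant would redirect to the PBX."""
    return {rname: [pname for pname, pkt in PACKETS.items() if rule.matches(pkt)]
            for rname, rule in RULES.items()}


def hairpin_reply(client: str, masquerade: bool) -> dict:
    """Trace the reply to a LAN -> PUBLIC_IP request that was dst-natted to the PBX."""
    seen_by_pbx = ROUTER_LAN if masquerade else client
    # A reply to a host in the PBX's own subnet is delivered directly on the LAN;
    # only replies addressed to the router (or to another subnet) pass through it,
    # where connection tracking restores PUBLIC_IP as the source.
    via_router = seen_by_pbx == ROUTER_LAN or ip_address(seen_by_pbx) not in LAN
    reply_src = PUBLIC_IP if via_router else PBX
    return {"pbx_replies_to": seen_by_pbx, "reply_src": reply_src,
            "client_accepts": reply_src == PUBLIC_IP}


if __name__ == "__main__":
    for rule_name, redirected in match_table().items():
        print(f"{rule_name:22} redirects: {redirected}")
    for masq in (False, True):
        print(f"masquerade={masq}: {hairpin_reply('172.16.1.222', masq)}")
```

The `dst-port only` variant also redirects the request meant for the other site, which is why a port-forward rule needs a destination or in-interface matcher.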

So what I did is:

/ip firewall nat
add action=dst-nat chain=dstnat dst-address=192.168.1.250 dst-port=5050 \
    protocol=udp to-addresses=172.16.1.30
add action=dst-nat chain=dstnat dst-address=xxx.xxx.xxx.xxx dst-port=5050 \
    protocol=udp to-addresses=172.16.1.30

But it is not working again.
What am I doing wrong?

“Not working” is not very useful info, it needs more details. Look at rules’ counters, do they increase when you try to connect? Use either Tools->Torch and look for udp/5050 packets, or add logging rules to prerouting and postrouting, e.g.:

/ip firewall mangle
add chain=prerouting protocol=udp dst-port=5050 action=log log-prefix=step1
add chain=postrouting protocol=udp dst-port=5050 action=log log-prefix=step2
add chain=prerouting protocol=udp src-port=5050 action=log log-prefix=step3
add chain=postrouting protocol=udp src-port=5050 action=log log-prefix=step4

The goal is to find what exactly happens and where it fails.

OK, I will see it tomorrow…
Thank you very much.

No, the counters don’t increase.
OK, here are the results:

18:45:44 firewall,info step3 prerouting: in:bridge_HR(ether20) out:(unknown 0), src-mac xx:xx:xx:xx:xx, proto UDP, 172.16.1.30:5050->xxx.xxx.xxx.xxx:32320, NAT (172.16.1.30:5050->192.168.1.250:5050)->xxx.xxx.xxx.xxx:32320, len 1211 
18:45:44 firewall,info step4 postrouting: in:(unknown 0)(ether20) out:ether24, src-mac xx:xx:xx:xx:xx, proto UDP, 172.16.1.30:5050->xxx.xxx.xxx.xxx:32320, NAT (172.16.1.30:5050->192.168.1.250:5050)->xxx.xxx.xxx.xxx:32320, len 1211 
18:45:44 firewall,info step1 prerouting: in:ether24 out:(unknown 0), src-mac xx:xx:xx:xx:xx, proto UDP, xxx.xxx.xxx.xxx:32320->192.168.1.250:5050, NAT xxx.xxx.xxx.xxx:32320->(192.168.1.250:5050->172.16.1.30:5050), len 514 
18:45:44 firewall,info step2 postrouting: in:(unknown 0) out:bridge_HR, src-mac xx:xx:xx:xx:xx, proto UDP, xxx.xxx.xxx.xxx:32320->172.16.1.30:5050, NAT xxx.xxx.xxx.xxx:32320->(192.168.1.250:5050->172.16.1.30:5050), len 514 
18:45:54 firewall,info step3 prerouting: in:bridge_HR(ether20) out:(unknown 0), src-mac xx:xx:xx:xx:xx, proto UDP, 172.16.1.30:5050->xxx.xxx.xxx.xxx:32320, NAT (172.16.1.30:5050->192.168.1.250:5050)->xxx.xxx.xxx.xxx:32320, len 1210 
18:45:54 firewall,info step4 postrouting: in:(unknown 0)(ether20) out:ether24, src-mac xx:xx:xx:xx:xx, proto UDP, 172.16.1.30:5050->xxx.xxx.xxx.xxx:32320, NAT (172.16.1.30:5050->192.168.1.250:5050)->xxx.xxx.xxx.xxx:32320, len 1210 
18:45:54 firewall,info step1 prerouting: in:ether24 out:(unknown 0), src-mac xx:xx:xx:xx:xx, proto UDP, xxx.xxx.xxx.xxx:32320->192.168.1.250:5050, NAT xxx.xxx.xxx.xxx:32320->(192.168.1.250:5050->172.16.1.30:5050), len 514 
18:45:54 firewall,info step2 postrouting: in:(unknown 0) out:bridge_HR, src-mac xx:xx:xx:xx:xx, proto UDP, xxx.xxx.xxx.xxx:32320->172.16.1.30:5050, NAT xxx.xxx.xxx.xxx:32320->(192.168.1.250:5050->172.16.1.30:5050), len 514 
18:46:04 firewall,info step3 prerouting: in:bridge_HR(ether20) out:(unknown 0), src-mac xx:xx:xx:xx:xx, proto UDP, 172.16.1.30:5050->xxx.xxx.xxx.xxx:32320, NAT (172.16.1.30:5050->192.168.1.250:5050)->xxx.xxx.xxx.xxx:32320, len 1211 
18:46:04 firewall,info step4 postrouting: in:(unknown 0)(ether20) out:ether24, src-mac xx:xx:xx:xx:xx, proto UDP, 172.16.1.30:5050->xxx.xxx.xxx.xxx:32320, NAT (172.16.1.30:5050->192.168.1.250:5050)->xxx.xxx.xxx.xxx:32320, len 1211 
18:46:04 firewall,info step1 prerouting: in:ether24 out:(unknown 0), src-mac xx:xx:xx:xx:xx, proto UDP, xxx.xxx.xxx.xxx:32320->192.168.1.250:5050, NAT xxx.xxx.xxx.xxx:32320->(192.168.1.250:5050->172.16.1.30:5050), len 515 
18:46:04 firewall,info step2 postrouting: in:(unknown 0) out:bridge_HR, src-mac xx:xx:xx:xx:xx, proto UDP, xxx.xxx.xxx.xxx:32320->172.16.1.30:5050, NAT xxx.xxx.xxx.xxx:32320->(192.168.1.250:5050->172.16.1.30:5050), len 515 
18:46:14 firewall,info step3 prerouting: in:bridge_HR(ether20) out:(unknown 0), src-mac xx:xx:xx:xx:xx, proto UDP, 172.16.1.30:5050->xxx.xxx.xxx.xxx:32320, NAT (172.16.1.30:5050->192.168.1.250:5050)->xxx.xxx.xxx.xxx:32320, len 1211 
18:46:14 firewall,info step4 postrouting: in:(unknown 0)(ether20) out:ether24, src-mac xx:xx:xx:xx:xx, proto UDP, 172.16.1.30:5050->xxx.xxx.xxx.xxx:32320, NAT (172.16.1.30:5050->192.168.1.250:5050)->xxx.xxx.xxx.xxx:32320, len 1211 
18:46:14 firewall,info step1 prerouting: in:ether24 out:(unknown 0), src-mac xx:xx:xx:xx:xx, proto UDP, xxx.xxx.xxx.xxx:32320->192.168.1.250:5050, NAT xxx.xxx.xxx.xxx:32320->(192.168.1.250:5050->172.16.1.30:5050), len 515 
18:46:14 firewall,info step2 postrouting: in:(unknown 0) out:bridge_HR, src-mac xx:xx:xx:xx:xx, proto UDP, xxx.xxx.xxx.xxx:32320->172.16.1.30:5050, NAT xxx.xxx.xxx.xxx:32320->(192.168.1.250:5050->172.16.1.30:5050), len 515

Hope you see the problem… I don’t :)

This is some already established connection from elsewhere. Let’s try slightly different config:

/ip firewall mangle
add action=mark-connection chain=prerouting connection-state=new dst-address=1.1.1.1 dst-port=5050 log=yes log-prefix=new new-connection-mark=debug passthrough=yes protocol=udp src-address=172.16.1.99
add action=log chain=prerouting connection-mark=debug log-prefix=req-in src-address=172.16.1.99
add action=log chain=postrouting connection-mark=debug log-prefix=req-out src-address=172.16.1.99
add action=log chain=prerouting connection-mark=debug log-prefix=resp-in src-address=172.16.1.30
add action=log chain=postrouting connection-mark=debug log-prefix=resp-out src-address=172.16.1.30
/ip firewall nat
add action=dst-nat chain=dstnat connection-mark=debug dst-address=1.1.1.1 dst-port=5050 log=yes log-prefix=dstnat protocol=udp to-addresses=172.16.1.30
add action=masquerade chain=srcnat connection-mark=debug dst-address=172.16.1.0/24 dst-port=5050 log=yes log-prefix=hairpin protocol=udp src-address=172.16.1.0/24

You’ll have a duplicate dstnat rule, but it’s only for testing. Replace 172.16.1.99 with the address of the device you use for testing, and 1.1.1.1 with your public address.

And this is what you should see in log when you connect from 172.16.1.99 to 1.1.1.1 (with your addresses):

19:39:15 firewall,info new prerouting: in:bridge_HR out:(unknown 0), proto UDP, 172.16.1.99:51524->1.1.1.1:5050
19:39:15 firewall,info req-in prerouting: in:bridge_HR out:(unknown 0), proto UDP, 172.16.1.99:51524->1.1.1.1:5050
19:39:15 firewall,info dstnat dstnat: in:bridge_HR out:(unknown 0), proto UDP, 172.16.1.99:51524->1.1.1.1:5050
19:39:15 firewall,info req-out postrouting: in:(unknown 0) out:bridge_HR, proto UDP, 172.16.1.99:51524->172.16.1.30:5050, NAT 172.16.1.99:51524->(1.1.1.1:5050->172.16.1.30:5050)
19:39:15 firewall,info hairpin srcnat: in:(unknown 0) out:bridge_HR, proto UDP, 172.16.1.99:51524->172.16.1.30:5050, NAT 172.16.1.99:51524->(1.1.1.1:5050->172.16.1.30:5050)
19:39:15 firewall,info resp-in prerouting: in:bridge_HR out:(unknown 0), proto UDP, 172.16.1.30:5050->172.16.1.1:51524, NAT (172.16.1.30:5050->1.1.1.1:5050)->(172.16.1.1:51524->172.16.1.99:51524)
19:39:15 firewall,info resp-out postrouting: in:(unknown 0) out:bridge_HR, proto UDP, 172.16.1.30:5050->172.16.1.99:51524, NAT (172.16.1.30:5050->1.1.1.1:5050)->(172.16.1.1:51524->172.16.1.99:51524)
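
One way to check a capture against the expected log above automatically, as an added example (not code from the thread): it treats a reply addressed to the router's LAN address as the proof of source NAT, because the postrouting log line shows the request before srcnat rewrites its source. The function names and verdict strings are hypothetical; the first seven sample lines are the ones from the post above and the remaining four are constructed failure cases.

```python
"""Check RouterOS firewall log lines for a complete hairpin NAT round trip."""
import re

# "<time> firewall,info <prefix> <chain>: ..., proto UDP|TCP (flags), src:port->dst:port[, NAT ...]"
LINE = re.compile(
    r"firewall,info (?P<prefix>\S+) (?P<chain>\w+): .*?proto (?P<proto>\w+).*?, "
    r"(?P<src>[\w.]+):(?P<sport>\d+)->(?P<dst>[\w.]+):(?P<dport>\d+)")
ENDPOINT = re.compile(r"([\w.]+):(\d+)")

OK = "hairpin ok"
NO_DSTNAT = "no dst-nat: request to the public address was not redirected"
NO_SRCNAT = "dst-nat only: no reply came back through the router (hairpin srcnat missing?)"
NO_REPLY_OUT = "reply reached the router but was not forwarded to the client"


def parse(line):
    """Return chain, protocol and addresses of one log line, plus the NAT note's endpoints."""
    m = LINE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    nat_note = line.partition(" NAT ")[2]
    rec["nat"] = [f"{ip}:{port}" for ip, port in ENDPOINT.findall(nat_note)]
    return rec


def _new_state():
    return {"dstnat": False, "srcnat": False, "reply_out": False}


def _verdict(state):
    if not state["dstnat"]:
        return NO_DSTNAT
    if not state["srcnat"]:
        return NO_SRCNAT
    return OK if state["reply_out"] else NO_REPLY_OUT


def diagnose(log_text, public_ip, server_ip, router_lan_ip):
    """Map each client endpoint that called public_ip to a verdict string."""
    flows = {}
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        src = f"{rec['src']}:{rec['sport']}"
        dst = f"{rec['dst']}:{rec['dport']}"
        if rec["chain"] == "prerouting" and rec["dst"] == public_ip:
            flows.setdefault(src, _new_state())          # request entered the router
        elif rec["chain"] == "postrouting" and rec["dst"] == server_ip:
            # Leaving towards the server: dst-nat worked if the NAT note still
            # records the public address as the original destination.
            if any(e.startswith(public_ip + ":") for e in rec["nat"]):
                flows.setdefault(src, _new_state())["dstnat"] = True
        elif rec["src"] == server_ip and rec["nat"] and rec["nat"][-1] in flows:
            client = rec["nat"][-1]                      # last endpoint is the real client
            if rec["chain"] == "prerouting" and rec["dst"] == router_lan_ip:
                flows[client]["srcnat"] = True           # server answered the router
            elif rec["chain"] == "postrouting" and dst == client:
                flows[client]["reply_out"] = True
    return {client: _verdict(state) for client, state in flows.items()}


# Lines 1-7: expected log from the post above (1.1.1.1 is its placeholder for
# the public address). Lines 8-11: constructed failure cases.
SAMPLE_LOG = """\
19:39:15 firewall,info new prerouting: in:bridge_HR out:(unknown 0), proto UDP, 172.16.1.99:51524->1.1.1.1:5050
19:39:15 firewall,info req-in prerouting: in:bridge_HR out:(unknown 0), proto UDP, 172.16.1.99:51524->1.1.1.1:5050
19:39:15 firewall,info dstnat dstnat: in:bridge_HR out:(unknown 0), proto UDP, 172.16.1.99:51524->1.1.1.1:5050
19:39:15 firewall,info req-out postrouting: in:(unknown 0) out:bridge_HR, proto UDP, 172.16.1.99:51524->172.16.1.30:5050, NAT 172.16.1.99:51524->(1.1.1.1:5050->172.16.1.30:5050)
19:39:15 firewall,info hairpin srcnat: in:(unknown 0) out:bridge_HR, proto UDP, 172.16.1.99:51524->172.16.1.30:5050, NAT 172.16.1.99:51524->(1.1.1.1:5050->172.16.1.30:5050)
19:39:15 firewall,info resp-in prerouting: in:bridge_HR out:(unknown 0), proto UDP, 172.16.1.30:5050->172.16.1.1:51524, NAT (172.16.1.30:5050->1.1.1.1:5050)->(172.16.1.1:51524->172.16.1.99:51524)
19:39:15 firewall,info resp-out postrouting: in:(unknown 0) out:bridge_HR, proto UDP, 172.16.1.30:5050->172.16.1.99:51524, NAT (172.16.1.30:5050->1.1.1.1:5050)->(172.16.1.1:51524->172.16.1.99:51524)
19:40:02 firewall,info new prerouting: in:bridge_HR out:(unknown 0), proto UDP, 172.16.1.50:40000->1.1.1.1:5050
19:40:02 firewall,info req-out postrouting: in:(unknown 0) out:bridge_HR, proto UDP, 172.16.1.50:40000->172.16.1.30:5050, NAT 172.16.1.50:40000->(1.1.1.1:5050->172.16.1.30:5050)
19:40:09 firewall,info new prerouting: in:bridge_HR out:(unknown 0), proto UDP, 172.16.1.60:40001->1.1.1.1:5050
19:40:09 firewall,info req-out postrouting: in:(unknown 0) out:ether24, proto UDP, 172.16.1.60:40001->1.1.1.1:5050
"""

if __name__ == "__main__":
    for client, result in diagnose(SAMPLE_LOG, "1.1.1.1", "172.16.1.30", "172.16.1.1").items():
        print(client, "->", result)
```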

I didn’t read the whole thing..

When local net goes back to local net on local interface… That is what the hairpin NAT rule needs to have.

OK, I made a copy of the rules that have UDP and made it TCP because I did not see anything in the log, and I think that it is working now.
This is what I get…

18:16:15 firewall,info new prerouting: in:bridge_HR(ether2) out:(unknown 0), src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN), 172.16.1.222:53233->xxx.xxx.xxx.xxx:5050, len 52 
18:16:15 firewall,info req-in prerouting: in:bridge_HR(ether2) out:(unknown 0), src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN), 172.16.1.222:53233->xxx.xxx.xxx.xxx:5050, len 52 
18:16:15 firewall,info dstnat dstnat: in:bridge_HR(ether2) out:(unknown 0), src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN), 172.16.1.222:53233->xxx.xxx.xxx.xxx:5050, len 52 
18:16:15 firewall,info req-out postrouting: in:(unknown 0)(ether2) out:bridge_HR, src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN), 172.16.1.222:53233->172.16.1.30:5050, NAT 172.16.1.222:53233->(xxx.xxx.xxx.xxx:5050->172.16.1.30:5050), len 52 
18:16:15 firewall,info resp-in prerouting: in:bridge_HR(ether20) out:(unknown 0), src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN,ACK), 172.16.1.30:5050->172.16.1.1:53233, NAT (172.16.1.30:5050->xxx.xxx.xxx.xxx:5050)->(172.16.1.1:53233->172.16.1.222:53233), len 52 
18:16:15 firewall,info resp-out postrouting: in:(unknown 0)(ether20) out:bridge_HR, src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN,ACK), 172.16.1.30:5050->172.16.1.222:53233, NAT (172.16.1.30:5050->xxx.xxx.xxx.xxx:5050)->(172.16.1.1:53233->172.16.1.222:53233), len 52 
18:16:15 firewall,info req-in prerouting: in:bridge_HR(ether2) out:(unknown 0), src-mac xx:xx:xx:xx:xx:xx, proto TCP (ACK), 172.16.1.222:53233->xxx.xxx.xxx.xxx:5050, NAT (172.16.1.222:53233->172.16.1.1:53233)->(xxx.xxx.xxx.xxx:5050->172.16.1.30:5050), len 40 
18:16:15 firewall,info req-out postrouting: in:(unknown 0)(ether2) out:bridge_HR, src-mac xx:xx:xx:xx:xx:xx, proto TCP (ACK), 172.16.1.222:53233->172.16.1.30:5050, NAT (172.16.1.222:53233->172.16.1.1:53233)->(xxx.xxx.xxx.xxx:5050->172.16.1.30:5050), len 40 
18:16:16 firewall,info req-in prerouting: in:bridge_HR(ether2) out:(unknown 0), src-mac xx:xx:xx:xx:xx:xx, proto TCP (ACK,FIN), 172.16.1.222:53233->xxx.xxx.xxx.xxx:5050, NAT (172.16.1.222:53233->172.16.1.1:53233)->(xxx.xxx.xxx.xxx:5050->172.16.1.30:5050), len 40 
18:16:16 firewall,info req-out postrouting: in:(unknown 0)(ether2) out:bridge_HR, src-mac xx:xx:xx:xx:xx:xx, proto TCP (ACK,FIN), 172.16.1.222:53233->172.16.1.30:5050, NAT (172.16.1.222:53233->172.16.1.1:53233)->(xxx.xxx.xxx.xxx:5050->172.16.1.30:5050), len 40 
18:16:16 firewall,info new prerouting: in:bridge_HR(ether2) out:(unknown 0), src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN), 172.16.1.222:53234->xxx.xxx.xxx.xxx:5050, len 52 
18:16:16 firewall,info req-in prerouting: in:bridge_HR(ether2) out:(unknown 0), src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN), 172.16.1.222:53234->xxx.xxx.xxx.xxx:5050, len 52 
18:16:16 firewall,info dstnat dstnat: in:bridge_HR(ether2) out:(unknown 0), src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN), 172.16.1.222:53234->xxx.xxx.xxx.xxx:5050, len 52 
18:16:16 firewall,info req-out postrouting: in:(unknown 0)(ether2) out:bridge_HR, src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN), 172.16.1.222:53234->172.16.1.30:5050, NAT 172.16.1.222:53234->(xxx.xxx.xxx.xxx:5050->172.16.1.30:5050), len 52 
18:16:16 firewall,info resp-in prerouting: in:bridge_HR(ether20) out:(unknown 0), src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN,ACK), 172.16.1.30:5050->172.16.1.1:53234, NAT (172.16.1.30:5050->xxx.xxx.xxx.xxx:5050)->(172.16.1.1:53234->172.16.1.222:53234), len 52 
18:16:16 firewall,info resp-out postrouting: in:(unknown 0)(ether20) out:bridge_HR, src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN,ACK), 172.16.1.30:5050->172.16.1.222:53234, NAT (172.16.1.30:5050->xxx.xxx.xxx.xxx:5050)->(172.16.1.1:53234->172.16.1.222:53234), len 52 
18:16:16 firewall,info req-in prerouting: in:bridge_HR(ether2) out:(unknown 0), src-mac xx:xx:xx:xx:xx:xx, proto TCP (ACK), 172.16.1.222:53234->xxx.xxx.xxx.xxx:5050, NAT (172.16.1.222:53234->172.16.1.1:53234)->(xxx.xxx.xxx.xxx:5050->172.16.1.30:5050), len 40 
18:16:16 firewall,info req-out postrouting: in:(unknown 0)(ether2) out:bridge_HR, src-mac xx:xx:xx:xx:xx:xx, proto TCP (ACK), 172.16.1.222:53234->172.16.1.30:5050, NAT (172.16.1.222:53234->172.16.1.1:53234)->(xxx.xxx.xxx.xxx:5050->172.16.1.30:5050), len 40 
18:16:16 firewall,info req-in prerouting: in:bridge_HR(ether2) out:(unknown 0), src-mac xx:xx:xx:xx:xx:xx, proto TCP (ACK,PSH), 172.16.1.222:53234->xxx.xxx.xxx.xxx:5050, NAT (172.16.1.222:53234->172.16.1.1:53234)->(xxx.xxx.xxx.xxx:5050->172.16.1.30:5050), len 44 
18:16:16 firewall,info req-out postrouting: in:(unknown 0)(ether2) out:bridge_HR, src-mac xx:xx:xx:xx:xx:xx, proto TCP (ACK,PSH), 172.16.1.222:53234->172.16.1.30:5050, NAT (172.16.1.222:53234->172.16.1.1:53234)->(xxx.xxx.xxx.xxx:5050->172.16.1.30:5050), len 44 
18:16:16 firewall,info resp-in prerouting: in:bridge_HR(ether20) out:(unknown 0), src-mac xx:xx:xx:xx:xx:xx, proto TCP (ACK), 172.16.1.30:5050->172.16.1.1:53234, NAT (172.16.1.30:5050->xxx.xxx.xxx.xxx:5050)->(172.16.1.1:53234->172.16.1.222:53234), len 40 
18:16:16 firewall,info resp-out postrouting: in:(unknown 0)(ether20) out:bridge_HR, src-mac xx:xx:xx:xx:xx:xx, proto TCP (ACK), 172.16.1.30:5050->172.16.1.222:53234, NAT (172.16.1.30:5050->xxx.xxx.xxx.xxx:5050)->(172.16.1.1:53234->172.16.1.222:53234), len 40 
18:16:16 firewall,info resp-in prerouting: in:bridge_HR(ether20) out:(unknown 0), src-mac xx:xx:xx:xx:xx:xx, proto TCP (ACK), 172.16.1.30:5050->172.16.1.1:53233, NAT (172.16.1.30:5050->xxx.xxx.xxx.xxx:5050)->(172.16.1.1:53233->172.16.1.222:53233), len 40 
18:16:16 firewall,info resp-out postrouting: in:(unknown 0)(ether20) out:bridge_HR, src-mac xx:xx:xx:xx:xx:xx, proto TCP (ACK), 172.16.1.30:5050->172.16.1.222:53233, NAT (172.16.1.30:5050->xxx.xxx.xxx.xxx:5050)->(172.16.1.1:53233->172.16.1.222:53233), len 40 
18:16:16 firewall,info resp-in prerouting: in:bridge_HR(ether20) out:(unknown 0), src-mac xx:xx:xx:xx:xx:xx, proto TCP (ACK,FIN), 172.16.1.30:5050->172.16.1.1:53233, NAT (172.16.1.30:5050->xxx.xxx.xxx.xxx:5050)->(172.16.1.1:53233->172.16.1.222:53233), len 40 
18:16:16 firewall,info resp-out postrouting: in:(unknown 0)(ether20) out:bridge_HR, src-mac xx:xx:xx:xx:xx:xx, proto TCP (ACK,FIN), 172.16.1.30:5050->172.16.1.222:53233, NAT (172.16.1.30:5050->xxx.xxx.xxx.xxx:5050)->(172.16.1.1:53233->172.16.1.222:53233), len 40 
18:16:16 firewall,info req-in prerouting: in:bridge_HR(ether2) out:(unknown 0), src-mac xx:xx:xx:xx:xx:xx, proto TCP (ACK), 172.16.1.222:53233->xxx.xxx.xxx.xxx:5050, NAT (172.16.1.222:53233->172.16.1.1:53233)->(xxx.xxx.xxx.xxx:5050->172.16.1.30:5050), len 40 
18:16:16 firewall,info req-out postrouting: in:(unknown 0)(ether2) out:bridge_HR, src-mac xx:xx:xx:xx:xx:xx, proto TCP (ACK), 172.16.1.222:53233->172.16.1.30:5050, NAT (172.16.1.222:53233->172.16.1.1:53233)->(xxx.xxx.xxx.xxx:5050->172.16.1.30:5050), len 40 
18:16:17 firewall,info req-in prerouting: in:bridge_HR(ether2) out:(unknown 0), src-mac xx:xx:xx:xx:xx:xx, proto TCP (ACK,FIN), 172.16.1.222:53234->xxx.xxx.xxx.xxx:5050, NAT (172.16.1.222:53234->172.16.1.1:53234)->(xxx.xxx.xxx.xxx:5050->172.16.1.30:5050), len 40 
18:16:17 firewall,info req-out postrouting: in:(unknown 0)(ether2) out:bridge_HR, src-mac xx:xx:xx:xx:xx:xx, proto TCP (ACK,FIN), 172.16.1.222:53234->172.16.1.30:5050, NAT (172.16.1.222:53234->172.16.1.1:53234)->(xxx.xxx.xxx.xxx:5050->172.16.1.30:5050), len 40 
18:16:17 firewall,info new prerouting: in:bridge_HR(ether2) out:(unknown 0), src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN), 172.16.1.222:53235->xxx.xxx.xxx.xxx:5050, len 52 
18:16:17 firewall,info req-in prerouting: in:bridge_HR(ether2) out:(unknown 0), src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN), 172.16.1.222:53235->xxx.xxx.xxx.xxx:5050, len 52 
18:16:17 firewall,info dstnat dstnat: in:bridge_HR(ether2) out:(unknown 0), src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN), 172.16.1.222:53235->xxx.xxx.xxx.xxx:5050, len 52 
18:16:17 firewall,info req-out postrouting: in:(unknown 0)(ether2) out:bridge_HR, src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN), 172.16.1.222:53235->172.16.1.30:5050, NAT 172.16.1.222:53235->(xxx.xxx.xxx.xxx:5050->172.16.1.30:5050), len 52 
18:16:17 firewall,info resp-in prerouting: in:bridge_HR(ether20) out:(unknown 0), src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN,ACK), 172.16.1.30:5050->172.16.1.1:53235, NAT (172.16.1.30:5050->xxx.xxx.xxx.xxx:5050)->(172.16.1.1:53235->172.16.1.222:53235), len 52 
18:16:17 firewall,info resp-out postrouting: in:(unknown 0)(ether20) out:bridge_HR, src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN,ACK), 172.16.1.30:5050->172.16.1.222:53235, NAT (172.16.1.30:5050->xxx.xxx.xxx.xxx:5050)->(172.16.1.1:53235->172.16.1.222:53235), len 52 
18:16:17 firewall,info req-in prerouting: in:bridge_HR(ether2) out:(unknown 0), src-mac xx:xx:xx:xx:xx:xx, proto TCP (ACK), 172.16.1.222:53235->xxx.xxx.xxx.xxx:5050, NAT (172.16.1.222:53235->172.16.1.1:53235)->(xxx.xxx.xxx.xxx:5050->172.16.1.30:5050), len 40 
18:16:17 firewall,info req-out postrouting: in:(unknown 0)(ether2) out:bridge_HR, src-mac xx:xx:xx:xx:xx:xx, proto TCP (ACK), 172.16.1.222:53235->172.16.1.30:5050, NAT (172.16.1.222:53235->172.16.1.1:53235)->(xxx.xxx.xxx.xxx:5050->172.16.1.30:5050), len 40 
18:16:17 firewall,info req-in prerouting: in:bridge_HR(ether2) out:(unknown 0), src-mac xx:xx:xx:xx:xx:xx, proto TCP (ACK,PSH), 172.16.1.222:53235->xxx.xxx.xxx.xxx:5050, NAT (172.16.1.222:53235->172.16.1.1:53235)->(xxx.xxx.xxx.xxx:5050->172.16.1.30:5050), len 58 
18:16:17 firewall,info req-out postrouting: in:(unknown 0)(ether2) out:bridge_HR, src-mac xx:xx:xx:xx:xx:xx, proto TCP (ACK,PSH), 172.16.1.222:53235->172.16.1.30:5050, NAT (172.16.1.222:53235->172.16.1.1:53235)->(xxx.xxx.xxx.xxx:5050->172.16.1.30:5050), len 58 
18:16:17 firewall,info resp-in prerouting: in:bridge_HR(ether20) out:(unknown 0), src-mac xx:xx:xx:xx:xx:xx, proto TCP (ACK), 172.16.1.30:5050->172.16.1.1:53235, NAT (172.16.1.30:5050->xxx.xxx.xxx.xxx:5050)->(172.16.1.1:53235->172.16.1.222:53235), len 40 
18:16:17 firewall,info resp-out postrouting: in:(unknown 0)(ether20) out:bridge_HR, src-mac xx:xx:xx:xx:xx:xx, proto TCP (ACK), 172.16.1.30:5050->172.16.1.222:53235, NAT (172.16.1.30:5050->xxx.xxx.xxx.xxx:5050)->(172.16.1.1:53235->172.16.1.222:53235), len 40 
18:16:17 firewall,info resp-in prerouting: in:bridge_HR(ether20) out:(unknown 0), src-mac xx:xx:xx:xx:xx:xx, proto TCP (ACK,FIN), 172.16.1.30:5050->172.16.1.1:53234, NAT (172.16.1.30:5050->xxx.xxx.xxx.xxx:5050)->(172.16.1.1:53234->172.16.1.222:53234), len 40 
18:16:17 firewall,info resp-out postrouting: in:(unknown 0)(ether20) out:bridge_HR, src-mac xx:xx:xx:xx:xx:xx, proto TCP (ACK,FIN), 172.16.1.30:5050->172.16.1.222:53234, NAT (172.16.1.30:5050->xxx.xxx.xxx.xxx:5050)->(172.16.1.1:53234->172.16.1.222:53234), len 40 
18:16:17 firewall,info req-in prerouting: in:bridge_HR(ether2) out:(unknown 0), src-mac xx:xx:xx:xx:xx:xx, proto TCP (ACK), 172.16.1.222:53234->xxx.xxx.xxx.xxx:5050, NAT (172.16.1.222:53234->172.16.1.1:53234)->(xxx.xxx.xxx.xxx:5050->172.16.1.30:5050), len 40 
18:16:17 firewall,info req-out postrouting: in:(unknown 0)(ether2) out:bridge_HR, src-mac xx:xx:xx:xx:xx:xx, proto TCP (ACK), 172.16.1.222:53234->172.16.1.30:5050, NAT (172.16.1.222:53234->172.16.1.1:53234)->(xxx.xxx.xxx.xxx:5050->172.16.1.30:5050), len 40 
18:16:19 firewall,info req-in prerouting: in:bridge_HR(ether2) out:(unknown 0), src-mac xx:xx:xx:xx:xx:xx, proto TCP (ACK,FIN), 172.16.1.222:53235->xxx.xxx.xxx.xxx:5050, NAT (172.16.1.222:53235->172.16.1.1:53235)->(xxx.xxx.xxx.xxx:5050->172.16.1.30:5050), len 40 
18:16:19 firewall,info req-out postrouting: in:(unknown 0)(ether2) out:bridge_HR, src-mac xx:xx:xx:xx:xx:xx, proto TCP (ACK,FIN), 172.16.1.222:53235->172.16.1.30:5050, NAT (172.16.1.222:53235->172.16.1.1:53235)->(xxx.xxx.xxx.xxx:5050->172.16.1.30:5050), len 40 
18:16:19 firewall,info new prerouting: in:bridge_HR(ether2) out:(unknown 0), src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN), 172.16.1.222:53236->xxx.xxx.xxx.xxx:5050, len 52 
18:16:19 firewall,info req-in prerouting: in:bridge_HR(ether2) out:(unknown 0), src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN), 172.16.1.222:53236->xxx.xxx.xxx.xxx:5050, len 52 
18:16:19 firewall,info dstnat dstnat: in:bridge_HR(ether2) out:(unknown 0), src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN), 172.16.1.222:53236->xxx.xxx.xxx.xxx:5050, len 52 
18:16:19 firewall,info req-out postrouting: in:(unknown 0)(ether2) out:bridge_HR, src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN), 172.16.1.222:53236->172.16.1.30:5050, NAT 172.16.1.222:53236->(xxx.xxx.xxx.xxx:5050->172.16.1.30:5050), len 52 
18:16:19 firewall,info resp-in prerouting: in:bridge_HR(ether20) out:(unknown 0), src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN,ACK), 172.16.1.30:5050->172.16.1.1:53236, NAT (172.16.1.30:5050->xxx.xxx.xxx.xxx:5050)->(172.16.1.1:53236->172.16.1.222:53236), len 52 
18:16:19 firewall,info resp-out postrouting: in:(unknown 0)(ether20) out:bridge_HR, src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN,ACK), 172.16.1.30:5050->172.16.1.222:53236, NAT (172.16.1.30:5050->xxx.xxx.xxx.xxx:5050)->(172.16.1.1:53236->172.16.1.222:53236), len 52 
18:16:19 firewall,info req-in prerouting: in:bridge_HR(ether2) out:(unknown 0), src-mac xx:xx:xx:xx:xx:xx, proto TCP (ACK), 172.16.1.222:53236->xxx.xxx.xxx.xxx:5050, NAT (172.16.1.222:53236->172.16.1.1:53236)->(xxx.xxx.xxx.xxx:5050->172.16.1.30:5050), len 40 
18:16:19 firewall,info req-out postrouting: in:(unknown 0)(ether2) out:bridge_HR, src-mac xx:xx:xx:xx:xx:xx, proto TCP (ACK), 172.16.1.222:53236->172.16.1.30:5050, NAT (172.16.1.222:53236->172.16.1.1:53236)->(xxx.xxx.xxx.xxx:5050->172.16.1.30:5050), len 40 
18:16:19 firewall,info req-in prerouting: in:bridge_HR(ether2) out:(unknown 0), src-mac xx:xx:xx:xx:xx:xx, proto TCP (ACK,PSH), 172.16.1.222:53236->xxx.xxx.xxx.xxx:5050, NAT (172.16.1.222:53236->172.16.1.1:53236)->(xxx.xxx.xxx.xxx:5050->172.16.1.30:5050), len 128 
18:16:19 firewall,info req-out postrouting: in:(unknown 0)(ether2) out:bridge_HR, src-mac xx:xx:xx:xx:xx:xx, proto TCP (ACK,PSH), 172.16.1.222:53236->172.16.1.30:5050, NAT (172.16.1.222:53236->172.16.1.1:53236)->(xxx.xxx.xxx.xxx:5050->172.16.1.30:5050), len 128 
18:16:19 firewall,info resp-in prerouting: in:bridge_HR(ether20) out:(unknown 0), src-mac xx:xx:xx:xx:xx:xx, proto TCP (ACK), 172.16.1.30:5050->172.16.1.1:53236, NAT (172.16.1.30:5050->xxx.xxx.xxx.xxx:5050)->(172.16.1.1:53236->172.16.1.222:53236), len 40 
18:16:19 firewall,info resp-out postrouting: in:(unknown 0)(ether20) out:bridge_HR, src-mac xx:xx:xx:xx:xx:xx, proto TCP (ACK), 172.16.1.30:5050->172.16.1.222:53236, NAT (172.16.1.30:5050->xxx.xxx.xxx.xxx:5050)->(172.16.1.1:53236->172.16.1.222:53236), len 40 
18:16:19 firewall,info resp-in prerouting: in:bridge_HR(ether20) out:(unknown 0), src-mac xx:xx:xx:xx:xx:xx, proto TCP (ACK,FIN), 172.16.1.30:5050->172.16.1.1:53235, NAT (172.16.1.30:5050->xxx.xxx.xxx.xxx:5050)->(172.16.1.1:53235->172.16.1.222:53235), len 40 
18:16:19 firewall,info resp-out postrouting: in:(unknown 0)(ether20) out:bridge_HR, src-mac xx:xx:xx:xx:xx:xx, proto TCP (ACK,FIN), 172.16.1.30:5050->172.16.1.222:53235, NAT (172.16.1.30:5050->xxx.xxx.xxx.xxx:5050)->(172.16.1.1:53235->172.16.1.222:53235), len 40 
18:16:19 firewall,info req-in prerouting: in:bridge_HR(ether2) out:(unknown 0), src-mac xx:xx:xx:xx:xx:xx, proto TCP (ACK), 172.16.1.222:53235->xxx.xxx.xxx.xxx:5050, NAT (172.16.1.222:53235->172.16.1.1:53235)->(xxx.xxx.xxx.xxx:5050->172.16.1.30:5050), len 40 
18:16:19 firewall,info req-out postrouting: in:(unknown 0)(ether2) out:bridge_HR, src-mac xx:xx:xx:xx:xx:xx, proto TCP (ACK), 172.16.1.222:53235->172.16.1.30:5050, NAT (172.16.1.222:53235->172.16.1.1:53235)->(xxx.xxx.xxx.xxx:5050->172.16.1.30:5050), len 40 
18:16:20 firewall,info req-in prerouting: in:bridge_HR(ether2) out:(unknown 0), src-mac xx:xx:xx:xx:xx:xx, proto TCP (ACK,FIN), 172.16.1.222:53236->xxx.xxx.xxx.xxx:5050, NAT (172.16.1.222:53236->172.16.1.1:53236)->(xxx.xxx.xxx.xxx:5050->172.16.1.30:5050), len 40 
18:16:20 firewall,info req-out postrouting: in:(unknown 0)(ether2) out:bridge_HR, src-mac xx:xx:xx:xx:xx:xx, proto TCP (ACK,FIN), 172.16.1.222:53236->172.16.1.30:5050, NAT (172.16.1.222:53236->172.16.1.1:53236)->(xxx.xxx.xxx.xxx:5050->172.16.1.30:5050), len 40 
18:16:20 firewall,info new prerouting: in:bridge_HR(ether2) out:(unknown 0), src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN), 172.16.1.222:53238->xxx.xxx.xxx.xxx:5050, len 52 
18:16:20 firewall,info req-in prerouting: in:bridge_HR(ether2) out:(unknown 0), src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN), 172.16.1.222:53238->xxx.xxx.xxx.xxx:5050, len 52 
18:16:20 firewall,info dstnat dstnat: in:bridge_HR(ether2) out:(unknown 0), src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN), 172.16.1.222:53238->xxx.xxx.xxx.xxx:5050, len 52 
18:16:20 firewall,info req-out postrouting: in:(unknown 0)(ether2) out:bridge_HR, src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN), 172.16.1.222:53238->172.16.1.30:5050, NAT 172.16.1.222:53238->(xxx.xxx.xxx.xxx:5050->172.16.1.30:5050), len 52 
18:16:20 firewall,info resp-in prerouting: in:bridge_HR(ether20) out:(unknown 0), src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN,ACK), 172.16.1.30:5050->172.16.1.1:53238, NAT (172.16.1.30:5050->xxx.xxx.xxx.xxx:5050)->(172.16.1.1:53238->172.16.1.222:53238), len 52 
18:16:20 firewall,info resp-out postrouting: in:(unknown 0)(ether20) out:bridge_HR, src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN,ACK), 172.16.1.30:5050->172.16.1.222:53238, NAT (172.16.1.30:5050->xxx.xxx.xxx.xxx:5050)->(172.16.1.1:53238->172.16.1.222:53238), len 52 
18:16:20 firewall,info req-in prerouting: in:bridge_HR(ether2) out:(unknown 0), src-mac xx:xx:xx:xx:xx:xx, proto TCP (ACK), 172.16.1.222:53238->xxx.xxx.xxx.xxx:5050, NAT (172.16.1.222:53238->172.16.1.1:53238)->(xxx.xxx.xxx.xxx:5050->172.16.1.30:5050), len 40 
18:16:20 firewall,info req-out postrouting: in:(unknown 0)(ether2) out:bridge_HR, src-mac xx:xx:xx:xx:xx:xx, proto TCP (ACK), 172.16.1.222:53238->172.16.1.30:5050, NAT (172.16.1.222:53238->172.16.1.1:53238)->(xxx.xxx.xxx.xxx:5050->172.16.1.30:5050), len 40 
18:16:20 firewall,info req-in prerouting: in:bridge_HR(ether2) out:(unknown 0), src-mac xx:xx:xx:xx:xx:xx, proto TCP (ACK,PSH), 172.16.1.222:53238->xxx.xxx.xxx.xxx:5050, NAT (172.16.1.222:53238->172.16.1.1:53238)->(xxx.xxx.xxx.xxx:5050->172.16.1.30:5050), len 150 
18:16:20 firewall,info req-out postrouting: in:(unknown 0)(ether2) out:bridge_HR, src-mac xx:xx:xx:xx:xx:xx, proto TCP (ACK,PSH), 172.16.1.222:53238->172.16.1.30:5050, NAT (172.16.1.222:53238->172.16.1.1:53238)->(xxx.xxx.xxx.xxx:5050->172.16.1.30:5050), len 150 
18:16:20 firewall,info resp-in prerouting: in:bridge_HR(ether20) out:(unknown 0), src-mac xx:xx:xx:xx:xx:xx, proto TCP (ACK), 172.16.1.30:5050->172.16.1.1:53238, NAT (172.16.1.30:5050->xxx.xxx.xxx.xxx:5050)->(172.16.1.1:53238->172.16.1.222:53238), len 40 
18:16:20 firewall,info resp-out postrouting: in:(unknown 0)(ether20) out:bridge_HR, src-mac xx:xx:xx:xx:xx:xx, proto TCP (ACK), 172.16.1.30:5050->172.16.1.222:53238, NAT (172.16.1.30:5050->xxx.xxx.xxx.xxx:5050)->(172.16.1.1:53238->172.16.1.222:53238), len 40 
18:16:20 firewall,info resp-in prerouting: in:bridge_HR(ether20) out:(unknown 0), src-mac xx:xx:xx:xx:xx:xx, proto TCP (ACK,FIN), 172.16.1.30:5050->172.16.1.1:53236, NAT (172.16.1.30:5050->xxx.xxx.xxx.xxx:5050)->(172.16.1.1:53236->172.16.1.222:53236), len 40 
18:16:20 firewall,info resp-out postrouting: in:(unknown 0)(ether20) out:bridge_HR, src-mac xx:xx:xx:xx:xx:xx, proto TCP (ACK,FIN), 172.16.1.30:5050->172.16.1.222:53236, NAT (172.16.1.30:5050->xxx.xxx.xxx.xxx:5050)->(172.16.1.1:53236->172.16.1.222:53236), len 40 
18:16:20 firewall,info req-in prerouting: in:bridge_HR(ether2) out:(unknown 0), src-mac xx:xx:xx:xx:xx:xx, proto TCP (ACK), 172.16.1.222:53236->xxx.xxx.xxx.xxx:5050, NAT (172.16.1.222:53236->172.16.1.1:53236)->(xxx.xxx.xxx.xxx:5050->172.16.1.30:5050), len 40 
18:16:20 firewall,info req-out postrouting: in:(unknown 0)(ether2) out:bridge_HR, src-mac xx:xx:xx:xx:xx:xx, proto TCP (ACK), 172.16.1.222:53236->172.16.1.30:5050, NAT (172.16.1.222:53236->172.16.1.1:53236)->(xxx.xxx.xxx.xxx:5050->172.16.1.30:5050), len 40 
18:16:22 firewall,info req-in prerouting: in:bridge_HR(ether2) out:(unknown 0), src-mac xx:xx:xx:xx:xx:xx, proto TCP (ACK,FIN), 172.16.1.222:53238->xxx.xxx.xxx.xxx:5050, NAT (172.16.1.222:53238->172.16.1.1:53238)->(xxx.xxx.xxx.xxx:5050->172.16.1.30:5050), len 40 
18:16:22 firewall,info req-out postrouting: in:(unknown 0)(ether2) out:bridge_HR, src-mac xx:xx:xx:xx:xx:xx, proto TCP (ACK,FIN), 172.16.1.222:53238->172.16.1.30:5050, NAT (172.16.1.222:53238->172.16.1.1:53238)->(xxx.xxx.xxx.xxx:5050->172.16.1.30:5050), len 40 
18:16:22 firewall,info resp-in prerouting: in:bridge_HR(ether20) out:(unknown 0), src-mac xx:xx:xx:xx:xx:xx, proto TCP (ACK,FIN), 172.16.1.30:5050->172.16.1.1:53238, NAT (172.16.1.30:5050->xxx.xxx.xxx.xxx:5050)->(172.16.1.1:53238->172.16.1.222:53238), len 40 
18:16:22 firewall,info resp-out postrouting: in:(unknown 0)(ether20) out:bridge_HR, src-mac xx:xx:xx:xx:xx:xx, proto TCP (ACK,FIN), 172.16.1.30:5050->172.16.1.222:53238, NAT (172.16.1.30:5050->xxx.xxx.xxx.xxx:5050)->(172.16.1.1:53238->172.16.1.222:53238), len 40 
18:16:22 firewall,info req-in prerouting: in:bridge_HR(ether2) out:(unknown 0), src-mac xx:xx:xx:xx:xx:xx, proto TCP (ACK), 172.16.1.222:53238->xxx.xxx.xxx.xxx:5050, NAT (172.16.1.222:53238->172.16.1.1:53238)->(xxx.xxx.xxx.xxx:5050->172.16.1.30:5050), len 40 
18:16:22 firewall,info req-out postrouting: in:(unknown 0)(ether2) out:bridge_HR, src-mac xx:xx:xx:xx:xx:xx, proto TCP (ACK), 172.16.1.222:53238->172.16.1.30:5050, NAT (172.16.1.222:53238->172.16.1.1:53238)->(xxx.xxx.xxx.xxx:5050->172.16.1.30:5050), len 40

And I think that it is working now… (I’m not at the site and I’m working with VPN and TeamViewer),
so I will check it in 2 days when I go there.
At the hairpin rule I don’t see any counters changing. Counters change at /firewall nat at:

/ip firewall nat
add action=dst-nat chain=dstnat connection-mark=debug dst-address=1.1.1.1 dst-port=5050 log=yes log-prefix=dstnat protocol=tcp to-addresses=172.16.1.30

What do you see in the log?

P.S. Must I do the same for every rule? Like this?

/ip firewall nat
add action=dst-nat chain=dstnat connection-mark=debug dst-address=1.1.1.1 dst-port=PORT log=yes log-prefix=dstnat protocol=tcp to-addresses=LOCAL IP

Well, if the mistake the whole time was using udp instead of tcp, you can go back to before we started playing with logging rules and only fix the protocol:

/ip firewall nat
add action=dst-nat chain=dstnat dst-address=192.168.1.250 protocol=tcp dst-port=5050 to-addresses=172.16.1.30
add action=dst-nat chain=dstnat dst-address=xxx.xxx.xxx.xxx protocol=tcp dst-port=5050 to-addresses=172.16.1.30

And about the hairpin NAT rule, a correct universal one would be this:

/ip firewall nat
add action=masquerade chain=srcnat src-address=172.16.1.0/24 dst-address=172.16.1.0/24

But the required srcnat was already done by this existing rule that I assume was first:

/ip firewall nat
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=172.16.1.0/24

So as long as you keep this one, you don’t need the other.

Thank you very much.
Now I can access the local LAN port from inside the LAN with the public IP.
One problem I see now…
I cannot connect to port 5050 of another site from this network (zzz.zzz.zzz.zzz:5050).
E.g. with my mobile phone, if I connect to the internet with 4G I can access zzz.zzz.zzz.zzz:5050, but when I connect to this LAN (with public IP xxx.xxx.xxx.xxx) I cannot…

Try posting your nat rules again, maybe there’s something left that shouldn’t be there.

Ok here you are…

/ip firewall filter
add action=drop chain=input comment=\
    "Drop new connections from blacklisted IP's to this router" \
    connection-state=new in-interface=ether24 src-address-list=blacklist
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment="allow ISP Modem to HR(vlan10)" \
    dst-address=10.0.10.1 src-address=172.16.1.0/24
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp \
    src-port=""
add action=accept chain=input comment="allow IPsec NAT" dst-port=1723 \
    protocol=tcp src-port=""
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp \
    src-port=""
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=mark-connection chain=prerouting connection-state=new dst-address=\
    xxx.xxx.xxx.xxx dst-port=5050 log=yes log-prefix=new new-connection-mark=\
    debug passthrough=yes protocol=udp src-address=172.16.1.222
add action=mark-connection chain=prerouting connection-state=new dst-address=\
    xxx.xxx.xxx.xxx dst-port=5050 log=yes log-prefix=new new-connection-mark=\
    debug passthrough=yes protocol=tcp src-address=172.16.1.222
add action=log chain=prerouting connection-mark=debug log-prefix=req-in \
    src-address=172.16.1.222
add action=log chain=postrouting connection-mark=debug log-prefix=req-out \
    src-address=172.16.1.222
add action=log chain=prerouting connection-mark=debug log-prefix=resp-in \
    src-address=172.16.1.30
add action=log chain=postrouting connection-mark=debug log-prefix=resp-out \
    src-address=172.16.1.30
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=\
    WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    172.16.1.0/24
add action=dst-nat chain=dstnat dst-address=192.168.1.250 dst-port=5050 \
    protocol=udp to-addresses=172.16.1.30
add action=dst-nat chain=dstnat dst-address=xxx.xxx.xxx.xxx dst-port=5050 \
    protocol=udp to-addresses=172.16.1.30
add action=dst-nat chain=dstnat comment="Grandstream SIP" dst-port=5050 \
    in-interface=ether24 protocol=udp to-addresses=172.16.1.30 to-ports=5050
add action=dst-nat chain=dstnat comment="Grandstream SIP" dst-port=5050 \
    protocol=udp to-addresses=172.16.1.30 to-ports=5050
add action=dst-nat chain=dstnat comment="Grandstream SIP" dst-port=5050 \
    in-interface=ether24 protocol=tcp to-addresses=172.16.1.30 to-ports=5050
add action=dst-nat chain=dstnat comment="Grandstream TLS" dst-port=5061 \
    in-interface=ether24 protocol=udp to-addresses=172.16.1.30 to-ports=5061
add action=dst-nat chain=dstnat comment="Grandstream TLS" dst-port=5061 \
    in-interface=ether24 protocol=tcp to-addresses=172.16.1.30 to-ports=5061
add action=dst-nat chain=dstnat comment="Grandstream RTP" dst-port=\
    30000-40000 in-interface=ether24 protocol=udp to-addresses=172.16.1.30 \
    to-ports=30000-40000
add action=dst-nat chain=dstnat comment="Server iDrac" dst-port=5900 \
    in-interface=ether24 protocol=udp to-addresses=172.16.1.3 to-ports=5900
add action=dst-nat chain=dstnat comment="Server iDrac" dst-port=5902 \
    in-interface=ether24 protocol=tcp to-addresses=172.16.1.3 to-ports=5902
add action=dst-nat chain=dstnat comment="wol logistirio1" dst-port=4000 \
    in-interface=ether24 protocol=udp to-addresses=172.16.1.222 to-ports=9
add action=dst-nat chain=dstnat comment="Server iDrac" dst-port=5900 \
    in-interface=ether24 protocol=tcp to-addresses=172.16.1.3 to-ports=5900
add action=dst-nat chain=dstnat comment="Soft1 SQL" dst-port=7419 \
    in-interface=ether24 protocol=udp src-address=zzz.zzz.zzz.zzz to-addresses=\
    172.16.1.2 to-ports=1433
add action=dst-nat chain=dstnat comment="Soft1 SQL" dst-port=7419 \
    in-interface=ether24 protocol=tcp src-address=zzz.zzz.zzz.zzz to-addresses=\
    172.16.1.2 to-ports=1433
add action=dst-nat chain=dstnat comment="mnfsrv rdc" dst-port=3392 \
    in-interface=ether24 protocol=tcp src-address=zzz.zzz.zzz.zzz to-addresses=\
    172.16.1.2 to-ports=3389
add action=dst-nat chain=dstnat comment="mnfsrv Soft1" dst-port=22001 \
    in-interface=ether24 protocol=tcp src-address=zzz.zzz.zzz.zzz to-addresses=\
    172.16.1.2 to-ports=22001
add action=dst-nat chain=dstnat connection-mark=debug dst-address=\
    xxx.xxx.xxx.xxx dst-port=5050 log=yes log-prefix=dstnat protocol=udp \
    to-addresses=172.16.1.30
add action=dst-nat chain=dstnat connection-mark=debug dst-address=\
    xxx.xxx.xxx.xxx dst-port=5050 log=yes log-prefix=dstnat protocol=tcp \
    to-addresses=172.16.1.30
add action=masquerade chain=srcnat connection-mark=debug dst-address=\
    172.16.1.0/24 dst-port=5050 log=yes log-prefix=hairpin protocol=udp \
    src-address=172.16.1.0/24
add action=masquerade chain=srcnat connection-mark=debug dst-address=\
    172.16.1.0/24 dst-port=5050 log=yes log-prefix=hairpin protocol=tcp \
    src-address=172.16.1.0/24
/ip firewall service-port
set sip disabled=yes ports=5065,5066

Thank you very much.

Ok, let’s clean it up. Get rid of everything in “/ip firewall mangle”, it was only for debugging. Then remove (or just only disable at first and remove later when everything works) these:

/ip firewall nat
...
add action=dst-nat chain=dstnat dst-address=192.168.1.250 dst-port=5050 protocol=udp to-addresses=172.16.1.30
add action=dst-nat chain=dstnat dst-address=xxx.xxx.xxx.xxx dst-port=5050 protocol=udp to-addresses=172.16.1.30
add action=dst-nat chain=dstnat comment="Grandstream SIP" dst-port=5050 in-interface=ether24 protocol=udp to-addresses=172.16.1.30 to-ports=5050
add action=dst-nat chain=dstnat comment="Grandstream SIP" dst-port=5050 protocol=udp to-addresses=172.16.1.30 to-ports=5050
add action=dst-nat chain=dstnat comment="Grandstream SIP" dst-port=5050 in-interface=ether24 protocol=tcp to-addresses=172.16.1.30 to-ports=5050
...
add action=dst-nat chain=dstnat connection-mark=debug dst-address=xxx.xxx.xxx.xxx dst-port=5050 log=yes log-prefix=dstnat protocol=udp to-addresses=172.16.1.30
add action=dst-nat chain=dstnat connection-mark=debug dst-address=xxx.xxx.xxx.xxx dst-port=5050 log=yes log-prefix=dstnat protocol=tcp to-addresses=172.16.1.30
add action=masquerade chain=srcnat connection-mark=debug dst-address=172.16.1.0/24 dst-port=5050 log=yes log-prefix=hairpin protocol=udp src-address=172.16.1.0/24
add action=masquerade chain=srcnat connection-mark=debug dst-address=172.16.1.0/24 dst-port=5050 log=yes log-prefix=hairpin protocol=tcp src-address=172.16.1.0/24

And replace them with these:

/ip firewall nat
add action=dst-nat chain=dstnat dst-address=192.168.1.250 protocol=tcp dst-port=5050 to-addresses=172.16.1.30
add action=dst-nat chain=dstnat dst-address=192.168.1.250 protocol=udp dst-port=5050 to-addresses=172.16.1.30
add action=dst-nat chain=dstnat dst-address=xxx.xxx.xxx.xxx protocol=tcp dst-port=5050 to-addresses=172.16.1.30
add action=dst-nat chain=dstnat dst-address=xxx.xxx.xxx.xxx protocol=udp dst-port=5050 to-addresses=172.16.1.30

So any connection to 192.168.1.250 (where modem forwards port 5050 to) or xxx.xxx.xxx.xxx (your public address), both tcp and udp (just to be sure) will go to 172.16.1.30. That’s what you want. And nothing else will be affected.
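
Added example (not part of the thread and not MikroTik code): a small Python model of first-match dstnat evaluation, run over three rules from the export above and over the replacement rules, showing why a LAN client's UDP traffic to another site's port 5050 ended up at 172.16.1.30. The addresses 198.51.100.10 (standing in for xxx.xxx.xxx.xxx) and 203.0.113.9 (standing in for zzz.zzz.zzz.zzz) are constructed, and the model only understands the protocol, dst-port, in-interface and dst-address matchers.

```python
import ipaddress
import re
import shlex

# Constructed input: three dstnat rules from the export in the thread and the
# replacement rules, with 198.51.100.10 standing in for xxx.xxx.xxx.xxx.
BEFORE = r'''/ip firewall nat
add action=dst-nat chain=dstnat dst-address=198.51.100.10 dst-port=5050 \
    protocol=udp to-addresses=172.16.1.30
add action=dst-nat chain=dstnat comment="Grandstream SIP" dst-port=5050 \
    in-interface=ether24 protocol=udp to-addresses=172.16.1.30 to-ports=5050
add action=dst-nat chain=dstnat comment="Grandstream SIP" dst-port=5050 \
    protocol=udp to-addresses=172.16.1.30 to-ports=5050
'''
AFTER = r'''/ip firewall nat
add action=dst-nat chain=dstnat dst-address=198.51.100.10 protocol=tcp dst-port=5050 to-addresses=172.16.1.30
add action=dst-nat chain=dstnat dst-address=198.51.100.10 protocol=udp dst-port=5050 to-addresses=172.16.1.30
'''
# Constructed packets: a LAN client calling another site, then the public address.
LAN = {"protocol": "udp", "dst-port": 5050, "in-interface": "bridge_HR"}
OTHER_SITE = {**LAN, "dst-address": "203.0.113.9"}
HAIRPIN = {**LAN, "dst-address": "198.51.100.10"}
SCOPING = ("dst-address", "dst-address-list", "dst-address-type",
           "in-interface", "in-interface-list")

def parse(export):
    """Turn an export into a list of {parameter: value} dicts, one per rule."""
    joined = re.sub(r"\\\n\s*", "", export)  # undo the export's line wrapping
    rules = []
    for line in joined.splitlines():
        if line.startswith("add "):
            pairs = (tok.split("=", 1) for tok in shlex.split(line)[1:])
            rules.append({k: v for k, v in pairs})
    return rules

def port_in(spec, port):
    ranges = (p.partition("-") for p in spec.split(","))
    return any(int(lo) <= port <= int(hi or lo) for lo, _, hi in ranges)

def first_match(rules, pkt):
    """Return the first dst-nat rule that would translate pkt, else None."""
    dst = ipaddress.ip_address(pkt["dst-address"])
    for r in rules:
        if r.get("chain") != "dstnat" or r.get("action", "accept") != "dst-nat":
            continue  # no action= means accept, which translates nothing
        ok = (r.get("protocol", pkt["protocol"]) == pkt["protocol"]
              and r.get("in-interface", pkt["in-interface"]) == pkt["in-interface"]
              and port_in(r.get("dst-port", "0-65535"), pkt["dst-port"])
              and dst in ipaddress.ip_network(r.get("dst-address", "0.0.0.0/0"), strict=False))
        if ok:
            return r
    return None

def unscoped(rules):
    """dst-nat rules that match a port no matter where the packet is headed."""
    return [r for r in rules
            if r.get("chain") == "dstnat" and r.get("action") == "dst-nat"
            and not any(k in r for k in SCOPING)]

if __name__ == "__main__":
    for name, export in (("before", BEFORE), ("after", AFTER)):
        rules = parse(export)
        hit = first_match(rules, OTHER_SITE)
        print(name, "other site ->", hit["to-addresses"] if hit else "not translated")
        print(name, "unscoped dst-nat rules:", len(unscoped(rules)))
```

Running `unscoped()` over a full `/ip firewall nat export` is a quick audit for port forwards that are missing both a destination address and an inbound interface.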