Another port forwarding query

lostchild · November 8, 2011, 3:02pm

Hi Guys

I’ve searched many threads on port forwarding, but this one still has me very confused.

MT router has WAN interface with public IP P.P.P.P (ppoe connection to aDSL modem in bridge mode)

LAN has L.L.L.L/24, with a DHCP range of L.L.L.100 - L.L.L.150

A static IP address is allocated to a machine at L.L.L.10, this machine connects to a remote service on the internet using port 5545.

I have a universal “masquerade” rule in NAT that allows local devices to connect to the WAN/Internet, and this works fine. I have set a rule in NAT to allow the outside service to connect to L.L.L.10 via port 5545:

chain=dstnat action=dst-nat to-addresses=L.L.L.10 to-ports=5545 protocol=tcp dst-address=P.P.P.P dst-port=5545

I can see traffic coming in from the remote server (using Torch) but the responses from the local device get lost somewhere. When I use the MT packet sniffer, I see the response packets from the local device, but they do not make it to the WAN interface for some reason.

What am I not seeing here??

Thanks

sadeghrafie · November 8, 2011, 4:21pm

It seems to be correct with Mikrotik configuration although you must export all firewall, IP address, Interface and routes configuration too.
Are you sure about your Local PC and it’s firewall?
If this PC has other services like IIS, try to test it via port 80.

lostchild · November 8, 2011, 4:32pm

/ip route

 0 A S  0.0.0.0/0                          isp             1       
 1 ADC  ISP Gateway   Public IP   isp             0       
 2 A S  ;;; Static route to Axxxx server
        L.L.1.1/32                      192.168.10.2       1       
 3 A S  ;;; Static route to Oxxxxx server
        L.L.1.99/32                     192.168.10.2       1       
 4 A S  ;;; Static route to Mailserver
        L.L.1.100/32                    192.168.10.2       1       
 5 A S  ;;; Static route to Axxxxx
        L.L.1.134/32                    192.168.10.2       1       
 6 ADC  L.L.5.0/24      172.17.5.1      ether5             0       
 7 ADC  192.168.10.0/30    192.168.10.1    tunnel1            0

Explanation: I have an IPSec tunnel running, local address is 192.168.10.1. All static routes here point to devices at the other end of the tunnel, and all are working normally.

lostchild · November 8, 2011, 4:35pm

Thanks for your reply, sadeghrafie.

lostchild · November 8, 2011, 4:46pm

/ip firewall filter
add action=accept chain=input connection-state=established disabled=no
add action=accept chain=input connection-state="(unknown)" disabled=no
add action=accept chain=input disabled=no protocol=tcp src-port=5545


/ip firewall nat

add action=accept chain=srcnat disabled=no dst-address=remote public IP src-address=local public IP
add action=dst-nat chain=dstnat disabled=no dst-address=local public IP dst-port=5545 protocol=tcp to-addresses=L.L.5.10 to-ports=5545
add action=src-nat chain=srcnat disabled=no out-interface=isp src-address=L.L.5.10 to-addresses=local public IP
add action=masquerade chain=srcnat disabled=no out-interface=isp

The first NAT rule is to accomodate traffic for the IPSec VPN tunnel.

lostchild · November 8, 2011, 4:50pm

IP addresses:

 #   ADDRESS            NETWORK         INTERFACE                                
 0   ;;; LAN IP range on ether5
     L.L.5.1/24      L.L.5.0      ether5                                   
 1   ;;; Near end of IP tunnel
     192.168.10.1/30    192.168.10.0    tunnel1                                  
 2 D Public IP          ISP gateway IP  isp

lostchild · November 8, 2011, 4:52pm

Interfaces:

Flags: D - dynamic, X - disabled, R - running, S - slave 
 #     NAME                                          TYPE             MTU   L2MTU
 0  R  ether1                                        ether            1300  1300 
 1     ether2                                        ether            1500  1598 
 2     ether3                                        ether            1500  1598 
 3     ether4                                        ether            1500  1598 
 4  R  ether5                                        ether            1500  1598 
 5  R  isp                                           pppoe-out        1300 
 6  R  tunnel1                                       ipip             1480

sadeghrafie · November 8, 2011, 5:04pm

Are you sure with this code?

add action=src-nat chain=srcnat disabled=no out-interface=isp src-address=L.L.5.10 to-addresses=local public IP

Why do you use this? Do you have more than 1 public IP address on your router?

lostchild · November 8, 2011, 5:22pm

sadeghrafie:

Are you sure with this code?
add action=src-nat chain=srcnat disabled=no out-interface=isp src-address=L.L.5.10 to-addresses=local public IP
Why do you use this? Do you have more than 1 public IP address on your router?

There is a single public IP on the WAN interface. I added the above rule to force L.L.5.10 to go out that way (in case something? was causing it to go elsewhere) but it seems to make no difference.

sadeghrafie · November 8, 2011, 5:30pm

If you want to force, you need to add mangle rule which detect packets from specific IP then mark route. In routes can use routing mark.
BTW, you have 0.0.0.0/0 gateway and the client goes over this for non routed destinations.
I can’t see any problem till now. Try to check the client when got enough permission.

lostchild · November 8, 2011, 5:42pm

Thanks sadeghrafie

I don’t think I’ll get admin permission on the machine in question. In any case, the machine is responding (see my comment on packet sniffer) but the traffic isn’t getting out of the MT.

lostchild · November 8, 2011, 9:47pm

Unless I’m missing something basic, I don’t see how mangle rules are necessary for this, but I’ll try it!

I’ve read the mangle wiki several times by now, and still can’t make any sense of it. Can anybody help me? I just need to be started in the right direction.

Thanks for any help!