Basic NAT for an application

I am moving from PFsense to routerboard 450G.

I have the basics set up and just want to set up a few NAT rules for apps running on my internal network.
I already have Eth1 (Wan) set up with masquerade to Eth2 (Lan).
All I want to do is create rules so that Xbox Live and another app can run without issues.

I am doing all my setup with winbox, FYI.
I set up 3 rules under NAT:

  1. Dst-nat using chain dst-nat protocol udp dst port 3074 in-interface eth1 → action dstnat forward to ip 192.168.100.20 (xbox)
  2. Dst-nat using chain dst-nat protocol udp dst port 9029 in-interface eth1 → action dstnat forward to ip 192.168.100.10 (server)
  3. Dst-nat using chain dst-nat protocol tcp dst port 9029 in-interface eth1 → action dstnat forward to ip 192.168.100.10 (server)

Also 3 filter rules:

  1. input chain, protocol udp, dst-port 3074, in-interface eth1, action allow
  2. input chain, protocol udp, dst-port 9029, in-interface eth1, action allow
  3. input chain, protocol tcp, dst-port 9029, in-interface eth1, action allow


Currently it does not work. I'm sure I am just missing a minor rule.
Please assist.

Thx in advance

I checked a similar port forwarding in my setup and I can’t see why it should not work. The setup in my router would look like below. I am sure that you have already considered that the filter rule must be placed high in the list, before any rule that might drop the packet, e.g. a rule dropping all new connections not coming from your LAN.

rgs Pilgrim

NAT:

add action=dst-nat chain=dstnat comment="" disabled=no dst-port=3074 in-interface=eth1 protocol=tcp to-addresses=192.168.100.20

Filter:

add action=accept chain=forward comment="" disabled=no dst-port=3074 protocol=tcp

You can type in terminal

/ip firewall nat print

and

/ip firewall filter print

to show us your firewall configuration.

NAT:
0 chain=dstnat action=dst-nat to-addresses=192.168.100.20 to-ports=3074
protocol=udp in-interface=ether1 dst-port=3074

1 chain=dstnat action=dst-nat to-addresses=192.168.100.8 to-ports=9029
protocol=tcp in-interface=ether1 dst-port=9029

2 chain=dstnat action=dst-nat to-addresses=192.168.100.8 to-ports=9029
protocol=udp in-interface=ether1 dst-port=9029

3 ;;; Added by webbox
chain=srcnat action=masquerade out-interface=ether1


FILTER:
0 ;;; Added by webbox
chain=input action=accept protocol=icmp

1 ;;; Xbox 360
chain=input action=accept protocol=udp in-interface=ether1 dst-port=3074

2 ;;; NAS
chain=input action=accept protocol=tcp in-interface=ether1 dst-port=9029

3 chain=input action=accept protocol=udp in-interface=ether1 dst-port=9029

4 ;;; Added by webbox
chain=input action=accept connection-state=established in-interface=ether1

5 ;;; Added by webbox
chain=input action=accept connection-state=related in-interface=ether1

6 ;;; Added by webbox
chain=input action=drop in-interface=ether1

7 ;;; Added by webbox
chain=forward action=jump jump-target=customer in-interface=ether1

8 ;;; Added by webbox
chain=customer action=accept connection-state=established

9 ;;; Added by webbox
chain=customer action=accept connection-state=related

10 ;;; Added by webbox
chain=customer action=drop


Thanks a lot for your support guys. I really appreciate a good forum with good people. :smiley:

Figured it all out.
I had set the filter to accept but not forward (Input vs Forward).

Once this was set it all worked great.

Thx
:smiley:
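
The input-versus-forward point from the last post, as an added example that is not code from any poster or from MikroTik: a small Python model that retypes the NAT and filter rules from the print output above and traces a new inbound packet through dstnat, the routing decision and the filter chains. `ROUTER_IP`, the field names `in_if`, `dst` and `state`, and the extra rule in `FIXED` are assumptions made for the illustration; matching is plain equality and the masquerade rule is left out.

```python
# Added example: toy model of the path discussed in the thread (dstnat, routing decision, filter).
ROUTER_IP = "203.0.113.1"  # constructed WAN address, not from the thread

def rule(chain, action, arg=None, **match):  # arg = jump target or to-address
    return {"chain": chain, "action": action, "arg": arg, "match": match}

NAT = [  # the three dstnat rules from the print output
    rule("dstnat", "dst-nat", "192.168.100.20", protocol="udp", in_if="ether1", dst_port=3074),
    rule("dstnat", "dst-nat", "192.168.100.8", protocol="tcp", in_if="ether1", dst_port=9029),
    rule("dstnat", "dst-nat", "192.168.100.8", protocol="udp", in_if="ether1", dst_port=9029),
]
FILTER = [  # list index == rule number in the print output
    rule("input", "accept", protocol="icmp"),
    rule("input", "accept", protocol="udp", in_if="ether1", dst_port=3074),
    rule("input", "accept", protocol="tcp", in_if="ether1", dst_port=9029),
    rule("input", "accept", protocol="udp", in_if="ether1", dst_port=9029),
    rule("input", "accept", state="established", in_if="ether1"),
    rule("input", "accept", state="related", in_if="ether1"),
    rule("input", "drop", in_if="ether1"),
    rule("forward", "jump", "customer", in_if="ether1"),
    rule("customer", "accept", state="established"),
    rule("customer", "accept", state="related"),
    rule("customer", "drop"),
]
# Same rules plus a forward-chain accept placed ahead of the jump (hypothetical rule)
FIXED = FILTER[:7] + [rule("forward", "accept", protocol="udp", in_if="ether1",
                           dst="192.168.100.20", dst_port=3074)] + FILTER[7:]
XBOX_PKT = {"protocol": "udp", "in_if": "ether1", "dst": ROUTER_IP, "dst_port": 3074, "state": "new"}

def matches(r, pkt):
    return all(pkt.get(k) == v for k, v in r["match"].items())

def run_chain(rules, chain, pkt):
    for n, r in enumerate(rules):
        if r["chain"] == chain and matches(r, pkt):
            if r["action"] != "jump":
                return r["action"], n
            verdict = run_chain(rules, r["arg"], pkt)  # follow the jump
            if verdict:
                return verdict
    return None  # no rule decided: back to the caller

def trace(nat, rules, pkt):
    hit = next((r for r in nat if matches(r, pkt)), None)
    if hit:
        pkt = {**pkt, "dst": hit["arg"]}  # dstnat rewrites the destination before routing
    chain = "input" if pkt["dst"] == ROUTER_IP else "forward"
    action, n = run_chain(rules, chain, pkt) or ("accept", None)
    return chain, action, n
```

`trace(NAT, FILTER, XBOX_PKT)` ends at rule 10 (`chain=customer action=drop`) without ever consulting the input-chain accepts, while the same packet against `FIXED` is accepted in the forward chain.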