Basic Port Forward

Doing my part to be a good forum member I have been researching this all day, and most of yesterday. Please excuse my ignorance as I’m new to this sort of thing, but really want to learn. I have used consumer routers in the past (Netgear, Linksys, Belkin). I am simply looking to forward SSH port 2230 to my computer. I have followed this http://wiki.mikrotik.com/wiki/Manual:Initial_Configuration#Port_forwarding using the web UI to the letter but still no luck. I fully realize there is probably some stupid mistake that I am making. Does anything have to be done to the firewall rules themselves, or because NAT comes before in the chain does it not matter?

Thanks Much!

-Manko

Of course as soon as I make my post I figure it out… it’s working from outside my house but not inside, so I assume a loopback issue. How is this accomplished, in the NAT or in the Firewall?

http://wiki.mikrotik.com/wiki/Hairpin_NAT

Perfect! Fixed!! Thanks!!

No problem.

Right after I made that post I reset my router so that I could set it up again and make sure I understood what I did the first time. I am stuck again with the hairpin NAT issue. I thought it was the same as last time but no luck. Could someone please tell me what I’m doing wrong?


Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;; default configuration
     chain=srcnat action=masquerade out-interface=ether1-gateway 

 1   chain=dstnat action=dst-nat to-addresses=192.168.0.1 to-ports=80 
     protocol=tcp in-interface=ether1-gateway dst-port=80 

 2   chain=srcnat action=masquerade protocol=tcp src-address=192.168.0.0/24 
     dst-address=192.168.0.1 out-interface=bridge-local dst-port=80

Move rule zero to the end.

I now have the following configuration…


[admin@MikroTik] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic 
 0   chain=dstnat action=dst-nat to-addresses=192.168.0.1 to-ports=80 
     protocol=tcp in-interface=ether1-gateway dst-port=80 

 1   chain=srcnat action=masquerade protocol=tcp src-address=192.168.0.0/24 
     dst-address=192.168.0.1 out-interface=bridge-local dst-port=80 

 2   chain=srcnat action=masquerade out-interface=ether1-gateway

but it still doesn’t work.

What exactly is the problem now? Maybe we are not looking in the right place.

The problem now is when I attempt to access the webserver from outside my house it works great! If I try to access the webserver using the local IP 192.168.0.1 it works great. If I try to access the webserver using the public IP from inside my house the connection breaks. The configuration I last posted was one I created by following the guide to create a hairpin nat which perfectly describes my problem but the published solution doesn’t seem to work.


Thanks again for all your help!!

On rule number 2 remove out-interface.

[admin@MikroTik] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic 
 0   chain=dstnat action=dst-nat to-addresses=192.168.0.1 to-ports=80 
     protocol=tcp in-interface=ether1-gateway dst-port=80 

 1   chain=srcnat action=masquerade protocol=tcp src-address=192.168.0.0/24 
     dst-address=192.168.0.1 out-interface=bridge-local dst-port=80 

 2   chain=srcnat action=masquerade

This is the configuration now but it still doesn’t work.

In the meantime I’ve also tried resetting the router, restarting the modem, switching the modem, and using a different webserver. Same problem, but I’m sure it’s the router.

Rule 0 from the wiki:

/ip firewall nat
add chain=dstnat dst-address=1.1.1.1 protocol=tcp dst-port=80 \
  action=dst-nat to-address=192.168.1.2

Do not specify the in-interface because you want to dst-nat to your local server for all in-interfaces. As you have it, Rule 0 lets a LAN request for 1.1.1.1:80 go out ether1-gateway, which is not what you want.

Rule 1 takes care of src-nat when the request comes from the LAN only.

Rule 2: add “out-interface=ether1-gateway”. You don’t want to src-nat everything, only what goes out ether1-gateway.

If you access the internet more than the internal server, move rule 2 before rule 1. Less processing.
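To make the point above concrete, here is an added Python model (not part of the thread or of RouterOS) of how the dstnat and srcnat chains see a LAN client's request for the public address under the poster's rules versus the wiki's form; the router's LAN address 192.168.0.254 and both client addresses are assumed values.

```python
import ipaddress

PUBLIC_IP = "1.1.1.1"            # public address from the wiki excerpt
ROUTER_LAN_IP = "192.168.0.254"  # assumed: the router's own address on bridge-local
LAN = ipaddress.ip_network("192.168.0.0/24")
MATCHERS = ("in_interface", "out_interface", "protocol", "dst_port", "dst_address")

def matches(rule, pkt):
    """A rule matches only if every matcher it specifies agrees with the packet."""
    if "src_address" in rule and ipaddress.ip_address(pkt["src_address"]) not in ipaddress.ip_network(rule["src_address"]):
        return False
    return all(pkt.get(k) == rule[k] for k in MATCHERS if k in rule)

def nat(rules, pkt):
    """dstnat is evaluated before routing, srcnat after it; the first matching rule in a chain wins."""
    pkt = dict(pkt)
    for r in rules:
        if r["chain"] == "dstnat" and matches(r, pkt):
            pkt["dst_address"] = r["to_addresses"]
            break
    # routing decision: LAN destinations leave via bridge-local, everything else via the WAN port
    pkt["out_interface"] = "bridge-local" if ipaddress.ip_address(pkt["dst_address"]) in LAN else "ether1-gateway"
    for r in rules:
        if r["chain"] == "srcnat" and matches(r, pkt):
            # masquerade rewrites the source to the address of the outgoing interface
            pkt["src_address"] = PUBLIC_IP if pkt["out_interface"] == "ether1-gateway" else ROUTER_LAN_IP
            break
    return pkt

# The poster's rule set: dst-nat restricted to in-interface=ether1-gateway
BROKEN = [
    {"chain": "dstnat", "action": "dst-nat", "in_interface": "ether1-gateway",
     "protocol": "tcp", "dst_port": 80, "to_addresses": "192.168.0.1"},
    {"chain": "srcnat", "action": "masquerade", "protocol": "tcp", "src_address": "192.168.0.0/24",
     "dst_address": "192.168.0.1", "out_interface": "bridge-local", "dst_port": 80},
    {"chain": "srcnat", "action": "masquerade", "out_interface": "ether1-gateway"},
]
# The wiki form: match the public address instead of in-interface, so LAN requests are dst-natted too
FIXED = [{k: v for k, v in dict(BROKEN[0], dst_address=PUBLIC_IP).items() if k != "in_interface"}] + BROKEN[1:]

# Constructed sample packets: a LAN host and an Internet host both opening http://1.1.1.1/
LAN_CLIENT = {"src_address": "192.168.0.50", "dst_address": PUBLIC_IP,
              "in_interface": "bridge-local", "protocol": "tcp", "dst_port": 80}
WAN_CLIENT = dict(LAN_CLIENT, src_address="203.0.113.9", in_interface="ether1-gateway")

def hairpin_works(rules):
    """True when the LAN client's request is redirected to the server and re-sourced to the router."""
    out = nat(rules, LAN_CLIENT)
    return out["dst_address"] == "192.168.0.1" and out["src_address"] == ROUTER_LAN_IP
```

Under BROKEN the LAN request is never dst-natted, gets routed out ether1-gateway and masqueraded to the public address, which is exactly the "connection breaks" symptom; under FIXED it is redirected to the server and re-sourced so the reply comes back through the router.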

@All the people who have offered advice thank you so much!!! Your willingness to share your intelligence has significantly lessened my blood pressure. In particular reverged, thanks so much for not only helping me fix the problem but explaining why so I can learn.

Thanks again!!

Source of confusion: I believe poster did not mean “rule NUMBER 2,” but “the second rule,” which is the rule numbered 1.

I have the same problem! I spoke with my girlfriend and told her to open the address with the port chosen by me! Everything works! I tried to open local host with the special port! Works! But when I try to open the public IP from my house nothing happens! Just connect to … and stuck!

FWIW, I’ve been stuck on this 3 times now and it’s a learning experience every time I solve it. So, for the record:

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=WAN
add action=masquerade chain=srcnat dst-address=192.168.88.0/24 out-interface=!WAN protocol=tcp src-address=192.168.88.0/24
add action=dst-nat chain=dstnat dst-port=222 log-prefix=ssh protocol=tcp to-addresses=192.168.88.160 to-ports=22
  1. Masq IPs that go out to the WAN.
  2. We srcnat everything from localnet to localnet going out anything but the WAN. It is probably overspecified here, but it works inside and out.
  3. Port forward WAN:222 to 192.168.88.160:22.

EDIT: I thought I tested this. Apparently didn’t from outside network. IT DOES NOT WORK FOR INCOMING TRAFFIC PORT FORWARDING.

For the life of me, I cannot debug this firewall. Nothing works as expected. Input chain port 444? Nothing. Ever.

I have wasted enough of my time on it. I think I am going to trash this MikroTik and get something that can do port forwarding sensibly. This isn’t fun anymore.

EDIT: Is it turned on. Is it plugged in. DDNS was not up to date. External tests obviously fail.

I reverted to a previous implementation of the hairpin NAT which generally makes more sense to me and integrated it with the default configuration of the MikroTik:

/ip firewall> export
# mar/02/2017 16:51:09 by RouterOS 6.38.3
# software id = A7N0-8U7V
#
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=accept chain=input comment="default configuration" log-prefix=icmp protocol=icmp
add action=accept chain=input comment="default configuration" connection-state=established disabled=yes protocol=tcp
add action=accept chain=input disabled=yes dst-port=21 protocol=tcp
add action=accept chain=input dst-port=3074 protocol=udp
add action=accept chain=output dst-port=53 log-prefix=dns_out protocol=udp
add action=drop chain=input comment="block external telnet/ssh" dst-port=22,23 in-interface=WAN protocol=tcp
add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related
add action=accept chain=input disabled=yes dst-port=53 in-interface=WAN protocol=udp
add action=accept chain=input in-interface=!WAN src-address=192.168.88.0/24
add action=drop chain=input comment="Drop Invalid connections" connection-state=invalid log=yes log-prefix=d_invalid
add action=accept chain=input comment="defconf: drop all from WAN" disabled=yes in-interface=WAN log-prefix="drop eth1"
add action=drop chain=input comment="Drop everything else" log=yes log-prefix="dae: "
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid log=yes log-prefix=d_invalid_fwd:
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=WAN log=yes \
    log-prefix=d_wan:
/ip firewall nat
add action=masquerade chain=srcnat comment="hairpin nat" dst-address=!192.168.88.1 src-address=192.168.88.0/24
add action=dst-nat chain=dstnat disabled=yes dst-address=!192.168.88.1 dst-port=21 protocol=tcp to-addresses=192.168.88.239 to-ports=21
add action=dst-nat chain=dstnat comment="fwd xbox live to xbox\?.15" dst-address=!192.168.88.1 dst-address-type=local dst-port=3074 protocol=udp to-addresses=\
    192.168.88.15 to-ports=3074

An alternative to Hairpin NAT is Split DNS which is what I use.