Basic port forwarding not working

I’m having problems setting up a simple port forwarding from my public IP interface to an internal private IP.

I’m trying to forward the port 3306 (MySQL) to the internal IP 192.168.73.109:3306.

Because I was unable to do it, I also tested forwarding the port 8080 to 192.168.73.109:80.

There shouldn’t be anything else required, just the nat rule, without requiring a filter rule to accept it (which, btw, I tried too).



If I scan the ports from the outside, it only shows the service ports as open; everything else is closed.

Any clue will be appreciated.

This is the export of the simple rules I have so far.

  • Note: I have an IPSec tunnel going from 192.168.73.0/24 to 192.168.44.0/24, that’s the only rule you’re going to see there.
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
    tcp-close-wait-timeout=10s tcp-established-timeout=1d \
    tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
    tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
    tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=log chain=input disabled=no dst-port=8080 in-interface=pppoe-arnet \
    log-prefix=HTTP protocol=tcp
add action=accept chain=input disabled=no dst-port=8080 in-interface=\
    pppoe-arnet protocol=tcp
add action=accept chain=input disabled=no src-address=192.168.44.0/24
add action=accept chain=input comment="default configuration" disabled=no \
    protocol=icmp
add action=accept chain=input comment="default configuration" \
    connection-state=established disabled=no
add action=drop chain=input comment="default configuration" disabled=no \
    in-interface=ether1-gateway

/ip firewall nat
add action=dst-nat chain=dst-nat disabled=no dst-address-type=local dst-port=\
    8080 in-interface=pppoe-arnet protocol=tcp to-addresses=192.168.73.109 \
    to-ports=80
add action=log chain=dst-nat disabled=no dst-address-type=local dst-port=3306 \
    in-interface=pppoe-arnet log-prefix="MYSQL NAT" protocol=tcp
add action=dst-nat chain=dst-nat disabled=no dst-address-type=local dst-port=\
    3306 in-interface=pppoe-arnet protocol=tcp to-addresses=192.168.73.109
add action=accept chain=srcnat disabled=no dst-address=192.168.44.0/24 \
    src-address=192.168.73.0/24
add action=masquerade chain=srcnat comment="default configuration" disabled=\
    no out-interface=pppoe-arnet

/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061 sip-direct-media=yes
set pptp disabled=no

Did you manually type in the chain name on those? The chain should be dstnat and not dst-nat. Try this and see if the counter increments when you attempt to connect:

add action=dst-nat chain=dstnat disabled=no dst-port=3307 in-interface=pppoe-arnet protocol=tcp to-addresses=192.168.73.105

OMG :open_mouth:

I don’t remember having typed that, I think I copy-pasted a rule and then copied the other ones in Winbox.

That was the issue I was having. I replaced the “dst-nat” with “dstnat” (the actual chain) and it worked.

I spent 3 hours trying to figure out what was wrong. :blush:

Thank you very much.
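
Added example, not part of the original thread: a small Python check that scans a RouterOS export for the mistake found above, a rule whose chain is neither a built-in chain nor the jump-target of any rule, so it never sees traffic. The function names and the abridged sample export are constructed for illustration, and only the filter and nat tables are checked.

```python
import re

# Built-in chains per RouterOS firewall table; any other name is a user-defined
# chain that only sees traffic when some rule jumps to it.
BUILTIN = {"filter": {"input", "forward", "output"}, "nat": {"srcnat", "dstnat"}}

# Constructed sample: abridged from the export posted in the thread.
SAMPLE = r'''
/ip firewall nat
add action=dst-nat chain=dst-nat disabled=no dst-address-type=local dst-port=\
    8080 in-interface=pppoe-arnet protocol=tcp to-addresses=192.168.73.109 \
    to-ports=80
add action=log chain=dst-nat disabled=no dst-address-type=local dst-port=3306 \
    in-interface=pppoe-arnet log-prefix="MYSQL NAT" protocol=tcp
add action=masquerade chain=srcnat comment="default configuration" disabled=\
    no out-interface=pppoe-arnet
'''

def join_continuations(text):
    """Undo the export's backslash-newline wrapping, which can split a value."""
    return re.sub(r"\\\r?\n[ \t]*", "", text)

def parse_rules(text):
    """Yield (table, params) for each 'add' line under /ip firewall <table>."""
    table = None
    for line in join_continuations(text).splitlines():
        line = line.strip()
        m = re.fullmatch(r"/ip firewall (\S+)", line)
        if m:
            table = m.group(1)
        elif line.startswith("/"):
            table = None  # some other menu, e.g. "connection tracking"
        elif table in BUILTIN and line.startswith("add "):
            pairs = re.findall(r'([\w-]+)=("(?:[^"\\]|\\.)*"|\S*)', line)
            yield table, {k: v.strip('"') for k, v in pairs}

def unreachable_rules(text):
    """Return (table, chain, action) for rules in chains nothing jumps to."""
    rules = list(parse_rules(text))
    targets = {(t, p["jump-target"]) for t, p in rules
               if p.get("action") == "jump" and "jump-target" in p}
    return [(t, p.get("chain"), p.get("action")) for t, p in rules
            if p.get("chain") not in BUILTIN[t] and (t, p.get("chain")) not in targets]

if __name__ == "__main__":
    for table, chain, action in unreachable_rules(SAMPLE):
        print(f"{table}: chain={chain!r} is never reached (action={action})")
```

Run against the sample, it flags both `chain=dst-nat` rules and leaves the `srcnat` masquerade rule alone.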