Double NAT RB3011 to Ubiquiti UDM

Hi all,
I’ve been struggling with a problem for days now.

It looks like this:
pppoe (WANIP Deutsche Telekom)
|
RB3011 192.168.247.30
| 192.168.247.0/24
Ubiquiti UDM 192.168.247.1
| 192.168.119.0/24
Nextcloud 192.168.119.7

These are the filter and NAT rules:

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked in-interface=ether1
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="Allow dst-nat forward connection state new" connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add action=accept chain=forward comment="nextcloud dst-nat" dst-address=192.168.247.1 dst-port=443 in-interface=ether1 protocol=tcp
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Forwarding rule" disabled=yes dst-address=WANIP dst-port=443 in-interface=bridge protocol=tcp to-addresses=192.168.247.1 to-ports=443
add action=dst-nat chain=dstnat disabled=yes dst-address=WANIP dst-port=10002 in-interface=ether1 protocol=tcp to-addresses=192.168.247.1 to-ports=10002
add action=dst-nat chain=dstnat comment=nextcloud dst-address=WANIP dst-port=443 in-interface=ether1 protocol=tcp to-addresses=192.168.247.1 to-ports=443

So I guess you already know what the problem is - the port forwarding doesn't work. :frowning:

What am I doing wrong!?

Thank you for your help in advance.

Best,
Markus

I'm wondering if on Saturdays this is not the right question or if my problem is not explained well enough? :slight_smile:

Hahaha, yes those that work during the week want to spend their free time answering forum questions early Saturday (edit: indeed it is Sunday, so how time flies on a weekend LOL). Lucky for you I've already gotten my exercise in for the day and have had two coffees.
First thing, if those are your real Public IP addresses just put in fake ones or xx.yy.zz.cc for example.

So you get public IP
MT device has a lan structure of
IP address 192.168.247.1 network 192.168.247.0 dns-server=192.168.427.1

The Ubiquiti device is acting as what, Access Point on the LAN, or Router on the LAN…
Assuming double NAT I will think it's acting as a router.

(1) Therefore its LANIP on the MT subnet is the same as its WANIP which is 192.168.247.1 ???

First thing I would do, is move this to another number as it looks suspiciously like the IP address of the network and maybe not suited for a device.
I could be wrong, and usually am when it comes to subnetting and understanding IP addresses etc ( evil teachers here whose sole aim in life is to confuse newbies :wink: )

So let's move that to 192.168.247.10 (and set it static in the DHCP lease).

(2) The forward chain is NOT the place for rules normally suited for the input chain or properly suited for Destination NAT Rules.
AKA remove this rule…
add action=accept chain=forward comment="nextcloud dst-nat" dst-address=192.168.247.1 dst-port=443 in-interface=ether1 protocol=tcp

(3) Assuming users are coming in on port 443, not for use on the router but for use on a server on the ubiquiti. Therefore we need to forward the incoming port to the ubiquiti.
Thus you need two things: the general forward chain firewall rule allowing dst-nat traffic to pass through the firewall. DONE!!!
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

Then you need a Destination NAT rule to pass the incoming traffic to the ubiquiti.
The general concept you have is correct here…the format just needs slight tweaking.
First of all you stated that your IP address is FIXED/STATIC. Kewl, I didn't know pppoe provided static fixed IP addresses.
add action=dst-nat chain=dstnat dst-address=wanip dst-port=443,10002 protocol=tcp to-addresses=192.168.247.10

IF the pppoe address is not static, i.e. will change, aka dynamic, then
add action=dst-nat chain=dstnat in-interface-list=WAN dst-port=443,10002 protocol=tcp to-addresses=192.168.247.10

Thank you for your reply. Very much appreciated! :slight_smile:

This is what it looks like at the moment:

add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked in-interface=ether1
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address=(WANIP) dst-port=443 protocol=tcp to-addresses=192.168.247.1

I double-checked the point with the .1 and meanwhile changed it to .58, but that didn't change anything.
When I try to access my nextcloud server, the browser keeps loading, loading, loading and times out after a while.
I can see in the counters that there is traffic going on. I played around with "Torch" yesterday and for me it looks like the WANIP never passes "ether1" where the pppoe is connected to.

And yes - as a business customer you can get a static IP in Germany from Deutsche Telekom. :slight_smile:
I also double-checked if something changes if I go the In-Interface route … same issue.

So, what the heck is going on here?

Maybe one thing that wasn't mentioned clearly enough before: My client calling the nextcloud server sits on the same subnet, meaning both - the server and myself - are behind the Ubiquiti on the same subnet, which is then of course the same IP for the MT (192.168.247.1). The internal LAN behind the ubiquiti is 192.168.119.0/24.

P.S.: Today is Sunday - I’ll remove the real IPs later on today :sunglasses:

Okay.
So I need to see the complete config then
/export hide-sensitive file=anynameyouwish

So, let's get this straight.
a. You are behind the ubiquiti
b. Server is behind ubiquiti
c. The client, which may be you, also sits behind the ubiquiti.

The obvious question is if you don't have external users why not just use LANIPs from ubiquiti user to ubiquiti server??? Why try to connect to the server based on the WANIP of the mikrotik??

In any case you may need a hairpin nat rule, so your config looks like this…
/ip firewall nat
add action=masquerade chain=srcnat dst-address=192.168.247.0/24 src-address=192.168.247.0/24
add action=src-nat chain=srcnat out-interface-list=WAN to-addresses=WANIP ( the more correct format for fixed IP )
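
Why the second srcnat rule matters is easier to see when the packet path is traced step by step. The following Python model is an added example and not RouterOS code or anything from the thread: it plays the three NAT configurations from this thread (the first post's dst-nat restricted to in-interface=ether1, the dst-nat without in-interface but without hairpin, and the dst-nat plus the LAN-to-LAN masquerade) against a client on the 192.168.247.0/24 segment that opens WANIP:443. It takes the MikroTik's single-subnet view and treats the UDM's WAN address as "the server"; the second NAT behind the UDM, the WAN masquerade and the filter chains are left out. The public address 203.0.113.10 and the client address 192.168.247.20 are constructed placeholders.

```python
from dataclasses import dataclass, replace

# Constructed addresses following the thread's layout. WANIP is a documentation
# placeholder standing in for the real public pppoe address.
WANIP = "203.0.113.10"
ROUTER_LAN = "192.168.247.30"   # MikroTik on the transfer network
SERVER = "192.168.247.58"       # UDM WAN side, where port 443 is forwarded to
CLIENT = "192.168.247.20"       # hypothetical client on the same /24 as the router
LAN_PREFIX = "192.168.247."     # stands in for 192.168.247.0/24


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    in_iface: str = "bridge"    # LAN-originated traffic enters on the bridge, not ether1


def rule_matches(rule, pkt):
    """Match a NAT rule on the matchers this model supports; a value ending in '.' is a subnet prefix."""
    for key, attr in (("dst_address", "dst"), ("src_address", "src"),
                      ("dst_port", "dport"), ("in_iface", "in_iface")):
        want = rule.get(key)
        if want is None:
            continue
        have = getattr(pkt, attr)
        if isinstance(want, str) and want.endswith("."):
            if not have.startswith(want):
                return False
        elif have != want:
            return False
    return True


class Router:
    """Minimal dstnat/srcnat engine with a conntrack table for reversing translations."""

    def __init__(self, nat_rules):
        self.nat_rules = nat_rules
        self.conntrack = {}  # (src, sport, dst, dport) of the translated packet -> original packet

    def forward(self, pkt):
        original = pkt
        for rule in self.nat_rules:   # dstnat is applied first (prerouting)
            if rule["chain"] == "dstnat" and rule_matches(rule, pkt):
                pkt = replace(pkt, dst=rule["to"])
                break
        for rule in self.nat_rules:   # srcnat sees the already-rewritten destination
            if rule["chain"] == "srcnat" and rule_matches(rule, pkt):
                pkt = replace(pkt, src=rule.get("to", ROUTER_LAN))  # masquerade -> router's own LAN IP
                break
        self.conntrack[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = original
        return pkt

    def reverse(self, reply):
        """Undo both translations for a reply that comes back through the router."""
        original = self.conntrack.get((reply.dst, reply.dport, reply.src, reply.sport))
        if original is None:
            return None
        return replace(reply, src=original.dst, dst=original.src)


def server_reply(pkt):
    """The server answers whatever source address the request carried."""
    return Packet(src=pkt.dst, sport=pkt.dport, dst=pkt.src, dport=pkt.sport)


def client_accepts(reply):
    """The client's socket only matches a reply from WANIP:443 addressed to itself."""
    return reply.src == WANIP and reply.sport == 443 and reply.dst == CLIENT


def run(nat_rules):
    router = Router(nat_rules)
    request = Packet(src=CLIENT, sport=51000, dst=WANIP, dport=443, in_iface="bridge")
    translated = router.forward(request)
    if translated.dst != SERVER:
        return "dstnat did not match: WANIP is the router itself, so the packet hits the input chain"
    reply = server_reply(translated)
    # Same /24 and not addressed to the router: the server's reply goes straight to
    # that host over the bridge and the router never sees it, so nothing is un-NATed.
    if reply.dst.startswith(LAN_PREFIX) and reply.dst != ROUTER_LAN:
        return "accepted" if client_accepts(reply) else f"client drops reply from {reply.src}"
    untranslated = router.reverse(reply)
    return "accepted" if untranslated and client_accepts(untranslated) else "no conntrack entry"


# Scenario 1: the first post's rule, which only matches packets arriving on ether1 (pppoe side)
ORIGINAL = [{"chain": "dstnat", "dst_address": WANIP, "dst_port": 443, "in_iface": "ether1", "to": SERVER}]
# Scenario 2: in-interface removed, but no hairpin rule yet
NO_HAIRPIN = [{"chain": "dstnat", "dst_address": WANIP, "dst_port": 443, "to": SERVER}]
# Scenario 3: plus the masquerade for LAN-to-LAN traffic that made it work
HAIRPIN = NO_HAIRPIN + [{"chain": "srcnat", "src_address": LAN_PREFIX, "dst_address": LAN_PREFIX}]

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("no hairpin", NO_HAIRPIN), ("hairpin", HAIRPIN)):
        print(f"{name:11s} -> {run(rules)}")
```

The masquerade rewrites the client's source to the router's own LAN address only for traffic that is both from and to 192.168.247.0/24 after dst-nat, which forces the server's reply back through the router where conntrack can restore WANIP as the source. Without it the reply arrives at the client from 192.168.247.58, a source it never talked to, and the connection hangs exactly as described in the thread.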

Man, you cannot imagine how happy I am! It works - thank you! thank you! thank you! …
I missed the 2nd line of the hairpin-NAT last night.

Oh man, thank you!

So there are reasons for this "architecture".
There are more than only the nextcloud server, where I i.e. use SMB internally. I'm thinking about connecting the servers with a 2nd nic to the transfer network 192.168.247.0/24 and only those where we need portfwd, i.e. for letsencrypt cert refresh, smtp, etc.
There are 2 other local LANs and we have customer systems in house for repair on a regular basis. So on the one hand we are using this unnecessary complexity to test things, but on the other hand there are requirements behind it. :slight_smile:

Once again - thank you for your help! Made my day(s).
Best,
Markus

No worries all documented here see item E. - https://forum.mikrotik.com/viewtopic.php?t=182373