Dst-nat, firewall

Good morning, I have the following doubt. When I want to redirect a port, is it also necessary to create a forward firewall rule that allows it? For example, the traffic that enters my public IP on port xxxx is redirected to the private IP 192.168.1.23, port xxxx. Then, in the firewall rules, create a forward rule that allows it. Thank you

This should do the trick.

/ip firewall nat add chain=dstnat action=dst-nat to-addresses=192.168.1.23 to-ports=xxxx protocol=tcp dst-address= dst-port=xxxx

The default configuration on most SOHO devices features the following firewall rule:

/ip firewall filter
add action=drop chain=forward \
    comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN

This rule sits at the bottom of the rule list and takes care of forwarded ports (from the NAT section). However, one needs to stick to the interface list concept when configuring additional interfaces manually (e.g. if you manually added a PPPoE interface, you have to add pppoe-out1 to the WAN interface list).
If you have everything else in place, then it is enough to add the port forwarding rule in the NAT section and the firewall will let the traffic pass through.

[Attachments: option1.jpg, option2.jpg]
Let's see if I understand. It can be done two different ways. Attached photos.

I wish PPPoE and any variant thereof were abolished from the face of the earth, and CAPsMAN LOL... just kidding, CAPsMAN is really good if you understand it (over my head).

I believe the correct format for the destination rule looks more like...
/ip firewall nat
add chain=dstnat action=dst-nat in-interface=eth-01(wan-interface) dst-port=xxxx protocol=tcp to-addresses=192.168.1.23

You don't need to repeat the destination port in 'to-ports' unless you want to do port translation.
Finally, yes, as noted by mkx, one needs a general rule in the forward filter rules to allow the passage of dst-nat packets.

Mine is a bit different…
action=accept chain=forward connection-nat-state=dstnat
followed shortly by my last forward rule…
action=drop chain=forward

Yup, it can be done both ways. The first one is a bit awkward because you have to repeat a few settings (i.e. protocol, ports, ...) in the firewall filter rule, which can be error-prone.
If you have many ports forwarded, then the "mirrored" firewall filter rules grow in number as well, which might cause a minor performance hit. In the second way of doing it, a single firewall filter rule covers all dst-nat rules.
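To put the two ways discussed in this thread side by side, here is an added RouterOS example (not the config of anyone posting above). It assumes the WAN interface is a member of the default WAN interface list, uses `ether1` and `pppoe-out1` as placeholder interface names, and keeps the port as `xxxx`; replace those with your own values. The public IP is not needed when matching on the WAN interface list.

```routeros
# Make sure every uplink is in the WAN list; the defconf drop rule and the
# dst-nat rule below both match on in-interface-list=WAN, so a manually added
# PPPoE client is invisible to them until it is a member (assumed name pppoe-out1).
/interface list member
add list=WAN interface=ether1
add list=WAN interface=pppoe-out1

# The port forward itself (to-ports is only needed for port translation).
/ip firewall nat
add chain=dstnat action=dst-nat in-interface-list=WAN protocol=tcp dst-port=xxxx \
    to-addresses=192.168.1.23 comment="forward xxxx to 192.168.1.23"

# Option 1: a mirrored accept rule per forwarded port. Every change to the
# NAT rule (protocol, port, target) has to be repeated here, so it drifts easily.
/ip firewall filter
add chain=forward action=accept in-interface-list=WAN protocol=tcp \
    dst-address=192.168.1.23 dst-port=xxxx connection-state=new \
    comment="option1: mirror of the dst-nat rule" \
    place-before=[find where comment~"drop all from WAN not DSTNATed"]

# Option 2: one rule that covers every dst-nat rule, present and future.
/ip firewall filter
add chain=forward action=accept connection-nat-state=dstnat \
    connection-state=new in-interface-list=WAN \
    comment="option2: accept all forwarded ports" \
    place-before=[find where comment~"drop all from WAN not DSTNATed"]

# Use one of the two, not both, and verify that the accept rule sits above the
# final drop and is actually being hit:
/ip firewall filter print stats where chain=forward
```

The `place-before` argument keeps the accept rule above the default "drop all from WAN not DSTNATed" rule; if that rule has been renamed or removed on your device, check the order with `/ip firewall filter print` and move the rule manually. With the stock defconf ruleset the drop rule already exempts dst-natted connections, so option 2 is effectively what the default firewall does on its own; the explicit accept only matters if you have replaced the defaults with a plain `action=drop chain=forward` at the end.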

Thank you