DST-NAT not working as it should

Hi.

Been running a MikroTik RB433 for a while now. I do not have that much experience using the product, but at least some know-how of networks,
and have been using other devices like WatchGuard and ZyWALL, but not in any advanced configuration. Mostly for basic firewall stuff.

Anyway, it seems I can not get the DST-NAT function to work properly. Everything else with the basic configuration of the firewall was
straightforward and not too difficult. I have been looking at "Learn RouterOS 2nd Edition, Dennis Burgess",
"RouterOS By Example, Stephen Discher", other information and videos, and I can not figure out what is wrong or if I am
missing something. MikroTik is such an advanced router OS that it is easy to get confused or get lost in the system itself.

I think there is something missing or wrong in IP → Firewall → Filter Rules, and the NAT page. DST-NAT seems to work,
but only for some ports and not others. Here is the configuration.


[admin@RB433AH] /ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Allow new, established, related connections from ether3 to ether1
chain=forward action=accept connection-state=established,related,new in-interface=ether3 log=no log-prefix=""

1 ;;; Allow new, established, related connections from ether2 to ether1
chain=forward action=accept connection-state=established,related,new in-interface=ether2 log=no log-prefix=""

2 ;;; Allow new, established, related connections from wlan1 to ether1
chain=forward action=accept connection-state=established,related,new in-interface=wlan1 log=no log-prefix=""

3 ;;; Allow new, established, related connections from wlan2 to ether1
chain=forward action=accept connection-state=established,related,new in-interface=wlan2 log=no log-prefix=""

4 ;;; Drop all invalid connections from ether3 to ether1
chain=forward action=drop connection-state=invalid in-interface=ether3 log=no log-prefix=""

5 ;;; Drop all invalid connections from ether2 to ether1
chain=forward action=drop connection-state=invalid in-interface=ether2 log=no log-prefix=""

6 ;;; Drop all invalid connections from wlan1 to ether1
chain=forward action=drop connection-state=invalid in-interface=wlan1 log=no log-prefix=""

7 ;;; Drop all invalid connections from wlan2 to ether1
chain=forward action=drop connection-state=invalid in-interface=wlan2 log=no log-prefix=""

8 ;;; Drop all other traffic from ether3
chain=forward action=drop in-interface=ether3 log=no log-prefix=""

9 ;;; Drop all other traffic from ether2
chain=forward action=drop in-interface=ether2 log=no log-prefix=""

10 ;;; Drop all other traffic from wlan1
chain=forward action=drop in-interface=wlan1 log=no log-prefix=""

11 ;;; Drop all other traffic from wlan2
chain=forward action=drop in-interface=wlan2 log=no log-prefix=""

12 ;;; Drop WAN UDP DNS requests to router
chain=input action=drop protocol=udp in-interface=ether1 dst-port=53 log=no log-prefix=""

13 ;;; Drop WAN TCP DNS requests to router
chain=input action=drop protocol=tcp in-interface=ether1 dst-port=53 log=no log-prefix=""


[admin@RB433AH] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Masquerade traffic from ether2 to ether1
chain=srcnat action=masquerade src-address=192.168.1.0/24 out-interface=ether1 log=no log-prefix=""

1 ;;; Masquerade traffic from ether3 to ether1
chain=srcnat action=masquerade src-address=192.168.2.0/24 out-interface=ether1 log=no log-prefix=""

2 ;;; Masquerade traffic from wlan1 to ether1
chain=srcnat action=masquerade src-address=192.168.3.0/24 out-interface=ether1 log=no log-prefix=""

3 ;;; Masquerade traffic from wlan2 to ether1
chain=srcnat action=masquerade src-address=192.168.4.0/24 out-interface=ether1 log=no log-prefix=""

4 ;;; Forward traffic from Internet to a internal IP address on ether3
chain=dstnat action=dst-nat to-addresses=192.168.2.250 to-ports=9881-9888 protocol=tcp in-interface=ether1 dst-port=9881-9888 log=no log-prefix=""

5 ;;; Forward traffic from Internet to a internal IP address on ether3
chain=dstnat action=dst-nat to-addresses=192.168.2.250 to-ports=9881-9888 protocol=udp in-interface=ether1 dst-port=9881-9888 log=no log-prefix=""

6 ;;; Forward traffic from Internet to a internal IP address on ether3
chain=dstnat action=dst-nat to-addresses=192.168.2.250 to-ports=563 protocol=tcp in-interface=ether1 dst-port=563 log=no log-prefix=""

7 ;;; Forward traffic from Internet to a internal IP address on ether3
chain=dstnat action=dst-nat to-addresses=192.168.2.250 to-ports=563 protocol=udp in-interface=ether1 dst-port=563 log=no log-prefix=""

8 ;;; Forward traffic from Internet to a internal IP address on ether3
chain=dstnat action=dst-nat to-addresses=192.168.2.250 to-ports=54630 protocol=tcp in-interface=ether1 dst-port=54630 log=no log-prefix=""

9 ;;; Forward traffic from Internet to a internal IP address on ether3
chain=dstnat action=dst-nat to-addresses=192.168.2.250 to-ports=54630 protocol=udp in-interface=ether1 dst-port=54630 log=no log-prefix=""

10 ;;; Forward traffic from Internet to a internal IP address on ether3
chain=dstnat action=dst-nat to-addresses=192.168.2.250 to-ports=113 protocol=tcp in-interface=ether1 dst-port=113 log=no log-prefix=""

11 ;;; Forward traffic from Internet to a internal IP address on ether3
chain=dstnat action=dst-nat to-addresses=192.168.2.250 to-ports=113 protocol=udp in-interface=ether1 dst-port=113 log=no log-prefix=""

12 ;;; Forward traffic from Internet to a internal IP address on ether3
chain=dstnat action=dst-nat to-addresses=192.168.2.250 to-ports=1024-1094 protocol=tcp in-interface=ether1 dst-port=1024-1094 log=no log-prefix=""

13 ;;; Forward traffic from Internet to a internal IP address on ether3
chain=dstnat action=dst-nat to-addresses=192.168.2.250 to-ports=1024-1094 protocol=udp in-interface=ether1 dst-port=1024-1094 log=no log-prefix=""

14 ;;; Forward traffic from Internet to a internal IP address on ether3
chain=dstnat action=dst-nat to-addresses=192.168.2.250 to-ports=6660-6669 protocol=tcp in-interface=ether1 dst-port=6660-6669 log=no log-prefix=""

15 ;;; Forward traffic from Internet to a internal IP address on ether3
chain=dstnat action=dst-nat to-addresses=192.168.2.250 to-ports=6660-6669 protocol=udp in-interface=ether1 dst-port=6660-6669 log=no log-prefix=""


I know that I could combine the UDP and TCP things and just forward anything regardless of protocol.

When I do port tests from sites on the Internet, some ports are open, others not. I just want the ports to be open regardless
and forward any traffic to a specific internal IP. There are specific services that I use which do not work otherwise.

Anyway, can someone help with this? Any help is appreciated. If you need more info I can provide that.

For opening ports to the world on the router itself, you need firewall filter. For dst-nat of a port to an internal host you need firewall nat.
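To make the distinction in that reply concrete against the configuration posted above, here is an added example (not from the thread or from MikroTik) that models how RouterOS walks the dstnat chain first and then either the input chain (packet still addressed to the router) or the forward chain (packet rewritten to an internal host). It uses a subset of the poster's rules; the WAN address, the limited set of matchers, and the "no matching rule means the chain's default accept" behaviour are assumptions of the model.

```python
# Added example, not from the thread: a small model of how RouterOS walks the
# dstnat chain and then the input or forward filter chain for one packet.
# Rules are a subset of the configuration posted above; matching only on
# in-interface, protocol, dst-port and connection-state is an assumption.
RULES = """
chain=forward action=accept connection-state=established,related,new in-interface=ether3
chain=forward action=drop connection-state=invalid in-interface=ether3
chain=forward action=drop in-interface=ether3
chain=input action=drop protocol=udp in-interface=ether1 dst-port=53
chain=dstnat action=dst-nat to-addresses=192.168.2.250 to-ports=563 protocol=tcp in-interface=ether1 dst-port=563
chain=dstnat action=dst-nat to-addresses=192.168.2.250 to-ports=1024-1094 protocol=tcp in-interface=ether1 dst-port=1024-1094
"""
WAN_IP = "203.0.113.10"  # constructed address for ether1 (documentation range)

def parse_rules(text):
    """Turn 'key=value ...' lines from '/ip firewall ... print' into dicts."""
    return [dict(tok.split("=", 1) for tok in ln.split()) for ln in text.strip().splitlines()]

def port_in(spec, port):
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def matches(rule, pkt):
    return (rule.get("in-interface", pkt["in-interface"]) == pkt["in-interface"]
            and rule.get("protocol", pkt["protocol"]) == pkt["protocol"]
            and ("dst-port" not in rule or port_in(rule["dst-port"], pkt["dst-port"]))
            and ("connection-state" not in rule
                 or pkt["state"] in rule["connection-state"].split(",")))

def walk(rules, chain, pkt):
    """First matching rule wins; no match means the chain's default accept."""
    return next((r for r in rules if r["chain"] == chain and matches(r, pkt)), {"action": "accept"})

def inbound(proto, port, state="new"):
    """A packet from the Internet arriving on ether1 addressed to the router."""
    return {"in-interface": "ether1", "protocol": proto, "dst-port": port,
            "dst-address": WAN_IP, "state": state}

def route(rules, pkt):
    """Return (final dst address, dst port, verdict) after NAT and filtering."""
    pkt = dict(pkt)
    nat = walk(rules, "dstnat", pkt)
    if nat["action"] == "dst-nat":
        pkt["dst-address"] = nat["to-addresses"]
        lo, _, hi = nat.get("to-ports", "").partition("-")
        # a single to-port rewrites the port; the ranges here map 1:1 so keep it
        pkt["dst-port"] = int(lo) if lo and not hi else pkt["dst-port"]
    # still addressed to the router -> input chain; rewritten -> forward chain
    chain = "input" if pkt["dst-address"] == WAN_IP else "forward"
    return pkt["dst-address"], pkt["dst-port"], walk(rules, chain, pkt)["action"]
```

With the posted rules, a forwarded port such as TCP 563 reaches 192.168.2.250 through the forward chain (none of its drop rules match in-interface=ether1), while a port with no dstnat rule stays on the router and is answered only if a router service listens there, which is why an external port test can report "closed" even though nothing in the rules blocks it.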

Hmm, after some research and actually switching to a Zyxel USG firewall, it turned out that my MikroTik configuration needed
to be improved, but overall there was nothing wrong.

The MikroTik wiki on DST-NAT is correct, and my open ports are open. The sneaky part was that for some services on the Internet
that can "test" these ports, you need to have the P2P program running so it can respond on that port. I consider this
problem solved for now.

And when I am done with the Zyxel device I am switching back to MikroTik, a much better device.