DST-NAT Problem

Hi Guys,

I’ve been struggling now for days googling and trying to figure out how to get my dst-nat working so hope someone here can shed some light on what I could possibly be doing wrong.

Ok, the scenario:

I want to access the services running on my pc from the internet, i.e. sabnzb, utorrent, ftp and vnc.

The current setup of my internet is as follows:

PC (172.18.42.97) – RB (PPPoE) – src-nat – Internet

I have managed to set up my dyndns on the RB and all seems to be working on that front. My problem now is that when I put in the dst-nat to forward the specific ports to my PC IP, it just doesn’t work. No packets are even picked up by the NAT.

My current dst-nat setting, which someone helped me set up, is as follows:

 6   chain=dstnat action=dst-nat to-addresses=172.18.42.97 to-ports=80 
     protocol=tcp in-interface=mweb dst-port=80

I have only set port 80 for now to test.
Am I doing something wrong here? If any more info is required I’ll be more than happy to give it.

Thanks

Yes you are.
Destination address is the WAN IP and in action you point to your internal IP and port.

Hi,

Use port mapping for every service you need.
In this case (port 80) your rule should be:

/ip firewall nat add chain=dstnat dst-port=80 action=dst-nat protocol=tcp to-addresses=your_PC_IP_address to-ports=80

Set similar rules for every service. Don’t set ‘full’ DST-NAT to your PC.

Regards, Grzegorz.

Faced a similar problem today. Once again bigear-fatglasses coders changed something radically, without any reason, just for da hell of it. Now dst-nat is not working if dst address is given. Removing it - works fine.
Why da %$* do they do that??? I have 4.6 on that RB. Before that I had quite many, since version 3. Changes like that are NOT in the changelog and appeared in DNS, masquerade and now - dst-nat.

Has worked for me in 4.5/4.6/5.0b2/b3/b4.

Tried all the above suggestions and it’s still not working. That’s what’s bugging me though, everything seems correct but for some reason it will just not work.

Don’t know if it’s the setup I currently use to get inet from my pc or what but something is missing somewhere.

Do I need some sort of forwarding on my PC to return the requests sent to it? Sorry, I am pretty clueless when it comes to natting on ROS.

Btw: Using ROS 3.19

You do have an associated firewall rule, right?

If you mean firewall filter rules then nope. Should I?

Yes. You need to have a rule like this:

/ip firewall filter add chain=forward in-interface=(in interface) dst-address=(nat ip address) protocol=tcp port=XXX connection-state=new action=accept

Toady, just bear in mind that when you set up that port forward (dst-nat rule) you won’t be able to test it from within your network, since you haven’t done any NAT Loopback (aka hairpin NAT). You would have to test it from the Internet! Usually we specify an ‘in-interface’ or ‘dst-address’ in the dst-nat rule. If you don’t do that, then you’re going to be redirecting all traffic going to TCP port 80 to your PC.

Here’s a quick example that I’ve posted for the hairpin NAT: http://forum.mikrotik.com/t/wan-services-not-available-to-local-users-please-help/32923/1
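
The scoping point and the filter rule discussed above, put together as an added example (not posted by anyone in this thread): a port-80 forward limited to the WAN interface, plus the forward-chain rules that let only that translated traffic through. The interface name mweb and the address 172.18.42.97 come from the first post; the final drop rule and the comments are assumptions about how the rest of the filter should behave.

```routeros
# Added example. mweb = PPPoE (WAN) interface, 172.18.42.97 = internal PC,
# both taken from the first post. Everything else is an assumption.

/ip firewall nat
# Unscoped form (shown commented out): with no in-interface or dst-address
# it matches TCP/80 arriving on any interface, so web requests from LAN
# users heading out to the Internet would be rewritten to the PC as well.
# add chain=dstnat protocol=tcp dst-port=80 action=dst-nat \
#     to-addresses=172.18.42.97 to-ports=80

# Scoped form: only connections entering through the WAN interface match.
add chain=dstnat in-interface=mweb protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=172.18.42.97 to-ports=80 \
    comment="forward tcp/80 from WAN to PC"

/ip firewall filter
# dst-nat is applied before the forward chain, so these rules see the
# translated (internal) destination address, not the WAN address.
# One connection-state value per rule keeps this valid on older releases.
add chain=forward connection-state=established action=accept \
    comment="return traffic of existing connections"
add chain=forward connection-state=related action=accept \
    comment="related traffic"
add chain=forward in-interface=mweb dst-address=172.18.42.97 \
    protocol=tcp dst-port=80 connection-state=new action=accept \
    comment="new WAN connections to the forwarded port only"
# Assumption: nothing else should be reachable from the WAN side.
add chain=forward in-interface=mweb action=drop \
    comment="drop every other new connection coming in from WAN"

# "add" appends to the end of the list and rules are evaluated top to
# bottom, so on a router that already has forward rules, check the order
# with "/ip firewall filter print" before relying on the drop rule.
```

Because the dst-nat rule is tied to in-interface=mweb, requests from inside the LAN to the public address will not match it; that case needs the hairpin NAT setup from the linked post.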