dstnat/port forwarding not working

I have recently bought an RB2011UiAS-2HnD-IN for our office.
Everything is working except dst-nat (to connect to a PC from outside).
For testing I have disabled all other filters and rules, and this is the only active rule:

/ip firewall nat
add action=dst-nat chain=dstnat dst-port=3389 in-interface=pppoe-out1 \
    protocol=tcp to-addresses=192.168.1.101 to-ports=3389

When connecting from outside it times out after 10 seconds, but I see the Packets and Bytes counters change for this rule…
I also see the following log for this rule:

20:45:05 firewall,info dstnat: in:pppoe-out1 out:(none), proto TCP (SYN), MY_PC_IP:49321->WAN_IP:3389, len 52

I can ping 192.168.1.101 from the MikroTik, and the PC doesn’t have any firewall.

At home I have an RB450 and the dst-nat works without any problem using the same rule…
Thanks

Extra info


/ip route print detail
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit 
 0 ADS  dst-address=0.0.0.0/0 gateway=ADSL_GATEWAY_IP gateway-status=ADSL_GATEWAY_IP reachable via  pppoe-out1 distance=0 scope=30 target-scope=10 

 1   S  dst-address=0.0.0.0/0 gateway=pppoe-out1 gateway-status=pppoe-out1 reachable distance=1 scope=30 target-scope=10 

 2 ADC  dst-address=192.168.1.0/24 pref-src=192.168.1.100 gateway=bridge-local gateway-status=bridge-local reachable distance=0 scope=10 

 3 ADC  dst-address=192.168.10.0/24 pref-src=192.168.10.153 gateway=ether1-gateway gateway-status=ether1-gateway reachable distance=0 scope=10 

 4  DC  dst-address=192.168.11.0/24 pref-src=192.168.11.1 gateway=wlan_guest gateway-status=wlan_guest unreachable distance=255 scope=10 

 5 ADC  dst-address=ADSL_GATEWAY_IP/32 pref-src=ADSL_WAN_IP gateway=pppoe-out1 gateway-status=pppoe-out1 reachable distance=0 scope=10



/interface> print
Flags: D - dynamic, X - disabled, R - running, S - slave 
 #     NAME                                TYPE       ACTUAL-MTU L2MTU  MAX-L2MTU MAC-ADDRESS      
 0  R  ether1-gateway                      ether            1500  1598       4074 4C:5E:0C:C7:AB:95
 1  RS ether2                              ether            1500  1598       4074 4C:5E:0C:C7:AB:96
 2   S ether3                              ether            1500  1598       4074 4C:5E:0C:C7:AB:97
 3   S ether4                              ether            1500  1598       4074 4C:5E:0C:C7:AB:98
 4   S ether5                              ether            1500  1598       4074 4C:5E:0C:C7:AB:99
 5   S ether6-master-local                 ether            1500  1598       2028 4C:5E:0C:C7:AB:9A
 6   S ether7-slave-local                  ether            1500  1598       2028 4C:5E:0C:C7:AB:9B
 7   S ether8-slave-local                  ether            1500  1598       2028 4C:5E:0C:C7:AB:9C
 8   S ether9-slave-local                  ether            1500  1598       2028 4C:5E:0C:C7:AB:9D
 9   S ether10-slave-local                 ether            1500  1598       2028 4C:5E:0C:C7:AB:9E
10   S sfp1                                ether            1500  1598       4074 4C:5E:0C:C7:AB:94
11   S wlan1                               wlan             1500  1600            4C:5E:0C:C7:AB:9F
12     wlan_guest                          wlan             1500  1600            4E:5E:0C:C7:AB:9F
13  R  bridge-local                        bridge           1500  1598            4C:5E:0C:C7:AB:96
14  R  pppoe-out1                          pppoe-out        1430

I added the following rules:

/ip firewall filter
add action=log chain=forward dst-port=3389 protocol=tcp
/ip firewall mangle
add action=log chain=prerouting dst-port=3389 protocol=tcp
add action=log chain=postrouting dst-port=3389 protocol=tcp

I see the following logs (multiple times):

aug/27 01:16:30 firewall,info prerouting: in:pppoe-out1 out:(none), proto TCP (SYN), MY_IP:59883->ADSL_WAN_IP:3389, len 52 
aug/27 01:16:30 firewall,info dstnat: in:pppoe-out1 out:(none), proto TCP (SYN), MY_IP:59883->ADSL_WAN_IP:3389, len 52 
aug/27 01:16:30 firewall,info forward: in:pppoe-out1 out:bridge-local, proto TCP (SYN), MY_IP:59883->192.168.1.101:3389, NAT MY_IP:59883->(ADSL_WAN_IP:3389->192.168.1.101:3389), len 52 
aug/27 01:16:30 firewall,info postrouting: in:(none) out:bridge-local, proto TCP (SYN), MY_IP:59883->192.168.1.101:3389, NAT MY_IP:59883->(ADSL_WAN_IP:3389->192.168.1.101:3389), len 52 
aug/27 01:16:33 firewall,info prerouting: in:pppoe-out1 out:(none), proto TCP (SYN), MY_IP:59883->ADSL_WAN_IP:3389, NAT MY_IP:59883->(ADSL_WAN_IP:3389->192.168.1.101:3389), len 52 
aug/27 01:16:33 firewall,info forward: in:pppoe-out1 out:bridge-local, proto TCP (SYN), MY_IP:59883->192.168.1.101:3389, NAT MY_IP:59883->(ADSL_WAN_IP:3389->192.168.1.101:3389), len 52 
aug/27 01:16:33 firewall,info postrouting: in:(none) out:bridge-local, proto TCP (SYN), MY_IP:59883->192.168.1.101:3389, NAT MY_IP:59883->(ADSL_WAN_IP:3389->192.168.1.101:3389), len 52

To me, it looks like successfully forwarded SYN packets. If 192.168.1.101 is alive (it must be, if you can ping it from the router), its port 3389 is not firewalled (I have to trust you here) and the service on port 3389 is running (I hope you tested it from the LAN), it should have responded to the first one.

For lack of better ideas: 192.168.1.101 does have its default gateway set to the router’s address (192.168.1.100, it seems), right?

Yes, 192.168.1.101 has the router’s address, 192.168.1.100, as its default gateway…
I also tried with other PCs running HTTP and FTP servers, still no success.

Before installing the MikroTik we were using an ADSL modem and its port forwarding feature, and there was no problem…

The ISP didn’t change… I have just created the PPPoE connection inside the MikroTik…
The router IP is the same as the old ADSL modem’s IP.

How can I trace the problem ?

According to log, forwarding is working and forwarded packets should go out via bridge-local (I don’t see anything that could prevent it, except bridge filters, but you most likely do not use any). To be sure, you can use Tools->Torch on bridge-local and you should see packets for 192.168.1.101:3389. You can also try packet sniffer on 192.168.1.101, to see if anything arrives for 3389.

I installed MikroTik OS (free) on a PC, created just PPPoE / NAT for the LAN and dst-nat, and it worked!
I think the problem is related to routing…
I can reset all configs on the MikroTik and do it from the start, but I would be happier to fix it and find the issue…

This is my current routing :

#      DST-ADDRESS           PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                            ADSL_GATEWAY_IP           0
 1  DS  0.0.0.0/0                            192.168.10.100            1
 3 ADC  192.168.1.0/24       192.168.1.100   bridge-local              0
 4 ADC  192.168.10.0/24      192.168.10.153  ether1-gateway            0
 6 ADC  ADSL_GATEWAY_IP/32   ADSL_WAN_IP     pppoe-out1                0

Do you see any problem ?

Anyway, this is the routing on the MikroTik OS testing box, on which dst-nat is working…:

#      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          91.98.0.1                 0
 1 DS   0.0.0.0/0                          192.168.10.154            1
 2 ADC  192.168.10.0/24    192.168.10.154  ether1                    0
 3 ADC  91.98.0.1/32       ADSL_WAN_IP     pppoe-out1                0

Do you have a Src-NAT catching that RDP traffic when it shouldn’t be?

Second router is not part of LAN (192.168.1.0/24), so I don’t know how it could work with it. But I assume it’s just copy & paste error and the line is missing. Except this, I don’t see any difference, so routing does not look like the problem.

You didn’t write whether you checked that packets are successfully leaving the router (using Tools->Torch). If you do that, do you see only Tx, both Rx&Tx, or nothing?

Another idea (which means that I wouldn’t trust you about having disabled all filter rules) is that the problem might be in the other direction. If you add these rules (almost the same as the previous ones, except these match on src-port instead of dst-port, to catch the reply packets), do they produce anything in the log?

/ip firewall filter
add action=log chain=forward src-port=3389 protocol=tcp
/ip firewall mangle
add action=log chain=prerouting src-port=3389 protocol=tcp
add action=log chain=postrouting src-port=3389 protocol=tcp
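The two sets of logging rules in this thread (dst-port 3389 for the inbound SYN, src-port 3389 for the replies) produce a stream of lines that has to be read by hand. The following is an added example, not part of the original thread or of RouterOS: a small Python script that parses RouterOS `firewall,info` log lines with the prefixes used above (`prerouting`, `dstnat`, `forward`, `postrouting`) and, per client connection, reports how far the dst-nat'ed flow got: SYN arrived on the WAN interface, SYN forwarded toward the LAN, reply from the LAN host seen. The sample log is constructed: it mirrors the poster's lines with the placeholders replaced by documentation addresses (198.51.100.x for the outside client, 203.0.113.5 for the WAN address), plus a second, invented connection whose SYN,ACK does come back, to show what the healthy case looks like.

```python
"""Correlate RouterOS firewall log lines for a dst-nat'ed service and say
how far each client connection got. Added example, not RouterOS code."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Matches the fixed part of a RouterOS TCP log line:
#   <prefix>: in:<if> out:<if>, proto TCP (<flags>), <src>:<sport>-><dst>:<dport>
# Everything after that (NAT mapping, len) is ignored on purpose.
LOG_RE = re.compile(
    r"firewall,info (?P<prefix>[\w-]+): in:(?P<in_if>[^\s,]+) out:(?P<out_if>[^\s,]+), "
    r"proto TCP \((?P<flags>[^)]*)\), "
    r"(?P<src>[^\s:]+):(?P<sport>\d+)->(?P<dst>[^\s:,]+):(?P<dport>\d+)"
)

# Constructed sample log (placeholders from the thread replaced by RFC 5737 addresses).
SAMPLE_LOG = [
    # connection 1: copied shape of the poster's lines, SYN forwarded, nothing comes back
    "aug/27 01:16:30 firewall,info prerouting: in:pppoe-out1 out:(none), proto TCP (SYN), 198.51.100.7:59883->203.0.113.5:3389, len 52",
    "aug/27 01:16:30 firewall,info dstnat: in:pppoe-out1 out:(none), proto TCP (SYN), 198.51.100.7:59883->203.0.113.5:3389, len 52",
    "aug/27 01:16:30 firewall,info forward: in:pppoe-out1 out:bridge-local, proto TCP (SYN), 198.51.100.7:59883->192.168.1.101:3389, NAT 198.51.100.7:59883->(203.0.113.5:3389->192.168.1.101:3389), len 52",
    "aug/27 01:16:30 firewall,info postrouting: in:(none) out:bridge-local, proto TCP (SYN), 198.51.100.7:59883->192.168.1.101:3389, NAT 198.51.100.7:59883->(203.0.113.5:3389->192.168.1.101:3389), len 52",
    "aug/27 01:16:33 firewall,info prerouting: in:pppoe-out1 out:(none), proto TCP (SYN), 198.51.100.7:59883->203.0.113.5:3389, NAT 198.51.100.7:59883->(203.0.113.5:3389->192.168.1.101:3389), len 52",
    "aug/27 01:16:33 firewall,info forward: in:pppoe-out1 out:bridge-local, proto TCP (SYN), 198.51.100.7:59883->192.168.1.101:3389, NAT 198.51.100.7:59883->(203.0.113.5:3389->192.168.1.101:3389), len 52",
    "aug/27 01:16:33 firewall,info postrouting: in:(none) out:bridge-local, proto TCP (SYN), 198.51.100.7:59883->192.168.1.101:3389, NAT 198.51.100.7:59883->(203.0.113.5:3389->192.168.1.101:3389), len 52",
    # connection 2: invented healthy case, the LAN host answers with SYN,ACK (src-port 3389 rule fires)
    "aug/27 01:20:01 firewall,info prerouting: in:pppoe-out1 out:(none), proto TCP (SYN), 198.51.100.8:40000->203.0.113.5:3389, len 52",
    "aug/27 01:20:01 firewall,info forward: in:pppoe-out1 out:bridge-local, proto TCP (SYN), 198.51.100.8:40000->192.168.1.101:3389, NAT 198.51.100.8:40000->(203.0.113.5:3389->192.168.1.101:3389), len 52",
    "aug/27 01:20:01 firewall,info forward: in:bridge-local out:pppoe-out1, proto TCP (SYN,ACK), 192.168.1.101:3389->198.51.100.8:40000, len 52",
]


@dataclass
class FlowTrace:
    syn_in: bool = False         # SYN seen entering on the WAN interface (prerouting/dstnat)
    syn_forwarded: bool = False  # SYN seen in the forward chain leaving toward the LAN
    reply_seen: bool = False     # any packet with src-port == service port coming back
    syn_attempts: int = 0        # prerouting SYN lines, i.e. client retransmissions


def trace_flows(lines, service_port=3389, wan_if="pppoe-out1"):
    """Group log lines by (client ip, client port) and record what each flow reached."""
    flows = defaultdict(FlowTrace)
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        sport, dport = int(m["sport"]), int(m["dport"])
        if dport == service_port:                      # client -> service direction
            t = flows[(m["src"], sport)]
            if m["in_if"] == wan_if and "SYN" in m["flags"]:
                if m["prefix"] == "prerouting":
                    t.syn_attempts += 1
                if m["prefix"] in ("prerouting", "dstnat"):
                    t.syn_in = True
                if m["prefix"] == "forward" and m["out_if"] != wan_if:
                    t.syn_forwarded = True
        elif sport == service_port:                    # service -> client direction
            flows[(m["dst"], dport)].reply_seen = True
    return dict(flows)


def diagnose(t: FlowTrace) -> str:
    """Turn a FlowTrace into the next thing to check, following the thread's reasoning."""
    if not t.syn_in:
        return "no SYN on WAN: problem is upstream of the router (ISP, modem, wrong public IP)"
    if not t.syn_forwarded:
        return "SYN reached router but was not forwarded: check dst-nat rule and filter forward chain"
    if not t.reply_seen:
        return "SYN forwarded to LAN host but no reply seen: check host service, host firewall, host default gateway (Torch bridge-local)"
    return "reply seen at router: forwarding works both ways; look at src-nat/masquerade or the client side"


if __name__ == "__main__":
    for (ip, port), trace in sorted(trace_flows(SAMPLE_LOG).items()):
        print(f"{ip}:{port} attempts={trace.syn_attempts} -> {diagnose(trace)}")
```

Run it against your own exported log (`/log print where topics~"firewall"` pasted into a file) by replacing `SAMPLE_LOG`; the interesting signal is a flow with `syn_forwarded` set and `reply_seen` unset, which is exactly the state the poster's log shows and which points at the host or its gateway rather than at the router's dst-nat rule.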