Filter / NAT Issues

I’ve been struggling for weeks to get Filters and NAT working properly. I am using a RB3011 as a Router/Gateway with 1G fiber SFP WAN. I cannot get any traffic to pass to the NAT. The router has very basic configs on it at this point.

I’ve been setting up Filters and NATs to align with all the tutorials I’ve found and I get ZERO packets beyond the masquerade in the NAT. For some simple tests with a Banana Pi I’m trying to forward port 80 to an internal IP.

Looking for some direction here. Thanks

Filter:
Flags: X - disabled, I - invalid, D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=forward

1 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection
connection-state=established,related log=no log-prefix=""

2 ;;; defconf: accept established,related
chain=forward action=accept
connection-state=established,related log=no log-prefix=""

3 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid log=no
log-prefix=""

4 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new
connection-nat-state=!dstnat in-interface=WAN log=no
log-prefix=""

5 chain=input action=accept protocol=icmp log=no log-prefix=""

6 chain=input action=accept connection-state=established
log=no log-prefix=""

7 chain=input action=accept connection-state=related log=no
log-prefix=""

8 chain=input action=drop in-interface=WAN log=no
log-prefix=""

NAT:
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; defconf: masquerade
chain=srcnat action=masquerade out-interface=WAN log=no
log-prefix=""

1 chain=dstnat action=dst-nat to-addresses=192.168.88.29
to-ports=80 protocol=tcp in-interface=WAN dst-port=80
log=no log-prefix=""

Hi,

Try adding dst-address=your public ip to that last nat rule of yours

That would only make the rule more restrictive - as written it will work for any destination IP so long as the packet arrives on the WAN interface…
i.e. it can only make it less likely to match a packet, and not more likely.

Your rules are set up right for what you want to do - which makes me think the problem is not with the Mikrotik itself - the ISP could be blocking inbound traffic to port 80, the device behind the Mikrotik could be configured in a way that doesn’t work with this configuration, or your WAN configuration could be different than the usual…

Questions:

If you go to ipchicken.com from a browser inside your LAN, does it give the same IP address that’s on the WAN interface of your Mikrotik?
This is the most common issue with dstnat-related threads on the forum here… the Mikrotik not having the real public IP…
If they don’t match, then some other device will need to also be doing DSTnat from the real public IP (on IPChicken) back to the WAN IP of your Mikrotik…

Other possible problems—

Is your WAN interface really called WAN just like in the rules you posted?
Is the router’s public IP address actually on the interface called WAN?
(I assume so since you can surf the internet using the masquerade rule which also calls the interface WAN)
Does your WAN have multiple public IP addresses, or just a single one provided by your ISP?
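The reasoning in the reply above (the posted rules are right for port forwarding, and a dst-address matcher can only narrow the dst-nat rule) can be checked with a small Python model of the rules quoted in the thread. This is an added example, not code from the thread or from RouterOS; it assumes first-match semantics per chain, treats fasttrack-connection as non-terminating, and uses 203.0.113.10 as a constructed placeholder for the router's public WAN address.

```python
# Added example, not from the thread or RouterOS: a small model of how the
# poster's dst-nat rule and forward chain treat a packet arriving on WAN
# (first match wins per chain). 203.0.113.10 is a constructed placeholder.

DSTNAT_RULES = [{  # NAT rule 1 from the thread
    "protocol": "tcp", "in-interface": "WAN", "dst-port": 80,
    "action": "dst-nat", "to-addresses": "192.168.88.29", "to-ports": 80}]
# The same rule with the dst-address restriction the first reply suggested
RESTRICTED_DSTNAT = [dict(DSTNAT_RULES[0], **{"dst-address": "203.0.113.10"})]

FORWARD_RULES = [  # forward chain rules 1-4 from the thread (dummy rule omitted)
    {"connection-state": {"established", "related"}, "action": "fasttrack-connection"},
    {"connection-state": {"established", "related"}, "action": "accept"},
    {"connection-state": {"invalid"}, "action": "drop"},
    {"connection-state": {"new"}, "connection-nat-state": "!dstnat", "in-interface": "WAN", "action": "drop"},
]

def matches(rule, pkt):
    # Every matcher in the rule must fit the packet; a set means "any of", "!x" negates.
    for key, want in rule.items():
        if key in ("action", "to-addresses", "to-ports"):
            continue
        have = pkt.get(key)
        if isinstance(want, set):
            ok = have in want
        else:
            ok = (have != want[1:]) if str(want).startswith("!") else (have == want)
        if not ok:
            return False
    return True

def process(pkt, dstnat_rules=DSTNAT_RULES, forward_rules=FORWARD_RULES):
    # dstnat runs before filtering, so the forward chain sees the rewritten destination.
    pkt = dict(pkt)
    for rule in dstnat_rules:
        if matches(rule, pkt):
            pkt.update({"dst-address": rule["to-addresses"],
                        "dst-port": rule["to-ports"], "connection-nat-state": "dstnat"})
            break
    for rule in forward_rules:
        if matches(rule, pkt):
            if rule["action"] == "fasttrack-connection":
                continue  # non-terminating; the accept rule after it decides
            return rule["action"], pkt
    return "accept", pkt  # end of chain: the default policy is accept

# Constructed packets: new TCP connections from the internet arriving on WAN
PKT_HTTP = {"in-interface": "WAN", "protocol": "tcp", "dst-address": "203.0.113.10",
            "dst-port": 80, "connection-state": "new", "connection-nat-state": "none"}
PKT_SSH = dict(PKT_HTTP, **{"dst-port": 22})
```

process(PKT_HTTP) returns "accept" with dst-address rewritten to 192.168.88.29, while process(PKT_SSH) returns "drop" from the "drop all from WAN not DSTNATed" rule; with RESTRICTED_DSTNAT, a packet sent to any address other than 203.0.113.10 is no longer forwarded.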

Thank you both for the response.

Let me answer these questions:

  1. SFP1 is named WAN in the interface section.
  2. IP is correct, and matches what is displayed when validating at IPChicken. I’ve also found some port testing sites and they all indicate the port is not open.
  3. WAN is only a single IP.

Ok… So I’ve just found out the WAN IP is configured to allow only established connections… Now I understand. It’s the ISP side that is blocking traffic if it’s not an established connection. It’s not the 3011 after all, and I’m not crazy after 2 days of fighting with the box only to find out its upstream path is the root cause.

Thank you for the feedback. After all, I have a VERY good understanding of how to configure the system now, that’s positive.