Forwarding UDP port

Hi there!
Please help me find out why my port forwarding on Mikrotik doesn't work.
I set up:
Chain dstnat
Protocol udp
Dst. Port 49068
In.Interface ether1
Action netmap
To Address 192.168.10.200
To Ports 6000

But when I try to send packets from the external network, the router doesn't forward them to the local network.
In this case, the log shows only one record.
Please help.
[attachments: 26.png, 25.png]

Use action=dst-nat instead of the netmap. I believe netmap requires both dst-address and to-address and is intended to forward port for port.

Thanks, 2frogs.
I tried, but it doesn't work.
I got the same single log message.
[attachment: screenshot.png]

That log just states that the router received a request to port 49068 from the internet, which is what is supposed to happen. It looks like your device at 192.168.10.200 is not responding to the request. Have you checked that it responds to port 6000 from the local LAN?

Yes, the device with address 192.168.10.200 responds on the local network.
[attachment: screenshot.png]

You ALSO need to pass the relevant traffic in Filter rules, in addition to dstnat.
You can arrange this with a single rule to allow dstnat traffic.

I added a filter rule:
chain: input
Protocol: udp
Dst.Port: 49068
Action: accept

It doesn't help.
[attachment: screenshot.png]

chain=forward

And order matters! You have to put accepts above drops according to chains…
Normally the default forward drop has a “connection nat state”=!dst-nat.

I changed the chain and the order and set "connection nat state"=!dst-nat.
Unfortunately, it doesn't help.
[attachment: screenshot.png]

I suspect your NAT rule isn't working. From my experience, once my NAT rules worked properly, there was no need to add a firewall rule as well. From my understanding, NAT happens first.
Try setting Dst. Address Type = local in the NAT rule. That's what did it for me.

I agree with you, RLithgo.
But I have spent almost two weeks on it. Who knows, maybe a filter would help.
Your proposal has not helped either :(

Maybe it is not possible to set up UDP forwarding?

Filter rules are not needed with dstnat.
Are you 100% sure your server is responding on 49068?
If it's a Windows or Linux server, try
netstat -noa
and look for
udp 0.0.0.0:49068
or
udp 127.0.0.1:49068

Is there a firewall turned on? By default it's turned on on Windows. Turn it off for a test. If that works, turn the firewall back on and make a rule on the server for the port or application.
Do you have other NAT rules working?
Do you have other NAT rules to this server working?

Incorrect. There is a default filter rule that blocks incoming traffic from ether1 EXCEPT dstnat traffic.
Once you have deleted that and built some other defense against outside traffic, you again need to cater for the dstnat traffic.

I am new to this, so I would like to learn.
Here are my filter rules:

Flags: X - disabled, I - invalid, D - dynamic 
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 

 1    ;;; defconf: accept established,related
      chain=input action=accept connection-state=established,related 

 2    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection connection-state=established,related 

 3    ;;; defconf: accept established,related
      chain=forward action=accept connection-state=established,related 

 4    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid 

 5    ;;; Drop ICMP on outside IF
      chain=input action=drop protocol=icmp in-interface=ether1 log=no log-prefix="" 

 6    ;;; defconf:  drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=ether1 

 7    ;;; PPTP VPN
      chain=input action=accept protocol=tcp in-interface=ether1 dst-port=1723 port="" log=no log-prefix="" 

 8    ;;; L2TP VPN
      chain=input action=accept protocol=udp in-interface=ether1 dst-port=500,1701,4500 log=no log-prefix="" 

 9 XI  ;;; L2TP VPN
      chain=input action=accept protocol=ipsec-esp in-interface=ether1 log=no log-prefix="" 

10    ;;; defconf: drop all from WAN
      chain=input action=drop in-interface=ether1 log=yes log-prefix="rule_10"

I have several ports open from WAN to LAN (tcp/80, udp/514, etc.).
From the list above I see a lot of traffic counted by rule 0, but I guess that is just for informational purposes.
Which rule lets the traffic through? Is it the fasttrack stuff?

Yes. But it is not a server. I control the device via phone. On the local network it works fine.
But when I try remote control (from another network), I don't see packets from my remote phone on the local network.
[attachment: Mikrotik (1).png]

Is there a firewall turned on? By default it's turned on on Windows. Turn it off for a test. If that works, turn the firewall back on and make a rule on the server for the port or application.

There are no firewalls. And I don't see packets from outside.

Do you have other NAT rules working?

No. It is my first port forwarding experience.

Do you have other NAT rules to this server working?

No

I should have caught this sooner, but you also need a return path from the server to remote client. Since you changed the incoming from port 49068 to 6000, you would need the opposite for the return since the client is expecting port 49068.

/ip firewall nat add chain=srcnat action=src-nat protocol=udp src-address=192.168.10.200 src-port=6000 out-interface=ether1 to-ports=49068

I am not 100% on the code, it’s been a while since I have had to change ports…

Not really, that's what conntrack is for: if there's NAT in one direction, it automatically takes care of the other one.

The filter rules from a few posts back don't block it either; the only blocking rule is #6, but it does not apply to dstnated packets.

Anyway, this should be extremely easy to debug, especially for someone who can use Wireshark. Do something similar on the router (either use Tools->Torch on the interfaces or add logging rules in the prerouting/forward/postrouting chains). When you connect from to :49068, you must see:

  • packet from : to :49068 in prerouting
  • packet from : to 192.168.10.200:6000 in forward and postrouting (where the outgoing interface must be

If this all works, the problem is not in router. Most likely 192.168.10.200 does not allow packets from non-LAN addresses or doesn’t have correct default gateway.

Thanks, Sob.

On the local network:
I tried Torch.
[attachment: 32.png]
But I didn't get anything from it, while Wireshark showed me packets.
[attachment: 30.png]
On the remote network:
I set the "log" checkbox on my forwarding rule. But I get only one log message when I send the first packet from the phone from outside.
[attachment: 29.png]
I don't understand what it means.

Most likely 192.168.10.200 does not allow packets from non-LAN addresses

But I don't see any packets from the external network in Wireshark.

or doesn’t have correct default gateway.

It has the gateway address 192.168.10.1, the address of my router.

Try it with logging rules. If you have this dstnat rule:

/ip firewall nat
add action=dst-nat chain=dstnat dst-port=49068 in-interface=ether1-gateway log=yes \
    protocol=udp to-addresses=192.168.10.200 to-ports=6000

Then add these rules and put them at the top, before all other rules:

/ip firewall filter
add action=log chain=forward dst-address=192.168.10.200 dst-port=6000 protocol=udp
/ip firewall mangle
add action=log chain=prerouting dst-port=49068 in-interface=ether1-gateway protocol=udp
add action=log chain=postrouting dst-address=192.168.10.200 dst-port=6000 protocol=udp

Then try to connect and this is what you should see:

21:09:11 firewall,info prerouting: in:ether1-gateway out:(none), src-mac xx:xx:xx:xx:xx:xx, proto UDP, <src-addr>:<src-port>-><your-public-addr>:49068, len xx 
21:09:11 firewall,info dstnat: in:ether1-gateway out:(none), src-mac xx:xx:xx:xx:xx:xx, proto UDP, <src-addr>:<src-port>-><your-public-addr>:49068, len xx
21:09:11 firewall,info forward: in:ether1-gateway out:bridge-local, src-mac xx:xx:xx:xx:xx:xx, proto UDP, <src-addr>:<src-port>->192.168.10.200:6000, NAT <src-addr>:<src-port>->(<your-public-addr>:49068->192.168.10.200:6000), len xx
21:09:11 firewall,info postrouting: in:(none) out:bridge-local, src-mac xx:xx:xx:xx:xx:xx, proto UDP, <src-addr>:<src-port>->192.168.10.200:6000, NAT <src-addr>:<src-port>->(<your-public-addr>:49068->192.168.10.200:6000), len xx
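
As an added example that is not part of the thread: a Python parser for log lines in the format shown above (time, `firewall,info`, an optional log-prefix before the chain name as RouterOS prints it, in/out interface, proto, src->dst, the NAT translation once it has happened, len). It groups lines by source endpoint and reports the first stage of prerouting -> dstnat -> forward -> postrouting that a flow never reached, which is the question the four log rules are there to answer. The sample log, the public address 198.51.100.10 and the client addresses 203.0.113.x are constructed for the example. One fact worth remembering when reading counters: the dstnat chain is only consulted for the first packet of a connection, later packets of the same flow are translated from the connection-tracking entry, so `log=yes` on the NAT rule itself logs once per connection while a log rule in forward fires for every packet.

```python
"""Trace a dst-nat'd flow through RouterOS firewall log lines."""
import re

STAGES = ("prerouting", "dstnat", "forward", "postrouting")

# One RouterOS "firewall,info" log line. The log-prefix (if any) sits between
# "firewall,info" and the chain name; the NAT part only appears after dstnat.
LOG_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) firewall,info "
    r"(?:(?P<prefix>[^\s:]+) )?(?P<chain>[\w-]+): "
    r"in:(?P<in_if>\S+?) out:(?P<out_if>\S+?), "
    r"(?:src-mac [0-9A-Fa-f:]+, )?"
    r"proto (?P<proto>\w+), "
    r"(?P<src>[\d.]+:\d+)->(?P<dst>[\d.]+:\d+)"
    r"(?:, NAT (?P<nat_src>[\d.]+:\d+)->"
    r"\((?P<nat_orig>[\d.]+:\d+)->(?P<nat_new>[\d.]+:\d+)\))?"
    r", len (?P<len>\d+)$"
)


def parse_log_line(line):
    """Return the fields of one log line as a dict, or None if it isn't one."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def verdict(seen, bad_target):
    """Map the set of stages a flow reached to where to look next."""
    if "prerouting" not in seen:
        return "nothing reached the WAN interface; check the public address and upstream"
    if "dstnat" not in seen:
        return ("arrived but the dst-nat rule did not match; check protocol, dst-port, "
                "in-interface (only a connection's first packet traverses dstnat)")
    if bad_target:
        return "dst-nat matched but translated to an unexpected destination; check to-addresses/to-ports"
    if "forward" not in seen:
        return ("translated but never seen in forward; a forward filter rule above the "
                "log rule dropped it, or there is no route to the target")
    if "postrouting" not in seen:
        return "seen in forward but not postrouting; check rules between the two"
    return "router handled it end to end; look at the target host (host firewall, default gateway)"


def trace_flow(log_text, public_port, target):
    """Group lines by source endpoint and report seen/missing stages per flow.

    A line belongs to the flow if it was addressed to public_port before
    translation (dst for prerouting/dstnat, nat_orig for forward/postrouting).
    `target` is the expected post-translation "addr:port".
    """
    flows = {}
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None or rec["chain"] not in STAGES:
            continue
        original_dst = rec["nat_orig"] or rec["dst"]
        if int(original_dst.rsplit(":", 1)[1]) != public_port:
            continue
        flow = flows.setdefault(rec["src"], {"seen": [], "bad_target": False})
        if rec["chain"] not in flow["seen"]:
            flow["seen"].append(rec["chain"])
        if rec["chain"] in ("forward", "postrouting") and rec["dst"] != target:
            flow["bad_target"] = True
    return {
        src: {"seen": f["seen"],
              "missing": [s for s in STAGES if s not in f["seen"]],
              "verdict": verdict(f["seen"], f["bad_target"])}
        for src, f in flows.items()
    }


# Constructed sample: one flow that makes it all the way, one that stops after
# dstnat, and one packet that ended up in input (not a forwarded stage at all).
SAMPLE_LOG = """\
21:09:11 firewall,info prerouting: in:ether1-gateway out:(none), src-mac 00:11:22:33:44:55, proto UDP, 203.0.113.5:51234->198.51.100.10:49068, len 60
21:09:11 firewall,info dstnat: in:ether1-gateway out:(none), src-mac 00:11:22:33:44:55, proto UDP, 203.0.113.5:51234->198.51.100.10:49068, len 60
21:09:11 firewall,info forward: in:ether1-gateway out:bridge-local, src-mac 00:11:22:33:44:55, proto UDP, 203.0.113.5:51234->192.168.10.200:6000, NAT 203.0.113.5:51234->(198.51.100.10:49068->192.168.10.200:6000), len 60
21:09:11 firewall,info postrouting: in:(none) out:bridge-local, src-mac 00:11:22:33:44:55, proto UDP, 203.0.113.5:51234->192.168.10.200:6000, NAT 203.0.113.5:51234->(198.51.100.10:49068->192.168.10.200:6000), len 60
21:09:15 firewall,info prerouting: in:ether1-gateway out:(none), src-mac 00:11:22:33:44:55, proto UDP, 203.0.113.9:40000->198.51.100.10:49068, len 60
21:09:15 firewall,info dstnat: in:ether1-gateway out:(none), src-mac 00:11:22:33:44:55, proto UDP, 203.0.113.9:40000->198.51.100.10:49068, len 60
21:09:20 firewall,info rule_10 input: in:ether1-gateway out:(none), src-mac 00:11:22:33:44:55, proto UDP, 203.0.113.9:40001->198.51.100.10:49068, len 60
"""

if __name__ == "__main__":
    for src, info in trace_flow(SAMPLE_LOG, 49068, "192.168.10.200:6000").items():
        print(f"{src}: seen={info['seen']} missing={info['missing']}\n  -> {info['verdict']}")
```

To use it on a real router, paste the output of `/log print` (or the log panel) into `SAMPLE_LOG` and set `public_port` and `target` to the values from the NAT rule; a flow whose `missing` list is empty has left the router correctly, and the capture has to move to the target host.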

Thanks, Sob.
I got a lot of messages about forwarding.
[attachments: 34a.PNG, 36a.PNG, 35a.PNG]

But:

1. I still don't see it on the network;
2. The packet counter of the log rules keeps growing, while the counter of the forward rule increments only by 1.

Maybe there is something wrong with my UDP packets and they die in the router before leaving it?