hAP ac2 connection to server within LAN from outside

Hello,
I am developing a client-server application; the question is how to properly forward traffic (TCP/UDP) to and from the server.
I have created a NAT rule as follows:
Chain: dstnat
Protocol: 6 (tcp)
Dst. Port: 4296 (my server on local machine is listening on that port)
Action: dst-nat
To Addresses: 192.168.88.253 (this is server’s address in my LAN).

To test, I launch my client app on mobile (via the cellular network, not from local Wi-Fi, to make the test cleaner) - and on the Rate Graph panel I see bytes incoming. The question is, which rule do I need to add to make my server able to respond back to the Internet? Thanks!

For a start, you should fix the dstnat rule, because this one takes all connections to the specified port, incoming and outgoing ones. Add either dst-address= if you have a static one or dst-address-type=local if it’s dynamic.

After that, the connection must be allowed through the firewall filter, and it depends on what you have there now. The factory default firewall already handles it, but if you have something else, you may need:

/ip firewall filter
add chain=forward connection-nat-state=dstnat action=accept

https://forum.mikrotik.com/viewtopic.php?t=179343

Thanks Sob and anav!
Let’s elaborate on this a little bit more for old fossils like me. If I understand the whole mechanics right, now it looks like this:

1. Mobile (or whatever Internet) client sends a packet to WAN.
2. DST-NAT rule substitutes DST with the LAN-addressed machine.
3. Server responds with DST copied from the arrived packet’s SRC.
4. Now my task is to write a rule that substitutes wan.ip as SRC?
This hAP’s web interface has so many options when you design a rule that I’m a little bit lost(
(wan.ip == static.ip in this context)

No, this last part is automatic. The router tracks all connections, remembers all their original and new sources and destinations, and recognizes packets that belong together as one connection. You can see this data in IP->Firewall->Connections (WebFig doesn’t seem to show everything at once, I have to click on each item; WinBox allows showing all columns). So if there was a packet from mobile.ip to static.ip and dstnat changed the destination to lan.ip, then when the response comes from lan.ip to mobile.ip, connection tracking recognizes that it belongs to that connection, and automatically changes the source from lan.ip to static.ip.

To add to what @sob said,
Indeed the connection tracking table keeps track of all the connections that are taking place to the router.
So it knows if a packet was src-nated, dst-nated, etc.
In that example, the router knows the packet was dst-nated and it will un-NAT that connection. The same happens in the case of src-nated packets.
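The two replies above (Sob's point that a dstnat rule without dst-address also catches connections leaving the LAN, and the explanation that connection tracking un-NATs the server's reply without any extra rule) can be demonstrated with a small model of a dstnat rule plus a connection tracking table. This is an added example written for this thread, not RouterOS code or anything posted by the participants: STATIC_IP and MOBILE_IP are constructed stand-ins for static.ip and mobile.ip, the LAN host 192.168.88.20 and the Internet host 198.51.100.5 are made up, and masquerade and the filter chains are deliberately left out so only the dstnat/conntrack behaviour is visible.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Addresses from the thread, plus constructed stand-ins for the ones it only names symbolically.
LAN_SERVER = "192.168.88.253"   # server's LAN address (from the thread)
SERVER_PORT = 4296              # server's listening port (from the thread)
STATIC_IP = "203.0.113.10"      # constructed stand-in for the router's public address (static.ip / wan.ip)
MOBILE_IP = "198.51.100.77"     # constructed stand-in for the cellular client (mobile.ip)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass
class DstNatRule:
    """Model of an /ip firewall nat chain=dstnat action=dst-nat rule."""
    dst_port: int
    to_address: str
    dst_address: Optional[str] = None   # None models the rule as first posted, without dst-address

    def matches(self, pkt: Packet) -> bool:
        if pkt.proto != "tcp" or pkt.dport != self.dst_port:
            return False
        # Without dst-address the rule also catches LAN clients going *out* to port 4296 anywhere.
        return self.dst_address is None or pkt.dst == self.dst_address


class Router:
    """Minimal dstnat + connection tracking. Masquerade and filter rules are left out on purpose."""

    def __init__(self, rule: DstNatRule) -> None:
        self.rule = rule
        # packet tuple as it arrived -> translated tuple as it left
        self.conntrack: Dict[Packet, Packet] = {}

    def forward(self, pkt: Packet) -> Packet:
        # Known connection in the original direction: reuse the stored translation.
        if pkt in self.conntrack:
            return self.conntrack[pkt]
        # Reply direction: find the entry whose translated tuple, reversed, is this packet.
        for orig, xlat in self.conntrack.items():
            if (pkt.src, pkt.sport, pkt.dst, pkt.dport) == (xlat.dst, xlat.dport, xlat.src, xlat.sport):
                # Un-NAT: the reply leaves with the original destination as its source,
                # so the mobile client sees static.ip, never lan.ip. No extra rule is needed.
                return Packet(orig.dst, orig.dport, orig.src, orig.sport, pkt.proto)
        # New connection: apply dst-nat when the rule matches, then remember the mapping.
        if self.rule.matches(pkt):
            xlat = Packet(pkt.src, pkt.sport, self.rule.to_address, pkt.dport, pkt.proto)
        else:
            xlat = pkt
        self.conntrack[pkt] = xlat
        return xlat


def inbound_exchange(rule: Optional[DstNatRule] = None) -> Tuple[Packet, Packet]:
    """Mobile client -> static.ip:4296, then the server's reply. Returns (request as forwarded, reply as sent out)."""
    router = Router(rule or DstNatRule(SERVER_PORT, LAN_SERVER, dst_address=STATIC_IP))
    request = Packet(MOBILE_IP, 51000, STATIC_IP, SERVER_PORT)
    to_server = router.forward(request)
    reply = Packet(LAN_SERVER, SERVER_PORT, MOBILE_IP, 51000)
    reply_out = router.forward(reply)
    return to_server, reply_out


def outbound_from_lan(rule: DstNatRule) -> Packet:
    """A LAN host opening its own connection to some Internet host on port 4296 (constructed addresses)."""
    router = Router(rule)
    return router.forward(Packet("192.168.88.20", 40000, "198.51.100.5", SERVER_PORT))


if __name__ == "__main__":
    to_server, reply_out = inbound_exchange()
    print("request as forwarded:", to_server)
    print("reply as sent out   :", reply_out)
    loose = DstNatRule(SERVER_PORT, LAN_SERVER)                          # rule as first posted
    strict = DstNatRule(SERVER_PORT, LAN_SERVER, dst_address=STATIC_IP)  # with Sob's fix
    print("LAN->Internet:4296, loose rule :", outbound_from_lan(loose).dst)
    print("LAN->Internet:4296, strict rule:", outbound_from_lan(strict).dst)
```

With the loose rule the LAN host's outbound connection is silently redirected to 192.168.88.253; with dst-address= set it passes through untouched. The reply from the server comes back with source 203.0.113.10 purely from the conntrack entry, which is the step the original poster was trying to write a rule for.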

This last automatic part doesn’t work, unfortunately. I don’t have a connection.

Easy to say, but without seeing your config, it’s impossible to know.
/export hide-sensitive file=anynameyouwish

I’m sure it’s not that. When you’re testing it, the counters for this dstnat rule increase, right? You can add some logging rules to see if the server is responding at all:

/ip firewall mangle
add chain=postrouting dst-address=192.168.88.253 protocol=tcp dst-port=4296 action=log log-prefix="to-server"
add chain=prerouting src-address=192.168.88.253 protocol=tcp src-port=4296 action=log log-prefix="from-server"
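Once the two mangle log rules above are in place, the question is whether every "to-server" entry is followed by a "from-server" entry for the same client. The script below is an added example for this thread, not RouterOS code or anything posted by the participants: it pairs the two prefixes over a block of constructed log lines written in the shape of RouterOS firewall log output (client addresses 198.51.100.77/78 and the timestamps are made up), keyed by the client's ip:port. Because the "from-server" rule sits in prerouting, the reply is logged before it is un-NATed, so its source is still 192.168.88.253:4296 and the client is taken from the dst side.

```python
import re
from typing import Dict, Optional, Set, Tuple

# The part of a RouterOS firewall log line that matters here: the log-prefix,
# the chain, protocol/flags and the src:port->dst:port pair.
LOG_RE = re.compile(
    r"(?P<prefix>to-server|from-server)\s+(?P<chain>\w+):.*?proto (?P<proto>\w+)"
    r"(?: \((?P<flags>[^)]*)\))?, (?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Constructed sample in the shape of RouterOS firewall log entries (not real captured output).
# Client 198.51.100.77 gets a SYN/ACK back; client 198.51.100.78 retransmits its SYN and never does.
SAMPLE_LOG = """\
10:36:15 firewall,info to-server postrouting: in:ether1 out:bridge, proto TCP (SYN), 198.51.100.77:51000->192.168.88.253:4296, len 60
10:36:15 firewall,info from-server prerouting: in:bridge out:(unknown 0), proto TCP (SYN,ACK), 192.168.88.253:4296->198.51.100.77:51000, len 60
10:36:18 firewall,info to-server postrouting: in:ether1 out:bridge, proto TCP (SYN), 198.51.100.78:41222->192.168.88.253:4296, len 60
10:36:21 firewall,info to-server postrouting: in:ether1 out:bridge, proto TCP (SYN), 198.51.100.78:41222->192.168.88.253:4296, len 60
"""

Endpoint = Tuple[str, int]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one log line, or None if it carries neither of our two prefixes."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None


def pair_flows(log_text: str) -> Tuple[Set[Endpoint], Set[Endpoint]]:
    """Split client endpoints (ip, port) into (answered, unanswered).

    'to-server' lines identify the client by src; 'from-server' lines, logged in
    prerouting before the reply is un-NATed, identify it by dst.
    """
    requested: Set[Endpoint] = set()
    replied: Set[Endpoint] = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["prefix"] == "to-server":
            requested.add((rec["src"], int(rec["sport"])))
        else:
            replied.add((rec["dst"], int(rec["dport"])))
    return requested & replied, requested - replied


if __name__ == "__main__":
    answered, unanswered = pair_flows(SAMPLE_LOG)
    print("answered  :", sorted(answered))
    print("unanswered:", sorted(unanswered))
```

An empty "unanswered" set with a non-empty "answered" set means the server is replying and the problem is past the router; "to-server" entries that never get a partner point at the server or its host firewall instead.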

According to Wireshark, the server does respond:

Here the IP in the filter is the mobile IP.

# may/14/2022 10:36:15 by RouterOS 6.48.1
# software id = BIQC-9UQV
#
# model = RBD52G-5HacD2HnD
# serial number = CDFF0D7F7F0C
/interface bridge
add admin-mac=08:55:31:B7:0E:90 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto installation=indoor mode=\
    ap-bridge ssid=MikroTik-B70E94 station-roaming=enabled wireless-protocol=\
    802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto \
    installation=indoor mode=ap-bridge ssid="Imperial Network" \
    station-roaming=enabled wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=accept chain=forward connection-nat-state=dstnat
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address=195.91.236.13 dst-port=4296 \
    protocol=tcp to-addresses=192.168.88.253
/system clock
set time-zone-name=Europe/Moscow
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

I see nothing that would be blocking your traffic in the MT config, so I have to start thinking about your ISP connection.