Having trouble with possible DNAT

Hello all, I have tried searching everywhere and have read lots of forums but I am still stuck, so decided to ask myself about my case hoping someone could help me solve it.
The Problem(s):

  1. I wish to connect to a server hosted in DigitalOcean via SSH, I have tried using Putty (on Windows) and SSH through Terminal (on Macbook Pro), but my connection gets timed out.
  2. Some online games for PC show a “Strict NAT type” message and the game session gets disconnected every so often :frowning:

My setup:
ISP---->Fiber to Ethernet converter---->(10.16.1.107)Mikrotik Router---->TP-Link Decos (Act as Access Points)---->Windows and MacOS laptops(192.168.0.178 all with static IPs)

What I’ve tried:

  1. I have tried connecting my computer directly to the ethernet cable from the fiber converter (bypassing my Mikrotik router and APs), but no luck.
  2. I made some NAT rules on my Mikrotik router but still no luck.
  3. I have also enabled UPnP on my Mikrotik router, rules are created automatically as I open a game but no traffic is generated or shown on the rule counters.
  4. I have tried using a VPN on Windows (TunnelBear) and can confirm that the SSH connection works and also the NAT type on games change from strict to moderate.

These are the rules I have tried so far with no luck:
/ip firewall nat
add action=masquerade chain=srcnat
add action=dst-nat chain=dstnat comment=SSH dst-address=10.16.1.107 dst-port=22 in-interface=ether1-WAN protocol=tcp to-addresses=192.168.0.178 to-ports=22
add action=dst-nat chain=dstnat comment=WarzonePortUDP dst-address=10.16.1.107 dst-port=3074 in-interface=ether1-WAN protocol=udp to-addresses=192.168.0.178 to-ports=3074
add action=dst-nat chain=dstnat comment=WarzonePortTCP dst-address=10.16.1.107 dst-port=3074 in-interface=ether1-WAN protocol=tcp to-addresses=192.168.0.178 to-ports=3074

/ip firewall filter
/////////Some bunch of other rules/////////
add action=accept chain=forward comment="Test NAT Games" connection-nat-state=dstnat dst-address=192.168.0.178 dst-port=3074 protocol=udp
add action=accept chain=forward comment="Test NAT SSH" connection-nat-state=dstnat dst-address=192.168.0.178 dst-port=22 protocol=tcp

I have no trouble at all somewhere else (different location and ISP) and I was told by my ISP that there are no ports blocked or restricted so I should not have any trouble, also that they assign a private IP address to their clients so they already do NAT. Could it be an ISP thing or my own network? I appreciate any advice and sorry for any bad English. Thanks all!!

P.S. If needed this is my config file:
https://1drv.ms/u/s!AoNWL7MJ-0tsuGTjKKKA56IHEmnR?e=Zg0owe

There should be no issue for you to reach any external server via Putty.
However if you have a firewall error it can happen.
Suggest post entire config
/export hide-sensitive file=anynameyouwish

About dstnat/UPnP, if 10.16.1.107 is your real WAN address, then it’s no surprise that it doesn’t work, because it’s a private one. So even if you configure everything correctly on your router, it still won’t work, because it’s not possible to reach this address from the internet.

Thanks for your answer.. So in this case there's nothing I can do on my network side? I mean, should I ask my ISP for something else? They just say that there are no restrictions on the ports at all, maybe should I ask them for port forwarding? (I think that makes sense, if not please correct me) Thanks so much!

Thanks! I will post my configuration once I get home..

Ideally you want a public address and have it directly on your router. Downside is that ISPs often charge extra for it. On top of that, many only reserve it for you and don’t give it to you directly (NAT 1:1). It’s not a problem when you need to forward some static ports, but probably won’t work with UPnP (*).

(*) I’m not exactly sure here. The problem is that UPnP client also gets public address from UPnP server (your router) and if it’s not there directly, router doesn’t know it. Maybe some could use other means to detect it, it would make sense, since NAT 1:1 is relatively common, but I don’t know if they really do.
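The two replies above make one point: a dst-nat rule can only be reached from the internet if the address it matches on is a public one. The following script, added here and not part of this thread or of RouterOS, parses the NAT rules the original poster shared, classifies the WAN address against RFC 1918 and RFC 6598 (CGNAT, 100.64.0.0/10) space, and flags every dst-nat rule whose WAN-side address is unreachable from outside. The export text is the poster's own rules, embedded as sample input.

```python
import ipaddress
import re

# Ranges that are never a reachable destination from the public internet:
# RFC 1918 private space and RFC 6598 shared address space used by ISP CGNAT.
NON_ROUTABLE = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("100.64.0.0/10"),
]

# Constructed sample: the dst-nat rules posted in the thread, WAN side 10.16.1.107.
SAMPLE_EXPORT = """\
add action=masquerade chain=srcnat
add action=dst-nat chain=dstnat comment=SSH dst-address=10.16.1.107 dst-port=22 in-interface=ether1-WAN protocol=tcp to-addresses=192.168.0.178 to-ports=22
add action=dst-nat chain=dstnat comment=WarzonePortUDP dst-address=10.16.1.107 dst-port=3074 in-interface=ether1-WAN protocol=udp to-addresses=192.168.0.178 to-ports=3074
"""

# key=value pairs of a RouterOS 'add ...' line; values may be double-quoted.
KV_RE = re.compile(r'(\S+?)=("[^"]*"|\S+)')


def classify_wan_address(addr: str) -> str:
    """Return 'public', 'private' (RFC 1918) or 'cgnat' (RFC 6598) for an address."""
    ip = ipaddress.ip_address(addr)
    for net in NON_ROUTABLE:
        if ip in net:
            return "cgnat" if net.prefixlen == 10 else "private"
    return "public"


def parse_rule(line: str) -> dict:
    """Turn one 'add key=value ...' export line into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def audit_dstnat(export: str, wan_address: str) -> list:
    """Return (comment, verdict) for each dst-nat rule in a /ip firewall nat export.

    A rule is 'unreachable' when the address it matches on the WAN side (its
    dst-address, or the router's WAN address if it matches by interface only)
    is private or CGNAT: the ISP must forward the port first, nothing on the
    router can make such a rule work.
    """
    findings = []
    for line in export.splitlines():
        rule = parse_rule(line)
        if rule.get("action") != "dst-nat":
            continue
        target = rule.get("dst-address", wan_address)
        kind = classify_wan_address(target)
        verdict = "ok" if kind == "public" else f"unreachable ({kind} address {target})"
        findings.append((rule.get("comment", "<no comment>"), verdict))
    return findings
```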

Thank you, Here you can check the config File:

https://1drv.ms/u/s!AoNWL7MJ-0tsuGTjKKKA56IHEmnR?e=Zg0owe

(1) Get rid of this rule.
/interface detect-internet
set detect-interface-list=all

(2) You are missing the ip pool, ip dhcp-server and ip dhcp-server network for your other subnet???

(3) Won't hurt to set this to LAN vice none.
/ip neighbor discovery-settings
set discover-interface-list=none

(4) Missing interface list members
/interface list member
add interface=ether5 list=LAN
add interface=BR_DECO list=LAN
add interface=ether1-WAN list=WAN

(5) Why are these rules here?? Never seen them before…
add action=fasttrack-connection chain=forward comment="Fasttrack DNS - TCP" dst-port=53 protocol=tcp
add action=fasttrack-connection chain=forward comment="Fasttrack DNS - UDP" dst-port=53 protocol=udp

(6) This one is puzzling, allow source-address-list of NOT support???
add action=drop chain=input comment="Block all access to the winbox - except to support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUPPORT ADDRESS LIST" disabled=yes dst-port=8291 protocol=tcp src-address-list=!support
Why the eff does anyone make such an obtuse non clear garbage rule.
This is much clearer and simple.
add action=accept chain=input src-address-list=support comment="allow admin access"

Okay I see that you do have this later - but who can read such a butt phuck ugly order of rules.
Also with a drop rule at the end of the input chain that !support rule is twit useless anyway.

(7) Why were these separated… they should be on one rule…
add action=accept chain=input comment="Accept to established connections" connection-state=established
add action=accept chain=input comment="Accept to related connections" connection-state=related
add action=accept chain=input comment="Accept to established-related connections" connection-state=established,related

Okay I am starting to think that you copied some firewall settings from some garbage site on youtube.
Your order is a complete mess, put input rules in order and then forward chain rules.
Suggest you reset your FW rules to default and start over.
Get the destination nat working then add all the other crap back in.

(8) This should be in ip nat, not forward chain
add action=accept chain=forward comment="NAT CodWarzone" connection-nat-state=dstnat dst-address=192.168.0.178 dst-port=3074 protocol=udp

(9) Sourcenat rule is setup for a dynamic IP. Looks like you have a fixed static WANIP
/ip firewall nat
add action=src-nat chain=srcnat out-interface=ether1-WAN to-addresses=10.16.1.107

add action=dst-nat chain=dstnat comment="NAT Test CodWarzone" dst-address=10.16.1.107 dst-port=3074 in-interface=ether1-WAN protocol=udp to-addresses=192.168.0.178 to-ports=3074

(10) you need a port forwarding rule in forward chain, the default set of firewall rules provides that.
Or you can add
add chain=forward action=accept connection-nat-state=dstnat connection-state=new in-interface-list=WAN

Yes, I'm sorry about the messy rules, I obtained them from an official Mikrotik website about securing the router. But even disabling most of them (for testing purposes) I still had the same behaviour. I will correct the steps you mention and see how it goes. Thank you so much..

At the end I just decided to try with a different Internet Service Provider, I am using the same equipment and the same configurations as before without any problem. So apparently it was a problem in the ISP side. Thanks all…