Help me with port forwarding troubleshooting

slavikf · November 8, 2024, 5:41am

1st time Mikrotik user, got CCR2004-1G-12S+2XS.

I connected Mikrotik to ATT Fiber directly on sfp-sfpplus1. Used QuickSet to get started. Had to fix DHCP server network.
Router IP is 192.168.0.2
Networks is 192.168.0.0/24

Also, did few more steps to get access to ATT SFP module web interface:

/ip address add address=192.168.11.2/24 interface=sfp-sfpplus1
/ip route print
    DST-ADDRESS      GATEWAY       DISTANCE
DAc 192.168.0.0/24   bridge1              0
DAc 192.168.11.0/24  sfp-sfpplus1         0
# Clone Mac for ATT
/interface ethernet set sfp-sfpplus1 mac-address=ac:8f:a9:31:**:**

Internet works, I can browser web sites.

Then I added 2 port forwarding rules and I see this:

/ip firewall nat print
Flags: X - disabled, I - invalid; D - dynamic 
 0    chain=srcnat action=masquerade out-interface-list=WAN 
 1    chain=dstnat action=dst-nat to-addresses=192.168.0.202 to-ports=80 protocol=tcp in-interface-list=WAN dst-port=80 
 2    chain=dstnat action=dst-nat to-addresses=192.168.0.202 to-ports=443 protocol=tcp in-interface-list=WAN dst-port=443

But external requests to port 80 or 443 getting no response.

I tried logs:

/ip firewall nat set [find where chain=dstnat and dst-port=80] log=yes log-prefix="HTTP-FWD "

But getting no logs.

I used Torch and I can see incoming requests (mostly to port 443) - see screenshot. Not sure, how to interpret it.

What do I miss? How can I troubleshoot it?

slavikf · November 8, 2024, 5:51am

By the way, currently I have ATT router, and port forwarding on it works. So, my IP is not CG-NAT’d.

Also, in the logs, I can see that there are requests coming externally to the router, trying to login / brute-force … So, the requests are coming from outside, just need to figure out how to do port forwarding.

01:02:32 system,error,critical login failure for user root from 112.103.94.202 via telnet
00:24:10 system,error,critical login failure for user admin from 40.118.145.212 via ssh
00:24:31 system,error,critical login failure for user root from 120.240.244.235 via ssh
00:27:49 echo: system,error,critical login failure for user admin from 103.102.230.5 via api
00:27:49 echo: system,error,critical login failure for user admin from 103.102.230.5 via api

anovojr · November 8, 2024, 6:15am

Here are a few things you could check:

Firewall Rules: Also ensure you have firewall rules that allow traffic on ports 80 and 443 to the internal IP of your instance, 192.168.0.202. Sometimes just the Firewall rules can prevent the access even if you configured the NAT rules properly.

Interface Lists: Ensure that you briefly verify that sfp-sfpplus1 interface is visible on your WAN side. If it is not the case, the specified NAT rules may not affect the incoming traffic in your network.

slavikf · November 8, 2024, 6:20am

Firewall Rules:

I have 0 (Zero) firewall rules. That means, that everything is open (allow). Right?
I understand, that eventually I’ll need to close / limit few things, but i’m ok to have everything open while troubleshooting. Right?

Interface Lists

Does that mean this:

/interface list member print
# LIST  INTERFACE   
0 WAN   sfp-sfpplus1
1 LAN   bridge1

Or anything else?

erlinden · November 8, 2024, 7:04am

Can you show your config?

/export file=anynameyoulike

Remove serial and any other private info, post between code tags by using the </> button.

anav · November 8, 2024, 12:38pm

Depends, is your device connected directly to the internet and not behind an ISP router??

If public facing then,
YES to first question, NO to the second question.

Smart move, put back in default firewall rules, adjust them as necessary for needed traffic and then carry on with testing if connected to the network.

slavikf · November 8, 2024, 3:34pm

Here it is:

# 2024-11-08 10:29:44 by RouterOS 7.16.1
# software id = ZAQF-UBCR
#
# model = CCR2004-1G-12S+2XS

/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=sfp-sfpplus1 ] mac-address=AC:8F:A9:31:**:** \
    sfp-ignore-rx-los=yes
/interface list
add name=WAN
add name=LAN
/ip pool
add name=dhcp ranges=192.168.0.40-192.168.0.150
/ip dhcp-server
add address-pool=dhcp interface=bridge1 name=dhcp1
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=sfp-sfpplus2
add bridge=bridge1 interface=sfp-sfpplus3
add bridge=bridge1 interface=sfp-sfpplus4
add bridge=bridge1 interface=sfp-sfpplus5
add bridge=bridge1 interface=sfp-sfpplus6
add bridge=bridge1 interface=sfp-sfpplus7
add bridge=bridge1 interface=sfp-sfpplus8
add bridge=bridge1 interface=sfp-sfpplus9
add bridge=bridge1 interface=sfp-sfpplus10
add bridge=bridge1 interface=sfp-sfpplus11
add bridge=bridge1 interface=sfp-sfpplus12
add bridge=bridge1 interface=sfp28-1
add bridge=bridge1 interface=sfp28-2
/interface list member
add interface=sfp-sfpplus1 list=WAN
add interface=bridge1 list=LAN
/ip address
add address=192.168.0.2/24 interface=bridge1 network=192.168.0.0
add address=192.168.11.2/24 interface=sfp-sfpplus1 network=192.168.11.0
/ip dhcp-client
add interface=sfp-sfpplus1
/ip dhcp-server lease
add address=192.168.0.44 comment=ub3090 mac-address=26:25:81:8B:DA:EA
add address=192.168.0.74 comment=t5820 mac-address=98:B7:85:1F:37:B5
add address=192.168.0.83 comment=t7920 mac-address=98:B7:85:1E:DC:F6
add address=192.168.0.88 comment=p5000 mac-address=86:BA:F1:28:E6:D2
add address=192.168.0.90 comment=Amcrest mac-address=9C:8E:CD:24:72:EE
add address=192.168.0.91 comment="RLC-810A street" mac-address=\
    EC:71:DB:0E:1A:BA
add address=192.168.0.101 comment=ds1621xs+ mac-address=00:11:32:EA:FD:03
add address=192.168.0.102 comment="psalm VM" mac-address=02:11:32:2E:95:E9
add address=192.168.0.103 comment=qb-win mac-address=B6:94:6F:A1:67:68
add address=192.168.0.109 comment="edsace loft" mac-address=00:D1:64:0B:0A:09
add address=192.168.0.110 comment=doorbell mac-address=EC:71:DB:2D:55:CF
add address=192.168.0.112 comment="RLC-1212A kitchen" mac-address=\
    EC:71:DB:3C:AB:41
add address=192.168.0.131 comment=Brother mac-address=30:05:5C:8F:6D:02
add address=192.168.0.138 comment=ds1812 mac-address=00:11:32:13:6B:64
add address=192.168.0.147 comment="aruba switch" mac-address=\
    BC:D7:A5:7E:64:E0
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.0.2 gateway=192.168.0.2 \
    netmask=24
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat comment=web80 dst-port=80 in-interface-list=\
    WAN protocol=tcp to-addresses=192.168.0.202 to-ports=80
add action=dst-nat chain=dstnat dst-port=443 in-interface-list=WAN protocol=\
    tcp to-addresses=192.168.0.202 to-ports=443
/system clock
set time-zone-name=America/New_York
/system note
set show-at-login=no

slavikf · November 8, 2024, 3:47pm

What is “direct”?
With Mikrotik, I used this guide to bypass ATT router:
https://pon.wiki/guides/masquerade-as-the-att-inc-bgw320-500-505-on-xgs-pon-with-the-bfw-solutions-was-110/

So, I’m NOT using ISP router.
I have ATT Fiber line going to WS-110 SFP+ module, which inserted to sfp-sfpplus1 port of Mikrotik.

Internet works, - I’m using it from my laptop, which is connected via Ethernet to sfp-sfpplus7.

Port forwarding doesn’t work.

Smart move, put back in default firewall rules, adjust them as necessary for needed traffic and then carry on with testing if connected to the network.

I do not have any firewall rules. Only firewall NAT rules.

erlinden · November 8, 2024, 3:54pm

/ip address
add address=192.168.0.2/24 interface=bridge1 network=192.168.0.0
add address=192.168.11.2/24 interface=sfp-sfpplus1 network=192.168.11.0
/ip dhcp-client
add interface=sfp-sfpplus1

From the above, I get the feeling that on the sfp you set an IP manually and you get an IP through DHCP. As there is no /ip route specified, it is probably dynamically set through DHCP as well.

Your router, or at least services like telnet and ssh are publically available, hence you are either in DMZ or have a public IP.

What you should do:

Add firewall rules:

/ip firewall filter
add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=drop chain=input comment="drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=accept chain=forward comment="accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" ipsec-policy=out,ipsec
add action=drop chain=forward comment="drop all from WAN not DSTNATed" connection-nat-state=!dstnat in-interface-list=WAN

After that, we will continue. Hopefully you haven’t been compromised yet (any other users created)?

[Update] Aah, you have confirmed that your router is public facing…without firewall filter rules.

slavikf · November 12, 2024, 5:15am

I added firewalls rules, as suggessted above, and port forwarding still doesn’t work.
Tried few other firewall settings - can’t make port forward to work.

Here is how I see connections on Firewall:

 /ip firewall/connection print
Flags: S - SEEN-REPLY; A - ASSURED; C - CONFIRMED; F - FASTTRACK; s - SRCNAT; d - DSTNAT
Columns: PROTOCOL, SRC-ADDRESS, DST-ADDRESS, TCP-STATE, TIMEOUT, ORIG-RATE, REPL-RATE, ORIG-PACKETS, REPL-PACKETS, ORIG-BYTES, REPL-BYTES
  #        PROTOCOL  SRC-ADDRESS            DST-ADDRESS           TCP-STATE    TIMEOUT    ORIG-RATE  REPL-RATE  ORIG-PACKETS  REPL-PACKETS  ORIG-BYTES  REPL-BYTES
  9   C  d tcp       198.13.84.43:56620     104.63.172.143:443    established  4m6s       0bps       0bps                  2             0       2 468           0
 10   C  d tcp       52.183.22.178:36372    104.63.172.143:443    established  4m25s      0bps       0bps                  3             0       3 507           0
 14   C  d tcp       66.249.73.200:37708    104.63.172.143:443    established  4m         0bps       0bps                  1             0          52           0
 15   C  d tcp       66.249.73.200:55028    104.63.172.143:443    established  4m53s      0bps       0bps                  2             0         104           0
 19   C  d tcp       66.249.73.201:43451    104.63.172.143:443    established  4m36s      0bps       0bps                  2             0         104           0
 25   C  d tcp       66.249.73.201:42575    104.63.172.143:443    established  4m36s      0bps       0bps                  2             0         104           0
 37   C  d tcp       108.172.75.226:52364   104.63.172.143:443    established  4m20s      0bps       0bps                  2             0       2 338           0
 41   C  d tcp       66.249.73.200:59266    104.63.172.143:443    established  4m53s      0bps       0bps                  2             0         104           0
 42   C  d tcp       66.249.73.200:61300    104.63.172.143:443    established  4m53s      0bps       0bps                  2             0         104           0
 53   C  d tcp       66.249.74.78:60332     104.63.172.143:443    last-ack     4s         0bps       0bps                  8             0         416           0
 70   C  d tcp       3.142.54.202:39828     104.63.172.143:443    syn-sent     0s         0bps       0bps                  4             0         240           0
 71   C  d tcp       57.141.7.22:52794      104.63.172.143:443    syn-sent     0s         0bps       0bps                  4             0         240           0
 72   C  d tcp       3.142.54.202:6209      104.63.172.143:443    syn-sent     0s         0bps       0bps                  4             0         240           0
 73   C  d tcp       57.141.7.6:53342       104.63.172.143:443    syn-sent     0s         0bps       0bps                  4             0         240           0
 74   C  d tcp       57.141.7.27:34566      104.63.172.143:443    syn-sent     0s         0bps       0bps                  4             0         240           0
 75   C  d tcp       3.219.81.66:46257      104.63.172.143:443    syn-sent     0s         0bps       0bps                  4             0         240           0
 76   C  d tcp       54.85.7.119:13306      104.63.172.143:443    syn-sent     1s         0bps       0bps                  4             0         240           0
 77   C  d tcp       216.244.66.247:35586   104.63.172.143:80     syn-sent     1s         0bps       0bps                  4             0         240           0
 78   C  d tcp       57.141.7.3:40228       104.63.172.143:443    syn-sent     1s         0bps       0bps                  4             0         240           0
 79   C  d tcp       57.141.7.28:41220      104.63.172.143:443    syn-sent     1s         0bps       0bps                  4             0         240           0
 80   C  d tcp       184.73.195.18:56731    104.63.172.143:443    syn-sent     1s         0bps       0bps                  4             0         240           0
 81   C  d tcp       57.141.7.1:35404       104.63.172.143:443    syn-sent     1s         0bps       0bps                  4             0         240           0
 82   C  d tcp       57.141.7.15:37358      104.63.172.143:443    syn-sent     2s         0bps       0bps                  4             0         240           0
 83   C  d tcp       57.141.7.25:49674      104.63.172.143:443    syn-sent     2s         0bps       0bps                  4             0         240           0
 84   C  d tcp       57.141.7.16:38876      104.63.172.143:443    syn-sent     2s         0bps       0bps                  4             0         240           0
 85   C  d tcp       54.221.203.24:5692     104.63.172.143:443    syn-sent     2s         0bps       0bps                  4             0         240           0
 86   C  d tcp       57.141.7.19:53314      104.63.172.143:443    syn-sent     2s         0bps       0bps                  4             0         240           0
 87   C  d tcp       54.147.182.90:54458    104.63.172.143:443    syn-sent     3s         480bps     0bps                  4             0         240           0
 88   C  d tcp       57.141.7.23:54898      104.63.172.143:443    syn-sent     3s         480bps     0bps                  4             0         240           0
...

So, I see that

connections on port 80/443 correctly getting to DSTNAT
but never gets to the state " S - SEEN-REPLY; A - ASSURED"

What else can I do?

Currently my config export:

# 2024-11-12 00:04:05 by RouterOS 7.16.1
# software id = ZAQF-UBCR
#
# model = CCR2004-1G-12S+2XS
/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=sfp-sfpplus1 ] mac-address=AC:8F:A9:31:**:** \
    sfp-ignore-rx-los=yes
/interface list
add name=WAN
add name=LAN
/ip pool
add name=dhcp ranges=192.168.0.40-192.168.0.150
/ip dhcp-server
add address-pool=dhcp interface=bridge1 name=dhcp1
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=sfp-sfpplus2
add bridge=bridge1 interface=sfp-sfpplus3
add bridge=bridge1 interface=sfp-sfpplus4
add bridge=bridge1 interface=sfp-sfpplus5
add bridge=bridge1 interface=sfp-sfpplus6
add bridge=bridge1 interface=sfp-sfpplus7
add bridge=bridge1 interface=sfp-sfpplus8
add bridge=bridge1 interface=sfp-sfpplus9
add bridge=bridge1 interface=sfp-sfpplus10
add bridge=bridge1 interface=sfp-sfpplus11
add bridge=bridge1 interface=sfp-sfpplus12
add bridge=bridge1 interface=sfp28-1
add bridge=bridge1 interface=sfp28-2
/interface list member
add interface=sfp-sfpplus1 list=WAN
add interface=bridge1 list=LAN
/ip address
add address=192.168.0.2/24 interface=bridge1 network=192.168.0.0
add address=192.168.11.2/24 interface=sfp-sfpplus1 network=192.168.11.0
/ip dhcp-client
add interface=sfp-sfpplus1
/ip dhcp-server lease
add address=192.168.0.101 comment=ds1621xs+ mac-address=00:11:32:EA:FD:03
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.0.2 gateway=192.168.0.2 \
    netmask=24
/ip firewall filter
add action=accept chain=input comment="accept established,related" \
    connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=accept chain=input comment="allow ICMP" protocol=icmp
add action=fasttrack-connection chain=forward comment=\
    "fast-track for established,related" connection-state=established,related \
    hw-offload=yes
add action=accept chain=forward comment="accept established,related" \
    connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward comment=\
    "drop access to clients behind NAT from WAN" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=80 in-interface-list=WAN protocol=\
    tcp to-addresses=192.168.0.101 to-ports=80
add action=dst-nat chain=dstnat dst-port=443 in-interface-list=WAN protocol=\
    tcp to-addresses=192.168.0.101 to-ports=443
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=2200
set api disabled=yes
/ip ssh
set strong-crypto=yes
/system clock
set time-zone-name=America/New_York
/system note
set show-at-login=no
/tool bandwidth-server
set enabled=no

anav · November 12, 2024, 3:16pm

How do you expect to port forward if you dont have a public IP address?
If you can access the upstream ISP device and from there forward a port, then it could be done.

slavikf · November 12, 2024, 6:11pm

I do have public IP address. I’m using Mikrotik INSTEAD of ISP router. So, my Mikrotik gets public IP address on SFP1

anav · November 12, 2024, 6:23pm

Your words are not reflected in the config!!!

/ip address
add address=192.168.11.2/24 interface=sfp-sfpplus1 network=192.168.11.0

Effectively assigning a private IP to sfp-sfpplus1

You also have this… and this is in conflict as you cannot use BOTH, so recommend you delete the IP address entry!!!
/ip dhcp-client
add interface=sfp-sfpplus1

2. Recommend minor change to firewall rules for better clarity and tighter security
FROM default rule:
add action=drop chain=forward comment=
“drop access to clients behind NAT from WAN” connection-nat-state=!dstnat
connection-state=new in-interface-list=WAN

TO
add action=accept chain=forward comment=“internet traffic” in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment=“port forwarding” connection-nat-state=dstnat
add action=drop chain=forward comment=“drop all else”

anav · November 12, 2024, 6:28pm

Question: Do you have users on the same LAN subnet also using one or both servers?

If so, how are they connecting to the servers
a. by direct LANIP
b. by DYNDNS URL name etc…

slavikf · November 13, 2024, 12:56am

Hm,
I do have public IP on sfp-sfpplus1 and it’s coming from ISP provider (ATT) via dhcp-client.
And I also have private IP sfp-sfpplus1 - it has static private IP for SFP firmware.
Can it be the reason why port forwarding doesn’t work?

I’ll try to disable that 192.168.11.2 network on sfp-sfpplus1 and test.

slavikf · November 13, 2024, 12:59am

What do you mean by “both servers”?

Few websites, which I host on web servers in my LAN getting accessed from the Internet and from the LAN, too.
So, NAT loopback (hair-pinning) is my next task, after I’ll get port forwarding sorted out.

anav · November 13, 2024, 1:06am

Why are you asking me which servers??
Ahhh so they are both to the same web server?
Why do even you make the unencrypted port 80 available ??

in any case long winded
add action=dst-nat chain=dstnat dst-port=80 in-interface-list=WAN protocol=
tcp to-addresses=192.168.0.101 to-ports=80
add action=dst-nat chain=dstnat dst-port=443 in-interface-list=WAN protocol=
tcp to-addresses=192.168.0.101 to-ports=443
Can be shortened to:
add action=dst-nat chain=dstnat dst-port=80,443 in-interface-list=WAN protocol=tcp to-addresses=192.168.0.101

anav · November 13, 2024, 1:15am

Yes get rid of the private IP address you have for sfp-sfpplus1, its bogus!

In terms of hairpin nat.
StepOne: I already showed you what the forward chain firewall rules should look like.

StepTwo: Add sourcenat rule as the FIRST rule in the NAT chain.
add chain=srcnat action=masquerade src-address=192.168.0.0/24 dst-address=192.168.0.0/24

StepThree: We need to change the in-interface=WAN to something that is inclusive of incoming from both ends…
If this was a static WANIP then we simply use dst-address=WANIP.
However in the dynamic case, a real easy fix is the following.

/ip firewall address-list
add address=dyndnsURL list=MyWAN comment="the URL, dyndnsname or mynetname users use to reach the router

StepFour: the revised rule:
add action=dst-nat chain=dstnat dst-port=80,443 dst-address-list=MyWAN protocol=tcp to-addresses=192.168.0.101