I connected Mikrotik to ATT Fiber directly on sfp-sfpplus1. Used QuickSet to get started. Had to fix DHCP server network.
Router IP is 192.168.0.2
Network is 192.168.0.0/24
Also, did few more steps to get access to ATT SFP module web interface:
/ip address add address=192.168.11.2/24 interface=sfp-sfpplus1
/ip route print
DST-ADDRESS GATEWAY DISTANCE
DAc 192.168.0.0/24 bridge1 0
DAc 192.168.11.0/24 sfp-sfpplus1 0
# Clone Mac for ATT
/interface ethernet set sfp-sfpplus1 mac-address=ac:8f:a9:31:**:**
Internet works, I can browse web sites.
Then I added 2 port forwarding rules and I see this:
By the way, currently I have ATT router, and port forwarding on it works. So, my IP is not CG-NAT’d.
Also, in the logs, I can see that there are requests coming externally to the router, trying to login / brute-force … So, the requests are coming from outside, just need to figure out how to do port forwarding.
01:02:32 system,error,critical login failure for user root from 112.103.94.202 via telnet
00:24:10 system,error,critical login failure for user admin from 40.118.145.212 via ssh
00:24:31 system,error,critical login failure for user root from 120.240.244.235 via ssh
00:27:49 echo: system,error,critical login failure for user admin from 103.102.230.5 via api
00:27:49 echo: system,error,critical login failure for user admin from 103.102.230.5 via api
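The log lines above are the signal that the router's management services are reachable from the Internet. As an added example (not from the original post), this Python script parses lines in that RouterOS log format and counts failures per source address and service, which is the check a defender runs before deciding what the input chain must block; the sample lines are constructed, with documentation-range addresses.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the RouterOS log format shown in the post
# (timestamp, topics, message); addresses are from documentation ranges.
SAMPLE_LOG = """\
01:02:32 system,error,critical login failure for user root from 198.51.100.7 via telnet
00:24:10 system,error,critical login failure for user admin from 203.0.113.9 via ssh
00:24:31 system,error,critical login failure for user root from 198.51.100.7 via ssh
00:27:49 echo: system,error,critical login failure for user admin from 192.0.2.44 via api
00:27:49 echo: system,error,critical login failure for user admin from 192.0.2.44 via api
00:30:02 system,info,account user admin logged in from 192.168.0.10 via winbox
"""

# "echo:" is the prefix RouterOS adds when a log line is echoed to a terminal session.
LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) (?:echo: )?(?P<topics>[\w,]+) "
    r"login failure for user (?P<user>\S+) from (?P<src>[\d.]+) via (?P<service>\w+)$"
)

def parse_login_failures(text):
    """Return one dict per 'login failure' line; other log lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events

def summarize(events, threshold=2):
    """Count failures per source IP and record which services and usernames
    each source tried. Sources at or above `threshold` are flagged."""
    per_src = Counter(e["src"] for e in events)
    services = defaultdict(set)
    users = defaultdict(set)
    for e in events:
        services[e["src"]].add(e["service"])
        users[e["src"]].add(e["user"])
    return {
        src: {"failures": n, "services": sorted(services[src]),
              "users": sorted(users[src]), "flag": n >= threshold}
        for src, n in per_src.items()
    }

if __name__ == "__main__":
    for src, info in summarize(parse_login_failures(SAMPLE_LOG)).items():
        print(src, info)
```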
Firewall Rules: Also ensure you have firewall rules that allow traffic on ports 80 and 443 to the internal IP of your instance, 192.168.0.202. Sometimes just the Firewall rules can prevent the access even if you configured the NAT rules properly.
Interface Lists: Ensure that you briefly verify that sfp-sfpplus1 interface is visible on your WAN side. If it is not the case, the specified NAT rules may not affect the incoming traffic in your network.
I have 0 (Zero) firewall rules. That means, that everything is open (allow). Right?
I understand that eventually I'll need to close / limit a few things, but I'm OK with having everything open while troubleshooting. Right?
Interface Lists
Does that mean this:
/interface list member print
# LIST INTERFACE
0 WAN sfp-sfpplus1
1 LAN bridge1
Depends, is your device connected directly to the internet and not behind an ISP router??
If public facing then,
YES to first question, NO to the second question.
Smart move, put back in default firewall rules, adjust them as necessary for needed traffic and then carry on with testing if connected to the network.
So, I’m NOT using ISP router.
I have the ATT Fiber line going to a WS-110 SFP+ module, which is inserted into the sfp-sfpplus1 port of the Mikrotik.
Internet works; I'm using it from my laptop, which is connected via Ethernet to sfp-sfpplus7.
Port forwarding doesn’t work.
Smart move, put back in default firewall rules, adjust them as necessary for needed traffic and then carry on with testing if connected to the network.
I do not have any firewall rules. Only firewall NAT rules.
From the above, I get the feeling that on the sfp you set an IP manually and you get an IP through DHCP. As there is no /ip route specified, it is probably dynamically set through DHCP as well.
Your router, or at least services like telnet and ssh, are publicly available, hence you are either in a DMZ or have a public IP.
What you should do:
Add firewall rules:
/ip firewall filter
add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=drop chain=input comment="drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=accept chain=forward comment="accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" ipsec-policy=out,ipsec
add action=drop chain=forward comment="drop all from WAN not DSTNATed" connection-nat-state=!dstnat in-interface-list=WAN
After that, we will continue. Hopefully you haven’t been compromised yet (any other users created)?
[Update] Aah, you have confirmed that your router is public facing…without firewall filter rules.
I added firewall rules, as suggested above, and port forwarding still doesn't work.
Tried a few other firewall settings; can't make port forwarding work.
Here is how I see connections on Firewall:
/ip firewall/connection print
Flags: S - SEEN-REPLY; A - ASSURED; C - CONFIRMED; F - FASTTRACK; s - SRCNAT; d - DSTNAT
Columns: PROTOCOL, SRC-ADDRESS, DST-ADDRESS, TCP-STATE, TIMEOUT, ORIG-RATE, REPL-RATE, ORIG-PACKETS, REPL-PACKETS, ORIG-BYTES, REPL-BYTES
# PROTOCOL SRC-ADDRESS DST-ADDRESS TCP-STATE TIMEOUT ORIG-RATE REPL-RATE ORIG-PACKETS REPL-PACKETS ORIG-BYTES REPL-BYTES
9 C d tcp 198.13.84.43:56620 104.63.172.143:443 established 4m6s 0bps 0bps 2 0 2 468 0
10 C d tcp 52.183.22.178:36372 104.63.172.143:443 established 4m25s 0bps 0bps 3 0 3 507 0
14 C d tcp 66.249.73.200:37708 104.63.172.143:443 established 4m 0bps 0bps 1 0 52 0
15 C d tcp 66.249.73.200:55028 104.63.172.143:443 established 4m53s 0bps 0bps 2 0 104 0
19 C d tcp 66.249.73.201:43451 104.63.172.143:443 established 4m36s 0bps 0bps 2 0 104 0
25 C d tcp 66.249.73.201:42575 104.63.172.143:443 established 4m36s 0bps 0bps 2 0 104 0
37 C d tcp 108.172.75.226:52364 104.63.172.143:443 established 4m20s 0bps 0bps 2 0 2 338 0
41 C d tcp 66.249.73.200:59266 104.63.172.143:443 established 4m53s 0bps 0bps 2 0 104 0
42 C d tcp 66.249.73.200:61300 104.63.172.143:443 established 4m53s 0bps 0bps 2 0 104 0
53 C d tcp 66.249.74.78:60332 104.63.172.143:443 last-ack 4s 0bps 0bps 8 0 416 0
70 C d tcp 3.142.54.202:39828 104.63.172.143:443 syn-sent 0s 0bps 0bps 4 0 240 0
71 C d tcp 57.141.7.22:52794 104.63.172.143:443 syn-sent 0s 0bps 0bps 4 0 240 0
72 C d tcp 3.142.54.202:6209 104.63.172.143:443 syn-sent 0s 0bps 0bps 4 0 240 0
73 C d tcp 57.141.7.6:53342 104.63.172.143:443 syn-sent 0s 0bps 0bps 4 0 240 0
74 C d tcp 57.141.7.27:34566 104.63.172.143:443 syn-sent 0s 0bps 0bps 4 0 240 0
75 C d tcp 3.219.81.66:46257 104.63.172.143:443 syn-sent 0s 0bps 0bps 4 0 240 0
76 C d tcp 54.85.7.119:13306 104.63.172.143:443 syn-sent 1s 0bps 0bps 4 0 240 0
77 C d tcp 216.244.66.247:35586 104.63.172.143:80 syn-sent 1s 0bps 0bps 4 0 240 0
78 C d tcp 57.141.7.3:40228 104.63.172.143:443 syn-sent 1s 0bps 0bps 4 0 240 0
79 C d tcp 57.141.7.28:41220 104.63.172.143:443 syn-sent 1s 0bps 0bps 4 0 240 0
80 C d tcp 184.73.195.18:56731 104.63.172.143:443 syn-sent 1s 0bps 0bps 4 0 240 0
81 C d tcp 57.141.7.1:35404 104.63.172.143:443 syn-sent 1s 0bps 0bps 4 0 240 0
82 C d tcp 57.141.7.15:37358 104.63.172.143:443 syn-sent 2s 0bps 0bps 4 0 240 0
83 C d tcp 57.141.7.25:49674 104.63.172.143:443 syn-sent 2s 0bps 0bps 4 0 240 0
84 C d tcp 57.141.7.16:38876 104.63.172.143:443 syn-sent 2s 0bps 0bps 4 0 240 0
85 C d tcp 54.221.203.24:5692 104.63.172.143:443 syn-sent 2s 0bps 0bps 4 0 240 0
86 C d tcp 57.141.7.19:53314 104.63.172.143:443 syn-sent 2s 0bps 0bps 4 0 240 0
87 C d tcp 54.147.182.90:54458 104.63.172.143:443 syn-sent 3s 480bps 0bps 4 0 240 0
88 C d tcp 57.141.7.23:54898 104.63.172.143:443 syn-sent 3s 480bps 0bps 4 0 240 0
...
So, I see that connections on port 80/443 are correctly getting DST-NATed, but they never get to the state "S - SEEN-REPLY; A - ASSURED".
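The observation above can be checked mechanically. As an added example (not part of the original thread), this Python script parses `/ip firewall connection print` output in the format shown and lists the DST-NATed entries that never reached SEEN-REPLY, grouped by destination port; the rows are constructed with documentation-range addresses.

```python
from collections import defaultdict

# Constructed sample in the layout of `/ip firewall connection print`:
# flags column, then PROTOCOL, SRC-ADDRESS, DST-ADDRESS (original, pre-NAT), TCP-STATE, ...
SAMPLE = """\
Flags: S - SEEN-REPLY; A - ASSURED; C - CONFIRMED; F - FASTTRACK; s - SRCNAT; d - DSTNAT
 # PROTOCOL SRC-ADDRESS DST-ADDRESS TCP-STATE TIMEOUT ORIG-RATE REPL-RATE ORIG-PACKETS REPL-PACKETS ORIG-BYTES REPL-BYTES
 9 C d tcp 198.51.100.43:56620 203.0.113.143:443 established 4m6s 0bps 0bps 2 0 2 468 0
70 C d tcp 198.51.100.54:39828 203.0.113.143:443 syn-sent 0s 0bps 0bps 4 0 240 0
77 C d tcp 198.51.100.66:35586 203.0.113.143:80 syn-sent 1s 0bps 0bps 4 0 240 0
12 S A C s tcp 192.168.0.10:51000 198.51.100.5:443 established 23h59m 0bps 0bps 10 9 1 200 3 400
"""
FLAGS = set("SACFsd")

def parse_connections(text):
    """Parse the numbered rows; the legend and header lines are skipped.
    Byte counters are not parsed because RouterOS prints them with
    space-separated thousands (e.g. '2 468'), which is ambiguous to split."""
    conns = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or not tok[0].isdigit():
            continue
        i, flags = 1, set()
        while i < len(tok) and len(tok[i]) == 1 and tok[i] in FLAGS:
            flags.add(tok[i])
            i += 1
        proto, src, dst = tok[i], tok[i + 1], tok[i + 2]
        state = tok[i + 3] if proto == "tcp" else ""
        conns.append({"id": int(tok[0]), "flags": flags, "proto": proto,
                      "src": src, "dst": dst, "state": state})
    return conns

def stuck_dstnat(conns):
    """DST-NATed entries without SEEN-REPLY: the translated SYN was forwarded
    but no answer came back through the router. Typical causes: the target
    host is not listening on that port, a forward-chain rule drops the flow,
    or the target's default gateway is not this router. Grouped by dst port."""
    by_port = defaultdict(list)
    for c in conns:
        if "d" in c["flags"] and "S" not in c["flags"]:
            by_port[c["dst"].rsplit(":", 1)[1]].append(c["id"])
    return dict(by_port)

if __name__ == "__main__":
    print(stuck_dstnat(parse_connections(SAMPLE)))
```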
How do you expect to port forward if you don't have a public IP address?
If you can access the upstream ISP device and from there forward a port, then it could be done.
Effectively assigning a private IP to sfp-sfpplus1
You also have this… and this is in conflict as you cannot use BOTH, so recommend you delete the IP address entry!!!
/ip dhcp-client
add interface=sfp-sfpplus1
2. Recommend minor change to firewall rules for better clarity and tighter security.
FROM the default rule:
add action=drop chain=forward comment="drop access to clients behind NAT from WAN" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
TO:
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
Hm,
I do have a public IP on sfp-sfpplus1, and it's coming from the ISP (ATT) via dhcp-client.
And I also have a private IP on sfp-sfpplus1; it is a static private IP for the SFP firmware.
Can it be the reason why port forwarding doesn’t work?
I’ll try to disable that 192.168.11.2 network on sfp-sfpplus1 and test.
A few websites, which I host on web servers in my LAN, get accessed from the Internet and from the LAN, too.
So, NAT loopback (hairpinning) is my next task, after I get port forwarding sorted out.
Why are you asking me which servers??
Ahhh so they are both to the same web server?
Why do you even make the unencrypted port 80 available??
In any case, the long-winded form:
add action=dst-nat chain=dstnat dst-port=80 in-interface-list=WAN protocol=tcp to-addresses=192.168.0.101 to-ports=80
add action=dst-nat chain=dstnat dst-port=443 in-interface-list=WAN protocol=tcp to-addresses=192.168.0.101 to-ports=443
Can be shortened to:
add action=dst-nat chain=dstnat dst-port=80,443 in-interface-list=WAN protocol=tcp to-addresses=192.168.0.101
Yes, get rid of the private IP address you have for sfp-sfpplus1, it's bogus!
In terms of hairpin nat.
Step One: I already showed you what the forward chain firewall rules should look like.
Step Two: Add a srcnat rule as the FIRST rule in the NAT chain:
add chain=srcnat action=masquerade src-address=192.168.0.0/24 dst-address=192.168.0.0/24
Step Three: We need to change the in-interface=WAN to something that is inclusive of incoming from both ends…
If this was a static WANIP then we simply use dst-address=WANIP.
However in the dynamic case, a real easy fix is the following.
/ip firewall address-list
add address=dyndnsURL list=MyWAN comment="the URL, dyndnsname or mynetname users use to reach the router