I can't open ports

skylack · June 20, 2020, 6:03am

I get a / 29 from my ISP, in a CCR and I deliver a public ip via static route and loopback interface for a 3011, but I can’t seem to open any port, they just won’t open, and I can’t find the error , I will leave the code and thank you very much anyone who can help me

CCR configuration:

/ip route print
/ip route print
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          201.xxx.xxx.89              1
 1  DC  192.168.2.0/24     192.168.2.1     ether5                  255
 2 ADC  192.168.20.0/30    192.168.20.1    ether1                    0
 3 ADC  201.xxx.xxx.88/29    201.xxx.xxx.90    sfp-sfpplus1              0
 4 A S  201.xxx.xxx.93/32                    192.168.20.2              1
 
/ip address print
 #   ADDRESS            NETWORK         INTERFACE                                
 0   192.168.2.1/24     192.168.2.0     ether5                                               
 1   201.xxx.xxx.90/29    201.xxx.xxx.88    sfp-sfpplus1                             
 2   192.168.20.1/30    192.168.20.0    ether1
 
  /ip firewall nat print
 0    chain=srcnat action=masquerade src-address=!201.xxx.xxx.88/29 
      out-interface=sfp-sfpplus1 log=no log-prefix=""

3011 Configuration:

/ip address print
 #   ADDRESS            NETWORK         INTERFACE                                              
 0   192.168.20.2/30    192.168.20.0    ether1                                                 
 1   201.xxx.xxx.93/32    201.xxx.xxx.93    LoopBack                                                                                         
 2  192.168.2.1/24     192.168.2.0     ether5                                                 
 3   10.100.0.5/24      10.100.0.0      ether7 
 
 /ip route print
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0          201.xxx.xxx.93    192.168.20.1              1
 1 ADC  10.100.0.0/24      10.100.0.5      ether7                    0
 2 ADC  192.168.2.0/24     192.168.2.1     ether5                    0
 3 ADC  192.168.20.0/30    192.168.20.2    ether1                    0
 4 ADC  201.xxx.xxx.93/32    201.xxx.xxx.93    LoopBack                  0 

/ip firewall nat print
 0    chain=srcnat action=src-nat to-addresses=201.xxx.xxx.93 out-interface=ether1 log=no 
      log-prefix="" 

 1    ;;; SmartOLT
      chain=dstnat action=dst-nat to-addresses=10.100.0.2 to-ports=23 protocol=tcp 
      src-address-list=SmartOLT dst-port=2333 log=no log-prefix="" 

 2    ;;; SmartOLT
      chain=dstnat action=dst-nat to-addresses=10.100.0.2 to-ports=22 protocol=tcp 
      src-address-list=SmartOLT dst-port=2322 log=no log-prefix="" 

 3    ;;; SmartOLT
      chain=dstnat action=dst-nat to-addresses=10.100.0.2 to-ports=161 protocol=udp 
      src-address-list=SmartOLT dst-port=2161 log=no log-prefix="" 

 4    ;;; SmartOLT
      chain=srcnat action=masquerade dst-address-list=SmartOLT log=no log-prefix=""

thanks in advance

mutluit · June 20, 2020, 3:54pm

For easy understanding you better should make a drawing of your network.

Since you seem to be using 2 routers, then it could be that you have a “Double NAT Problem”.
On which of the routers do you have NAT enabled? You should have NAT enabled only on the WAN router, and disable it on all other devices (routers, switches).

One usually diagnoses such errors by reducing the problem to the smallest possible setup. Ie. by plugging off all irrelevant devices.
Start small, then step by step extend it.

skylack · June 24, 2020, 4:55pm

Thanks for the answer.
Masquerade, as you can see from the rules, I only have RB1, RB2 is doing srcnat for srcnat.
I’ve tried everything and I can’t open any ports.

Sob · June 24, 2020, 7:31pm

You mean that dstnat rules on RB3011 don’t work? And does the IP address 201.xxx.xxx.93 work at all? Can you e.g. ping it from internet (not just from CCR)? You posted only small part of config, so nobody knows what you have elsewhere, but if you route it like this, you need proxy ARP, either on interface, or for individual addresses like this:

/ip arp
add address=201.xxx.xxx.93 interface=sfp-sfpplus1 published=yes

skylack · June 25, 2020, 3:05am

This, the internet works, and if I look at my ip it is showing the correct .93 and not .90, I also have the arp proxy directly on the sfp-sfpplus1 interface, but dstnat rules on RB3011, do not work

I posted these settings, because I thought it would be necessary, but if you need some print from another session just tell me which one