Inbound traffic for private network

My setup is

private network system(192.168.2.4) <—(LAN)—>(192.168.2.1)Mikrotik (123.201.xxx.xxx)<—(WAN)—> Internet

123.201.xxx.xxx is a public IP but not a static IP; if I disconnect and reconnect the internet, the IP will have changed.

There is a NAT rule to allow outbound traffic:

srcnat LAN private IP's traffic to be masquerade 
chain=srcnat action=masquerade to-addresses=123.201.xxx.xxx src-address=192.168.2.0/24 out-interface=pppoe-out2

Now I can access the internet from my private system. What I want now is an inbound rule for the private system. I am trying to do RDP from my home system to my office system with a dst-nat rule in the MikroTik router as

 port mapping from 100 to 4's 3389
chain=dstnat action=dst-nat to-addresses=192.168.2.4 to-ports=3389 protocol=tcp dst-address=123.201.xxx.xxx dst-port=100

Here I am trying to do port mapping. On my home system I use 123.201.xxx.xxx:100 in RDP to connect to my office system, but this rule is not working.

add action=dst-nat chain=dstnat comment="Remote SSH Access" dst-port=22 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.0.164 to-ports=22

Here is an example DST NAT with a dynamic IP. See, instead of using the packet's IP, I read which port the packet comes in on.

I have added this rule in NAT:

chain=dstnat action=dst-nat to-addresses=192.168.2.4 to-ports=3389 protocol=tcp in-interface=ether1-Input dst-port=100

and am trying to access from my home system as 123.201.xxx.xxx:100 in RDP, but it is not working.

Have you got an allow in your firewall on both your computer and the MikroTik? Try turning Windows Firewall and any other firewalls off, and disable the rules in the MikroTik firewall.

I tried disabling all firewall rules in the MikroTik router and have disabled the firewall on the home Windows system; still no luck.

Are you behind an ISP-based NAT, or do you have a modem performing NAT duties?

As the given image shows, I can say the NAT rule is working, but partially. The highlighted line in the image is

Src. Dst.
192.168.2.4:3389(ms-wbt-server) 27.34.253.98:52246

That line appears when I try to initiate RDP from my home system. So from my home system (27.34.253.98) I can access the office system (192.168.2.4), but not completely. What would be the problem?

I have a MikroTik router performing the NAT rule. I configured it myself.

Can you please post your NAT and firewall export?

Did you disable the firewall on the system that you are connecting to?

I have disabled Windows Firewall. These are the rules I have in the MikroTik router:

>  ip address print
 #   ADDRESS            NETWORK         INTERFACE
 1   192.168.2.1/24     192.168.2.0      ether2                         
 2 D 106.51.150.148/32  106.51.128.1    pppoe-out2


> ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic 

 0   ;;; srcnat LAN private IP's traffic to be masquerade
     chain=srcnat action=masquerade to-addresses=106.51.187.89 src-address=192.168.2.0/24 out-interface=pppoe-out2 

 1   ;;; port mapping from 100 to 4's 3389
     chain=dstnat action=dst-nat to-addresses=192.168.2.4 to-ports=3389 protocol=tcp in-interface=pppoe-out2 dst-port=3389 

> interface print
Flags: D - dynamic, X - disabled, R - running, S - slave 
 #     NAME                              TYPE               MTU L2MTU  MAX-L2MTU
 0  R  ether1-Input                      ether             1500  1598       4074
 1  R  ether2                            ether             1500  1598       4074
 2  R  pppoe-out2                        pppoe-out         1480

/interface pppoe-client> print
Flags: X - disabled, R - running 
 0  R name="pppoe-out2" max-mtu=1480 max-mru=1480 mrru=disabled interface=ether1-Input user="username" password="password" profile=default service-name="" ac-name="" add-default-route=yes dial-on-demand=no use-peer-dns=yes allow=pap,chap,mschap1,mschap2

Problem solved. The office system's Windows Firewall was turned on; my bad, I didn't think of it that way. I turned off Windows Firewall on the office system and then I got port forwarding to work.

Yes, it is always the firewall on the machine that you are connecting to and not the computers doing the connecting. Turn the office firewall back on and add an accept rule for RDP traffic.

;;; srcnat LAN private IP’s traffic to be masquerade
chain=srcnat action=masquerade to-addresses=106.51.187.89 src-address=192.168.2.0/24 out-interface=pppoe-out2

You should remove the to and src address as they are not required and may be causing problems when your IP changes.
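
The NAT changes suggested across this thread, collected into one RouterOS sketch as an added example (it is not any poster's configuration). The interface name, LAN host and ports come from the thread; the `rdp-allowed` address list and the 203.0.113.10 client address are assumptions added here to limit who can reach the forwarded port.

```routeros
# Added example, not taken from any post in the thread.
# pppoe-out2, 192.168.2.4 and ports 100/3389 are from the thread.
# 203.0.113.10 and the list name "rdp-allowed" are constructed placeholders.

# Before (as posted): masquerade pinned to the address the PPPoE link held
# when the rule was written, which goes stale after every reconnect.
#   chain=srcnat action=masquerade to-addresses=106.51.187.89 \
#       src-address=192.168.2.0/24 out-interface=pppoe-out2
#
# After: masquerade always uses whatever address pppoe-out2 currently has.
/ip firewall nat add chain=srcnat action=masquerade out-interface=pppoe-out2 \
    comment="masquerade LAN traffic leaving via PPPoE"

# Sources permitted to reach the forwarded RDP port (assumption: the remote
# client has a known address; replace the placeholder with the real one).
/ip firewall address-list add list=rdp-allowed address=203.0.113.10 \
    comment="remote RDP client (placeholder)"

# Match on the WAN interface instead of dst-address, so the rule survives
# a change of public IP. External tcp/100 is mapped to RDP on the office host.
/ip firewall nat add chain=dstnat action=dst-nat protocol=tcp \
    in-interface=pppoe-out2 dst-port=100 src-address-list=rdp-allowed \
    to-addresses=192.168.2.4 to-ports=3389 \
    comment="WAN tcp/100 -> 192.168.2.4:3389 (RDP)"

# Show per-rule packet and byte counters. If the dst-nat counters increase
# during a connection attempt but the session still fails, the router is
# forwarding and the block is on the destination host's own firewall.
/ip firewall nat print stats
```

With the router side confirmed by the counters, the office system's Windows Firewall stays enabled and gets an inbound allow rule for TCP 3389, as the reply above advises.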