Issue with dst-nat

Hello,

I have an rb110ahx2, RouterOS ver. 6.30.4.
I'm trying to forward ports 80 and 25 to a host inside the LAN. Every time I try to reach it (port 80, for example) I see SYN_RECV on the host behind NAT, but nothing else. I even added a forward rule with dst-port 80 and 25.
NAT:
0 chain=dstnat action=netmap to-addresses=192.168.0.11 to-ports=80 protocol=tcp dst-address=X.X.X.X dst-port=80 log=yes log-prefix="WWW"

1 chain=dstnat action=netmap to-addresses=192.168.0.11 to-ports=25 protocol=tcp dst-address=X.X.X.X dst-port=25 log=yes log-prefix="SMTP"

2 chain=srcnat action=masquerade out-interface=ISP log=no log-prefix=""

In IP/Settings I enabled TCP SynCookies.

Any thoughts? Please help.

I changed
chain=srcnat action=masquerade out-interface=ISP log=no log-prefix=""
to
chain=srcnat action=src-nat to-addresses=X.X.X.X
X.X.X.X is the static IP provided by my ISP.

On the host machine behind NAT I can easily reach any internet address (the default gateway is the MikroTik's IP).
I have no forward rule blocking port 80, only one blocking invalid traffic.
Please help. It's driving me crazy…

I think you should be using action=dst-nat instead of netmap.
Make sure you're not dropping, or are explicitly forwarding, connection-nat-state=dstnat in your filter's forward chain.

I tried dst-nat instead of netmap, same result.
I checked for connection-nat-state=dstnat, but didn't find one in my rules; everything is clear.
I tried to open port 21 the same way, but the FTP server tells me clearly: "couldn't send reply, disconnected."
Any thoughts? If the ISP were blocking the port, I wouldn't even see that message, right?

Do you have forward rules accepting traffic for those ports between WAN and LAN and back?

Yeah, I have forwarding rules WAN->LAN and LAN->WAN, but still nothing happens. I see something is going through based on the counters, torch and on the host (tcpdump), but I get only the "syn_recv" state and no "established". I already called my ISP; maybe they're blocking, but it'd be strange, as I'd have nothing in the counters and no "syn_recv" on the host and router.

I fixed the issue; the ISP was blocking almost all common ports. But now I can't dst-nat ports 443 and 25, while at the same time port 80 is working well.

Fixed that as well, by creating a forward rule, although dst-nat for port 80 didn't need that rule.

If you put a single accept of connection-nat-state=dstnat in your filter's forward chain, you won't have to duplicate every dstnat port in the filter section.
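For reference, here is the configuration the thread converges on (plain dst-nat rules instead of netmap, plus a single forward-chain accept for connection-nat-state=dstnat, as suggested in the two replies above), written out as RouterOS 6 CLI. This is an added example, not config from any poster. It assumes the WAN interface is named ISP, the LAN host is 192.168.0.11, and the ISP-assigned static address is the same X.X.X.X placeholder the poster used; the verification commands at the end are standard RouterOS commands but the filter expressions are illustrative.

```routeros
# Added example (not from the thread). Assumptions: WAN interface "ISP",
# public static address X.X.X.X, LAN host 192.168.0.11.

/ip firewall nat
# Port forwards: action=dst-nat rather than netmap. netmap is meant for
# 1:1 mapping of whole networks; dst-nat is the normal single-port forward.
add chain=dstnat action=dst-nat protocol=tcp dst-address=X.X.X.X dst-port=80 \
    to-addresses=192.168.0.11 to-ports=80 comment="WWW"
add chain=dstnat action=dst-nat protocol=tcp dst-address=X.X.X.X dst-port=443 \
    to-addresses=192.168.0.11 to-ports=443 comment="HTTPS"
add chain=dstnat action=dst-nat protocol=tcp dst-address=X.X.X.X dst-port=25 \
    to-addresses=192.168.0.11 to-ports=25 comment="SMTP"
# Outbound NAT for the LAN. Either masquerade or src-nat to the static
# address works; with a fixed address src-nat avoids the masquerade
# connection-flush behaviour when the WAN interface flaps.
add chain=srcnat action=src-nat out-interface=ISP to-addresses=X.X.X.X

/ip firewall filter
# forward chain, in order. dst-nat is applied before the filter forward
# chain, so the first packet of a forwarded connection already carries
# connection-nat-state=dstnat when it is matched here.
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
# One rule covers every current and future port forward; no per-port
# filter rule (the thread's "forward rule with dst port 80 and 25") needed.
add chain=forward action=accept connection-nat-state=dstnat in-interface=ISP \
    comment="accept anything that matched a dstnat rule"
# Everything else that is new and comes from the WAN is dropped, so the
# dstnat rules (not the filter) decide what is reachable from outside.
add chain=forward action=drop connection-state=new in-interface=ISP \
    comment="drop other new connections from WAN"

# Verification. A successful forward shows as an established tracked
# connection with reply-dst-address set to the public IP; a connection that
# only ever shows syn-sent / syn-received here, while the LAN host sees
# SYN_RECV, means the SYN reached the host but the SYN-ACK never left the
# router (filter drop or, as in the thread, an upstream block).
/ip firewall nat print stats where chain=dstnat
/ip firewall connection print where dst-address~"192.168.0.11:80"
/tool torch interface=ISP port=80
```

If a forward for one port works and another does not while the rules are identical apart from the port number, the difference is almost never on the router: compare the dstnat rule counters with `/ip firewall nat print stats`; a rule whose counter increments while the LAN host stays in SYN_RECV points at the return path or at upstream filtering, as the poster eventually found with the ISP.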