Mikrotik as a second router behind the main. Mapping problem

Hi.
I encountered a network with such a structure:

Internet --> Keenetik (main router) --> Mikrotik --> LocalNetwork

Keenetik Local IP: 192.168.1.1
Mikrotik eth1 IP: 192.168.1.103
eth2 IP: 192.168.88.1

LocalNetwork SubNet: 192.168.88.0

Mikrotik RouterOS 6.47.1

I reset the Mikrotik, so it has default settings.

Problem: I can’t map ports through the Mikrotik to the LocalNetwork, to 192.168.88.3 (LocalComp), where nginx is started (for a test).

  1. I mapped ports 80 & 8291 on Keenetik to the Mikrotik IP 192.168.1.103 - all works fine, I can connect to the Mikrotik from the Internet via WinBox
  2. I mapped ports on the Mikrotik with /ip firewall nat add chain=dstnat dst-port=80 action=dst-nat protocol=tcp to-address=192.168.88.3 to-port=80 - nothing works - I can’t open the web page on LocalMachine from the Internet

I thought it’s because I don’t need NAT but need to forward packets to the next node (192.168.88.3), or probably I need to add a rule to the input chain, as Keenetik sends packets to 192.168.1.103 (to the Mikrotik’s input).
I’ve turned off all drop rules in the firewall, then tried:
/ip firewall filter add chain=forward action=add-dst-to-address-list protocol=tcp dst-address=192.168.1.103 address-list=192.168.88.3 dst-port=80
It’s not working. With input it’s not working either.

Please give me a hint: which rules must I add to reach LocalComp from the Internet?

Thanks

Your dstnat rule is incomplete; the only two conditions are protocol=tcp dst-port=80. So if something in LocalNetwork tries to open some web page, it’s also a connection to tcp port 80 and will be forwarded to 192.168.88.3. So you need to add dst-address=192.168.1.103 as another condition.

As for forwarding to the internal server, with the default firewall and a dstnat rule it should just work. If not, you need to allow it through the firewall. A simple way for all forwarded ports is:

/ip firewall filter
add chain=forward connection-nat-state=dstnat action=accept

Another way, if you don’t want NAT on the Mikrotik: you can add a static route to its subnet (destination 192.168.88.0/24, gateway 192.168.1.103) and forward ports to 192.168.88.3 directly from the main router.
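
To see why the missing dst-address condition matters, here is a small Python model of dstnat matching, added as an illustration and not part of the original posts. The class, function names and sample packets are constructed for the example; it models only the three conditions discussed in the thread, not RouterOS itself.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str
    dst_port: int

@dataclass(frozen=True)
class DstNatRule:
    protocol: str
    dst_port: int
    to_address: str
    to_port: int
    dst_address: Optional[str] = None  # None: condition not set, any destination matches

    def matches(self, p: Packet) -> bool:
        return (p.protocol == self.protocol
                and p.dst_port == self.dst_port
                and self.dst_address in (None, p.dst))

def dstnat(rules, p):
    """Return the (address, port) a packet is sent to after the dstnat chain."""
    for r in rules:
        if r.matches(p):  # first matching rule rewrites the destination
            return (r.to_address, r.to_port)
    return (p.dst, p.dst_port)

# Rule as first posted: only protocol and dst-port are matched.
UNSCOPED = [DstNatRule("tcp", 80, "192.168.88.3", 80)]
# Same rule with the dst-address condition from the reply.
SCOPED = [DstNatRule("tcp", 80, "192.168.88.3", 80, dst_address="192.168.1.103")]

# Constructed sample traffic; 203.0.113.x / 198.51.100.x stand in for Internet hosts.
SAMPLES = {
    "inbound, forwarded by main router": Packet("203.0.113.7", "192.168.1.103", "tcp", 80),
    "LAN host browsing an outside site": Packet("192.168.88.10", "198.51.100.20", "tcp", 80),
    "LAN host to router's own port 80": Packet("192.168.88.10", "192.168.88.1", "tcp", 80),
    "LAN host using HTTPS": Packet("192.168.88.10", "198.51.100.20", "tcp", 443),
}

def compare():
    """Map each sample to (destination with UNSCOPED, destination with SCOPED)."""
    return {n: (dstnat(UNSCOPED, p), dstnat(SCOPED, p)) for n, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, (loose, strict) in compare().items():
        print(f"{name:36} unscoped -> {loose}   scoped -> {strict}")
```

With the unscoped rule, every port 80 connection from the LAN lands on 192.168.88.3, including connections meant for outside sites and for the router itself; the scoped rule rewrites only the traffic addressed to 192.168.1.103.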

Thanks Sob, I did the second one (route to 192.168.88.0) and, very strange, ping passes through (from the Keenetik) but packets to port 80 don’t.
I’ve tried this: chain=dstnat action=dst-nat to-addresses=192.168.88.3 to-ports=80 protocol=tcp dst-address=192.168.1.103 dst-port=80 log=no log-prefix="" - it doesn’t work.
Anyway, thank you

If you go with the second option, then there isn’t (shouldn’t be) any NAT: neither dstnat rules nor anything in the srcnat chain (src-nat/masquerade). But depending on your firewall filters, you may need to allow connections using:

/ip firewall filter
add chain=forward dst-address=192.168.88.3 protocol=tcp dst-port=80 action=accept

P.S. The problem wasn’t with the Mikrotik, it was with the Keenetik. I don’t know why, but it doesn’t work with port 80; it works only with a mapping that is not 80 → 80.

Thank you)