NAT, DST-NAT, Port-Forwarding problems

Hello,

First of all, thanks to everyone for helping each other. I am new to this, and I have already read a lot about NAT, hairpin NAT and so on.

In my configuration there is something special, I think, and I am not sure where my mistake is.
[attached image: routeros.jpg]
I want to forward some ports through NAT; in my example I want to reach port 80 on 192.168.5.70, which is behind the Routerboard in my private LAN.

My cable modem is connected to my ISP in front (!) of the Routerboard.
The cable modem has a dynamic public IP address in my ISP's network.
Inside the cable modem, there are two NAT rules configured towards the Routerboard on ETHER1, meaning:
The cable modem has 192.168.0.1, the Routerboard has 192.168.0.10 on ETHER1, so in the example I forward port 80 from the cable modem to 192.168.0.10:80.
This seems to work, because I can sniff the packet on RouterOS.

On Ether2 of the Routerboard my private LAN is connected. I use 192.168.5.0/24, so the default gateway here is 192.168.5.1.

1 chain=srcnat action=masquerade out-interface=Ether1 log=no

2 chain=dstnat action=dst-nat to-addresses=192.168.5.70 to-ports=80 protocol=tcp dst-address=192.168.0.10 in-interface=ether1 dst-port=80 log=yes

Normally this should work, but I think the traffic "hangs" somewhere between the Routerboard and the cable modem, so I cannot access this port from outside (the public Internet).
I think I need a route or a srcnat chain back to the cable modem, but I have no idea how to set this up.

Thanks for any help
Best,
Ronny

Some additional information:

I added logging to my forward rule, and I can see that the packet seems to arrive at the Routerboard:

19:05:09 firewall,info dstnat: in:ether1 out:(none), src-mac 68:b6:fc:d6:bc:02, proto TCP (SYN), 1.2.3.4:59866->192.168.0.10:80, len 48
19:05:27 firewall,info dstnat: in:ether1 out:(none), src-mac 68:b6:fc:d6:bc:02, proto TCP (SYN), 1.2.3.4:59866->192.168.0.10:80, len 48
19:05:56 firewall,info dstnat: in:ether1 out:(none), src-mac 68:b6:fc:d6:bc:02, proto TCP (SYN), 1.2.3.4:59913->192.168.0.10:80, len 48
19:06:14 firewall,info dstnat: in:ether1 out:(none), src-mac 68:b6:fc:d6:bc:02, proto TCP (SYN), 1.2.3.4:59913->192.168.0.10:80, len 48

1.2.3.4 is the public IP from the ISP at another endpoint. This means the flow is OK inbound, but outbound there seems to be a hang.

The full list of my ruleset is here:

for NAT:

0 chain=srcnat action=masquerade out-interface=VPN log=no
1 ;;; defconf: masquerade
chain=srcnat action=masquerade out-interface=ether1
2 chain=dstnat action=dst-nat to-addresses=192.168.5.70 to-ports=80 protocol=tcp dst-address=192.168.0.10 in-interface=ether1 dst-port=80 log=yes

For everything else (the defaults in 6.38):

0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough

1 ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp

2 ;;; defconf: accept established,related
chain=input action=accept connection-state=established,related

3 ;;; defconf: drop all from WAN
chain=input action=drop in-interface=ether1 log=no

4 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection connection-state=established,related

5 ;;; defconf: accept established,related
chain=forward action=accept connection-state=established,related

6 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid

7 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=ether1

Have you disabled Webfig or at least changed it to another port?

You're doing well so far, just continue with that. SYN packets arriving at your router mean that port forwarding on the modem is OK. The dstnat rule on your router looks OK too. You can add another logging rule to postrouting (or instead of logging rules, you can use Tools->Torch) and see if those SYN packets pass through the router to the LAN. If they do, the next step is your internal server: make sure it accepts connections to port 80 from anywhere. If it does, it sends a reply back, which must come to your router on the LAN interface (you can catch it with src-address=192.168.5.70 src-port=80), pass through and go out via ether1 (WAN). The list of steps is really simple, it should be easy to find out where it fails.

@2frogs: It’s not needed. If there’s service on router using the same port, dstnat catches and redirects the packet before it can reach the service.

I already tried another port (now using 90 incoming to 80 as destination), same result.
I can telnet to 192.168.5.70 from the Routerboard, so I think/hope it should work.
Also, I think it works with all IP networks, because in the past I had an EdgeRouter from UBNT and it did work.

Is it maybe a problem with src nat (masquerade)?

I added this rule

chain=forward action=accept src-address=192.168.5.70 log=yes

which I wanted to use to check whether the internal server sends something back. No result in the logs either.

It’s clear what should happen, so you can capture all steps by these rules:

/ip firewall nat
add action=dst-nat chain=dstnat dst-address=192.168.0.10 dst-port=80 log=yes log-prefix=2
    protocol=tcp to-addresses=192.168.50.70
/ip firewall mangle
add action=log chain=prerouting dst-address=192.168.0.10 dst-port=80 log-prefix=1 protocol=tcp
add action=log chain=postrouting dst-address=192.168.50.70 dst-port=80 log-prefix=4 protocol=tcp
add action=log chain=prerouting log-prefix=5 protocol=tcp src-address=192.168.50.70 src-port=80
add action=log chain=postrouting log-prefix=7 protocol=tcp src-address=192.168.50.70 src-port=80
/ip firewall filter
add action=log chain=forward dst-address=192.168.50.70 dst-port=80 log-prefix=3 protocol=tcp
add action=log chain=forward log-prefix=6 protocol=tcp src-address=192.168.50.70 src-port=80

And if you connect from outside, you should see them all in the right order:

14:10:25 firewall,info 1 prerouting: in:ether1 out:(none), src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN), 1.2.3.4:63958->192.168.0.10:80, len 44 
14:10:25 firewall,info 2 dstnat: in:ether1 out:(none), src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN), 1.2.3.4:63958->192.168.0.10:80, len 44 
14:10:25 firewall,info 3 forward: in:ether1 out:<LAN>, src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN), 1.2.3.4:63958->192.168.50.70:80, NAT 1.2.3.4:63958->(192.168.0.10:80->192.168.50.70:80), len 44 
14:10:25 firewall,info 4 postrouting: in:(none) out:<LAN>, src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN), 1.2.3.4:63958->192.168.50.70:80, NAT 1.2.3.4:63958->(192.168.0.10:80->192.168.50.70:80), len 44 
14:10:25 firewall,info 5 prerouting: in:<LAN> out:(none), src-mac yy:yy:yy:yy:yy:yy, proto TCP (SYN,ACK), 192.168.50.70:80->1.2.3.4:63958, NAT (192.168.50.70:80->192.168.0.10:80)->1.2.3.4:63958, len 44 
14:10:25 firewall,info 6 forward: in:<LAN> out:ether1, src-mac yy:yy:yy:yy:yy:yy, proto TCP (SYN,ACK), 192.168.50.70:80->1.2.3.4:63958, NAT (192.168.50.70:80->192.168.0.10:80)->1.2.3.4:63958, len 44 
14:10:25 firewall,info 7 postrouting: in:(none) out:ether1, src-mac yy:yy:yy:yy:yy:yy, proto TCP (SYN,ACK), 192.168.50.70:80->1.2.3.4:63958, NAT (192.168.50.70:80->192.168.0.10:80)->1.2.3.4:63958, len 44

Based on the posted config, you should get at least to #4, which means that the packet successfully passed through the router and was sent to the server. If you don't see #5 with proper SYN,ACK flags, it means that either the server does not accept the connection or it has wrong routing (e.g. a default gateway other than 192.168.5.1).
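As an added example (not code from the thread, and not a MikroTik tool), here is a small Python script that automates the check the two replies above describe: it reads RouterOS firewall log lines in the format shown above, groups them per client connection, finds the last of the seven capture points each connection reached in order, and prints the diagnosis the reply spells out for each gap. It also flags the case hinted at above: a reply at point 5 that is not a SYN,ACK (a RST means the server is reachable and routes back through the router, but nothing listens on the port). The embedded log lines are constructed, not copied from a real device; they use the thread's addresses 192.168.0.10 and 192.168.5.70, and the LAN interface name ether2 and the MAC addresses are assumptions.

```python
import re
from collections import defaultdict

# Matches the RouterOS firewall log format shown in the thread. The numeric
# log-prefix (1..7) marks the capture point; the "NAT ..." part is optional.
LOG_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) firewall,info (?P<stage>\d) (?P<chain>\w+): "
    r"in:(?P<in>\S+) out:(?P<out>\S+), src-mac (?P<mac>[^,]+), "
    r"proto (?P<proto>\w+) \((?P<flags>[^)]*)\), "
    r"(?P<src>[\d.]+:\d+)->(?P<dst>[\d.]+:\d+)"
    r"(?:, NAT (?P<nat>.*?))?, len (?P<len>\d+)\s*$"
)

# Chain each capture point is expected to be logged from (see the rules above).
EXPECTED_CHAIN = {1: "prerouting", 2: "dstnat", 3: "forward", 4: "postrouting",
                  5: "prerouting", 6: "forward", 7: "postrouting"}

# Verdict when the trace stops after stage N (0 = nothing logged at all).
DIAGNOSIS = {
    0: "no SYN reached ether1: check the port forward on the modem in front of the router",
    1: "SYN seen in prerouting but the dst-nat rule did not match: check dst-address, dst-port and in-interface",
    2: "dst-nat applied but the packet was dropped in the forward chain before the log rule",
    3: "forwarded but never reached postrouting: check the route to the server's subnet",
    4: "SYN delivered to the server, no reply: nothing listening, a host firewall, or the server's default gateway is not this router",
    5: "reply came back on the LAN side but was dropped in the forward chain (e.g. as invalid)",
    6: "reply forwarded but never reached postrouting on ether1",
    7: "full round trip through the router is fine: if the client still fails, look at the modem or beyond it",
}


def parse_line(line):
    """Parse one log line into a dict, or return None for lines in another format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["stage"] = int(rec["stage"])
    return rec


def trace_flows(lines):
    """Group records by the external client endpoint (src on the way in, dst on the way back)."""
    flows = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        client = rec["src"] if rec["stage"] <= 4 else rec["dst"]
        flows[client].append(rec)
    for recs in flows.values():
        recs.sort(key=lambda r: r["stage"])
    return flows


def diagnose(records):
    """Return (last contiguous stage reached, verdict) for one client's records."""
    stages = {r["stage"]: r for r in records}
    last = 0
    for s in range(1, 8):
        rec = stages.get(s)
        if rec is None:
            break
        if rec["chain"] != EXPECTED_CHAIN[s]:
            return last, f"stage {s} logged from chain {rec['chain']!r}, expected {EXPECTED_CHAIN[s]!r}: log-prefix and chain disagree"
        last = s
    # The reply's key check: point 5 must carry SYN,ACK. A RST means the host answered
    # through the right gateway but refused the connection (nothing listening on the port).
    if last >= 5 and stages[5]["flags"] != "SYN,ACK":
        return last, f"reply seen but with flags {stages[5]['flags']!r}, not SYN,ACK: the server refused the connection"
    return last, DIAGNOSIS[last]


def report(log_text):
    """Map each client endpoint to its (last_stage, verdict)."""
    return {client: diagnose(recs) for client, recs in trace_flows(log_text.splitlines()).items()}


# Constructed sample: a complete, working trace (all seven points, SYN,ACK coming back).
WORKING_LOG = """\
19:10:25 firewall,info 1 prerouting: in:ether1 out:(none), src-mac 68:b6:fc:d6:bc:02, proto TCP (SYN), 1.2.3.4:60001->192.168.0.10:80, len 44
19:10:25 firewall,info 2 dstnat: in:ether1 out:(none), src-mac 68:b6:fc:d6:bc:02, proto TCP (SYN), 1.2.3.4:60001->192.168.0.10:80, len 44
19:10:25 firewall,info 3 forward: in:ether1 out:ether2, src-mac 68:b6:fc:d6:bc:02, proto TCP (SYN), 1.2.3.4:60001->192.168.5.70:80, NAT 1.2.3.4:60001->(192.168.0.10:80->192.168.5.70:80), len 44
19:10:25 firewall,info 4 postrouting: in:(none) out:ether2, src-mac 68:b6:fc:d6:bc:02, proto TCP (SYN), 1.2.3.4:60001->192.168.5.70:80, NAT 1.2.3.4:60001->(192.168.0.10:80->192.168.5.70:80), len 44
19:10:25 firewall,info 5 prerouting: in:ether2 out:(none), src-mac 00:11:22:33:44:55, proto TCP (SYN,ACK), 192.168.5.70:80->1.2.3.4:60001, NAT (192.168.5.70:80->192.168.0.10:80)->1.2.3.4:60001, len 44
19:10:25 firewall,info 6 forward: in:ether2 out:ether1, src-mac 00:11:22:33:44:55, proto TCP (SYN,ACK), 192.168.5.70:80->1.2.3.4:60001, NAT (192.168.5.70:80->192.168.0.10:80)->1.2.3.4:60001, len 44
19:10:25 firewall,info 7 postrouting: in:(none) out:ether1, src-mac 00:11:22:33:44:55, proto TCP (SYN,ACK), 192.168.5.70:80->1.2.3.4:60001, NAT (192.168.5.70:80->192.168.0.10:80)->1.2.3.4:60001, len 44
"""
# Constructed sample mirroring the original poster's situation: points 1-4 only, no reply.
FAILING_LOG = "\n".join(WORKING_LOG.splitlines()[:4]).replace(":60001", ":59866")
# Constructed sample: the server answers, but with a RST instead of a SYN,ACK.
REFUSED_LOG = WORKING_LOG.replace("(SYN,ACK)", "(RST,ACK)").replace(":60001", ":60002")

if __name__ == "__main__":
    for name, log in (("working", WORKING_LOG), ("failing", FAILING_LOG), ("refused", REFUSED_LOG)):
        for client, (last, verdict) in report(log).items():
            print(f"{name}: {client} reached point {last}: {verdict}")
```

Feed it the output of `/log print` (or a syslog export) after adding the seven logging rules; only lines carrying a numeric log-prefix are parsed, so the existing `log=yes` on the dstnat rule without a prefix is ignored. The "last stage" is the last contiguous point, so a missing point in the middle stops the trace there, which is exactly what you want when hunting for the rule that eats the packet.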

Sometimes I wish I had learnt something more intelligent than being an admin.

You're absolutely right. The routing on the other server is wrong. I tried with another QNAP box and, yeah, it works. F*** - I spent so much time on that issue.

Thanks to everyone who has helped me.