Hi All,
I’m going insane with this... I’ve been trying to get this going for the last 4 hours to no avail. It should be a simple port forward, but the technogods are not smiling upon me tonight...
The situation is that I’m trying to grant access to my QNAP NAS Surveillance Station from the internet. I already have multiple dst-nats in use and they are working just fine... except this one, and I have no idea why!
I can see that the packet counter on the NAT rule goes up when I try to access it from the 'Net, but not the Firewall packet counter..
Some Details:
RouterOS 6.24
LAN Subnet is 10.0.0.0/16
Single WAN Address
QNAP is set to listen on 80, MT set to listen on 32350, port translation happens on the NAT rule..
Traffic type is SSL HTTP..
The “PLEX” rule works; the “Camera Traffic” entries are the ones I’m having issues with, which I can’t understand, as I just copied the PLEX rule and renamed everything. (As I type this, I’m wondering if it could be a QNAP issue?)
The application used for monitoring works when on the local network, or if over VPN.
Firewall Filters:
/ip firewall filter
add action=drop chain=input comment="Drop Invalid Connections" connection-state=invalid
add action=jump chain=input comment="Jump for ICMP Input Flow" jump-target=ICMP protocol=icmp
add chain=input comment="Allow Established Connections" connection-state=established
add chain=input comment="Allow Related Connections" connection-state=related
add action=drop chain=input comment="Dropping Port Scanners" in-interface=WAN src-address-list="Port Scanners"
add action=drop chain=input comment="Drop SSH Bruteforcers" dst-port=22 in-interface=WAN protocol=tcp src-address-list=ssh_blacklist
add action=drop chain=input comment="Drop FTP on WAN" dst-port=21 in-interface=WAN protocol=tcp
add action=tarpit chain=input comment="Supress DoS Attack" connection-limit=3,32 in-interface=WAN protocol=tcp src-address-list=black_list
add action=add-src-to-address-list address-list=black_list address-list-timeout=1d chain=input comment="Detect DoS Attack" connection-limit=10,32 in-interface=WAN protocol=tcp
add action=add-src-to-address-list address-list=black_list address-list-timeout=1d chain=input comment="Protect Against DoS Attack" connection-limit=50,32 in-interface=WAN protocol=tcp
add action=add-src-to-address-list address-list=trying_to_login address-list-timeout=1d chain=input comment="List IP's Who Try Remote Login" dst-port=20-23 protocol=tcp
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=6w chain=input comment="Add to SSH Bruteforce Blacklist" connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1h chain=input comment="Add to SSH Bruteforce Stage 3" connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1h chain=input comment="Add to SSH Bruteforce Stage 2" connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1h chain=input comment="Add to SSH Bruteforce Stage 1" connection-state=new dst-port=22 protocol=tcp
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=6w chain=input comment="Port Scanners to List " protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=6w chain=input comment="NMAP FIN Stealth Scan" protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=6w chain=input comment="SYN/FIN Scan" protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=6w chain=input comment="SYN/RST Scan" protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=6w chain=input comment="FIN/PSH/URG Scan" protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add chain=input comment="Allow SSH" disabled=yes dst-port=22 in-interface=WAN protocol=tcp
add chain=input comment="Accept VPN GRE" in-interface=WAN protocol=gre
add chain=input comment="Accept VPN" dst-port=1723 in-interface=WAN protocol=tcp
add chain=input comment="Acccept LAN" src-address=10.0.0.0/16
add action=drop chain=input comment="Drop Everything Else"
add chain=output comment="Section Break" disabled=yes
add action=drop chain=forward comment="Drop Invalid Connections" connection-state=invalid
add action=drop chain=output comment="Drop outgoing from connectivity test on 4G" dst-address=208.67.222.222 out-interface=!WAN
add chain=forward comment="Allow Already Established Connections" connection-state=established
add chain=forward comment="Allow Related Connections" connection-state=related
add action=jump chain=forward comment="Jump for ICMP Forward Flow" jump-target=ICMP protocol=icmp
add chain=forward comment="Accept LAN" in-interface=LAN src-address=10.0.0.0/16
add chain=forward comment="Accept VPN" in-interface=all-ppp src-address=192.168.5.0/24
add chain=forward comment="Accept SMTP" dst-port=25 protocol=tcp
add chain=forward comment="Accept Camera Traffic" dst-port=32350 in-interface=WAN protocol=tcp
add chain=forward comment=PLEX dst-port=32400 in-interface=WAN protocol=tcp
add action=drop chain=forward comment="Drop everything else"
add chain=output comment="Section Break" disabled=yes
add action=jump chain=output comment="Jump for ICMP Output" jump-target=ICMP protocol=icmp
add chain=output comment="Section Break" disabled=yes
add chain=ICMP comment="Echo Request - Avoiding Ping Flood" icmp-options=8:0 limit=1,5 protocol=icmp
add chain=ICMP comment="Echo Reply" icmp-options=0:0 protocol=icmp
add chain=ICMP comment="Time Exceeded" icmp-options=11:0 protocol=icmp
add chain=ICMP comment="Destination Unreachable" icmp-options=3:0-1 protocol=icmp
add chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp
NAT Entries:
/ip firewall nat
add action=dst-nat chain=dstnat comment="NAT for Exchange OWA" dst-port=443 in-interface=WAN protocol=tcp src-address-list="!Port Scanners" to-addresses=10.0.0.208 to-ports=443
add action=dst-nat chain=dstnat comment="SMTP NAT Rule" disabled=yes dst-port=2525 in-interface=WAN protocol=tcp to-addresses=10.0.0.208 to-ports=25
add action=masquerade chain=srcnat comment="Hairpin for Cameras" dst-address=XXX.XXX.XXX.XXX dst-port=32350 out-interface=LAN protocol=tcp src-address=10.0.0.0/24
add action=dst-nat chain=dstnat comment="Camera Traffic" dst-port=32350 in-interface=WAN protocol=tcp src-address-list="!Port Scanners" to-addresses=10.0.0.160 to-ports=80
add action=dst-nat chain=dstnat comment=PLEX dst-port=32400 in-interface=WAN protocol=tcp src-address-list="!Port Scanners" to-addresses=10.0.0.180
add action=masquerade chain=srcnat comment="NAT rule for PIA VPN traffic" connection-mark=Torrent-VPN out-interface="PIA VPN" packet-mark=VPN-Packet routing-mark=via-VPN src-address-list=VPN_Address
add action=masquerade chain=srcnat comment="Default NAT rule for Internet Access" out-interface=WAN
add action=masquerade chain=srcnat comment="Backup NAT rule for Internet Access" out-interface=4GBackup
Can anyone think of anything that may be wrong?
Things I have done/checked:
- disabled SSL
- changed port numbers (all of them)
- port scanned the qnap to make sure it was listening
- checked that internet address tested from was not in block lists
- cables are connected
- connected to Exchange OWA and PLEX (the other dst-nat rules) successfully
Thanks in advance for any help..
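The counters in the post (NAT rule counting up, forward filter rule not) point at the order of RouterOS packet flow: dst-nat runs in prerouting, so by the time a packet reaches the forward chain its destination port is already the translated one. The PLEX rule has no to-ports, so 32400 stays 32400 and the forward rule matches; the camera rule rewrites 32350 to 80, so a forward rule matching dst-port=32350 never sees it and the packet falls through to "Drop everything else". The simulation below is an added illustration, not RouterOS code and not part of the original post; it models only the first packet of a new connection, with the three dst-nat rules and the two WAN forward rules taken from the config above. The "WAN_IP" address is a placeholder, and the hypothetical fixed rule set shows the two usual remedies: match the post-NAT destination (dst-address=10.0.0.160 dst-port=80) or match connection-nat-state=dstnat, which exists as a filter matcher in RouterOS.

```python
"""Model of RouterOS packet flow for a port forward: prerouting dst-nat first,
then the forward filter, which therefore sees the translated port.
Added simulation, not RouterOS code; rule data is copied from the posted config."""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    in_interface: str
    proto: str
    dst_port: int
    dst_addr: str = "WAN_IP"          # placeholder for the single public address
    nat_state: Optional[str] = None   # "dstnat" once a dst-nat rule has rewritten it


# chain=dstnat rules from the post. to_port None means the port is kept as-is.
DSTNAT_RULES = [
    {"comment": "NAT for Exchange OWA", "dst_port": 443,   "to_addr": "10.0.0.208", "to_port": 443},
    {"comment": "Camera Traffic",       "dst_port": 32350, "to_addr": "10.0.0.160", "to_port": 80},
    {"comment": "PLEX",                 "dst_port": 32400, "to_addr": "10.0.0.180", "to_port": None},
]

# chain=forward rules reachable by a new WAN connection, as posted.
POSTED_FORWARD = [
    {"comment": "Accept Camera Traffic", "match": {"in_interface": "WAN", "proto": "tcp", "dst_port": 32350}, "action": "accept"},
    {"comment": "PLEX",                  "match": {"in_interface": "WAN", "proto": "tcp", "dst_port": 32400}, "action": "accept"},
]

# Hypothetical corrected rules: match what the forward chain actually sees.
FIXED_FORWARD = [
    {"comment": "Accept Camera Traffic (post-NAT dst)",
     "match": {"in_interface": "WAN", "proto": "tcp", "dst_addr": "10.0.0.160", "dst_port": 80}, "action": "accept"},
    # Alternative: accept anything a dst-nat rule already translated (connection-nat-state=dstnat).
    {"comment": "Accept dst-natted", "match": {"in_interface": "WAN", "nat_state": "dstnat"}, "action": "accept"},
]


def apply_dstnat(pkt: Packet):
    """Prerouting: first matching dst-nat rule rewrites destination address/port."""
    for r in DSTNAT_RULES:
        if pkt.in_interface == "WAN" and pkt.proto == "tcp" and pkt.dst_port == r["dst_port"]:
            new_port = pkt.dst_port if r["to_port"] is None else r["to_port"]
            return replace(pkt, dst_addr=r["to_addr"], dst_port=new_port, nat_state="dstnat"), r["comment"]
    return pkt, None


def forward_verdict(pkt: Packet, rules):
    """Forward chain: first rule whose every matcher equals the packet field wins;
    no match falls through to the final catch-all drop from the post."""
    for r in rules:
        if all(getattr(pkt, field) == want for field, want in r["match"].items()):
            return r["action"], r["comment"]
    return "drop", "Drop everything else"


def trace(dst_port: int, forward_rules):
    """Trace a new TCP connection arriving on WAN to the given public port."""
    pkt = Packet(in_interface="WAN", proto="tcp", dst_port=dst_port)
    pkt, nat_rule = apply_dstnat(pkt)
    verdict, filter_rule = forward_verdict(pkt, forward_rules)
    return {
        "nat_rule": nat_rule,                 # this counter increments on the router
        "seen_by_forward": (pkt.dst_addr, pkt.dst_port),
        "verdict": verdict,
        "filter_rule": filter_rule,           # the posted camera rule never gets hit
    }


if __name__ == "__main__":
    for port in (443, 32350, 32400):
        print("posted:", port, trace(port, POSTED_FORWARD))
    print("fixed: ", 32350, trace(32350, FIXED_FORWARD))
```

Run as-is it prints that port 32350 is dst-natted to 10.0.0.160:80 and then dropped by the catch-all under the posted rules, while 32400 is accepted; with either corrected matcher the camera traffic is accepted. Matching on the post-NAT destination is the tighter of the two, since connection-nat-state=dstnat accepts whatever any dst-nat rule forwarded.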