NAT / firewall questions with 2 routers

hey,

trying to figure out how to open a specific port on a device on my LAN. Here is a network diagram:

https://docs.google.com/presentation/d/1Oc-9DiHA_upgq92BIRnrEXztJpCELUfrrLFmySTrY1E/edit#slide=id.p

I’m Client1 and have a server running on 192.168.20.68. I want to allow traffic on my external IP 81.168.57.219, port 44158, through the routers to the LAN-side .68 box.

The firewall log looks like it should be working but portchecker.co says otherwise.

forward: in:pppoe-out1 out:bridge, src-mac 64:d1:54:cc:b9:7d, proto TCP (ACK,PSH), 178.244.216.138:44158->192.168.20.68:44158, NAT 178.244.216.138:44158->(81.168.57.219:44158->192.168.20.68:44158), len 179

netcat doesn't see it either.

➜  ~ nc -zv 81.168.57.219  44158
nc: connectx to 81.168.57.219 port 44158 (tcp) failed: Connection refused

You can see that it’s passing through the router, so check the server (192.168.20.68): whether there’s really something listening on port 44158, that it’s not blocked by the server’s firewall, etc.

Ensure you put the source address allowed to access the port in the destination NAT rule. That should make it appear invisible to port checkers.

yeah, there's a service running on the local device.

➜  ~ nc -zv 192.168.20.68  44158
Connection to 192.168.20.68 port 44158 [tcp/*] succeeded!

hey 404, can you explain more what you mean? I won't know what external IP is trying to connect to me, so I can't whitelist them individually. Can it be wildcarded?

What do you mean you don't know who is accessing your server?
Don't you have a specific reason to have a server for specific users?

It's an application-level protocol that is part of a p2p network, so I don’t explicitly know the inbound IP that's connecting to me on that port.

If possible, I’d do a quick check with a packet sniffer on the server, to see if there’s anything coming in.

I’m no expert, but it seems Wireshark sees no traffic to the 192.168.20.68 address in question. Remember there are 2 routers here, so both firewalls / NAT setups have to work.

Network diagram here https://docs.google.com/presentation/d/1Oc-9DiHA_upgq92BIRnrEXztJpCELUfrrLFmySTrY1E/edit?usp=sharing
Donor side and Client1 configs attached, if anyone's able to take a look and recommend what to do.
Client1.rsc (7.76 KB)
Donor.rsc (8.28 KB)

You don’t need to do anything with the first router; it only passes the public address to the second one using PPPoE, and you excluded traffic to it from the firewall filter.

The second router just needs a dstnat rule:

/ip firewall nat
add chain=dstnat dst-address=<public address> protocol=tcp dst-port=44158 action=dst-nat to-addresses=192.168.20.68

It’s not in your export, but you must have had it before to get the log in the first post (together with another rule in the forward chain). You can make sure that it’s really going to the server using:

/ip firewall mangle
add chain=postrouting dst-address=192.168.20.68 protocol=tcp dst-port=44158 action=log

And if it does, whatever problem there might be is behind the router.

Not directly related, but you shouldn’t need this rule:

/ip firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none

You already have one covering traffic to the internet, and this one masquerades all other traffic passing through the router, so e.g. the server would see all traffic from the internet with 192.168.20.1 as source.
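A small helper to check a RouterOS firewall log line (the format of the `forward:` line in the first post, or what the mangle `action=log` rule above would produce) against the translation you intended: it parses the `NAT src->(public->internal)` part, confirms the public address/port maps to the expected internal host, and reports the TCP flags, since an `ACK,PSH` packet belongs to an already established flow and does not by itself prove a fresh inbound SYN is reaching the server. This is an added example written for this thread, not code from the original posts; the sample line is the one quoted above.

```python
import re

# RouterOS firewall log format as seen in this thread:
#   <prefix>: in:<if> out:<if>, src-mac <mac>, proto TCP (<flags>),
#   <src>:<port>-><dst>:<port>, NAT <src>:<port>->(<pub>:<port>-><int>:<port>), len <n>
# src-mac, TCP flags and the NAT part are optional in real logs.
_LOG_RE = re.compile(
    r"^(?P<prefix>[^:]+): in:(?P<in_if>\S+) out:(?P<out_if>\S+), "
    r"(?:src-mac (?P<mac>[0-9a-fA-F:]+), )?proto (?P<proto>\w+)"
    r"(?: \((?P<flags>[^)]*)\))?, "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)"
    r"(?:, NAT (?P<nsrc>[\d.]+):(?P<nsport>\d+)->"
    r"\((?P<pub>[\d.]+):(?P<pport>\d+)->(?P<int>[\d.]+):(?P<iport>\d+)\))?"
    r", len (?P<length>\d+)$"
)

def parse_log_line(line: str) -> dict:
    """Parse one RouterOS firewall log line into its fields."""
    m = _LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised firewall log line: {line!r}")
    fields = m.groupdict()
    fields["flags"] = tuple(fields["flags"].split(",")) if fields["flags"] else ()
    return fields

def check_dstnat(line: str, public_ip: str, port: int, internal_ip: str) -> dict:
    """Verify the logged NAT translation matches public_ip:port -> internal_ip:port."""
    f = parse_log_line(line)
    problems = []
    if f["pub"] is None:
        problems.append("no NAT translation logged for this packet")
    else:
        if (f["pub"], f["pport"]) != (public_ip, str(port)):
            problems.append(f"public side is {f['pub']}:{f['pport']}, expected {public_ip}:{port}")
        if (f["int"], f["iport"]) != (internal_ip, str(port)):
            problems.append(f"internal side is {f['int']}:{f['iport']}, expected {internal_ip}:{port}")
    # A new inbound TCP connection shows up as a bare SYN; ACK,PSH means an
    # already established flow, so it says nothing about fresh connection attempts.
    new_conn = f["proto"] == "TCP" and "SYN" in f["flags"] and "ACK" not in f["flags"]
    return {"ok": not problems, "problems": problems, "flags": f["flags"],
            "new_connection": new_conn, "parsed": f}

# Sample line as quoted in the first post of the thread.
SAMPLE = ("forward: in:pppoe-out1 out:bridge, src-mac 64:d1:54:cc:b9:7d, proto TCP (ACK,PSH), "
          "178.244.216.138:44158->192.168.20.68:44158, "
          "NAT 178.244.216.138:44158->(81.168.57.219:44158->192.168.20.68:44158), len 179")

if __name__ == "__main__":
    print(check_dstnat(SAMPLE, "81.168.57.219", 44158, "192.168.20.68"))
```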

Sob you’re a genius! Thank you for sorting that out.