As I understand it, packets incoming to the router are first processed by NAT, and then (changed) passed to the firewall.
My network has a rule: what is not permitted is forbidden. So when I tried to configure NAT for RDP from the internet I got closed ports.
I added a rule to the firewall to accept all incoming packets for port 3389 (changed by NAT from 33389 before processing through the firewall), but the port was still
closed. So I added a second rule to the firewall: pass through all packets from the local network to the internet from port 3389, and only after this did I see port 33389 open. This is my config:
/ip firewall filter
add action=accept chain=forward comment=\
    "Allow incoming RDP connections from internet for RDPUSERS" disabled=no \
    dst-port=3389 protocol=tcp src-address-list=RDPUSERS
add action=accept chain=forward comment=\
    "Allow outgoing RDP packets from local net" disabled=no protocol=tcp \
    src-port=3389
/ip firewall nat
add action=dst-nat chain=dstnat comment="RDP 192.168.1.55" disabled=no \
    dst-address=176.192.8.74 dst-port=33389 protocol=tcp src-address-list=\
    RDPUSERS to-addresses=192.168.1.55 to-ports=3389
Now when I want to forward a port I need to add 2 rules to the firewall and 1 rule to NAT. How can I configure MikroTik to do this automatically for new NAT rules? Or add a universal rule to the firewall allowing all incoming and outgoing packets for NAT rules?
You can’t automatically add new NAT rules; how would it know what PC to port forward to??? If you want to forward EVERYTHING to a certain PC, you can certainly do that. Just empty out the dst-port and to-port and remove the filter.
Also, you don’t need the dst-address at all… unless you have multiple public IP addresses and you want to only use that one.
Maybe you don’t understand me. For example, I want to connect to my local machine on the RDP port from the Internet, so I create a NAT rule, but I don’t want to have to remember to add the next two rules to the FIREWALL to accept incoming and outgoing traffic for this port, for this computer. Can these firewall rules be added automatically when I create a NAT rule?
Unless specifically blocked, the port forward would function as the method to turn traffic that would normally be directed towards the router into traffic directed past the router. The NAT rule is just providing the route in a not already established connection.
For instance, with an Xbox, nobody will be able to connect to you if you don’t have a port opened and forwarded to the Xbox’s IP. Your Xbox can access the internet just fine, and can connect to other users, but it can’t respond to unsolicited requests. If you provide a NAT rule, the request is directed to the Xbox from the internet, passing through the firewall rules normally.
Quick and dirty:
NAT without forward = packet directed to router = INPUT chain rules applied
NAT with forward = packet directed across router = FORWARD chain applied
For DST-NAT traffic (port forwarding) there is no need to add any ‘accept’ rule in ‘forward’ chain.
According to packet flow (http://wiki.mikrotik.com/wiki/Packet_Flow#Diagram)
DST-NAT takes place before ‘input’ and ‘forward’ chains.
Port forwarding works for me without these rules.
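As an added example (not the configuration of anyone in this thread), the following RouterOS v6 filter set shows how a deny-by-default forward chain can admit port-forwarded connections generically, without a per-port accept rule: because dst-nat runs in prerouting, the filter chain can match on the connection's NAT state (`connection-nat-state=dstnat`) instead of on each translated port. The interface names ether1-wan/ether2-lan, the address-list entry 203.0.113.10 and the log prefix are assumptions; the dst-nat rule reuses the addresses and ports from the first post.

```routeros
# Added example, not from any post in this thread. Assumes RouterOS v6 syntax;
# ether1-wan, ether2-lan and 203.0.113.10 are placeholders.

/ip firewall address-list
# only this source may reach the forwarded RDP port (placeholder admin address)
add list=RDPUSERS address=203.0.113.10 comment="remote admin (placeholder)"

/ip firewall nat
# dst-nat happens in prerouting, before the filter 'forward' chain sees the
# packet, so filter rules already see dst-address=192.168.1.55 dst-port=3389
add chain=dstnat action=dst-nat protocol=tcp dst-address=176.192.8.74 \
    dst-port=33389 src-address-list=RDPUSERS \
    to-addresses=192.168.1.55 to-ports=3389 comment="RDP 192.168.1.55"

/ip firewall filter
# 1. replies and related packets of already-accepted connections: this also
#    covers the LAN->internet "src-port=3389" direction, so no separate
#    outgoing rule is needed
add chain=forward action=accept connection-state=established,related \
    comment="stateful fast path"
# 2. drop packets conntrack marks invalid (no matching flow)
add chain=forward action=drop connection-state=invalid comment="drop invalid"
# 3. LAN is allowed to open new connections towards the internet
add chain=forward action=accept connection-state=new \
    in-interface=ether2-lan out-interface=ether1-wan comment="LAN out"
# 4. the generic rule: any NEW connection from WAN that a dst-nat rule has
#    already translated is accepted, whatever port it was forwarded to
add chain=forward action=accept connection-state=new \
    connection-nat-state=dstnat in-interface=ether1-wan \
    comment="accept all port-forwarded connections"
# 5. everything else arriving from WAN is logged and dropped; the log line
#    is the detection signal for unsolicited scans of non-forwarded ports
add chain=forward action=drop connection-state=new in-interface=ether1-wan \
    log=yes log-prefix="fwd-drop-wan: " comment="deny by default from WAN"
```

With this set, adding a new port forward is one dst-nat rule only: rule 4 admits it by NAT state, and rule 1 carries the return traffic, so the two per-port filter rules from the first post are no longer required. Access restriction per forward stays on the NAT rule itself (the src-address-list match), which is where it applies earliest in the packet flow.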
“As I understand it, packets incoming to the router are first processed by NAT, and then (changed) passed to the firewall.”
and
“Now when I want to forward a port I need to add 2 rules to the firewall and 1 rule to NAT.”
Hence my answer: you don’t need any rules in the ‘forward’ chain for port forwarding,
and the ‘src-address-list=RDPUSERS’ check should be in the ‘prerouting’ chain.