NAT not working

Hello,
I'm a beginner in networks.
There is a network with programmable controllers and a MikroTik router.
Each programmable machine works like a web server in the LAN. See https://spidercontrol.net/.
WAN access is required to each programmable controller's HTTP connection on LAN port 80.
I tried to connect via NAT as well as FastTrack, but the connection does not get past syn_sent.
I noticed that each request from the WAN opens 3 connections.
Thanks for the help!

jan/02/1970 04:25:42 by RouterOS 6.45.8

software id = BJX0-D7ZX

model = RB750r2

serial number = AA840B094ABE

/interface bridge
add admin-mac=C4:AD:34:41:71:E9 auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip firewall connection tracking
set icmp-timeout=20s tcp-close-timeout=20s tcp-close-wait-timeout=20s \
    tcp-fin-wait-timeout=20s tcp-last-ack-timeout=20s \
    tcp-syn-received-timeout=15s tcp-syn-sent-timeout=15s \
    tcp-time-wait-timeout=20s udp-timeout=20s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set accept-redirects=yes accept-source-route=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.1.1/24 comment=defconf interface=ether2 network=192.168.1.0
add address=192.168.XXX.10/25 interface=ether1 network=192.168.XXX.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=winbox_accept dst-port=8291 \
    in-interface=ether1 protocol=tcp
add action=accept chain=input comment="defconf: accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" \
    dst-address=127.0.0.1
add action=accept chain=forward comment="accept plc web server" connection-nat-state=""
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" \
    connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none \
    out-interface-list=WAN
add action=dst-nat chain=dstnat comment=win_box_9999 dst-port=9999 in-interface=ether1 \
    protocol=tcp to-addresses=192.168.1.1 to-ports=8291
add action=dst-nat chain=dstnat comment="web server plc1" dst-port=88 in-interface=ether1 \
    protocol=tcp to-addresses=192.168.1.240 to-ports=80
/ip route
add distance=1 gateway=192.168.XXX.1
/ip service
set www port=90
/system identity
set name=Automatizari_XXX
/system package update
set channel=long-term
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Sounds fishy to me, almost like a homework assignment, but in any case...
The one thing that looks like an obvious error is this:

/ip address
add address=192.168.1.1/24 comment=defconf interface=ether2 network=192.168.1.0

It should be:
add address=192.168.1.1/24 comment=defconf interface=bridge network=192.168.1.0

I made the proposed change; no change. It is the default configuration of the router with changes to NAT. It should be a simple and trivial thing, but it doesn't work. I have the impression that it is because of the 3 connections that open at the same time; I can change that. I tried to mark the connection with Mangle and then FastTrack, but it doesn't work either.
At the LAN level everything works.
If I put in a regular router with a NAT function, everything is OK. Maybe there is an incompatibility between my automation network and the MikroTik router, or it is another setting that I did not make. Of course it is the TCP protocol; the connection is HTTP on port 80.

add action=dst-nat chain=dstnat comment=win_box_9999 dst-port=9999 \
in-interface=ether1 protocol=tcp to-addresses=192.168.1.1 to-ports=8291

This is wrong as well. Winbox is reached on the closest IP of the router: from outside, that is your outside IP 192.168.xxx.10, and from inside, your inside IP 192.168.1.1.
NAT is not needed for Winbox.

But you should not do this. Winbox should be reached over a VPN.

If you cannot use a VPN, then:

  1. Use port knocking.
  2. Use a long and secure password.
  3. Do not use the default port; 9999 should be OK.
  4. Add an access rule to limit access to only some specific IPs.
  5. Log all access to the router to an external syslog server (or use email alerts from the router).
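One way to put the five points above into RouterOS configuration, as an added example that is not part of the original thread. It assumes the posted export (the Winbox accept rule carrying comment=winbox_accept, WAN on ether1); the knock ports 1234 and 5678, the management address 203.0.113.5, the syslog host 192.168.1.50 and the password string are placeholders to be replaced.

```routeros
# Added example, not from the original thread. Assumes the posted export
# (Winbox accept rule with comment=winbox_accept, WAN on ether1).
# Placeholders: knock ports 1234/5678, management IP 203.0.113.5,
# syslog host 192.168.1.50, admin password.

# 4. a fixed management address that is always allowed
/ip firewall address-list
add list=winbox_allowed address=203.0.113.5 comment="office management IP (placeholder)"

/ip firewall filter
# 1. two-stage port knock: tcp/1234 and then tcp/5678 from the same source
#    grants Winbox for 10 minutes. Both rules are placed in front of the
#    Winbox accept rule so the defconf drop never sees them first.
add chain=input in-interface=ether1 protocol=tcp dst-port=1234 connection-state=new \
    action=add-src-to-address-list address-list=knock1 address-list-timeout=15s \
    comment="knock stage 1" place-before=[find comment=winbox_accept]
add chain=input in-interface=ether1 protocol=tcp dst-port=5678 connection-state=new \
    src-address-list=knock1 action=add-src-to-address-list \
    address-list=winbox_allowed address-list-timeout=10m \
    comment="knock stage 2" place-before=[find comment=winbox_accept]
# 3./4. the existing accept rule now only fires for listed sources. No dst-nat
#    to port 9999 is needed: Winbox is reached on the ether1 address directly.
set [find comment=winbox_accept] src-address-list=winbox_allowed
# anything else aimed at Winbox from the WAN is logged and then falls through
# to "defconf: drop all not coming from LAN"
add chain=input in-interface=ether1 protocol=tcp dst-port=8291 action=log \
    log-prefix="winbox-denied: " comment="log rejected winbox attempts" \
    place-before=[find comment="defconf: drop all not coming from LAN"]

# 2. a long password for the admin account (placeholder value)
/user set admin password="replace-with-a-long-random-passphrase"

# 5. ship firewall and system logs to an external syslog host
/system logging action set remote remote=192.168.1.50 remote-port=514
/system logging add topics=firewall action=remote
/system logging add topics=system,error,critical action=remote
```

The knock lists expire on their own, so a source that only completes stage 1 is dropped again after 15 seconds, and the "winbox-denied:" lines on the syslog host show every address that tried 8291 without knocking first.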

OK, I agree that I could use the Winbox connection from the WAN or not; I preferred this connection to check NAT, and that's not my problem. My problem is that I can't access the LAN equipment from the WAN, namely several programmable controllers that each work as a web server on port 80 (HTTP). In the posted configuration I try to connect on WAN port 88 to the PLC at 192.168.1.240, LAN port 80. This doesn't work for me: I don't get past "syn_sent", and I have 3 connections at once. I'm sorry, I would also have posted a screenshot, but I think it doesn't let me post images.
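A way to find where the port-88 forward stalls, as an added example that is not from the original thread. It assumes the addresses in the posted export (WAN on ether1, LAN on the bridge, dst-nat from tcp/88 to 192.168.1.240:80) and adds temporary log rules at the three points the SYN and its reply must pass; the "diag:" comments and the log prefixes are names chosen here.

```routeros
# Added example, not from the original thread. Assumes the posted export:
# WAN on ether1, dst-nat tcp/88 -> 192.168.1.240:80, LAN on the bridge.
# Everything tagged "diag:" is temporary and is removed at the end.

# 0. can the router itself reach the PLC web server on port 80?
#    If this fails, the problem is not NAT at all.
/tool fetch url="http://192.168.1.240/" keep-result=no
/ip arp print where address=192.168.1.240

# 1. the SYN arriving on the WAN port, before dst-nat runs
/ip firewall mangle
add chain=prerouting in-interface=ether1 protocol=tcp dst-port=88 \
    connection-state=new action=log log-prefix="plc-in: " \
    comment="diag: SYN arriving on ether1"

/ip firewall filter
# 2. the same SYN after translation, dst-natted and about to be forwarded
add chain=forward connection-nat-state=dstnat connection-state=new \
    action=log log-prefix="plc-fwd: " place-before=0 \
    comment="diag: dst-natted SYN in forward"
# 3. the SYN-ACK coming back from the PLC. Its connection state is already
#    "established", so this rule is placed in front of the fasttrack rule;
#    later packets of the flow are fasttracked and no longer logged.
add chain=forward in-interface=bridge protocol=tcp src-address=192.168.1.240 \
    src-port=80 action=log log-prefix="plc-reply: " place-before=0 \
    comment="diag: reply from PLC"

# now connect from the WAN side to http://<ether1 address>:88/ and watch
/log print follow-only where message~"plc-"
/ip firewall connection print where dst-address~":88"

# exactly one default route must be active; the export has both a DHCP
# client and a static address on ether1
/ip route print where dst-address=0.0.0.0/0

# clean-up
/ip firewall filter remove [find comment~"^diag:"]
/ip firewall mangle remove [find comment~"^diag:"]
```

Reading the result: "plc-in:" without "plc-fwd:" means the dst-nat rule did not match (the packet came in on another interface or port than the rule expects); "plc-fwd:" without "plc-reply:" means the PLC's answer is not coming back through this router, typically because the PLC's default gateway is not 192.168.1.1 or another router is still present on the LAN. In that state every connection stays in syn_sent, and seeing three of them at once is just a browser opening several parallel connections to one web server, a symptom rather than a cause.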

Do you have multiple NAT, since your router has 192.168.xx.10 (private IP)?

We have a company VPN, all ports are open, and with a regular router like a Zyxel N300 the installation works. I would have liked to switch to MikroTik due to its many features, but it seems that there is an incompatibility or that more study is needed.