NAT Port forwarding conflicts with Firewall (Default config)

I’ve read dozens of topics about configuring port forwarding, but nothing helped. I have a Mikrotik rb751u-2hnd with the default configuration.
The WAN network 192.168.1.0/24 is connected to ether1.
The local network is 192.168.88.0/24.
I want to access port 22 of the local machine 192.168.88.250 from the WAN.

Firewall filters:

Flags: X - disabled, I - invalid, D - dynamic 
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 

 1    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp 

 2    ;;; defconf: accept established,related
      chain=input action=accept connection-state=established,related 

 3    ;;; defconf: drop all from WAN
      chain=input action=drop in-interface=ether1 

 4    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection connection-state=established,related 

 5    ;;; defconf: accept established,related
      chain=forward action=accept connection-state=established,related 

 6    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid 

 7    ;;; defconf:  drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=ether1

Nat rules:

Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface=ether1 

 1    ;;; SSH Port Forwarding to Raspberry Pi
      chain=dstnat action=dst-nat to-addresses=192.168.88.250 to-ports=22 protocol=tcp in-interface=ether1 dst-port=22 log=yes log-prefix="nat_d"

And this config doesn’t work. The problem is in filter #7 (“drop all from WAN not DSTNATed”). After disabling it I can access my local network from the WAN.
Or I can just add this rule before “drop all from WAN not DSTNATed”:

 7    ;;; Hack rule
      chain=forward action=accept protocol=tcp in-interface=ether1 dst-port=22 log=no

Moreover, with such a rule I can even delete the NAT forwarding rule and port 22 will still be reachable.
But if I edit it this way (in accordance with the logic of filter #7 (“drop all from WAN not DSTNATed”)):

 7    ;;; Hack rule
      chain=forward action=accept connection-nat-state=dstnat protocol=tcp in-interface=ether1 dst-port=22 log=no

Then the access is lost again…
It seems like NAT doesn’t mark the port forwarding rule’s connection state as dstnat and it is blocked by filter #7 (“drop all from WAN not DSTNATed”), although I can see how the packet count changes for the NAT forwarding rule while attempting to connect via SSH.

Thanks in advance.

Same issue here, configured v6.39.1 through WebFig. Port forward did not work. Is it a known bug?