NAT problem

Hi All,

I have a MikroTik router which has a DMZ, a lot of port forwards, and a lot of standard router stuff.

I am currently using WinBox v6.42.7 to manage it.

I am having an issue I can’t work out.

I have 2x port forwards to a box, i.e. ports 110 and 25 in the filter rules.
I have these 2x ports forwarded in the NAT section; working fine.
If I add an extra port to the end of these filter and DNAT rules, i.e. port 3389, it works as expected.

If I create a new filter rule (and an accompanying NAT rule) with just port 3389, directly below the above rule, it does not work.

If I change the newly created rule and DNAT to port 22 to another box, it works.

I do not understand why the individual 3389 port forward is not working.

Can somebody help me shed some light on this?

Thanks in advance,

Richard

FYI - I just realised there is an update and have upgraded to 6.44.3.

Still the same behaviour.

No way to tell unless you post your config.
/export hide-sensitive file=yourconfigmay08

Hi Anav,

Ok thx, here you go :

# RouterOS export as pasted on the forum: public addresses are masked with x's by the
# poster, and the leading '#' of the header lines and the continuation-line indentation
# appear to have been lost in the paste. Review remarks below are marked NOTE(review).
may/08/2019 12:57:23 by RouterOS 6.44.3

software id = H4M5-EKCH

model = 1100AHx2

serial number = 57320522B5A3

# Interface roles as named here: ether2 = LAN, ether4 = WAN underlay for PPPoE, ether6 = DMZ.
# ether3 (phones) is disabled, so the 192.168.10.0/24 subnet and its DHCP server below are dormant.
/interface ethernet
set [ find default-name=ether6 ] arp=proxy-arp name=“DMZ - Ether 6” speed=
100Mbps
set [ find default-name=ether2 ] arp=proxy-arp comment=LAN name=
“LAN - Ether 2” speed=100Mbps
set [ find default-name=ether5 ] comment=Unused disabled=yes name=
“LAN - ether 5” speed=100Mbps
set [ find default-name=ether4 ] comment=“NBN Port 1 (isp)” name=
“WAN - Ether 4” speed=100Mbps
set [ find default-name=ether1 ] comment=“Microwave Link” disabled=yes speed=
100Mbps
set [ find default-name=ether3 ] comment=Phones disabled=yes speed=100Mbps
set [ find default-name=ether7 ] speed=100Mbps
set [ find default-name=ether8 ] speed=100Mbps
set [ find default-name=ether9 ] speed=100Mbps
set [ find default-name=ether10 ] speed=100Mbps
set [ find default-name=ether11 ] advertise=
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether12 ] advertise=
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether13 ] advertise=
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface pppoe-client
add allow=chap disabled=no interface=“WAN - Ether 4” keepalive-timeout=
disabled max-mru=1492 max-mtu=1492 name=pppoe-isp user=
02xxxxxxxx@nsw.isp.com.au
# NOTE(review): a PPTP server is defined here and enabled further down under
# "/interface pptp-server server". PPTP (MS-CHAPv2/MPPE) is generally considered weak;
# plan to move the remote users listed under /ppp secret to a stronger VPN type.
/interface pptp-server
add name=VPN user=“”
/interface vlan
add comment=“DataCenter Vlan” disabled=yes interface=ether1 name=ether1.39
vlan-id=39
/interface list
add exclude=dynamic name=discover
add name=mactel
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=fw0.customer.com.au
# NOTE(review): modp1024 and 3DES are legacy choices for the site-to-site tunnel;
# negotiate stronger DH groups/ciphers with the peer if it supports them.
/ip ipsec profile
add dh-group=modp1024 enc-algorithm=aes-128 name=profile_1 nat-traversal=no
/ip ipsec peer
add address=203.80.163.90/32 comment=Gosford local-address=220.xxx.xxx.xx
name=peer1 profile=profile_1
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc,3des
# Address pools: the vpn pool (192.168.1.150-169) is carved out of the LAN subnet 192.168.1.0/24.
/ip pool
add name=oob ranges=192.168.88.10-192.168.88.254
add name=phones ranges=192.168.10.101-192.168.10.150
add name=vpn ranges=192.168.1.150-192.168.1.169
/ip dhcp-server
add address-pool=phones authoritative=after-2sec-delay disabled=no interface=
ether3 lease-time=3d name=phones
# NOTE(review): 4.4.4.4 appears here, in the profile below and under /ip dns; Google's
# secondary resolver is 8.8.4.4, so this looks like a typo — confirm which resolver was intended.
/ppp profile
set *0 comment=“Do Not Use!”
add dns-server=8.8.8.8,4.4.4.4 local-address=vpn name=“VPN Profile”
remote-address=vpn
set *FFFFFFFE dns-server=8.8.8.8,4.4.4.4 idle-timeout=2h local-address=vpn
remote-address=vpn use-encryption=required
/system logging action
set 0 memory-lines=100
set 1 disk-lines-per-file=100
/tool user-manager customer
set admin access=
own-routers,own-users,own-profiles,own-limits,config-payment-gw
/ip neighbor discovery-settings
set discover-interface-list=discover
# Neighbor discovery is enabled on every interface including the WAN and DMZ ports;
# MAC-server (winbox/telnet over MAC) is limited to the mactel list, which also includes "WAN - Ether 4".
/interface list member
add interface=ether1 list=discover
add interface=“LAN - Ether 2” list=discover
add interface=ether3 list=discover
add interface=“WAN - Ether 4” list=discover
add interface=“LAN - ether 5” list=discover
add interface=“DMZ - Ether 6” list=discover
add interface=ether7 list=discover
add interface=ether8 list=discover
add interface=ether9 list=discover
add interface=ether10 list=discover
add interface=ether11 list=discover
add interface=ether12 list=discover
add interface=ether13 list=discover
add interface=“LAN - Ether 2” list=mactel
add interface=ether3 list=mactel
add interface=“WAN - Ether 4” list=mactel
add interface=“LAN - ether 5” list=mactel
/interface pptp-server server
set enabled=yes
# Public addressing: only the 220.xxx.xxx.xx/29 block is assigned to an interface here.
# The 115.x addresses used by the NAT rules below are not listed under /ip address —
# presumably the address obtained by the pppoe-isp session; confirm.
/ip address
add address=192.168.10.1/24 interface=ether3 network=192.168.10.0
add address=192.168.1.2/24 comment=“customer internal network” interface=
“LAN - Ether 2” network=192.168.1.0
add address=220.xxx.xxx.xx/29 comment=VPN interface=“WAN - Ether 4” network=
220.233.174.32
add address=172.16.0.1/24 comment=“DMZ for VMPhoenix” interface=
“DMZ - Ether 6” network=172.16.0.0
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=8.8.8.8 domain=customer.com.au
gateway=192.168.10.1
# allow-remote-requests=yes turns on the router's resolver for clients, but as far as the
# visible input chain shows there is no accept for udp/53 from any interface, so client
# queries to the router would hit the final LOG-DROP. Clients are handed 8.8.8.8 directly,
# so this is consistent; just noting the interaction.
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,4.4.4.4
/ip dns static
add address=192.168.88.1 name=router
# ADMIN covers all of 192.168.0.0/16 — the LAN (192.168.1.0/24), the VPN pool inside it and the
# phone subnet — but not the DMZ (172.16.0.0/24).
/ip firewall address-list
add address=192.168.0.0/16 list=ADMIN
# Filter overview (rules are evaluated top to bottom within each chain):
#   input    : established/related/icmp, DHCP on WAN, admin ports from ADMIN, PPTP + GRE, then LOG-DROP.
#   forward  : established/related, the one DMZ->LAN exception then a DMZ->LAN drop, per-host accepts,
#              LAN->Internet, LAN->DMZ, then LOG-DROP.
#   LOG-DROP : drops traffic arriving on pppoe-isp and udp/137 silently, logs everything else, then drops.
/ip firewall filter
add action=accept chain=input comment=“Allow Established” connection-state=
established
add action=accept chain=input protocol=icmp
add action=accept chain=input comment=“Allow Related” connection-state=
related
add action=accept chain=input comment=“Allow DHCP” dst-port=67 in-interface=
“WAN - Ether 4” protocol=udp
add action=drop chain=LOG-DROP in-interface=pppoe-isp
add action=drop chain=LOG-DROP dst-port=137 protocol=udp
add action=log chain=LOG-DROP
add action=drop chain=LOG-DROP
# NOTE(review): the admin accept has no in-interface restriction and includes cleartext
# management ports (20/21 FTP, 23 telnet, 80 HTTP). Only the API service is disabled under
# /ip service below; consider disabling telnet/ftp/www there and limiting this rule to the LAN
# interface so a spoofed 192.168.x.x source on another port cannot satisfy it.
add action=accept chain=input comment=“Allow Router Administration” dst-port=
20,21,22,23,80,443,8291 protocol=tcp src-address-list=ADMIN
add action=accept chain=input comment=“Allow PPTP” dst-port=1723 protocol=tcp
add action=accept chain=input protocol=gre
add action=accept chain=forward comment=“Allow Established” connection-state=
established
add action=accept chain=forward comment=“Allow Related” connection-state=
related
# The single DMZ->LAN exception (Altaro backup port range) is placed before the DMZ->LAN drop,
# which is the required order.
add action=accept chain=forward comment=“DMZ to LAN - Altaro " dst-address=
192.168.1.174 dst-port=35100-35220 in-interface=“DMZ - Ether 6”
out-interface=“LAN - Ether 2” protocol=tcp
add action=drop chain=forward comment=“Drop all traffic from DMZ to LAN”
dst-address=192.168.1.0/24 in-interface=“DMZ - Ether 6” log=yes
out-interface=“LAN - Ether 2” src-address=172.16.0.0/24
add action=accept chain=forward comment=“CPanel > Internet” out-interface=
pppoe-isp src-address=172.16.0.0/24
# Everything destined to the 3CX host is handled in the dedicated 3CX chain further down.
add action=jump chain=forward comment=“Everywhere > 3CX (Phone System)”
dst-address=192.168.1.15 jump-target=3CX
add action=accept chain=forward comment=“Not sure” disabled=yes dst-address=
192.168.1.16 dst-port=2087 protocol=tcp
# NOTE(review): connection-type="", src-address-list="" and src-port="" are empty matchers and
# presumably impose no restriction, so as written this accepts the port range from any source
# (the corresponding dstnat rule at the bottom of the NAT table is limited to one source address);
# confirm that the filter rule is meant to be this broad.
add action=accept chain=forward comment=“Altaro to Phils box external”
connection-type=”" dst-address=192.168.1.174 dst-port=35100-35220 log=yes
protocol=tcp src-address-list=“” src-port=“”
add action=accept chain=forward comment=“Incoming to Stardust” dst-address=
192.168.1.18 dst-port=110,25 protocol=tcp
add action=accept chain=forward comment=“Everwhere > Stardust (Mail)”
disabled=yes dst-address=192.168.1.18 dst-port=25,443 protocol=tcp
add action=accept chain=forward comment=“Everywhere > FTP” dst-address=
192.168.1.25 dst-port=20,21 protocol=tcp
# Accepts tcp/3389 to the DMZ host from any source; the matching dstnat rule below is limited to
# src-address=203.xxx.xx.xxx, so today the NAT rule is what bounds the RDP exposure.
add action=accept chain=forward comment=“RDP to VMPHOENIX” dst-address=
172.16.0.2 dst-port=3389 protocol=tcp
add action=accept chain=forward comment=“Everywhere > FTP 172.16.0.100”
dst-address=172.16.0.100 dst-port=20,21 log=yes protocol=tcp
add action=accept chain=forward comment=“Everywhere > FTP 172.16.0.102”
dst-address=172.16.0.102 dst-port=20,21 log=yes protocol=tcp
add action=accept chain=forward comment=“Everywhere > CPanel 172.16.0.102”
dst-address=172.16.0.102 dst-port=80,443 protocol=tcp
# "LAN <> VPN": src and dst are both 192.168.1.0/24, consistent with the vpn pool living inside the LAN subnet.
add action=accept chain=forward comment=“LAN <> VPN” dst-address=
192.168.1.0/24 src-address=192.168.1.0/24
add action=accept chain=forward comment=“LAN > Internet” out-interface=
pppoe-isp src-address=192.168.1.0/24
# 3CX chain: explicit per-service accepts, then everything else to the phone system goes to LOG-DROP.
add action=accept chain=3CX comment=“Allow ICMP” protocol=icmp
add action=accept chain=3CX comment=HTTP dst-port=80,5000 protocol=tcp
add action=accept chain=3CX comment=HTTPS dst-port=443,5001 protocol=tcp
add action=accept chain=3CX comment=“3CX Wallboard” dst-port=4516 protocol=
tcp
add action=accept chain=3CX comment=SIP dst-port=5060 protocol=tcp
add action=accept chain=3CX dst-port=5060 protocol=udp
add action=accept chain=3CX comment=“SIP (TLS)” dst-port=5061 protocol=tcp
add action=accept chain=3CX comment=Tunnel dst-port=5090 protocol=tcp
add action=accept chain=3CX dst-port=5090 protocol=udp
add action=accept chain=3CX comment=RTP dst-port=9000-9500 protocol=udp
add action=jump chain=3CX comment=“Deny All” jump-target=LOG-DROP
add action=accept chain=forward comment=“LAN > DMZ” dst-address=172.16.0.0/24
src-address=192.168.1.0/24
add action=jump chain=forward comment=“DENY ALL” jump-target=LOG-DROP
add action=jump chain=input comment=“Deny All” jump-target=LOG-DROP
/ip firewall mangle
add action=change-mss chain=forward new-mss=1360 out-interface=pppoe-isp
passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=1361-65535
# NAT overview: dst-nat is a terminating action, so the first matching dstnat rule wins.
# NOTE(review): the "3CX DMZ" jump near the end sends all remaining traffic for 220.xxx.xxx.xx
# through chain dmz, which dst-nats everything it does not explicitly return (PPTP, GRE, the admin
# ports) to 192.168.1.15. Any dstnat rule for that address placed after the jump — the 35100-35220
# rule at the bottom, or a new 3389 rule added there — would not be reached; its packet counters
# will show whether it ever matches. Note also that port 20 is not in the dmz exclusion list.
/ip firewall nat
add action=src-nat chain=srcnat comment=“3CX DMZ” out-interface=pppoe-isp
src-address=192.168.1.15 to-addresses=220.xxx.xxx.xx
add action=masquerade chain=srcnat comment=
“Possibly to Masquerade PPTP Clients” disabled=yes out-interface=
“LAN - Ether 2” src-address=192.168.1.0/24
add action=masquerade chain=srcnat comment=“LAN > Internet” out-interface=
pppoe-isp src-address=192.168.1.0/24
add action=src-nat chain=srcnat comment=“DMZ to internet” out-interface=
pppoe-isp src-address=172.16.0.0/24 to-addresses=115.xxx.xxx.xxx
add action=dst-nat chain=dstnat comment=FTP dst-address=220.xxx.xxx.xx
dst-port=20,21 protocol=tcp to-addresses=192.168.1.25
add action=dst-nat chain=dstnat comment=“SMTP & POP3” dst-address=
220.xxx.xxx.xx dst-port=110,25 protocol=tcp to-addresses=192.168.1.18
add action=return chain=dmz comment=“Exclude PPTP” dst-port=1723 protocol=tcp
add action=return chain=dmz comment=“Exclude GRE” protocol=gre
add action=return chain=dmz comment=“Exclude Router Admin” dst-port=
21,22,23,80,443,8291 protocol=tcp
add action=dst-nat chain=dmz comment=3CX to-addresses=192.168.1.15
add action=dst-nat chain=dstnat comment=“FTP to 172.16.0.100” dst-address=
115.xxx.xxx.xx dst-port=20,21 protocol=tcp to-addresses=172.16.0.100
add action=dst-nat chain=dstnat comment=“FTP to 172.16.0.102 cpanel”
dst-address=115.xxx.xxx.xxx dst-port=20,21 protocol=tcp to-addresses=
172.16.0.102
# NOTE(review): the comment says 172.16.0.101 but to-addresses is 172.16.0.104, and src-port=81
# with dst-port=80 only matches clients whose source port happens to be 81 — this was probably
# meant as dst-port=81 with to-ports=80; verify against what the host actually serves.
add action=dst-nat chain=dstnat comment=“FTP to 172.16.0.101 Lapitus”
dst-address=115.xx.xxx.xxx dst-port=80 protocol=tcp src-port=81
to-addresses=172.16.0.104
add action=dst-nat chain=dstnat comment=“Cpanel to 172.16.0.102” dst-address=
115.xxx.xxx.xxx dst-port=80,443 protocol=tcp to-addresses=172.16.0.102
# The RDP forward is keyed on the 115.xx.xxx.xxx address (masked differently from the
# 220.xxx.xxx.xx address used for mail) and accepts only src-address=203.xxx.xx.xxx. A test from
# any other source, or against the 220 address, cannot match this rule; with log=yes set, the log
# shows directly whether it matched.
add action=dst-nat chain=dstnat comment=“RDP Consultant to VMPHOENIX”
dst-address=115.xx.xxx.xxx dst-port=3389 log=yes protocol=tcp
src-address=203.xxx.xx.xxx to-addresses=172.16.0.2
add action=jump chain=dstnat comment=“3CX DMZ” dst-address=220.xxx.xxx.xx
jump-target=dmz
# NOTE(review): sits after the catch-all jump above for the same address — see the NAT overview.
add action=dst-nat chain=dstnat dst-address=220.xxx.xxx.xx dst-port=
35100-35220 protocol=tcp src-address=203.xxx.xx.xxx to-addresses=
192.168.1.174
/ip firewall service-port
set pptp ports=1723
/ip ipsec identity
add peer=peer1
/ip ipsec policy
set 0 comment=“Dynamic Phase 2” disabled=yes
add comment=“PC <> location” dst-address=192.168.5.0/24
sa-dst-address=203.80.163.90 sa-src-address=220.xxx.xxx.xx src-address=
192.168.1.0/24 tunnel=yes
/ip proxy
set cache-path=web-proxy1 parent-proxy=0.0.0.0
/ip route
add comment=“General Internet Access via isp (Preferred)” distance=1
gateway=pppoe-isp
/ip route rule
add src-address=203.80.163.0/28 table=wireless
add src-address=203.80.164.12/32 table=wireless
# Only the API service is disabled here; the other management services (telnet, ftp, www, ssh,
# winbox) are not shown and so presumably remain at their defaults.
/ip service
set api disabled=yes
# NOTE(review): allow-none-crypto=yes lets SSH sessions negotiate the "none" cipher (no
# encryption), and forwarding-enabled=remote permits remote port forwarding through the router.
# Both are unusual on a perimeter device; disable them unless they are deliberately required.
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
# NOTE(review): UPnP lets internal hosts create inbound port mappings on their own, bypassing the
# hand-written dstnat rules above. No /ip upnp interfaces section appears in the export, so check
# which interfaces (if any) it is bound to; if none, the setting is inert.
/ip upnp
set enabled=yes
# ales, allan and chris have no profile set and so presumably fall back to the default profile
# (*0, commented "Do Not Use!" above) rather than default-encryption — confirm.
/ppp secret
add name=scott profile=default-encryption
add name=kristy profile=default-encryption
add comment=“Jason” disabled=yes name=jason profile=default-encryption
add name=ray profile=default-encryption
add name=cameron profile=default-encryption
add name=jeremy profile=default-encryption
add name=ales
add name=allan
add name=customer profile=default-encryption
add name=staff1 profile=default-encryption
add name=chris
/system clock
set time-zone-autodetect=no time-zone-name=Australia/Sydney
/system identity
set name=fw0.customer.com.au
/system ntp client
set enabled=yes primary-ntp=128.138.141.172
/tool mac-server
set allowed-interface-list=mactel
/tool sniffer
set filter-interface=“LAN - Ether 2” filter-ip-address=192.168.1.19/32
filter-ip-protocol=icmp filter-stream=yes
/tool user-manager database
set db-path=/user-manager1

Okay. So if I take literally what you wrote, we have the two series of rules:


/ip firewall filter

add action=accept chain=forward comment=“Incoming to Stardust” dst-address=192.168.1.18 dst-port=110,25 protocol=tcp
add action=accept chain=forward comment=“Everwhere > Stardust (Mail)” disabled=yes dst-address=192.168.1.18 dst-port=25,443 protocol=tcp
add action=accept chain=forward comment=“Everywhere > FTP” dst-address=192.168.1.25 dst-port=20,21 protocol=tcp
# Accepts tcp/3389 to 172.16.0.2 from any source; the dstnat rule below is the one that adds a source restriction.
add action=accept chain=forward comment=“RDP to VMPHOENIX” dst-address=172.16.0.2 dst-port=3389 protocol=tcp

/ip firewall nat

add action=dst-nat chain=dstnat comment=“SMTP & POP3” dst-address=220.xxx.xxx.xx dst-port=110,25 protocol=tcp to-addresses=192.168.1.18
add action=dst-nat chain=dstnat comment=“FTP to 172.16.0.100” dst-address=115.xxx.xxx.xx dst-port=20,21 protocol=tcp to-addresses=172.16.0.100
add action=dst-nat chain=dstnat comment=“FTP to 172.16.0.102 cpanel” dst-address=115.xxx.xxx.xxx dst-port=20,21 protocol=tcp to-addresses=172.16.0.102
# NOTE(review): src-port=81 with dst-port=80 only matches clients whose source port is 81 — probably meant as dst-port=81 with to-ports=80;
# the comment's .101 also does not match to-addresses .104. Verify.
add action=dst-nat chain=dstnat comment=“FTP to 172.16.0.101 Lapitus” dst-address=115.xx.xxx.xxx dst-port=80 protocol=tcp src-port=81 to-addresses=172.16.0.104
add action=dst-nat chain=dstnat comment=“Cpanel to 172.16.0.102” dst-address=115.xxx.xxx.xxx dst-port=80,443 protocol=tcp to-addresses=172.16.0.102
# NOTE(review): the only rule in either table with a src-address restriction, and it is keyed on the 115.xx.xxx.xxx address, not the
# 220.xxx.xxx.xx one used for mail. If the new "3389 only" rule was modelled on this one, compare its dst-address/src-address with the
# address the test client actually uses; log=yes here shows whether the rule matched at all.
add action=dst-nat chain=dstnat comment=“RDP Consultant to VMPHOENIX” dst-address=115.xx.xxx.xxx dst-port=3389 log=yes protocol=tcp src-address=203.xxx.xx.xxx to-addresses=172.16.0.2

In both tables, the rules in gray between those with dst-port=110,25 and those with dst-port=3389 also discriminate on dst-port, with port numbers other than 3389, so they cannot shadow another rule matching on dst-port=3389.

Now, what are the exact rules you add “right below the existing ones with dst-port=3389” that don’t work? And what exactly does “they don’t work” mean — can you see that they don’t count packets, or does only the RDP connection from the remote client fail? Those are two different things.