NAT problems

Hi.
I am new to using MikroTik, so I ask everyone to excuse me if these questions are about things that are easy to do.

I am having problems in configuring NAT.
I have a mikrotik with the IP 192.168.2.7 in Eth1 (WAN) and Eth2 192.168.1.2 (LAN). I want to access one PC (192.168.1.1) in the ports 25, 3000 and 3389.

I added the following rules:

/ip firewall nat add chain=dstnat dst-address=192.168.2.7 protocol=tcp dst-port=3389 action=dst-nat to-addresses=192.168.1.1 to-ports=3389

/ip firewall nat add chain=dstnat dst-address=192.168.2.7 protocol=tcp dst-port=3000 action=dst-nat to-addresses=192.168.1.1 to-ports=3000

/ip firewall nat add chain=dstnat dst-address=192.168.2.7 protocol=tcp dst-port=25 action=dst-nat to-addresses=192.168.1.1 to-ports=25

When I try to access these ports, they are not accessible. Telnet 192.168.2.7 25 gives nothing, and the other ports too.

Do I have to add other configurations or other NAT rules for these to work?

Thanks

Try this rather;

/ip firewall nat add chain=dstnat in-interface=ether1 protocol=tcp dst-port=3389 action=dst-nat to-addresses=192.168.1.1 to-ports=3389

ether1 is the interface that your WAN link is on.

Let us know.

Greetings!

What do you have in your firewall filter rules? Any entries there that could block access?

Normally, if the dstnat rule doesn’t work, you end up telnetting into the primary box, not being rejected or dropped.

Hi.
I tried
/ip firewall nat add chain=dstnat in-interface=ether1 protocol=tcp dst-port=3389 action=dst-nat to-addresses=192.168.1.1 to-ports=3389

But it did not work.
As far as I can see when I telnet to those ports, it seems that the firewall is blocking them. If the ports are not forwarded, telnet shows a message that the request was refused; if the rules are active, telnet shows nothing, it just keeps trying and is not redirected.

I didn’t add anything to the firewall filter rules, just what is there by default.

Maybe I have done something wrong. So I accessed the firewall by web page and at the firewall section, I have the following rules selected:

Firewall
Public interface: Ether1.
Protect router: “yes”
Protect customer: “yes”
NAT: “yes”

Instead of “yes”, the interface shows a tick for selection.
I removed the selection for all of the above, but the routing did not work.

What should I have in the firewall filter rules?

Thanks a lot for the help.

If you have the “protect router” selection, you must add a rule to allow your computer through.
/ip firewall filter add chain=input action=accept src-address=xx.xx.xx.xx/yy place-before=0
Change xx.xx.xx.xx/yy to the IP/mask of the computer(s) you want to access that box with.

Hi.
I tried to add the rule:
/ip firewall filter add chain=input action=accept src-address=192.168.1.1/24 place-before=0

But firewall shows the error below:
item number must be assigned by a print command
use print command before using an item number in a command

So it doesn’t accept the rule.

Can I add the rule in another way, or where should I add the “print” command in the rule above?

Thanks

Simple enough:
/ip firewall filter print
then
/ip firewall filter add chain=input action=accept src-address=xx.xx.xx.xx/yy place-before=0

Hi.

I added the rules below:

/ip firewall filter add chain=input action=accept src-address=xx.xx.xx.xx/yy place-before=0

But, I don’t know how, it still does not work. I can’t telnet to port 25. From the network that port (25) is OK. From outside the router it does not work.
Just says connecting…

Sorry for the post, I am not familiar with MikroTik and I don’t have experience with it.

When you say “outside the router”, you mean from a public IP? The WAN address (192.168.x.x) is a private network address. You will not be able to access that IP without your ISP setting up a dstnat for you from a “real” public IP.

By “outside the router” I mean from an IP in the range of the WAN.
I have a network with the IP range 192.168.2.0/24. In this network I have installed a MikroTik with the WAN IP 192.168.2.7, which I use to create a new network with the IP range 192.168.1.0/24.
What I want is to access a PC within the network 192.168.1.0/24 (behind the MikroTik) from the network 192.168.2.0/24.
So the path is:
PC(IP 192.168.2.45) - Mikrotik(WAN 192.168.2.7, LAN 192.168.1.2) - PC (IP 192.168.1.1).

In the firewall I have the following rules:

/ip firewall nat add chain=dstnat dst-address=192.168.2.7 protocol=tcp dst-port=25 action=dst-nat to-addresses=192.168.1.1 to-ports=25
/ip firewall nat add chain=dstnat in-interface=ether1 protocol=tcp dst-port=25 action=dst-nat to-addresses=192.168.1.1 to-ports=25
/ip firewall filter add chain=input action=accept src-address=192.168.1.1/24 place-before=0

And still I can’t access port 25 on the PC (192.168.1.1) from a PC (IP 192.168.2.45).
I can access this PC from the network (192.168.1.15). The problem is the NAT or firewall rules.

Thanks for your time.

If that is the IP of the remote box you are trying to access your MikroTik box from, then:
/ip firewall filter add chain=input action=accept src-address=192.168.2.0/24 place-before=0
That will allow all computers on the 192.168.2.x net to access this box with the correct user/password.

Hi again.
I analyzed all the rules via Winbox in the firewall rules, and there was a rule which says “drop” in the Action field and “customer” in the chain field.
I disabled this rule and it worked fine.
Now I have another problem. I added the rule to allow the whole subnet 192.168.2.0/24 and it works for this network.
I want to allow this access for all networks, not only this subnet.
Can I do this, if I add the rule:
/ip firewall filter add chain=input action=accept src-address=0.0.0.0/0 place-before=0

Or is there a similar rule which will allow all IPs to have access to the NAT-ed ports?

Thanks a lot for your time.

Only one thing need be done then. Remove this rule:
chain=input action=drop
Should be the last of the input chain entries.

Thank you for the time spent on my problem.
I tested the firewall and it works. For the moment I see no problems.

Thanks again for the help.
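
Added example, not part of the original thread: a filter layout for the topology described above (ether1 = WAN 192.168.2.7, LAN PC 192.168.1.1) that passes the three forwarded ports while keeping a drop rule on the input chain. It assumes RouterOS v6 or later (for connection-nat-state) and that ether2 is the LAN port; the management ports and the comments are illustrative choices.

```routeros
# Added example. Assumptions: RouterOS v6+, ether1 = WAN, ether2 = LAN,
# addresses as given in the thread. Rules are evaluated top to bottom, so
# place these before any existing drop rule in the same chain
# (run "/ip firewall filter print" first if you use place-before=<number>).

/ip firewall nat
# One rule for all three ports; with no to-ports the original port is kept.
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=25,3000,3389 \
    action=dst-nat to-addresses=192.168.1.1 comment="WAN -> LAN PC"

/ip firewall filter
# dst-nat'ed packets are routed THROUGH the router to 192.168.1.1, so they
# traverse the forward chain. Input-chain rules only cover traffic addressed
# to the router itself (Winbox, SSH, and so on).
add chain=forward connection-state=established,related action=accept \
    comment="replies and related traffic"
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=ether1 connection-state=new \
    connection-nat-state=dstnat action=accept \
    comment="only connections matched by a dstnat rule"
# Narrow the rule above with src-address=<network> when the clients are known.
add chain=forward in-interface=ether1 action=drop \
    comment="everything else arriving from WAN"

# Router management stays restricted instead of removing the input drop rule.
add chain=input connection-state=established,related action=accept
add chain=input in-interface=ether1 src-address=192.168.2.0/24 protocol=tcp \
    dst-port=22,8291 action=accept comment="SSH and Winbox from the WAN subnet"
add chain=input in-interface=ether1 action=drop \
    comment="no other access to the router from WAN"

# Check which rule a test connection hits by watching the packet counters:
/ip firewall nat print stats
/ip firewall filter print stats
```

If the counter on the dstnat rule increases but the forward accept rule stays at zero, an earlier drop in the forward path is catching the packets, which matches the “customer” chain drop rule found in the thread.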