nat three servers with port forwarding

I have been struggling for the last week with something that should be simple.
I am using a routerboard 450g with routeros 4.10. The specific symptoms vary but fall into
the following general categories: outgoing ssh works everywhere, incoming traffic works,
outgoing http usually fails with no route to host or connection refused.

Assume a /system reset-configuration has been done.

I want one public address xx.xx.118.9/24 with gateway xx.xx.118.1 (internet border router).
The internal network gateway is 172.16.2.1/24.

Three internal servers: 172.16.2.2, 172.16.2.3, and 172.16.2.252. Each internal server
has the following ports open: 22 (ssh), 80 (http), and 443 (https). I was planning on
mapping the ports as follows:

xx.xx.118.9 {9852, 9080, 9443} → 172.16.2.252 {22, 80, 443}
xx.xx.118.9 {9854, 8080, 8443} → 172.16.2.3 {22, 80, 443}
xx.xx.118.9 {9853, 80, 443} → 172.16.2.252 {22, 80, 443}

I have tried all sorts of different things (src-nat/dst-nat and masquerade) and have
ended up totally confused. I have tried to research this and haven’t come up with the
correct configuration (found a lot of out-of-date and partial solutions).

Any hints or other information that anyone could provide would be greatly appreciated.

thanks

-ron

Follow the port forward example in the IP firewall NAT wiki manual and add “in-interface=WAN” to each rule, replacing ‘WAN’ with the name of your Internet facing interface.

But, if there is internal network protection, like

chain=customer action=drop

How to break through this? While this rule is active, a simple port forward like the wiki example

/ip firewall nat add chain=dstnat dst-address=69.69.69.69 protocol=tcp dst-port=5900 \
    action=dst-nat to-addresses=192.168.1.101 to-ports=5900

doesn’t work. If the earlier mentioned filter is disabled, port forward works like a charm…

EDIT: Damn, my fault! All opened ports should be placed above the drop rule in ip firewall filter, like this:

 5 chain=customer action=accept protocol=tcp dst-port=21,22,23,80,443,3389,8291
 6 chain=customer action=drop

:laughing:

Hi:

I was finally able to get back to work on the router: here is the info requested.
All of this was done with a “bare” rb-450g (i.e. /system reset-configuration and "r"emove default configuration).

reference: http://wiki.mikrotik.com/wiki/NAT_Tutorial

[admin@MikroTik] /ip firewall> /ip address print detail
Flags: X - disabled, I - invalid, D - dynamic
 0   address=131.216.118.9/24 network=131.216.118.0 broadcast=131.216.118.255
     interface=ether1 actual-interface=ether1

 1   address=172.16.2.1/24 network=172.16.2.0 broadcast=172.16.2.255
     interface=bridge1 actual-interface=bridge1

[admin@MikroTik] /ip firewall> /ip route print detail
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
 0 A S  dst-address=0.0.0.0/0 gateway=131.216.118.1
        gateway-status=131.216.118.1 reachable ether1 distance=1 scope=30
        target-scope=10

 1 ADC  dst-address=131.216.118.0/24 pref-src=131.216.118.9 gateway=ether1
        gateway-status=ether1 reachable distance=0 scope=10

 2 ADC  dst-address=172.16.2.0/24 pref-src=172.16.2.1 gateway=bridge1
        gateway-status=bridge1 reachable distance=0 scope=10

[admin@MikroTik] /ip firewall> /interface print
Flags: D - dynamic, X - disabled, R - running, S - slave
 #     NAME      TYPE     MTU   L2MTU
 0  R  ether1    ether    1500  1524
 1     ether2    ether    1500  1524
 2     ether3    ether    1500  1524
 3     ether4    ether    1500  1524
 4     ether5    ether    1500  1524
 5  R  bridge1   bridge   1500  65535


[admin@MikroTik] /ip firewall> export
# jan/02/1970 01:03:57 by RouterOS 4.5
# software id = C1ZS-WGPZ
#
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
    tcp-close-wait-timeout=10s tcp-established-timeout=1d \
    tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
    tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
    tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=accept chain=forward comment="" disabled=no src-address=172.16.2.0/24
add action=accept chain=forward comment="" connection-state=established disabled=no
add action=accept chain=forward comment="" connection-state=related disabled=no
add action=accept chain=forward comment="" disabled=no dst-port=22,80,443,8291 protocol=tcp
add action=drop chain=forward comment="" disabled=no
/ip firewall nat
add action=dst-nat chain=dstnat comment="" disabled=no dst-address=131.216.118.9 \
    dst-port=9852 in-interface=ether1 protocol=tcp to-addresses=172.16.2.252 to-ports=22
add action=dst-nat chain=dstnat comment="" disabled=no dst-address=131.216.118.9 \
    dst-port=9080 in-interface=ether1 protocol=tcp to-addresses=172.16.2.252 to-ports=80
add action=dst-nat chain=dstnat comment="" disabled=no dst-address=131.216.118.9 \
    dst-port=9443 in-interface=ether1 protocol=tcp to-addresses=172.16.2.252 to-ports=443
add action=dst-nat chain=dstnat comment="" disabled=no dst-address=131.216.118.9 \
    dst-port=9854 in-interface=ether1 protocol=tcp to-addresses=172.16.2.2 to-ports=22
add action=dst-nat chain=dstnat comment="" disabled=no dst-address=131.216.118.9 \
    dst-port=8080 in-interface=ether1 protocol=tcp to-addresses=172.16.2.2 to-ports=80
add action=dst-nat chain=dstnat comment="" disabled=no dst-address=131.216.118.9 \
    dst-port=8443 in-interface=ether1 protocol=tcp to-addresses=172.16.2.2 to-ports=443
add action=dst-nat chain=dstnat comment="" disabled=no dst-address=131.216.118.9 \
    dst-port=9853 in-interface=ether1 protocol=tcp to-addresses=172.16.2.3 to-ports=22
add action=dst-nat chain=dstnat comment="" disabled=no dst-address=131.216.118.9 \
    dst-port=80 in-interface=ether1 protocol=tcp to-addresses=172.16.2.3 to-ports=80
add action=dst-nat chain=dstnat comment="" disabled=no dst-address=131.216.118.9 \
    dst-port=443 in-interface=ether1 protocol=tcp to-addresses=172.16.2.3 to-ports=443
add action=src-nat chain=srcnat comment="" disabled=no protocol=tcp \
    src-address=172.16.2.0/24 to-addresses=131.216.118.9 to-ports=0-65535
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no
routeros-problem.jpg
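Two points in this thread are easy to get wrong and hard to see from a config dump: the filter chain is evaluated first-match (so an accept placed below a catch-all drop never fires, as in the EDIT above), and dstnat runs before the filter forward chain, so the forward rules see the translated internal port (22/80/443), not the public one (9852/9080/...). The following model is an added example written for this page, not code from the thread or from MikroTik. It simplifies RouterOS semantics to first-match chains with a fall-through accept, uses the addresses and port map from ron's export, and constructs the external client address (198.51.100.7) and the "public ports in forward chain" mistake to illustrate the second point.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    in_iface: str = "ether1"
    proto: str = "tcp"
    state: str = "new"              # new | established | related


@dataclass(frozen=True)
class Rule:
    action: str                             # accept | drop | dst-nat
    dst_address: Optional[str] = None
    dst_ports: Optional[FrozenSet[int]] = None
    src_network: Optional[str] = None       # e.g. "172.16.2.0/24"
    in_iface: Optional[str] = None
    proto: Optional[str] = None
    conn_state: Optional[str] = None
    to_address: Optional[str] = None        # dst-nat only
    to_port: Optional[int] = None           # dst-nat only

    def matches(self, pkt: Packet) -> bool:
        # Every matcher that is set must hit; unset matchers are wildcards.
        if self.dst_address is not None and pkt.dst != self.dst_address:
            return False
        if self.dst_ports is not None and pkt.dport not in self.dst_ports:
            return False
        if self.src_network is not None:
            if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src_network):
                return False
        if self.in_iface is not None and pkt.in_iface != self.in_iface:
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.conn_state is not None and pkt.state != self.conn_state:
            return False
        return True


def first_match(rules: List[Rule], pkt: Packet) -> Optional[Rule]:
    """First matching rule wins; rules below it are never consulted."""
    return next((r for r in rules if r.matches(pkt)), None)


def apply_dstnat(pkt: Packet, nat_rules: List[Rule]) -> Packet:
    rule = first_match(nat_rules, pkt)
    if rule is None or rule.action != "dst-nat":
        return pkt
    return replace(pkt, dst=rule.to_address, dport=rule.to_port)


def filter_decision(pkt: Packet, chain: List[Rule]) -> str:
    rule = first_match(chain, pkt)
    return rule.action if rule else "accept"   # no match: chain falls through to accept


def forward_decision(pkt: Packet, nat_rules: List[Rule], chain: List[Rule]) -> Tuple[Packet, str]:
    """dstnat is applied before filter forward, so the chain sees the translated packet."""
    translated = apply_dstnat(pkt, nat_rules)
    return translated, filter_decision(translated, chain)


WAN_IP = "131.216.118.9"
# public port -> (internal host, internal port), as in ron's export
PORT_MAP = {
    9852: ("172.16.2.252", 22), 9080: ("172.16.2.252", 80), 9443: ("172.16.2.252", 443),
    9854: ("172.16.2.2", 22),   8080: ("172.16.2.2", 80),   8443: ("172.16.2.2", 443),
    9853: ("172.16.2.3", 22),   80:   ("172.16.2.3", 80),   443:  ("172.16.2.3", 443),
}
NAT_RULES = [
    Rule("dst-nat", dst_address=WAN_IP, dst_ports=frozenset({pub}), in_iface="ether1",
         proto="tcp", to_address=host, to_port=port)
    for pub, (host, port) in PORT_MAP.items()
]

# Forward chain from ron's export: accepts sit above the final drop.
ACCEPT_THEN_DROP = [
    Rule("accept", src_network="172.16.2.0/24"),
    Rule("accept", conn_state="established"),
    Rule("accept", conn_state="related"),
    Rule("accept", proto="tcp", dst_ports=frozenset({22, 80, 443, 8291})),
    Rule("drop"),
]
# The ordering mistake from the second post: the drop placed first.
DROP_THEN_ACCEPT = [ACCEPT_THEN_DROP[-1]] + ACCEPT_THEN_DROP[:-1]
# Constructed mistake: accepting the *public* ports in the forward chain.
PUBLIC_PORTS_IN_FORWARD = ACCEPT_THEN_DROP[:3] + [
    Rule("accept", proto="tcp", dst_ports=frozenset(PORT_MAP)),
    Rule("drop"),
]
CLIENT = "198.51.100.7"   # constructed external client address (TEST-NET-2)


def demo() -> None:
    chains = [("accept-then-drop", ACCEPT_THEN_DROP), ("drop-then-accept", DROP_THEN_ACCEPT),
              ("public-ports-in-forward", PUBLIC_PORTS_IN_FORWARD)]
    for name, chain in chains:
        for pub in (9852, 80):
            t, verdict = forward_decision(Packet(src=CLIENT, dst=WAN_IP, dport=pub), NAT_RULES, chain)
            print(f"{name:24} {WAN_IP}:{pub} -> {t.dst}:{t.dport} {verdict}")


if __name__ == "__main__":
    demo()
```

Running `demo()` shows the pattern behind "symptoms vary": with the public ports in the forward chain, the :80 and :443 forwards still work (those numbers happen to match on both sides of the translation) while every :98xx ssh forward is dropped, and with the drop rule first, nothing is forwarded at all. The model also shows that the final drop still protects non-forwarded LAN ports from outside while LAN-originated traffic is accepted by the first rule.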

And is that working now? It should, based on what you posted.

No, it's not working at all… no outgoing traffic appears to be exiting the router. Do I need the output and input chains configured in /ip firewall filter?

The same for me with an RB450G - for almost a week I have been trying to configure access to an internal web page with no success. All ports are forwarded properly, but it is unable to access the internal machine from outside the router on ports 80, 443, 22. All other things work fine (FTP, Remote Desktop connection). Unlike ronyoung12001's configuration, I have only one server inside. The filter/NAT configurations are similar. I'm a little bit confused because it should work, but doesn't. I tried different logical/illogical filter/NAT configs with no success. I am out of ideas and am starting to think it is because all internal (ether2 to ether5) LAN ports are bridged…

You do not.

I was only looking at the NAT rules - why are you bridging anything? The RB450G has a switch chip built in, which is configured by the master-port property of the ethernet interfaces. Ether1 is your WAN and should be stand-alone. Ether3-5 should have ether2 as the master-port. Your LAN address then goes on the ether2 interface. From then on your configuration appears to be correct, though I would add “out-interface=ether1” to the source NAT rule.

It turns out there were a couple of server issues that were causing the network problems:
one hardware (a badly behaving interface card) and one software (the IPMI interface had also
grabbed the same IP as the service console, 172.16.2.252).

Once I corrected them, things started behaving much better…

As for the bridging, that was just to allow me to plug additional devices on to the internal
net without needing a switch or touching the router config.

Thanks again everyone for your help.

-ron

Good that it is working. But the built-in switch chip allows for bridging at the hardware level - if you ever experience low-performance issues, that would be the first thing to tweak.