need help to deal with simple port forwarding

RizONE · November 20, 2018, 2:16pm

Hi
the rule is configured on a target mikrotik

/ ip firewall nat
add action = netmap chain = dstnat comment = RDP dst-port = 4556 in-interface = WAN log = yes protocol = tcp to-addresses = 192.168.0.50 to-ports = 3389

and it works, but
When connecting through one provider in the log I see

08:52:35 firewall, info dstnat: in: WAN out: (none), src-mac 00: 04: 96: 52: 4c: e2, proto TCP (SYN), 91.205. *. *: 1077-> 10.82 . *. *: 4556, len 60

no connection
and through another one

08:53:40 firewall, info dstnat: in: WAN out: (none), src-mac 00: 04: 96: 52: 4c: e2, proto TCP (SYN), 91.226. *. *: 50225-> 10.82 . *. *: 4556, len 52

there is a connection
The only difference is in the len part, what is the len and how to fix it?

anav · November 20, 2018, 4:55pm

I am not familiar with netmap but your rule looks reasonable.
Any user coming in on the wan with traffic destined for port 4556 gets their request forwarded to IP .0.50, on port 3389.

(I am not sure this is the most secure use of RDP, I would rather vpn in to a server or router)

sebastia · November 20, 2018, 7:10pm

Do you have a filter rule that allows dnat-ed or that specific traffic through?

You need both: one to remap and other to allow. as these are located in different ip tables.

anav · November 20, 2018, 7:36pm

Correct, you need to have a firewall rule to allow your DST-NAT Traffic
I would assume he does as dstnat works in one case but not the other.
It may be that his allow dstnat rule is not generic but specific to a particular WANIP?

the usual rule looks like this ---->
/ip firewall filter
add chain=forward action=accept in-interface=wan_interface connection-nat-state=dstnat connection-state=established,related

If one has multiple ISP interfaces then
/ip firewall filter
add chain=forward action=accept in-interface-list=wan connection-nat-state=dstnat connection-state=established,related

2frogs · November 20, 2018, 9:41pm

Use action=dst-nat, netmap is intended to do a 1:1 nat between an ip or between sets of multiple ips. Between 2 ips it acts more like an DMZ where it would be port for port.
DST-nat is for forwarding either a single port or multiple ports to a device and can be used to forward different ports to different devices.

Len=length and in this case it refers to the size of the packet. The fact they are different has no real meaning.

anav · November 21, 2018, 1:04am

So two frogs, netmap is akin to 1:1 mappings between public IPs and private iPs? Like dedicated to a server?

2frogs · November 21, 2018, 1:13am

That’s correct!

netmap - creates a static 1:1 mapping of one set of IP addresses to another one. Often used to distribute public IP addresses to hosts on private networks

https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/NAT

RizONE · November 21, 2018, 7:58am

Thanx a lot to all.
that helps me

but anyway I do not undestand why port worwarding (without this rule) works for one provider and do not for other one.

anav · November 21, 2018, 7:38pm

If you have two providers the rule should look like this
/ip firewall filter
add chain=forward action=accept in-interface-list=wan connection-nat-state=dstnat connection-state=established,related