Need some help with port forwarding

Hello,

I want to forward port 81 to an internal IP; here is how I tried:

```text
/ip firewall nat add chain=dstnat dst-address=my.wan.ip protocol=tcp dst-port=81 \
    action=dst-nat to-addresses=192.168.1.103 to-ports=0-65535
```

When I try to connect to my.wan.ip:81 - connection timed out. Where is the problem? Do I need to add something else in NAT?

Thanks,
kristapsb

You also need source nat rule to masquerade your local network.

Yeah, you do. Forward the 81. from wan to 81. at internal IP, not 81. to all ports :laughing:

I already have masquerade for ether1 (WAN port).

```text
/ip firewall nat add chain=srcnat action=masquerade out-interface=ether1
```

How can I do this for local network?

In the masquerade you should mention the internal subnet. It is all written in FM (fine manual), so please, feel free to RTFM!
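Added example, not part of any post in this thread: a small Python check for the two points raised in the replies above, a dst-nat rule whose to-ports covers more ports than its dst-port, and a masquerade rule with no src-address. The sample rules are constructed from the commands quoted in the thread, and the parser assumes simple key=value rules with no quoted values.

```python
import re

# Constructed sample: rules 0-1 as posted in the thread, rules 2-3 narrowed
# the way the replies suggest (subnet on the masquerade, 81 forwarded to 81).
SAMPLE = r"""/ip firewall nat add chain=dstnat dst-address=my.wan.ip protocol=tcp dst-port=81 \
    action=dst-nat to-addresses=192.168.1.103 to-ports=0-65535
/ip firewall nat add chain=srcnat action=masquerade out-interface=ether1
/ip firewall nat add chain=srcnat action=masquerade src-address=192.168.1.0/24 out-interface=ether1
/ip firewall nat add chain=dstnat dst-address=my.wan.ip protocol=tcp dst-port=81 \
    action=dst-nat to-addresses=192.168.1.103 to-ports=81
"""

def parse_rules(text):
    """Join backslash-continued lines, then read key=value pairs per rule."""
    joined = re.sub(r"\\\s*\n\s*", " ", text)
    rules = []
    for line in joined.splitlines():
        pairs = dict(re.findall(r"([\w-]+)=(\S+)", line))
        if pairs:
            rules.append(pairs)
    return rules

def port_span(spec):
    """Number of ports covered by a spec such as '81', '0-65535' or '80,443'."""
    total = 0
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        total += int(hi or lo) - int(lo) + 1
    return total

def lint(rules):
    """Return (rule index, message) for each rule broader than it needs to be."""
    findings = []
    for n, r in enumerate(rules):
        action = r.get("action")
        if action == "dst-nat" and "dst-port" in r and "to-ports" in r:
            if port_span(r["to-ports"]) > port_span(r["dst-port"]):
                findings.append((n, "to-ports covers more ports than dst-port"))
        if action == "masquerade" and "src-address" not in r:
            findings.append((n, "masquerade has no src-address"))
    return findings

if __name__ == "__main__":
    for index, message in lint(parse_rules(SAMPLE)):
        print(f"rule {index}: {message}")
```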

> /ip firewall nat add chain=srcnat action=masquerade out-interface=ether1
>
> How can I do this for local network?

Just by putting that in. The firewall matches each packet: the more specific you get, the less it will match; the more general you make it, the more it will match. If you wanted to masquerade for only one subnet, you would make a rule like this:

```text
/ip firewall nat add chain=srcnat action=masquerade src-address=192.168.1.0/24 out-interface=ether1
```

You can also get more specific and add in an in-interface, or any other options you want. Just be careful to not get too specific otherwise you can wind up not masquerading traffic that you want. The same goes for every other firewall rule as well, you can also be too general and catch things you don’t want.

Here is a print out of the nat rules I have in place:

```text
0 chain=srcnat action=masquerade out-interface=ether1
  src-address=192.168.2.0/24

1 chain=dstnat action=dst-nat to-addresses=192.168.2.2 to-ports=23
  in-interface=ether1 dst-address=10.0.0.17 dst-port=5000 protocol=tcp
```

I’m attempting to translate the port externally from 5000 to port 23 internally.

It’s not working. Any ideas folks?

AND YES I’VE RTFM just didn’t have the right bit of how to from the manual sink in apparently.

:frowning: HELP! this should be soooo simple.

Thanks…

On a side note… I have another router set up that is running 3.35 and those rules work, whereas the ones not working are running 3.25.

Here are the rules from the one that’s working.

```text
0 chain=srcnat action=masquerade src-address=192.168.2.0/24
  out-interface=ether1

1 chain=dstnat action=dst-nat to-addresses=192.168.2.154 to-ports=3389
  protocol=tcp in-interface=ether1 dst-port=8889
```

I would just upgrade that router to the newer version, but I’m really curious as to why it’s not working, and whether this version of the OS needs different criteria or something. So before I upgrade I want to figure out if older versions need different syntax. Anyone else experienced this before?