New to ROS, need help with port mapping/static IPs

I’m new to ROS.

I’ve read the documentation, looked over the wiki, read through the forum posts.

I’ve previously configured a number of other routers (Netopia & Ecessa, among others) over the years and have a decent understanding of what needs to be done.

I’m trying to open specific ports for services to my servers and something isn’t quite right with my config… Network NAT works (so the DHCP systems are fine for internet access) but the servers aren’t able to receive or send traffic.

Can someone look at this and enlighten me, please.

Thanks in advance.

The specifics, I’m running RouterOS 5.14 on a RouterBoard 750GL.



Here’s my network diagram:

Here’s the dumps from the configuration that I’ve done already:



[admin@MikroTik-JAD] /ip address> print detail
Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;; NATted address for router
     address=72.74.246.14/24 network=72.74.246.0 interface=ether1-gateway 
     actual-interface=ether1-gateway 

 1   ;;; Mail
     address=72.74.246.10/24 network=72.74.246.0 interface=ether1-gateway 
     actual-interface=ether1-gateway 

 2   ;;; File
     address=72.74.246.11/24 network=72.74.246.0 interface=ether1-gateway 
     actual-interface=ether1-gateway 

 3   ;;; Spare 1
     address=72.74.246.12/24 network=72.74.246.0 interface=ether1-gateway 
     actual-interface=ether1-gateway 

 4   ;;; spare 2
     address=72.74.246.13/24 network=72.74.246.0 interface=ether1-gateway 
     actual-interface=ether1-gateway 

 5   ;;; JAD Standard Network
     address=192.168.1.1/24 network=192.168.1.0 interface=ether2-master-local




[admin@MikroTik-JAD] /ip route> print detail
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 0 A S  ;;; NAT Route
        dst-address=0.0.0.0/0 gateway=72.74.246.1 
        gateway-status=72.74.246.1 reachable via  ether1-gateway distance=1 
        scope=30 target-scope=10 

 1 X S  dst-address=0.0.0.0/0 gateway=72.74.246.1 
        gateway-status=72.74.246.1 inactive distance=1 scope=30 
        target-scope=10 

 2 X S  dst-address=0.0.0.0/0 pref-src=72.74.246.14 gateway=72.74.246.1 
        gateway-status=72.74.246.1 inactive distance=1 scope=30 
        target-scope=10 

 3 ADC  dst-address=72.74.246.0/24 pref-src=72.74.246.14 gateway=ether1-gateway 
        gateway-status=ether1-gateway reachable distance=0 scope=10 

 4 ADC  dst-address=192.168.1.0/24 pref-src=192.168.1.1 
        gateway=ether2-master-local 
        gateway-status=ether2-master-local reachable distance=0 scope=10 
[admin@MikroTik-JAD] /ip route>



[admin@MikroTik-JAD] /interface> print detail
Flags: D - dynamic, X - disabled, R - running, S - slave 
 0  R  name="ether1-gateway" type="ether" mtu=1500 l2mtu=1598 max-l2mtu=4074 

 1  R  name="ether2-master-local" type="ether" mtu=1500 l2mtu=1598 
       max-l2mtu=4074 

 2     name="ether3-slave-local" type="ether" mtu=1500 l2mtu=1598 
       max-l2mtu=4074 

 3     name="ether4-slave-local" type="ether" mtu=1500 l2mtu=1598 
       max-l2mtu=4074 

 4  R  name="ether5-slave-local" type="ether" mtu=1500 l2mtu=1598 
       max-l2mtu=4074 

 5  R  name="loopback0" type="bridge" mtu=1500 l2mtu=65535 
[admin@MikroTik-JAD] /interface>



[admin@MikroTik-JAD] /ip firewall> export
# dec/01/2012 18:09:10 by RouterOS 5.14
# software id = EUGD-42VC
#
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
    tcp-close-wait-timeout=10s tcp-established-timeout=1d \
    tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
    tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
    tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=accept chain=input comment="default configuration" disabled=no \
    protocol=icmp
add action=accept chain=input comment="default configuration" \
    connection-state=established disabled=no
add action=accept chain=input comment="default configuration" \
    connection-state=related disabled=no
add action=drop chain=input comment="default configuration" disabled=no \
    in-interface=ether1-gateway
/ip firewall nat
add action=dst-nat chain=dstnat comment="Mail Server HTTP-Webmail" disabled=\
    no dst-address=72.74.246.10 dst-port=80 protocol=tcp to-addresses=\
    192.168.1.10 to-ports=80
add action=dst-nat chain=dstnat comment="Mail Server POP" disabled=no \
    dst-address=72.74.246.10 dst-port=110 protocol=tcp to-addresses=\
    192.168.1.10 to-ports=110
add action=dst-nat chain=dstnat comment="Mail Server IMAP" disabled=no \
    dst-address=72.74.246.10 dst-port=143 protocol=tcp to-addresses=\
    192.168.1.10 to-ports=143
add action=dst-nat chain=dstnat comment="Mail Server-SMTP" disabled=no \
    dst-address=72.74.246.10 dst-port=25 protocol=tcp to-addresses=\
    192.168.1.10 to-ports=25
add action=dst-nat chain=dstnat comment="Mail Server-Secure HTTP (HTTPS)" \
    disabled=no dst-address=72.74.246.10 dst-port=443 protocol=tcp \
    to-addresses=192.168.1.10 to-ports=443
add action=dst-nat chain=dstnat comment="Mail Server-Secure SMTP" disabled=no \
    dst-address=72.74.246.10 dst-port=465 protocol=tcp to-addresses=\
    192.168.1.10 to-ports=465
add action=dst-nat chain=dstnat comment="Mail Server-SMTP Submission" \
    disabled=no dst-address=72.74.246.10 dst-port=587 protocol=tcp \
    to-addresses=192.168.1.10 to-ports=587
add action=dst-nat chain=dstnat comment="Mail Server-Secure IMAP" disabled=no \
    dst-address=72.74.246.10 dst-port=993 protocol=tcp to-addresses=\
    192.168.1.10 to-ports=993
add action=dst-nat chain=dstnat comment="Mail Server-LDAP" disabled=no \
    dst-address=72.74.246.10 dst-port=389 protocol=tcp to-addresses=\
    192.168.1.10 to-ports=389
add action=dst-nat chain=dstnat comment="Mail Server-Secure LDAP" disabled=no \
    dst-address=72.74.246.10 dst-port=636 protocol=tcp to-addresses=\
    192.168.1.10 to-ports=636
add action=dst-nat chain=dstnat comment="Mail Server-Kerio Admin" disabled=no \
    dst-address=72.74.246.10 dst-port=4040 protocol=tcp to-addresses=\
    192.168.1.10 to-ports=4040
add action=dst-nat chain=dstnat comment="Mail Server-iStat Monitor" disabled=\
    no dst-address=72.74.246.10 dst-port=5109 protocol=tcp to-addresses=\
    192.168.1.10 to-ports=5109
add action=dst-nat chain=dstnat comment="Web Server-HTTP" disabled=no \
    dst-address=72.74.246.11 dst-port=80 protocol=tcp to-addresses=\
    192.168.1.11 to-ports=80
add action=dst-nat chain=dstnat comment="Web Server-FTP (TCP)" disabled=no \
    dst-address=72.74.246.11 dst-port=20 protocol=tcp to-addresses=\
    192.168.1.11 to-ports=20
add action=dst-nat chain=dstnat comment="Web Server-FTP (UDP)" disabled=no \
    dst-address=72.74.246.11 dst-port=20 protocol=udp to-addresses=\
    192.168.1.11 to-ports=20
add action=dst-nat chain=dstnat comment="Web Server-FTP (TCP)" disabled=no \
    dst-address=72.74.246.11 dst-port=21 protocol=tcp to-addresses=\
    192.168.1.11 to-ports=21
add action=dst-nat chain=dstnat comment="Web Server-FTP (UDP)" disabled=no \
    dst-address=72.74.246.11 dst-port=21 protocol=udp to-addresses=\
    192.168.1.11 to-ports=21
add action=dst-nat chain=dstnat comment="Web Server-AFP (TCP)" disabled=no \
    dst-address=72.74.246.11 dst-port=548 protocol=tcp to-addresses=\
    192.168.1.11 to-ports=548
add action=dst-nat chain=dstnat comment="Web Server-AFP (UDP)" disabled=no \
    dst-address=72.74.246.11 dst-port=548 protocol=udp to-addresses=\
    192.168.1.11 to-ports=548
add action=dst-nat chain=dstnat comment=\
    "Web Server-Mac OS X Server servermanagerd" disabled=no dst-address=\
    72.74.246.11 dst-port=311 protocol=tcp to-addresses=192.168.1.11 \
    to-ports=311
add action=src-nat chain=srcnat comment="Mail Server-map to external address" \
    disabled=no src-address=192.168.1.10 to-addresses=72.74.246.10
add action=src-nat chain=srcnat comment="Web Server-Map to External" \
    disabled=no src-address=192.168.1.11 to-addresses=72.74.246.11
add action=masquerade chain=srcnat comment="default configuration" disabled=\
    no out-interface=ether1-gateway
add action=masquerade chain=srcnat comment=\
    "Hairpin NAT for accessing internal servers using external DNS" disabled=\
    no dst-address=192.168.1.0/24 out-interface=ether1-gateway to-addresses=\
    192.168.1.10
add action=masquerade chain=srcnat disabled=no dst-address=192.168.1.0/24 \
    to-addresses=192.168.1.11
add action=masquerade chain=srcnat disabled=no dst-address=192.168.1.0/24 \
    to-addresses=192.168.1.12
add action=masquerade chain=srcnat disabled=no dst-address=192.168.1.10 \
    out-interface=ether2-master-local src-address=192.168.1.0/24
add action=masquerade chain=srcnat disabled=no dst-address=192.168.1.11 \
    out-interface=ether2-master-local src-address=192.168.1.0/24
add action=masquerade chain=srcnat disabled=no dst-address=192.168.1.12 \
    out-interface=ether2-master-local src-address=192.168.1.0/24 \
    to-addresses=0.0.0.0
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061 sip-direct-media=yes
set pptp disabled=no
[admin@MikroTik-JAD] /ip firewall>

Do you really have no forwarding chain filters or did you just miss them out of the upload?

I haven’t defined any forwarding chains. The only ones present are the default ones.

/ip firewall filter
add action=accept chain=input comment="default configuration" disabled=no \
    protocol=icmp
add action=accept chain=input comment="default configuration" \
    connection-state=established disabled=no
add action=accept chain=input comment="default configuration" \
    connection-state=related disabled=no
add action=drop chain=input comment="default configuration" disabled=no \
    in-interface=ether1-gateway

I’ve read the section on NAT & forwarding, but didn’t see anywhere that a chain needed to be defined…I made an assumption (incorrect, perhaps) that the dstnat & srcnat chains shown in the examples were for the default behavior for NAT when performing port mapping of public to private addresses.

Can you explain what I’m missing? I’ve read the manual section on the firewall just now, but, if anything, am more perplexed that I missed something here.

Thanks.

Cheers,
Jon

Are you using Ether ports 3-5 on the RouterBoard? They don’t seem to be slaved to Ether 2.

I’m not using 3-5 typically, but ports 2-5 appear to act as one group of ports as I plugged into the box on ports 2, 4 & 5 and all worked fine (I got my IP assigned and was able to work on the ROS config).

OK - the slave status doesn’t show in print detail for some reason…

Could you confirm the symptoms:

General LAN clients have full internet access? Which public IP do they present on an IP checking site?

For the servers, are they able to access internet - i.e. does web browser work?

I scanned through quickly - noticed one oddity:

add action=masquerade chain=srcnat disabled=no dst-address=192.168.1.12 \
    out-interface=ether2-master-local src-address=192.168.1.0/24 \
    to-addresses=0.0.0.0

to-addresses looks odd.

It might be worth temporarily disabling the hairpin rules while trying to pin down the problem.
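As an added illustration (not code from the thread or from MikroTik), here is a small Python review script that parses an export in the shape posted above and flags the two points raised in this thread: a masquerade rule carrying a to-addresses value, and dst-nat rules with no forward-chain filter rules at all. The excerpt it runs on is constructed from the posted rules; the behaviour it assumes is that RouterOS masquerade picks the out-interface address itself and ignores to-addresses.

```python
import re
import shlex

# Constructed excerpt in the shape of the "/ip firewall export" dump posted in
# the thread: "\" continues a line, values may be quoted, and a key=value pair
# may be split across the continuation.
SAMPLE_EXPORT = r"""
/ip firewall filter
add action=accept chain=input comment="default configuration" disabled=no \
    connection-state=established
add action=drop chain=input comment="default configuration" disabled=no \
    in-interface=ether1-gateway
/ip firewall nat
add action=dst-nat chain=dstnat comment="Mail Server HTTP-Webmail" disabled=\
    no dst-address=72.74.246.10 dst-port=80 protocol=tcp to-addresses=\
    192.168.1.10 to-ports=80
add action=masquerade chain=srcnat comment="default configuration" disabled=\
    no out-interface=ether1-gateway
add action=masquerade chain=srcnat disabled=no dst-address=192.168.1.12 \
    out-interface=ether2-master-local src-address=192.168.1.0/24 \
    to-addresses=0.0.0.0
"""

def parse_export(text):
    """Return a list of (section, {key: value}) for every 'add' line."""
    joined = re.sub(r"\\\n\s*", "", text)  # undo "\" line continuations
    rules, section = [], None
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("/"):
            section = line
        elif line.startswith("add "):
            # shlex handles the quoted comment values; every token is key=value
            kv = dict(tok.split("=", 1) for tok in shlex.split(line[4:]))
            rules.append((section, kv))
    return rules

def review(rules):
    """Flag the two issues discussed in the thread; returns a list of findings."""
    findings = []
    nat = [r for s, r in rules if s == "/ip firewall nat"]
    flt = [r for s, r in rules if s == "/ip firewall filter"]
    for r in nat:
        # assumption: masquerade ignores to-addresses, so its presence usually
        # means the rule does not do what its author intended
        if r.get("action") == "masquerade" and "to-addresses" in r:
            findings.append("masquerade ignores to-addresses=%s (%s)"
                            % (r["to-addresses"], r.get("comment", "no comment")))
    # with no forward-chain rules, every dst-nat'ed port reaches the server
    # unfiltered; at minimum drop invalid and restrict to the intended ports
    if (any(r.get("action") == "dst-nat" for r in nat)
            and not any(r.get("chain") == "forward" for r in flt)):
        findings.append("dst-nat present but no forward-chain filter rules")
    return findings

if __name__ == "__main__":
    for finding in review(parse_export(SAMPLE_EXPORT)):
        print("FINDING:", finding)
```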

I’ve disabled the hairpin rules, still no joy…

Thanks.

Cheers,
Jon