Opening port (PAT) is locking NAT masquerade ?

Hello,

I’m new with mikrotik product but used to configure network router.
I’m starting to use a RB5009, for now only with IPv4, using latest 7.2 firmware.
2 bridge, one for LAN (br-lan), one for WAN (br-wan).
I’ve set the first firewall NAT rules to access internet from my LAN :

/ip firewall nat
add action=masquerade chain=srcnat out-interface=br-wan to-addresses=0.0.0.0

This works as excepted and I’m able to browse the internet.

Now, I want to access one of my LAN server from outside. I need to open the 443 port using PAT, and cannot specified the destination IP as my ISP is giving me dynamic public IP :

add action=dst-nat chain=dstnat dst-port=443 protocol=tcp to-addresses=192.168.1.5 to-ports=443

If I do that, I can no longer open any socket on port 443 from my LAN to the internet. This rules messed up everyting.
I need to set it as this :

add action=dst-nat chain=dstnat dst-port=443 in-interface=br-wan protocol=tcp to-addresses=192.168.1.5 to-ports=443

adding the in-interface specified with my wan bridge, and everything is working as expected then.

I’m kind of surprise because the documentation does not mention this. What am I missing here ?

Thanks !

Post your config
/export file=anynameyouwish.

This rule typically looks like this ( the too addresses is not required and is not useful and should be removed)
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN or out-interface=eth1 (or if its pppoe then =pppoe-out1, or vlan etc…).
never seen it tied to bridge but that should be okay!

For port forwarding you need one firewall filter rule in the forward chain
add chain=forward action=accept connection-nat-state=dstnat

and properly formatted DST nAT rules… for that it depends on whether its dynamic or static…
You are missing how the rule is getting to the router…
If its dynamic in-interface-list=WAN
If its dynamic dst-address=WANIP
[b item E.[/b] here… https://forum.mikrotik.com/viewtopic.php?t=182373
read
1A and 1B and para 6.

Since the RB5009 is a “router” class device, I’m not sure it supports multiple bridges per switch chip in hardware, as the CRS3xx and higher-end CCR devices do. You can read more about that potential problem in the docs, here.

Try the command near the end (“/interface bridge port print”) to see if you get “H” in the flags column for all ports. If not, and the WAN port is a single uplink, it might be better to have that port not be any bridge at all.

I’m kind of surprise because the documentation does not mention this. What am I missing here ?

You’re missing the fact that the dstnat feature has uses beyond WAN port-forwarding into the private LAN. Not all uses require or even benefit from restricting the rule by in-interface.

I’ve checked and indeed RB5009 does not support hardware offloading on multiple bridge.
It could related to some performance issue but to be honest i’ve not realized any ? (for now HW is enable on the br-lan bridge).

I’m unfortunately in the necessity of using a bridge for wan (I do need bridge filter to enable COS6 on DHCP request for my ISP).
It seems that I could use VLAN to isolate ports and make multiple subnets, i’ll have to check that !

What makes you think you need a bridge for WAN??

this : “I do need bridge filter to enable COS6 on DHCP request for my ISP”

I don’t see other way to change COS priority for DHCP request ?

Web searching didn’t turn up much about what “COS6” means, nor why you’d want to do it.

However, I don’t see why you’d need bridge filtering to do anything in this condition. Now that you’ve discovered that you have only one hardware bridge, it’s sensible to put the WAN port outside it, forcing all traffic to cross the CPU. Therefore, regular /ip/firewall/filter has no cost penalty over bridge filtering for that port.

The two filtering features don’t have precisely overlapping syntax, but they’re close enough that you should have no trouble translating them.

Tangent, not to go off on a tangent (yuck yuck), I remember awhile back when trying to use my zyxel router to host both the TV VLAN, and Internet VLAN, I was only able to host the internet vlan. The reason being that the handshake from TV VLAN required a return handshake of COS at a certain setting. It sounds familiar and thus the OP needs that initial connection to be with COS set at 6. How do to this on MT routers, maybe not possible??

My ISP won’t respond to DHCP request for getting a public IP if the request is NOT with a particular QoS on the 802.1q header. The only way to change this QoS that i’ve found is using a bridge filter rule :

add action=set-priority chain=output dst-port=67 ip-protocol=udp log=yes log-prefix="Set CoS6 IPv4" mac-protocol=ip new-priority=6 out-interface=vlan832-internet passthrough=yes
add action=set-priority chain=output dst-port=547 ip-protocol=udp log=yes log-prefix="Set CoS6 IPv6" mac-protocol=ipv6 new-priority=6 out-interface=vlan832-internet

Unless i’m totally wrong, you CANNOT do an action “set-priority” anywhere else.

I don’t understand what you mean with

Now that you’ve discovered that you have only one hardware bridge, it’s sensible to put the WAN port outside it, forcing all traffic to cross the CPU

Sensible as a security issue ?
Or performance issue ?

What should be the best bridge configuraiton ? one bridge that include all eth port that are parts of my LAN/Wifi, and the WAN port exclude ?

You are right, bridge filter is the only way to do this… Nice find!! Apparently if ones device has a switch chip it can be done on the chip vice bridge filter…

There is no QoS field in the 802.1q header. Nor is there a COS field, which explains my trouble searching for information to help you. Please use the correct terms.

I assume you’re referring to the priority code point field (PCP) instead, which RouterOS calls the vlan-priority. I’ve never run across a need to set the PCP field, but I think you can get what you want with something like:

/interface/ethernet/switch/rule
add ports=ether1 dst-port=67 protocol=udp mac-protocol=ip \
vlan-id=832 vlan-priority=6

See the docs on switch chip rules for details. I don’t have an RB5009 here to test with, but at the top of that page, it says the switch chip in that model has room for 256 rules.

Incidentally, I suspect you don’t need to restrict this rule to DHCP. Setting the same VLAN priority for all traffic might be legitimate; ask your ISP’s techies. If that’s right, you’re thinking in terms of DHCP only because it’s the first thing that must succeed on this interface. That doesn’t mean the priority must change after the DHCP exchange is complete.

I don’t understand what you mean with

Now that you’ve discovered that you have only one hardware bridge, it’s sensible to put the WAN port outside it, forcing all traffic to cross the CPU

Sensible as a security issue ?
Or performance issue ?

I’m saying that if you can have only one hardware bridge, it’s sensible to use that for the LAN-side ports, since there’s more than one, and bridging them together is what you normally want to do.

(Contrast LAN-side routing, which is uncommon with RB5009 class devices beyond basics like inter-VLAN routing.)

That leaves two options for the WAN-side port: put it in a bridge, which must be a software bridge under the limitations for this model of router, or don’t put it in a bridge at all. Since you don’t get the benefit of hardware bridging either way, and bridging is causing you trouble, why not take the second option?

Sorry for the wrong term, I’m not used to this field and use incorrect name indeed.

Unfortunatelly it seems the RB5009 cannot change VLAN priority using switch rule :

[admin@MikroTik] > /interface/ethernet/switch/rule/add port=sfp-sfpplus1 dst-port=67 protocol=udp mac-protocol=ip switch=switch1 new-vlan-id=832 new-vlan-priority=6
failure: new-vlan-priority not supported for this switch

I do need the VLANID for every packet ; I do need PCP6 for the DHCP request to be accepted. If I leave the PCP6 on every request, then the ISP do apply some QoS and my upload is really limitated: normally it could goes up to 300Mb/s, if I set PCP6 for every packet it drops to ~5Mb/s. That’s why I was referring this field to “QoS” by the way.

IF so the bridge filter rules should be capable of this.

Then it sounds like you do need a one-port software bridge to make this work, lame as that is. Set “hw=no” on the WAN bridge to make sure RouterOS doesn’t choose the LAN bridge to be the one that gets the short-sheeting.

For instance, you might someday reorder your configuration by port number, so if the WAN port is ether1, leaving the “hw” parameter at its default would make the WAN take over the hardware bridge, hurting performance on the LAN side.

It also serves as documentation, saying in effect, “Yes, I know this is a software bridge.”

Do you have any documentation about what’s so catastrophic to have bridges that cannot be hardware ?
To be honest the current configuration with 3 bridge seems to work ok ?

First link in my first post.

The problem isn’t having software bridges, it’s in not specifying which one gets to be the hardware backed bridge. If you don’t choose, RouterOS does it for you, and you might not like its choice.