Port forward frustration

After spending hours trying to get this to work with the default RouterOS setup, I’ve gone with what I can only think is the most basic of router configurations at this point.

I’m simply trying to port forward port 8080 to 192.168.1.102 port 22.

What am I missing?

[admin@MikroTik] > /ip address print detail
Flags: X - disabled, I - invalid, D - dynamic 
 0   address=192.168.1.1/24 network=192.168.1.0 interface=ether2 
     actual-interface=ether2 

 1 D address=24.xxx.xxx.xx/xx network=24.xxx.xxx.xxx interface=ether1 
     actual-interface=ether1



[admin@MikroTik] > /ip route print detail
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 0 ADS  dst-address=0.0.0.0/0 gateway=24.xxx.xxx.xxx 
        gateway-status=24.xxx.xxx.xxx reachable via  ether1 distance=1 scope=30 
        target-scope=10 vrf-interface=ether1 

 1 ADC  dst-address=24.xxx.xxx.xxx/xx pref-src=24.xxx.xxx.xxx gateway=ether1 
        gateway-status=ether1 reachable distance=0 scope=10 

 2 ADC  dst-address=192.168.1.0/24 pref-src=192.168.1.1 gateway=ether2 
        gateway-status=ether2 reachable distance=0 scope=10



[admin@MikroTik] > /interface print detail
Flags: D - dynamic, X - disabled, R - running, S - slave 
 0  R  name="ether1" default-name="ether1" type="ether" mtu=1500 actual-mtu=1500 
       l2mtu=1520 max-l2mtu=1520 mac-address=4C:XX:XX:XX:XX:XX fast-path=no 
       last-link-up-time=dec/19/2015 20:41:43 link-downs=0 

 1  R  name="ether2" default-name="ether2" type="ether" mtu=1500 actual-mtu=1500 
       l2mtu=1520 max-l2mtu=1520 mac-address=4C:XX:XX:XX:XX:XX fast-path=no 
       last-link-down-time=dec/19/2015 20:46:32 
       last-link-up-time=dec/19/2015 20:46:40 link-downs=1 

 2     name="ether3" default-name="ether3" type="ether" mtu=1500 actual-mtu=1500 
       l2mtu=1520 max-l2mtu=1520 mac-address=4C:XX:XX:XX:XX:XX fast-path=no 
       last-link-down-time=dec/19/2015 20:46:37 
       last-link-up-time=dec/19/2015 20:42:02 link-downs=2 

 3     name="ether4" default-name="ether4" type="ether" mtu=1500 actual-mtu=1500 
       l2mtu=1520 max-l2mtu=1520 mac-address=4C:XX:XX:XX:XX:XX fast-path=no 
       last-link-down-time=dec/19/2015 20:46:41 
       last-link-up-time=dec/19/2015 20:42:02 link-downs=2 

 4     name="ether5" default-name="ether5" type="ether" mtu=1500 actual-mtu=1500 
       l2mtu=1520 max-l2mtu=1520 mac-address=4C:XX:XX:XX:XX:XX fast-path=no 
       link-downs=0



[admin@MikroTik] > /ip firewall export
# dec/19/2015 21:08:34 by RouterOS 6.33
# software id = PVPD-3MD2
#
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=dst-nat chain=dstnat dst-port=8080 in-interface=ether1 protocol=tcp \
    to-addresses=192.168.1.102 to-ports=22

Hi,

How are you planning to access the device?

Do you want to do it from the web or only on your internal network?

Try the last nat rule like this. action=dst-nat chain=dstnat dst-address={Your Public IP} dst-port=8080 in-interface=ether1 protocol=tcp to-addresses=192.168.1.102 to-ports=22

I see your dst-port and to-ports aren't matching. Sometimes the device firewall will reject the incoming connections if the address is outside its IP subnet and the outside port is not matching.

Well well… That seems to have done it. Greatly appreciated!

I have a static IP so I removed the dst-address={Your Public IP}. It still seems to work, should I expect any issue going forward?

Hi,

From my experience it's best to leave the dst-address.

For example, if you port forward RDP (3389) to 192.168.1.20 with no dst-address:

You will try to RDP to a remote computer from an internal machine and all the traffic will forward to 192.168.1.20 on your own network.

Well… it seems to have stopped working :(

Full disclosure I reset the device and tried adding the rule again.

This is the line I was using to add the port forward:

/ip firewall nat add action=dst-nat chain=dstnat dst-address=24.xxx.xxx.xxx dst-port=8080 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.1.102 to-ports=22

Am I typing it wrong or something this time?

Well, I may have been mistaken. Works fine from an external IP address, just not an internal one. Going to read up on Hairpin NAT as I think that's my issue now.
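As an added example (not the poster's export or MikroTik's documentation), here is the dst-nat rule the thread arrived at together with the hairpin NAT rules that let LAN hosts reach the forward through the public IP; ether1 as the WAN interface, 192.168.1.0/24 as the LAN, and 24.0.0.1 standing in for the masked public address are assumptions.

```routeros
# Added example, not the thread's own config. Assumes WAN=ether1, LAN=192.168.1.0/24,
# and 24.0.0.1 as a placeholder for the public IP shown as 24.xxx.xxx.xxx above.
/ip firewall nat

# Outbound masquerade for the LAN (already present in the poster's export).
add chain=srcnat action=masquerade out-interface=ether1

# Port forward: public IP:8080 -> 192.168.1.102:22.
# dst-address keeps this rule from matching every outbound TCP/8080 connection
# LAN clients make (the RDP pitfall described in the thread). in-interface is
# deliberately left off so the same rule also matches hairpin traffic that
# arrives on ether2 from LAN clients. On a dynamic public IP, replace
# dst-address=24.0.0.1 with dst-address-type=local.
add chain=dstnat action=dst-nat protocol=tcp dst-address=24.0.0.1 dst-port=8080 \
    to-addresses=192.168.1.102 to-ports=22

# Hairpin NAT: a LAN host connecting to 24.0.0.1:8080 gets dst-nat'ed to
# 192.168.1.102, which would otherwise reply directly to the client from its
# LAN address; the client never sent anything to that address and drops the
# reply. Masquerading LAN->192.168.1.102 traffic (dst-address here is the
# already-translated address) forces the reply back through the router so the
# translation is undone.
add chain=srcnat action=masquerade src-address=192.168.1.0/24 \
    dst-address=192.168.1.102 protocol=tcp dst-port=22

# Defensive note: this exposes SSH on 192.168.1.102 to the whole internet.
# Where the client networks are known, narrow the dstnat rule with
# src-address=203.0.113.0/24 (documentation prefix used as a placeholder).
```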