Port forward / NAT / port mapping problem.

pavljiks · August 9, 2010, 8:30pm

First of all proud of such company (because i am Latvian). Heard much about it. Finally got my R750G to give it a try. And to get familiar with RouterOS at all, and i already have that feeling that in some time we will be friends .

After spending some time reading forums and wiki. mikrotik com i still can’t get access from outside to my internal server (service tcp on port 9000-9001 of my internal PC 192.168.1.99). It can be also windows remote access or any other service.

I’ll better just try to paste correct part from config just clear out what has gone wrong:

[admin@MikroTik] > /ip firewall nat print all
Flags: X - disabled, I - invalid, D - dynamic
 0   ;;; Added by webbox
     chain=srcnat action=masquerade out-interface=ether1-gateway

 1 D chain=dstnat action=dst-nat to-addresses=192.168.1.109 to-ports=3442 protocol=tcp dst-address=87.110.170.124 dst-port=3442
 2 D chain=dstnat action=dst-nat to-addresses=192.168.1.109 to-ports=3442 protocol=udp dst-address=87.110.170.124 dst-port=3442
 3 D chain=dstnat action=dst-nat to-addresses=192.168.1.254 to-ports=32966 protocol=tcp dst-address=87.110.170.124 dst-port=32966
 4 D chain=dstnat action=dst-nat to-addresses=192.168.1.254 to-ports=32966 protocol=udp dst-address=87.110.170.124 dst-port=32966
 5   chain=dstnat action=dst-nat to-addresses=192.168.1.99 to-ports=9000 protocol=tcp dst-port=9000
 6   chain=dstnat action=dst-nat to-addresses=192.168.1.99 to-ports=9001 protocol=tcp dst-port=9001

[admin@MikroTik] > /ip firewall filter print all
Flags: X - disabled, I - invalid, D - dynamic
 0   ;;; Added by webbox
     chain=input action=accept protocol=icmp
 1   ;;; Added by webbox
     chain=input action=accept connection-state=established in-interface=ether1-gateway
 2   ;;; Added by webbox
     chain=input action=accept connection-state=related in-interface=ether1-gateway
 3   ;;; logoshana
     chain=input action=log in-interface=ether1-gateway log-prefix="Input:Other"
 4   ;;; Added by webbox
     chain=input action=drop in-interface=ether1-gateway
 5   ;;; Added by webbox
     chain=forward action=jump jump-target=customer in-interface=ether1-gateway
 6   ;;; Added by webbox
     chain=customer action=accept connection-state=established
 7   ;;; Added by webbox
     chain=customer action=accept connection-state=related
 8   ;;; Added by webbox
     chain=customer action=drop

My outside interface is connected to internet with dynamic IP [DHCP](so it hard for me to specify dst-address for dst-nat), it can change.
Basically my routerboard config is almost default except lines i pasted hare. And settings which i can specify over web access (for example i don’t have any clue what means “Protect router”, “Protect LAN” and “NAT” in Firewall tab over web access.

SurferTim · August 10, 2010, 10:26am

Your firewall filter forward rules are blocking the access. You need to allow the three ips through before the “action=drop” rule.

add chain=customer action=accept src-address=192.168.1.109
add chain=customer action=accept dst-address=192.168.1.109

then do the same for the other two ips.

Move all these above the “chain=customer action=drop” rule.

someuser · August 10, 2010, 5:25pm

Hey FloridaSurferTim,
I missed your “Shark Week”. Any recordings anywhere?

CaliforniaSurferTim

pavljiks · August 10, 2010, 7:32pm

Added two rules as you said. And it works.

[admin@MikroTik] /ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic
 0   ;;; Added by webbox
     chain=input action=accept protocol=icmp
 1   ;;; Added by webbox
     chain=input action=accept connection-state=established in-interface=ether1-gateway
 2   ;;; Added by webbox
     chain=input action=accept connection-state=related in-interface=ether1-gateway
 3   chain=customer action=accept src-address=192.168.1.99
 4   chain=customer action=accept dst-address=192.168.1.99
 5   ;;; logoshana
     chain=input action=log in-interface=ether1-gateway log-prefix="Input:Other"
 6   ;;; Added by webbox
     chain=input action=drop in-interface=ether1-gateway
 7   ;;; Added by webbox
     chain=forward action=jump jump-target=customer in-interface=ether1-gateway
 8   ;;; Added by webbox
     chain=customer action=accept connection-state=established
 9   ;;; Added by webbox
     chain=customer action=accept connection-state=related
10   ;;; Added by webbox
     chain=customer action=drop

Is that the correct place(3,4). And two more questions

How i can change rule order from command line. Had to use winbox to just drag and drop.
What the difference between chain input and chain customer. (I understand that i have to read more about it now, but maybe someone can give me a short hint for this time).

fewi · August 10, 2010, 7:39pm

If they work in that position, then they’re OK in that position.

“/ip firewall filter move 10 1” moves the 10th rule to the position currently occupied by rule 1, and shifts everything behind it down one
http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter#Chains

input - used to process packets entering the router through one of the interfaces with the destination IP address which is one of the router’s addresses. Packets passing through the router are not processed against the rules of the input chain

forward - used to process packets passing through the router

output - used to process packets originated from the router and leaving it through one of the interfaces. Packets passing through the router are not processed against the rules of the output chain

The ‘customer’ chain is a custom, non-built in chain jumped to from the forward chain in your ruleset:

chain=forward action=jump jump-target=customer in-interface=ether1-gateway