Port Forward/Nat

Hello all, what I am trying to do, I guess, is a port forward on an RB2011 to set up a FreePBX. Here is kind of what I have set up.

Ether1=1.0.0.1 wan
Ether2=10.0.0.1 lan
Ether1=1.0.0.2 voip

Local Address for FreePBX 10.0.0.10

IP/Firewall/NAT

Chain=dstnat
Dst Address=1.0.0.2
Action=dst nat
to address = 10.0.0.10

chain=srcnat
Src Address= 10.0.0.10
Action=src nat
To Address=1.0.0.2

When the PBX registers with my host, it is showing me that I am connected with 1.0.0.1:1033 and I do not know why. I know I need to set up ports in the NAT rules; I am just unsure of what all to set up. Thanks ahead of time for any help.

I also have the same issue, and one more thing: I can't connect using the WAN IP in the local network, but connecting from outside is fine.

What you are trying to do is actually a one-to-one NAT, so your PBX will act as if it has the WAN IP address. The rules are OK, but I would change them to use action netmap:

chain=dstnat dst-address=1.0.0.2 action=netmap to-addresses=10.0.0.10
chain=srcnat src-address=10.0.0.10 action=netmap to-addresses=1.0.0.2

It is important that these rules sit above the masquerade rule.

I have two other rules in there above the two other rules; one is for my VPN.

Chain=srcnat
Src Address=10.0.1.0/24
Dst Address=10.0.0.0/24
Action=accept

Chain=srcnat
Src Address=10.0.1.0/24
Dst Address=0.0.0.0/0
Out. Interface= ether1
Action=masquerade

So what you are saying is remove

Chain=dstnat
Dst Address=1.0.0.2
Action=dst nat
to address = 10.0.0.10

chain=srcnat
Src Address= 10.0.0.10
Action=src nat
To Address=1.0.0.2

and add in

chain=dstnat dst-address=1.0.0.2 action=netmap to-addresses=10.0.0.10
chain=srcnat src-address=10.0.0.10 action=netmap to-addresses=1.0.0.2

above the masquerade rule. Is that right?

Yes, delete those rules or change the action on those rules to netmap. These rules should be the first, always, so that traffic of these rules does not get processed by the others.
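
The rule-ordering point above, as an added example that is not part of the original thread: a small Python model of first-match srcnat evaluation over rules written in `/ip firewall nat` export syntax. The rule set, the masquerade rule covering 10.0.0.0/24, the provider address 203.0.113.5 and the interface-to-address table are constructed assumptions built from the thread's example addresses.

```python
import ipaddress

# Constructed rule set in export syntax; the masquerade rule is an assumption
# chosen so that it also covers the PBX at 10.0.0.10.
RULES = """\
add action=masquerade chain=srcnat out-interface=ether1 src-address=10.0.0.0/24
add action=netmap chain=srcnat src-address=10.0.0.10 to-addresses=1.0.0.2
"""
IFACE_ADDR = {"ether1": "1.0.0.1"}  # assumed address masquerade picks on ether1

def parse(export):
    """Turn each `add key=value ...` line into a dict of its parameters."""
    return [dict(kv.split("=", 1) for kv in line.split()[1:])
            for line in export.splitlines() if line.startswith("add ")]

def matches(rule, pkt):
    """True when every matcher present on the rule agrees with the packet."""
    for key in ("src-address", "dst-address"):
        if key in rule:
            net = ipaddress.ip_network(rule[key])
            if ipaddress.ip_address(pkt[key]) not in net:
                return False
    return rule.get("out-interface", pkt["out-interface"]) == pkt["out-interface"]

def srcnat(rules, pkt):
    """Return (rule index, source address on the wire) for the first match."""
    for i, rule in enumerate(rules):
        if rule["chain"] != "srcnat" or not matches(rule, pkt):
            continue
        if rule["action"] == "accept":       # accept: stop here, no translation
            return i, pkt["src-address"]
        if rule["action"] == "masquerade":   # rewrite to the interface address
            return i, IFACE_ADDR[pkt["out-interface"]]
        return i, rule["to-addresses"]       # netmap / src-nat to one address
    return None, pkt["src-address"]          # nothing matched: untranslated

# Constructed packet: the PBX registering with an outside SIP provider.
PBX_PACKET = {"src-address": "10.0.0.10", "dst-address": "203.0.113.5",
              "out-interface": "ether1"}

def compare_orders():
    """Evaluate the PBX packet with masquerade first, then with netmap first."""
    rules = parse(RULES)
    return srcnat(rules, PBX_PACKET), srcnat(rules[::-1], PBX_PACKET)

if __name__ == "__main__":
    print(compare_orders())
```

With masquerade listed first the PBX leaves as 1.0.0.1; with netmap first it leaves as 1.0.0.2. NAT is decided when a connection is first tracked, so a flow that was already open before the rules were reordered keeps its old translation until its connection-tracking entry expires or is removed.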

So I made the changes that were suggested, and the PBX is registered at the host; however, it is still showing it connected with an IP of 1.0.0.1:1033 and not 1.0.0.2:5060. Any ideas on what might be causing it to do that?

Can you do an export of /ip firewall nat and post it in here? Also, how are you testing PBX, is the phone trying to connect from LAN or from outside your LAN?

/ip firewall nat
add action=netmap chain=dstnat disabled=no dst-address=1.0.0.2 to-addresses=10.0.0.10
add action=netmap chain=srcnat disabled=no src-address=10.0.0.10 to-addresses=1.0.0.2
add action=accept chain=srcnat disabled=no dst-address=10.0.10.0/24 src-address=10.0.25.0/24
add action=masquerade chain=srcnat disabled=no dst-address=0.0.0.0/0 out-interface=ether1-gateway \
    src-address=10.0.25.0/24

The PBX is connecting to our host, which is Flowroute, and it shows on there the IP address that is connected to it. The IP it is showing is the address of the MikroTik, not the PBX.

Since it is a netmap, it is possible that the PBX shows IP 1.0.0.1 instead of 1.0.0.2. From the point of view of the PBX, it does not know that it has an IP assigned to it as one-to-one NAT (in other words, it does not know that the router is masquerading it with another IP). This is only an assumption. If you do a traceroute from the PBX, it will very probably show one hop to 1.0.0.1 and the next to 1.0.0.2.
The best way to test it is to try to connect to the PBX from outside using 1.0.0.2; it should work.

When I do a traceroute to 1.0.0.2 I never see 1.0.0.1; hops 13 and 14 are both showing 1.0.0.2, but when I do one to 1.0.0.1 I see 1.0.0.1.

I’m sorry, my bad. If you execute traceroute from PBX you should reach 1.0.0.2 after two hops with no 1.0.0.1 in between.
Anyway, I think you should test the connection by trying to connect to the PBX from outside using 1.0.0.2, if it connects it is working.

Sorry for the delay in responding; I've been busy with other things here at work. I gave the PBX a public IP outside the PBX and it showed the correct information at the provider. However, now what I am trying to do is plug the PBX into ether3 and give it the IP of the PBX. When I go to the address I get the web logon for the router, not the PBX logon.

/ip address
add address=10.0.25.1/24 disabled=no interface=ether2 network=10.0.25.0
add address=1.0.0.2/29 disabled=no interface=ether1-gateway network=1.0.0.
add address=1.0.0.3/29 disabled=no interface=ether3-gateway network=1.0.0.



/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=1.0.0.1 scope=30 target-scope=10

I also disabled the NAT rules that were discussed previously.

/ip firewall nat
# office 1 vpn
add action=accept chain=srcnat disabled=no dst-address=10.0.10.0/24 src-address=\
    10.0.25.0/24
# office 2 vpn
add action=accept chain=srcnat disabled=no dst-address=10.10.15.0/24 src-address=\
    10.0.25.0/24
add action=masquerade chain=srcnat disabled=no dst-address=0.0.0.0/0 out-interface=ether1-gateway \
    src-address=10.0.25.0/24

So I am missing something somewhere; any help would be great. I really don't know where to go from here.