Thank you for reading this post. It is my first and I am in dire need of assistance. Simply, I have tried every which way to get port forwarding to work on my RB2011Ui-AS 2hHD IN and I simply cannot get it working.
I have a web server listening on 5450 that I would like to access from outside the LAN. I have the default configuration for 6.33 and have only added one configuration, the NAT configuration. Here is the firewall and NAT config:
is all that I have added fat this point. EVERYTHING else on the router is default config.
I have this checked for logging output however the counter does not increase which makes me think the traffic it not getting to the rule.
At this point I would think perhaps ISP however this worked well with my Cisco 1841 less then a month ago so I am not being blocked at or before demarc. Note that I am getting a dynamic internal IP from my cable modem so setting a static destination address is not possible. Also, I tried RDP port 3389 forwarding to a computer that is setup for RDP thinking that it may be port related/disk station related but that is a no go as well and the counter does not increase on that rule either
Because I have not setup a hairpin NAT, I have been using my phone’s cell network to do all testing with Wi-Fi off so I am testing outside of the LAN.
I am exhausted guys and have no idea why it simply doesn’t work. What am i missing?
I went ahead and added the forward rule as suggested. Nothing. Same thing as well. No counter increase. It is simply not being received by any of the rules. Is their a log for EVERYTHING before pre-routing begins? With the default configuration, there is a forward fastback rule in place that cannot be removed and a few NAT mange rules. Does anyone have port forward working on 6.31 + specifically?
List Postion #2 add chain=forward dst-address=192.168.88.252 dst-port=5450 in-interface=
ether1-gateway protocol=tcp
My thinking is that because I am not specifying a connection state in #2, it is not being processed and then is blocked by rule 7 or 8. Or does the state of it not matter if the rule is above the drop rule?
Here’s an interesting question, are you sure that traffic actually passes through NAT? Since you are getting a dynamic internal IP from your cable modem, it could be that your RB2011 just knows how to route packets between the internal RFC 1918 address range of your RB2011 and the internal RFC 1918 address range provided by the cable modem. Could you show the [/ip route print] output?
Mind you, I could be way off base here but it might be worth checking it out.
Thanks. I will check that out. I just called up my ISP and had them put the cable modem.in bridge mode. I should now be pulling a dynamic public on eth1’s interface now. I will find out tonight.
Still no bueno. I just don’t see my phones IP hitting the firewall in any way. It’s really like the traffic simply doesn’t exist. I am really out of ideas at this point. Does anyone have a full firewall and Nat config I can just copy and paste in? Perhaps that is better then trying to figure out what rule is busting the traffic. Is their a way to review traffic before pre-routing?
I’m not sure if my config would help because my setup uses PPPoE as an interface and has extra NAT rules to account for VPN connections. In addition to that, I’ve got some firewall rules for IPSec VPN’s. I’ve got two RB2011 in the field and both of them have no problem with dstnat rules. To be honest, I don’t really see anything wrong in your firewall config so this is a bit mystifying to me as well. Any chance you could show us more of your config? Maybe run a [/export] and post it here without things like passwords and WiFi keys?
As requested, I’ve posted my firewall config here. I can assure you that it works fine (although there might be a few optimizations I could add but with a 11Mbps connection it doesn’t really matter that much).
/ip firewall filter
add chain=forward comment="Forward connections from internal IPv4 network" src-address-list=local_ipv4
add chain=forward comment="Forward connections from remote IPv4 networks" src-address-list=remote_ipv4
add chain=forward comment="Forward Established" connection-state=established
add chain=forward comment="Forward Related" connection-state=related
add action=drop chain=forward comment="Drop Invalid" connection-state=invalid
add action=drop chain=forward comment="Default Deny in Forward Chain" in-interface=pppoe-ISP-inet
add chain=input comment="Allow all connections from the local network" src-address-list=local_ipv4
add chain=input comment="Accept all connections from remote IPv4 vpn networks" src-address-list=remote_ipv4
add chain=input comment="Allow all established connections" connection-state=established
add chain=input comment="Allow all related connections" connection-state=related
add action=drop chain=input comment="Drop invalid connections" connection-state=invalid
add chain=input comment="Allow NTP requests from Draytek Vigor 130" dst-port=123 in-interface=ether9-xdsl protocol=udp src-address=192.168.0.1
add chain=input comment="Allow ICMP coming from the PPPoE session with ISP" in-interface=pppoe-ISP-inet limit=50,2 protocol=icmp
add action=jump chain=input comment="Jump to the IPSec chain" in-interface=pppoe-ISP-inet jump-target=ipsec
add action=log chain=input log=yes log-prefix=Dropped_Traffic
add action=drop chain=input comment="Default Deny for input"
add chain=ipsec comment="IPSec Chain" protocol=ipsec-esp
add chain=ipsec protocol=ipsec-ah
add chain=ipsec dst-port=500 log=yes protocol=udp
add chain=ipsec dst-port=1701 protocol=udp
add chain=ipsec dst-port=4500 protocol=udp
add action=return chain=ipsec
/ip firewall mangle
add action=change-mss chain=forward comment="ISP PPPoE TCP Clamping" \
new-mss=1452 out-interface=pppoe-ISP-inet protocol=tcp tcp-flags=syn \
tcp-mss=1453-65535
add action=change-mss chain=forward in-interface=pppoe-ISP-inet new-mss=\
1452 protocol=tcp tcp-flags=syn tcp-mss=1453-65535
add action=change-mss chain=forward disabled=yes new-mss=1366 out-interface=\
gre6-tunnel-degrens protocol=tcp tcp-flags=syn tcp-mss=1367-65535
add action=change-mss chain=forward disabled=yes in-interface=\
gre6-tunnel-degrens new-mss=1366 protocol=tcp tcp-flags=syn tcp-mss=\
1367-65535
add action=mark-routing chain=prerouting disabled=yes new-routing-mark=\
Through_US_VPN passthrough=no src-address-list=RouteThroughVPN
add action=mark-routing chain=prerouting disabled=yes dst-address-list=\
"Xs4all Internet BV" new-routing-mark=Through_ISP_PPPoE
/ip firewall nat
add chain=srcnat comment="Bypass NAT for IPSec traffic to remote networks" \
dst-address-list="IPSec Remote Networks" src-address=192.168.88.0/24
add chain=srcnat comment="Bypass NAT for the xs4all network so it can be sent \
through the VPN tunnel to Rotterdam" dst-address-list=\
"Xs4all Internet BV" src-address=192.168.88.0/24
add action=netmap chain=dstnat comment="Allow Draytek Vigor 130 to send syslog\
\_messages to the logging server on the local network" in-interface=\
ether9-xdsl protocol=udp src-address=192.168.0.1 src-port=514 \
to-addresses=192.168.88.30 to-ports=514
add action=masquerade chain=srcnat out-interface=pppoe-ISP-inet
add action=masquerade chain=srcnat dst-address=192.168.0.0/24 out-interface=\
ether9-xdsl to-addresses=192.168.0.2
# pptp-unotelly-vpn-us not ready
add action=masquerade chain=srcnat out-interface=pptp-unotelly-vpn-us
# pptp-vypr-vpn-us not ready
add action=masquerade chain=srcnat out-interface=pptp-vypr-vpn-us
add action=dst-nat chain=dstnat dst-address=1.2.3.4 \
dst-port=22 protocol=tcp to-addresses=192.168.88.30
add action=dst-nat chain=dstnat dst-address=1.2.3.4 \
dst-port=465 in-interface=pppoe-tele2-inet protocol=tcp to-addresses=\
192.168.88.21 to-ports=465
add action=dst-nat chain=dstnat dst-address=1.2.3.4 \
dst-port=587 in-interface=pppoe-tele2-inet protocol=tcp to-addresses=\
192.168.88.21 to-ports=587
There is nothing wrong with forwarding itself. Most of MikroTik users are using it every day.
If you have firewall filter rule with chain=forward and action drop, then it must be the reason why you have this issue.
Usually when traffic does not pass you should disable all filter rules. If it starts to work, then from the top enable rules one by one and find which one is causing issue.
So plot thickens. (I think) Using potchecker.co I am actually seeing traffic hit the firewall however the port is registered as closed. Here is what I see. With just the dst-nat rule in place.
dstnat: in:ether1-gateway out:(none), src-mac 00:25:f2:71:77:7d, proto TCP (SYN), 192.241.144.195:33627->10.0.1.2:5450, len 60
If I add this rule
I get these to log lines in order:
dstnat: in:ether1-gateway out:(none), src-mac 00:25:f2:71:77:7d, proto TCP (SYN), 192.241.144.195:33627->10.0.1.2:5450, len 60
forward: in:ether1-gateway out:bridge-local, src-mac 00:25:f2:71:77:7d, proto TCP (SYN), 192.241.144.195:33664->192.168.88.252:5450, NAT 192.241.144.195:33664->(10.0.1.2:5450->192.168.88.252:5450), len 60
portchecker.co says that the port is closed. When I use my phone I get no traffic at all on either rule. It’s pretty weird. I am going to keep digging but I was wondering if this was normal logging behavior as well as the port being listed as closed.
I have found the root cause for this more or less. It appears that in order to process a login remotely a companion UDP port needed to be opened. I have since port forwarded the UDP port as well as the TCP port and it appears to be working as it should on web and mobile. Also, it turns our that no forward rule was needed, only a dstnat rule.
Wanna’ thank the community for the assist. It was appreciated!