Port forward or Routing issue

I have a range of IP addresses from our ISP (ex: 10.10.10.0/28) (using this subnet as an example only; they are routable IPs)

10.10.10.1 is my ISP’s gateway

I have a Mikrotik router on 10.10.10.2/28 WAN side, doing src-nat masquerade for the internal LAN at 10.171.XXX.XXX/20

I have several VOIP devices or linux boxes on 10.10.10.3-10.10.10.8

From ANY remote location I can browse to these directly connected devices, connect to them, etc. HOWEVER, from any internal IP (10.171.XXX.XXX) I cannot browse to port 80 (http) on any of the devices outside the router. I can, however, ping their IP from inside the LAN, and a tracert is successful also.

Any ideas?

http://wiki.mikrotik.com/wiki/Hairpin_NAT

thanks for that link… BUT.

The servers I have are not behind my router at all; they are in front of it (or beside it?):

ISP
|
srv1 srv2 srv3 router
|
pc1 pc2 pc3 pc4 pc5 srv4 srv5 srv6

In the above diagram, srv1-srv3 I cannot access from pc1 (or anything else behind the router), but srv4-srv6 I can access using hairpin NAT; that’s OK. From an outside source I can access everything (any of the servers not behind NAT, as well as the few that are, with port forward (dst-nat) rules).

Oh, I misunderstood.

That is certainly odd.

Post the output of “/ip address print detail”, “/ip route print detail”, “/interface print”, and “/ip firewall export”.

(address detail)
0 ;;; ALL EMAIL TRAFFIC
address=64.253.145.154/28 network=64.253.145.144 interface=ether1
actual-interface=ether1

1 ;;; RBIHOSTING02 Server
address=64.253.145.153/28 network=64.253.145.144 interface=ether1
actual-interface=ether1

2 ;;; RBISRVWEB03
address=64.253.145.149/28 network=64.253.145.144 interface=ether1
actual-interface=ether1

3 ;;; DEFAULT RBI LAN TRAFFIC ROUTE
address=64.253.145.148/28 network=64.253.145.144 interface=ether1
actual-interface=ether1

4 ;;; RBISRVAD01 AND PUBMAIL
address=64.253.145.147/28 network=64.253.145.144 interface=ether1
actual-interface=ether1

5 ;;; LAN
address=10.171.192.1/20 network=10.171.192.0 interface=ether3

0 A S dst-address=0.0.0.0/0 gateway=64.253.145.145
gateway-status=64.253.145.145 reachable ether1 check-gateway=ping
distance=1 scope=30 target-scope=10

1 ADC dst-address=10.171.192.0/20 pref-src=10.171.192.1 gateway=ether3
gateway-status=ether3 reachable distance=0 scope=10

2 ADC dst-address=64.253.145.144/28 pref-src=64.253.145.154 gateway=ether1
gateway-status=ether1 reachable distance=0 scope=10

NAME TYPE

0 R ether5 ether
1 R ;;; Connected to Internet Directly (64.253.145.
ether1 ether
2 R ether2 ether
3 R ;;; RBI Office LAN (10.171.192.0/20)
ether3 ether
4 R ether4 ether

jul/15/2011 14:41:52 by RouterOS 5.4

/ip firewall address-list
add address=10.171.192.0/20 disabled=no list="Local Traffic"
add address=10.171.210.0/24 disabled=no list=Shoff-House-VPN
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s
tcp-close-wait-timeout=10s tcp-established-timeout=1d tcp-fin-wait-timeout=10s
tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s
tcp-syncookie=no tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall mangle
add action=mark-packet chain=prerouting disabled=no dscp=12 new-packet-mark=ZPH_Local_Hit
passthrough=no
/ip firewall nat
add action=accept chain=srcnat comment="IPSEC TO SHOFF HOUSE" disabled=no dst-address=
10.171.210.0/24 src-address=10.171.192.0/20
add action=dst-nat chain=dstnat comment=RBISRVAD01 disabled=no dst-address=64.253.145.147
dst-address-type=local dst-port=53 protocol=udp to-addresses=10.171.200.156
add action=src-nat chain=srcnat comment=RBISRVAD01 disabled=no src-address=10.171.200.156
to-addresses=64.253.145.147
add action=dst-nat chain=dstnat comment="NAT Microsoft Exchange & DNS to RBISRVAD02"
disabled=no dst-address=64.253.145.154 dst-address-type=local dst-port=53 protocol=udp
to-addresses=10.171.200.154
add action=dst-nat chain=dstnat disabled=no dst-address=64.253.145.154 dst-address-type=local
dst-port=25 protocol=tcp to-addresses=10.171.200.154
add action=dst-nat chain=dstnat disabled=no dst-address=64.253.145.154 dst-address-type=local
dst-port=5272 protocol=tcp to-addresses=10.171.200.154
add action=src-nat chain=srcnat disabled=no src-address=10.171.200.154 to-addresses=
64.253.145.154
add action=dst-nat chain=dstnat comment="NAT Terminal Server 01 - RDP port" disabled=no
dst-address=64.253.145.146 dst-address-type=local dst-port=3389 protocol=tcp
to-addresses=10.171.200.155
add action=dst-nat chain=dstnat disabled=no dst-address=64.253.145.146 dst-address-type=local
dst-port=80 protocol=tcp to-addresses=10.171.200.155
add action=src-nat chain=srcnat disabled=no src-address=10.171.200.155 to-addresses=
64.253.145.146
add action=dst-nat chain=dstnat comment="NAT PUBLIC MAIL TO PUBMAIL01" disabled=no
dst-address=64.253.145.147 dst-address-type=local dst-port=25 protocol=tcp to-addresses=
10.171.200.153
add action=dst-nat chain=dstnat disabled=no dst-address=64.253.145.147 dst-address-type=local
dst-port=2525 protocol=tcp to-addresses=10.171.200.153 to-ports=25
add action=dst-nat chain=dstnat disabled=no dst-address=64.253.145.147 dst-address-type=local
dst-port=143 protocol=tcp to-addresses=10.171.200.153
add action=dst-nat chain=dstnat disabled=no dst-address=64.253.145.147 dst-address-type=local
dst-port=110 protocol=tcp to-addresses=10.171.200.153
add action=dst-nat chain=dstnat disabled=no dst-address=64.253.145.147 dst-address-type=local
dst-port=80 protocol=tcp to-addresses=10.171.200.153
add action=src-nat chain=srcnat disabled=no src-address=10.171.200.153 to-addresses=
64.253.145.147
add action=dst-nat chain=dstnat comment="NAT HTTP to RBISRVWEB03" disabled=no dst-address=
64.253.145.149 dst-address-type=local dst-port=80 protocol=tcp to-addresses=
10.171.200.149
add action=dst-nat chain=dstnat disabled=no dst-address=64.253.145.149 dst-address-type=local
dst-port=443 protocol=tcp to-addresses=10.171.200.149
add action=dst-nat chain=dstnat disabled=no dst-address=64.253.145.149 dst-address-type=local
dst-port=21,5000-6000 protocol=tcp to-addresses=10.171.200.149
add action=src-nat chain=srcnat disabled=no src-address=10.171.200.149 to-addresses=
64.253.145.149
add action=dst-nat chain=dstnat comment="NAT Microsoft Exchange to RBIHOSTING02" disabled=no
dst-address=64.253.145.153 dst-address-type=local dst-port=25 protocol=tcp to-addresses=
10.171.201.2
add action=dst-nat chain=dstnat disabled=no dst-address=64.253.145.153 dst-address-type=local
dst-port=143 protocol=tcp to-addresses=10.171.201.2
add action=dst-nat chain=dstnat disabled=no dst-address=64.253.145.153 dst-address-type=local
dst-port=443 protocol=tcp to-addresses=10.171.201.2
add action=dst-nat chain=dstnat disabled=no dst-address=64.253.145.153 dst-address-type=local
dst-port=80 protocol=tcp to-addresses=10.171.201.2
add action=dst-nat chain=dstnat disabled=no dst-address=64.253.145.153 dst-address-type=local
dst-port=465 protocol=tcp to-addresses=10.171.201.2
add action=src-nat chain=srcnat disabled=no src-address=10.171.201.2 to-addresses=
64.253.145.153
add action=dst-nat chain=dstnat comment="Redirect local office traffic to the proxy server"
disabled=yes dst-port=80 in-interface=ether2 protocol=tcp to-addresses=64.253.145.151
to-ports=3128
add action=masquerade chain=srcnat disabled=no dst-address=10.171.200.0/24 dst-port=80,443
out-interface=ether3 protocol=tcp src-address=10.171.192.0/20
add action=masquerade chain=srcnat disabled=no dst-address=10.171.201.0/24 dst-port=80,443
out-interface=ether3 protocol=tcp src-address=10.171.192.0/20
add action=src-nat chain=srcnat disabled=no out-interface=ether1 src-address=10.171.192.0/20
to-addresses=64.253.145.148
/ip firewall service-port
set ftp disabled=no ports=22
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no

From that I can’t see what wouldn’t be working. No firewall filters, NAT is set up fine. Should be working, really.

What IP address on the outside network are you trying to get to?

Have you tried running a packet sniffer to see if the headers of the packets going to the server are what you’re expecting, or whether they’re getting there at all?

I haven’t, no. I’ll try that, I guess. Strangely, it was working at some point for many months, and then a few days ago it stopped. I’ve been changing NAT rules in the last few days, and think that I must have changed something that broke the connection, but I can’t see what I have done wrong.

Could be - hard to tell without knowing the specific IPs involved. What source IP are you coming from on the inside network? What destination IP are you going to? That’ll help trace out the NAT flow.

I’m going from 64.253.145.148 to 64.253.145.155; trying a packet sniffer now.

According to everything you’ve posted that should be working. I’m curious what the packet sniffer will find.
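To check the NAT-flow question raised above without touching the router, here is an added example (not from the thread or from MikroTik) that walks a subset of the posted NAT export the way RouterOS does, dstnat then srcnat, first match wins, and reports how the LAN-to-64.253.145.155 flow is translated. The NAT_EXPORT and LOCAL_ADDRS values are copied from the posted output; the LAN host 10.171.192.50, the packet dicts and the out_if choice (taken from the posted route table) are constructed assumptions.

```python
import ipaddress, shlex

# Router-local addresses, from the thread's "/ip address print detail" output.
LOCAL_ADDRS = {"64.253.145.154", "64.253.145.153", "64.253.145.149",
               "64.253.145.148", "64.253.145.147", "10.171.192.1"}
# Subset of the posted "/ip firewall nat" export, wrapped lines re-joined (one rule per line).
NAT_EXPORT = """
add action=accept chain=srcnat comment="IPSEC TO SHOFF HOUSE" disabled=no dst-address=10.171.210.0/24 src-address=10.171.192.0/20
add action=dst-nat chain=dstnat disabled=no dst-address=64.253.145.147 dst-address-type=local dst-port=80 protocol=tcp to-addresses=10.171.200.153
add action=masquerade chain=srcnat disabled=no dst-address=10.171.200.0/24 dst-port=80,443 out-interface=ether3 protocol=tcp src-address=10.171.192.0/20
add action=src-nat chain=srcnat disabled=no out-interface=ether1 src-address=10.171.192.0/20 to-addresses=64.253.145.148
"""

def parse_rules(export):
    """Turn each 'add k=v ...' line into a dict of matchers plus action."""
    return [dict(t.split("=", 1) for t in shlex.split(line)[1:])
            for line in export.strip().splitlines() if line.startswith("add ")]

def port_match(port, spec):
    """dst-port may be a comma list of ports or ranges, e.g. '21,5000-6000'."""
    return any(int(p.partition("-")[0]) <= port <= int(p.partition("-")[2] or p)
               for p in spec.split(","))

def matches(rule, pkt):
    """Every matcher the rule carries must fit; matchers it lacks match anything."""
    if rule.get("disabled") == "yes":
        return False
    checks = {
        "src-address": lambda v: ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(v, strict=False),
        "dst-address": lambda v: ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(v, strict=False),
        "dst-address-type": lambda v: v != "local" or pkt["dst"] in LOCAL_ADDRS,
        "protocol": lambda v: v == pkt["proto"],
        "dst-port": lambda v: port_match(pkt["dport"], v),
        "out-interface": lambda v: v == pkt["out_if"],
    }
    return all(checks[k](v) for k, v in rule.items() if k in checks)

def first_match(rules, chain, pkt):
    """RouterOS walks a chain top-down; the first matching rule terminates it."""
    return next((r for r in rules if r["chain"] == chain and matches(r, pkt)), None)

def trace_nat(pkt, export=NAT_EXPORT):
    """Apply dstnat (prerouting) then srcnat (postrouting); return (new src, new dst)."""
    rules = parse_rules(export)
    d = first_match(rules, "dstnat", pkt)
    if d and d["action"] == "dst-nat":
        pkt = dict(pkt, dst=d["to-addresses"])
    s = first_match(rules, "srcnat", pkt)
    src = pkt["src"] if not s or s["action"] == "accept" else s.get("to-addresses", "masquerade via " + pkt["out_if"])
    return src, pkt["dst"]

# Constructed flow from the thread: LAN host to a server on the ISP subnet, port 80, routed out ether1.
LAN_TO_SRV = {"src": "10.171.192.50", "dst": "64.253.145.155", "proto": "tcp", "dport": 80, "out_if": "ether1"}
```

For the flow in question the walker confirms what the thread concludes: no dstnat rule matches (64.253.145.155 is not a router-local address), and the last srcnat rule translates the source to 64.253.145.148, so the packets the sniffer should show leaving ether1 are 64.253.145.148 to 64.253.145.155.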