Port forwarding - an idiot's guide required.

Could someone help this idiot with what I think is a port forwarding problem.

The scenario -

I have a device that monitors battery voltage at a remote solar-powered AP site. It has the address 10.0.10.10 and uses port 12341. It has an ethernet connection to the router (RB532) at eth0 = 10.0.10.1

My PC is behind a RB112 and has an address 10.3.2.101. The RB112 eth0 is 10.3.2.1. The RB112 talks to the AP on a 10.0.3.0/24 network. The RB112 has (for reasons that escape me) a srcnat=masquerade firewall rule for anything with a 10.0.0.0/16 destination address.

From the AP site, with my laptop connected to the same ethernet cable, I can network to my PC using VNC, so routing would seem to be correct, and from my PC I can ping the device; but starting the application on my PC that connects to the device always causes a “Socket error 10061: connection refused” message.

Can anyone spot the obvious? (I can’t!)

Try this…
Paste in the console:


/ ip firewall nat 
add chain=dstnat protocol=tcp dst-port=12341 action=dst-nat to-addresses=10.0.10.10 to-ports=12341 comment="redirection rule 10.0.10.10" disabled=no

Make sure you can ping 10.0.10.10 from your computer.

Greetings…

Greetings Viroslash, and thanks.

No joy, though. I can ping 10.0.10.10 from my PC, but a Windows tracert shows:

C:\Documents and Settings\Tony>tracert 10.0.10.10

Tracing route to elaine [10.0.10.10]
over a maximum of 30 hops:

1 1 ms <1 ms <1 ms (CPE) [10.3.2.1]
2 2 ms 1 ms 1 ms (AP) [10.0.3.1]
3 * * * Request timed out.
4 * * * Request timed out.
5 * * * Request timed out.
6 ^C

This is odder because I don’t know what is making Windows interpret 10.0.10.10 as ‘elaine’. I had an experimental server with the hostname ‘elaine’ where the device now is and with the 10.0.10.10 address long ago but ‘elaine’ no longer appears in the Windows ‘hosts’ file nor in any static DNS listing on the CPE or the AP.

The application’s log-file:

29/09/2007 10:00:27 a.m.: Started
29/09/2007 10:00:28 a.m.: Error: Socket Error # 10061
Connection refused.
29/09/2007 10:00:28 a.m.: Will try again in 1 minute, due to above error
29/09/2007 10:01:28 a.m.: Attempting to reconnect
29/09/2007 10:01:29 a.m.: Error: Socket Error # 10061
Connection refused.
29/09/2007 10:02:29 a.m.: Attempting to reconnect
29/09/2007 10:02:30 a.m.: Error: Socket Error # 10061
Connection refused.
etc.

My CPE terminal reports:

[admin@me] ip firewall> nat print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat out-interface=wlan1 dst-address=10.0.0.0/16 action=masquerade

1 chain=srcnat out-interface=pppoe-out1 dst-address=0.0.0.0/0 action=masquerade

2 ;;; redirection rule 10.0.10.10
chain=dstnat protocol=tcp dst-port=12341 action=dst-nat to-addresses=10.0.10.10
to-ports=12341
[admin@me] ip firewall>

When I do a traceroute from Winbox I get the following:

hop 1 host 10.0.3.1 5ms 3ms 3ms
hop 2 host 10.0.10.10 6ms 5ms 4ms

But when I did it in a new terminal I got this:

[admin@me] tool> traceroute 10.0.10.10
ADDRESS STATUS
1 0.0.0.0 timeout timeout timeout
[admin@me] tool> traceroute 10.0.10.10
ADDRESS STATUS
1 0.0.0.0 timeout timeout timeout
[admin@me] tool>

Which doesn’t make any sense at all to me.

Paste this rule and try again…

/ip firewall nat add chain=srcnat action=masquerade

Check the default gw; if this doesn’t work, try to setting ip addresses form the same network to all interfaces, then check ping.

From the MT console, ping your PC and 10.0.10.10 (don’t use DNS names).

Sorry, Virolan, I don’t understand.

Is that rule to be added in addition to the one you’ve already proposed or in substitution?

And I don’t understand “try to setting ip addresses form the same network to all interfaces”.

Please understand that I’m trying to reverse-engineer a network I didn’t set up, and I’m not sure I comprehend the thinking of the guy who did it.

This is how I think it’s set up:

My PC          eth 10.3.2.101
                  |
                  |
MT box (CPE)   eth 10.3.2.1
               wlan 10.0.3.2 / pppoe-out 10.100.3.1
                  |
                  |
                  |
MT box (AP)    wlan 10.0.3.1 / pppoe-in 10.100.3.1
               eth 10.0.10.1
                  |
                  |
device         eth 10.0.10.10

The idea was that all local traffic - anything with a 10.0.0.0/16 address would pass internally over the local network while anything else, i.e. Internet-bound, would be tunnelled through the pppoe network and be routed to the public gateway. So in theory (?) as long as the routing is correct nothing with a 10.0.0.0/16 address should need to be NATted or masqueraded at all (?).

So in fact I can’t see the reason for the 10.0.0.0/16 masquerade rule at all in my box, except if it’s not there I can’t contact ANY other 10.0.0.0/16 address on the network.

Does this make any sense to you?
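To make the question about the 10.0.0.0/16 masquerade rule concrete, here is an added Python model of the three rules in the CPE’s nat print output (written for this thread, not posted by anyone here and not RouterOS code). It assumes first-match-per-chain semantics, that masquerade rewrites the source to the out-interface address, and the interface addresses from the diagram (wlan1 = 10.0.3.2, pppoe-out1 = 10.100.3.1); it shows that the dst-nat rule is a no-op for PC-to-device traffic, while rule 0 makes the device see every connection as coming from the CPE’s wlan address rather than from the PC.

```python
import ipaddress
from dataclasses import dataclass, replace

# CPE interface addresses, assumed from the poster's diagram (wlan1 = 10.0.3.2 side).
IFACE_ADDR = {"wlan1": "10.0.3.2", "pppoe-out1": "10.100.3.1"}

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str
    out_iface: str

# The three rules from the CPE's "nat print" output, transcribed by hand.
RULES = [
    {"chain": "srcnat", "out-interface": "wlan1", "dst-address": "10.0.0.0/16",
     "action": "masquerade"},
    {"chain": "srcnat", "out-interface": "pppoe-out1", "dst-address": "0.0.0.0/0",
     "action": "masquerade"},
    {"chain": "dstnat", "protocol": "tcp", "dst-port": 12341, "action": "dst-nat",
     "to-addresses": "10.0.10.10", "to-ports": 12341},
]

def matches(rule, pkt):
    """A rule matches only if every matcher it carries agrees with the packet."""
    if rule.get("out-interface", pkt.out_iface) != pkt.out_iface:
        return False
    if rule.get("protocol", pkt.proto) != pkt.proto or rule.get("dst-port", pkt.dport) != pkt.dport:
        return False
    net = ipaddress.ip_network(rule.get("dst-address", "0.0.0.0/0"))
    return ipaddress.ip_address(pkt.dst) in net

def apply_chain(chain, pkt):
    """First matching rule in the chain wins; returns (rule index or None, packet)."""
    for i, rule in enumerate(RULES):
        if rule["chain"] != chain or not matches(rule, pkt):
            continue
        if rule["action"] == "dst-nat":
            return i, replace(pkt, dst=rule["to-addresses"], dport=rule["to-ports"])
        if rule["action"] == "masquerade":
            return i, replace(pkt, src=IFACE_ADDR[pkt.out_iface])
    return None, pkt

def trace(pkt):
    """dstnat is applied before routing, srcnat after; returns what the far end sees."""
    d_idx, pkt = apply_chain("dstnat", pkt)
    s_idx, pkt = apply_chain("srcnat", pkt)
    return d_idx, s_idx, pkt
```

With rule 0 in place, anything on the device that logs or filters by source address sees 10.0.3.2 for every PC connection, which is worth keeping in mind when reading the device’s side of the “connection refused”.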

Anybody?