Port forwarding baffled

Good Day All.
Sorry for the really dumb question, which I can probably find by searching the forum, but I am under intense pressure to get this running.
We have an application on port 7788, which needs to be accessed over the internet.
I am not able to get the port forwarding correct, and I need the app server to be connected to ether3, but don’t seem to be able to create a static route.

This is my current setup:
(I don’t wish to post my public IP in full)
Addresses:
Flags: X - disabled, I - invalid, D - dynamic

ADDRESS NETWORK INTERFACE

0 105.27.xx8.154/30 105.27.xx8.152 ether1
1 192.168.1.2/24 192.168.1.0 ether2-master
2 105.29.xx.232/29 105.29.xx.232 ether1
3 105.29.xx.235/29 105.29.xx.232 ether1
4 192.168.0.100/32 192.168.0.0 ether3
Routes:
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit

DST-ADDRESS PREF-SRC GATEWAY DISTANCE

0 A S 0.0.0.0/0 105.27.xx8.153 1
1 ADC 105.27.178.152/30 105.27.xx8.154 ether1 0 (Internet Gateway)
2 ADC 105.29.89.232/29 105.29.xx.232 ether1 0 (Public IP)
3 ADC 192.168.0.0/32 192.168.0.100 bridge 0 (App Server)
4 ADC 192.168.1.0/24 192.168.1.2 bridge 0 (To LAN gateway)
Firewall:
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; defconf: masquerade
chain=srcnat action=masquerade out-interface=ether1

1 chain=dstnat action=dst-nat to-addresses=192.168.0.100 protocol=tcp dst-address=105.29.xx.235 dst-port=7788


But using Open Port check tool, shows the port to be blocked.
What am I doing wrong?

Your dstnat rule takes tcp connections to 105.29.xx.235:7788 and forwards them to internal 192.168.0.100:7788, so it looks ok. Things to check:

  • Server does have access to internet, i.e. there’s no misconfigured gateway or anything like that
  • Application really listens on tcp/7788
  • Server’s firewall allows access to this port from anywhere
  • Firewall on router allows access to this forwarded port

For the last one, you didn’t post anything about router’s firewall. If it’s default one, it should be ok. If it’s your own one, make sure that you have forwarded port allowed in filter. Either by specific rule, or all at once using:

/ip firewall filter
add chain=forward connection-nat-state=dstnat action=accept

Check what happens, you can see packets using Tools->Torch (incoming on ether1, and if they successfully passed through router on ether3). Or you can add logging rules in prerouting/postrouting, to make sure you don’t miss any.

Hi again. Sob, thanks for the input.

Server is listening on 7788 on 192.168.0.100
Server has no internet access via 192.168.0.100 - should I be using 192.168.0.1 as gateway?
Cannot ping router, and vice versa.
Was using default firewall, added your line - no difference.
Torch shows no packets routed to ether 3.

Have tried several tips with no result.
I am now chasing my own tail…

Config as below:

# jun/18/2018 12:44:17 by RouterOS 6.39.2

# software id = 5KP4-HC0L

/interface bridge
add admin-mac=CC:2D:E0:10:98:04 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] name=Internet
set [ find default-name=ether2 ] name=LAN
set [ find default-name=ether4 ] disabled=yes master-port=LAN
set [ find default-name=ether5 ] disabled=yes master-port=LAN
set [ find default-name=sfp1 ] disabled=yes

/ip neighbor discovery
set Internet discover=no
/interface ethernet
set [ find default-name=ether3 ] master-port=LAN name=Javing

/interface bridge port
add bridge=bridge comment=defconf interface=LAN

/ip address
add address=105.27.xxx.154/30 interface=Internet network=105.27.xxx.152
add address=192.168.1.2/24 interface=LAN network=192.168.1.0
add address=105.29.xx.232/29 interface=Internet network=105.29.xx.232
add address=105.29.xx.235/29 disabled=yes interface=Javing network=105.29.xx.232
add address=192.168.0.100 interface=Javing network=192.168.0.0

/ip dns
set allow-remote-requests=yes servers=41.87.126.254,41.87.127.254
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=Internet
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=Internet
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=Internet
add action=dst-nat chain=dstnat dst-address=105.29.xx.235 dst-port=7788 protocol=tcp to-addresses=192.168.0.100
add action=dst-nat chain=dstnat dst-address=192.168.0.1 dst-port=7788 in-interface=bridge protocol=tcp to-addresses=192.168.0.100 to-ports=7788
/ip route
add distance=1 gateway=105.27.xxx.153
add distance=1 dst-address=192.168.0.100/32 gateway=Javing

Your config is strange. I was focusing on dstnat and missed a few other obviously wrong things.

You try to forward port to 192.168.0.100, but you have the same address assigned to router (ether3). Not only that, but it’s some strange point-to-point config, where the other end is 192.168.0.0.

If it should work, you probably want 192.168.0.1/24 on router’s ether3, and then let the server use it as default gateway. In case it’s something more complex, where the server would be connected to another network with different default gateway (and you’d want to keep that), make it 192.168.0.x/24, where x is something not used in that network. Then add:

/ip firewall nat
add chain=srcnat out-interface=ether3 action=masquerade

It will prevent server from seeing original source addresses, but connections to it will work.
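The mistake Sob spotted (a dst-nat target that is also the router's own address on ether3) is easy to catch mechanically. The following is an added example, not code from the thread or from MikroTik: it parses the `/ip address` and `/ip firewall nat` sections of a RouterOS export and flags dst-nat targets that are router-owned or lie outside every connected subnet. The export excerpts are constructed, with the public IP replaced by documentation space, and the section paths and key names are those RouterOS uses in `/export`.

```python
import ipaddress
import shlex

# Constructed RouterOS export excerpts (not from the post; public IPs use
# documentation space). BROKEN mirrors the thread's mistake: the dst-nat target
# 192.168.0.100 is also the router's own /32 address on ether3 ("Javing").
BROKEN = """\
/ip address
add address=192.168.1.2/24 interface=LAN network=192.168.1.0
add address=198.51.100.232/29 interface=Internet network=198.51.100.232
add address=192.168.0.100 interface=Javing network=192.168.0.0
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=Internet
add action=dst-nat chain=dstnat dst-address=198.51.100.235 dst-port=7788 protocol=tcp to-addresses=192.168.0.100
"""
# FIXED follows the final working layout: router 192.168.2.1/24, server 192.168.2.100.
FIXED = BROKEN.replace("address=192.168.0.100 interface=Javing network=192.168.0.0",
                       "address=192.168.2.1/24 interface=Javing network=192.168.2.0"
                       ).replace("to-addresses=192.168.0.100", "to-addresses=192.168.2.100")

def parse_export(text):
    """Group each 'add key=value ...' line under its '/path' section."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = sections.setdefault(line, [])
        elif line.startswith("add ") and current is not None:
            # shlex keeps quoted values such as comment="defconf: masquerade" intact
            current.append(dict(t.split("=", 1) for t in shlex.split(line[4:]) if "=" in t))
    return sections

def check_dstnat(text):
    """Return findings for dst-nat targets the router could never deliver to."""
    cfg = parse_export(text)
    # RouterOS treats a bare 'address=a.b.c.d' as a /32 host address.
    own = [ipaddress.ip_interface(a["address"] if "/" in a["address"] else a["address"] + "/32")
           for a in cfg.get("/ip address", [])]
    findings = []
    for rule in cfg.get("/ip firewall nat", []):
        if rule.get("chain") != "dstnat" or "to-addresses" not in rule:
            continue
        target = ipaddress.ip_address(rule["to-addresses"])
        if any(target == i.ip for i in own):
            findings.append(f"{target}: dst-nat target is the router's own address")
        elif not any(target in i.network for i in own if i.network.prefixlen < 32):
            findings.append(f"{target}: no connected subnet on the router contains this host")
    return findings

if __name__ == "__main__":
    for name, text in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(name, check_dstnat(text) or "ok")
```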

Sob, as you correctly pointed out, that configuration was a tax-up.
Many apologies.
My configuration was being messed up by some weird managed switch routing to our CCTV network that had a rogue switch configured to 192.168.0.100. (Should have been on 192.168.1.0 net)
Changed server to 192.168.2.100, and ether3 to 192.168.2.1 - all good.


Your help is much appreciated.
