Port forwarding between different routed networks

Hi everyone, I have issues doing port forwarding between 2 different networks. Below is the scenario.

There are 2 ISP providers, let's say ISP A & B. The ISP A router is connected to the ISP B router with a physical cable. Now port forwarding has to be done on the ISP A router to access the servers on the ISP B router. So the external IP of ISP A should access the ISP B LAN servers.

ISP A LAN: 192.168.97.0/24
ISP B LAN: 100.80.20.64/27

Routing is done on both the ISP A & B routers to access each other's LAN. Locally we are able to access the servers, but via NAT from ISP A it is not working.

Can someone please help me!!!

It's not clear how exactly those routers are connected and you didn't show any part of the config. Fix that, provide more info, and your chance of getting useful advice will increase.

Thanks. Please find below the config & network diagram:
Routes:

 #   FLAGS  DST-ADDRESS         PREF-SRC         GATEWAY        DISTANCE
 0   ADS    0.0.0.0/0                            ISP A          0
 1   ADC    10.0.0.1/32         103.x.x.x        ISP A          0
 2   A S    100.80.20.64/27                      192.168.10.1   1
 3   A S    192.168.1.0/24                       192.168.10.1   1
 4   ADC    192.168.10.0/30     192.168.10.2     ether3         0
 5   ADC    192.168.97.0/24     192.168.97.1     bridge1        0
 6   ADC    192.168.100.10/32   192.168.100.10   bridge1        0

NAT
0 chain=srcnat action=masquerade out-interface=ISP A log=no log-prefix=""
1 chain=srcnat action=src-nat to-addresses=100.80.20.75 to-ports=80 protocol=tcp src-address=192.168.100.10 src-port=80 log=yes log-prefix=""
2 chain=srcnat action=src-nat to-addresses=100.80.20.75 to-ports=22 protocol=tcp src-address=192.168.100.10 src-port=22 log=yes log-prefix=""
3 chain=srcnat action=src-nat to-addresses=100.80.20.75 to-ports=443 protocol=tcp src-address=192.168.100.10 src-port=443 log=yes log-prefix=""
4 chain=dstnat action=dst-nat to-addresses=192.168.100.10 to-ports=80 protocol=tcp in-interface=ISP A dst-port=80 log=yes log-prefix=""
5 chain=dstnat action=dst-nat to-addresses=192.168.100.10 to-ports=22 protocol=tcp in-interface=ISP A dst-port=22 log=yes log-prefix=""
6 chain=dstnat action=dst-nat to-addresses=192.168.100.10 to-ports=443 protocol=tcp in-interface=ISP A dst-port=443 log=yes log-prefix=""

Not from network 192.168.97.1/24 I am able to reach 100.80.20.64/27. On the ISP A router I need to do port forwarding for IP 100.80.20.75, ports 22, 80 & 443.
Diag.pdf (310 KB)

Some info may still be missing (e.g. it's not clear what the VPN is about), but it's better. Well, in the sense that it's possible to see what you have, but otherwise it looks completely wrong.

Route #3 looks useless, but it doesn’t break anything.

Address 192.168.100.10 on the bridge and everything with it doesn't make any sense. If you want to forward ports to remote 100.80.20.75, why do you forward them to local 192.168.100.10? That's dstnat, and I don't even know what to say about srcnat, because there's no way those rules could ever do anything useful.

If you want to forward ports from 103.x.x.x to 100.80.20.75, you want to do:

/ip firewall nat
add chain=dstnat in-interface="ISP A" protocol=tcp dst-port=22,80,443 action=dst-nat to-addresses=100.80.20.75

(I don't like in-interface="ISP A" and I'd prefer dst-address=103.x.x.x, but since it may not be static, this is ok too)

That’s basic config for router A. And now you have two options:

a) If you're interested in keeping the original source addresses, then this is all for router A and the rest needs to be done on router B. You basically need a dual-WAN config, where the second WAN is the link to router A. It means another routing table where router A is the default gateway, mark new incoming connections from router A, and then mark routing for the responses so they go back the same way. Something like:

/ip route
add dst-address=0.0.0.0/0 gateway=192.168.10.2 table=to-router-a
/ip firewall mangle
add chain=prerouting connection-state=new in-interface=<interface connected to router A> action=mark-connection new-connection-mark=from-router-a
add chain=prerouting in-interface=<interface connected to servers> connection-mark=from-router-a action=mark-routing new-routing-mark=to-router-a

b) If you don't care about source addresses, then you don't need to do anything on router B and you can simply do this on router A:

/ip firewall nat
add chain=srcnat out-interface=ether3 src-address=!192.168.97.0/24 action=src-nat to-addresses=192.168.10.2

Some other tweaks may be required, but it depends on what other config you have.

Thanks for the details.
I have also tried the port forwarding you provided, but still it's not working. When I do an SSH from the terminal of the MikroTik which is ISP A, it gives me a positive response as below:

[admin@ISPA] > /system ssh 100.80.20.75 src-address=192.168.97.1
password:

When I am doing it from the external address of ISP A (103.43.x.x), which is a public address, it does not work. The same type of port forwarding I have done for RDP, which works. The only difference is that the RDP one is a locally connected server on ISP A with 192.168.97.200, & what I want to achieve is remote servers connected via VPN on the ISP B router.

0 chain=srcnat action=masquerade out-interface=ISP A log=no log-prefix=""
1 chain=dstnat action=dst-nat to-addresses=100.80.20.75 protocol=tcp in-interface=ISP A dst-port=22 log=no log-prefix=""
2 chain=dstnat action=dst-nat to-addresses=192.168.97.200 to-ports=3389 protocol=tcp in-interface=ISP A dst-port=3389 log=no log-prefix=""

I am sorry if any information is missing. Tell me and I will provide it.

Start with option b), it's simpler. Add the srcnat rule I posted and see if it helps. If not, go step by step. Make sure that packets pass through router A. You can use Tools->Torch on router A's ether3 and look for packets to 100.80.20.75:22. If they are not there, they must be blocked by the firewall filter (/ip firewall filter, chain=forward). If you see them, then move to router B and look for them on the incoming interface from router A and on the outgoing interface to the servers. If it's all ok, then look for the responses in reverse order. It's really simple: you need to find the exact failing step and fix it.

@Syeed has given you the correct solution. You need to use mangle rules to ensure traffic that originates at ISP-A goes back out ISP-A and not out ISP-B. Using SRC-NAT is not a good way of doing it, as your destination servers in the network do not see the true internet IP addresses.

OK, so let's just think about this for a moment. Your traffic is going to be:

  1. Coming in ISP-A router
  2. Crossing to ISP-B router
  3. Going through VPN to the servers
  4. Return traffic going back to ISP-B Router
  5. BUT ISP-B Router will send it back out the internet (because that is where it has its lowest cost route).
  6. So this is broken

So you need to put this into the ISP-B router so that traffic coming from ISP-A goes back that way. Replace <VPN INTERFACE> with whatever your VPN interface is called.

What comes in on ether2 from the ISP-A router goes back out ether2 to the ISP-A router:

/ip firewall mangle add action=mark-connection chain=forward in-interface=ether2 connection-state=new new-connection-mark=ether2_fw passthrough=no disabled=no comment="fw ether2, out ether2"
/ip firewall mangle add action=mark-routing chain=prerouting in-interface=<VPN INTERFACE> connection-mark=ether2_fw new-routing-mark=ISP-A_traffic passthrough=no disabled=no

Create the routing rule:

/ip route add dst-address=0.0.0.0/0 gateway=192.168.10.2 distance=1 routing-mark=ISP-A_traffic disabled=no
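The six-step flow above, and the option (a) / option (b) split from earlier in the thread, can be checked against a small model of the two routers. The following Python is an added example, not RouterOS code and not from any poster: it models router A's dst-nat (plus the optional src-nat of option b), router B's routing decision with and without the connection/routing marks, and reports who sees which address and whether the TCP handshake can complete. Assumptions: 203.0.113.10 stands in for the thread's 103.x.x.x public address, 198.51.100.7 is a constructed internet client, router B's interfaces are named ether2 and vpn as in the last post, and ISP B's own masquerade is left out (it would change the reply's source, but not to the address the client expects).

```python
"""Model of the two-router port forward discussed in this thread (added
example, not RouterOS configuration).  Router A dst-nats inbound TCP/22 to
100.80.20.75 behind router B; the question is which way router B routes
the server's reply, and what the client ends up seeing."""
from dataclasses import dataclass, replace
import ipaddress

PUBLIC_A = "203.0.113.10"    # stand-in for the thread's 103.x.x.x (constructed)
CLIENT = "198.51.100.7"      # constructed internet client
SERVER = "100.80.20.75"      # the target server from the thread
A_TO_B = "192.168.10.2"      # router A's ether3 address (from the route table)
LAN_A = ipaddress.ip_network("192.168.97.0/24")
SERVERS = ipaddress.ip_network("100.80.20.64/27")
LINK = ipaddress.ip_network("192.168.10.0/30")


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int


def route_b(pkt, routing_mark=None):
    """Router B's egress interface: policy table first, then main table."""
    if routing_mark == "to-router-a":
        return "ether2"           # table to-router-a: 0.0.0.0/0 via 192.168.10.2
    d = ipaddress.ip_address(pkt.dst)
    if d in SERVERS:
        return "vpn"              # route to the server subnet over the VPN
    if d in LINK or d in LAN_A:
        return "ether2"           # directly connected link / static route to LAN A
    return "ISP B"                # main table default route (step 5 of the list)


def simulate(option):
    """option: 'none' (dst-nat only), 'a' (mangle on router B), 'b' (src-nat on A)."""
    conntrack_a = {}     # router A: post-NAT flow key -> original packet
    conn_marks_b = {}    # router B: flow key -> connection mark
    syn = Pkt(CLIENT, 51000, PUBLIC_A, 22)

    # Router A, chain=dstnat in-interface="ISP A" dst-port=22 -> 100.80.20.75
    fwd = replace(syn, dst=SERVER)
    if option == "b":
        # chain=srcnat out-interface=ether3 src-address=!192.168.97.0/24 -> 192.168.10.2
        fwd = replace(fwd, src=A_TO_B)
    flow = (fwd.src, fwd.sport, fwd.dst, fwd.dport)
    conntrack_a[flow] = syn

    # Router B: packet arrives on ether2 and is forwarded over the VPN
    if option == "a":
        # mangle: new connection in from ether2 -> connection-mark from-router-a
        conn_marks_b[flow] = "from-router-a"
    if route_b(fwd) != "vpn":
        raise RuntimeError("router B has no route to the server subnet")
    server_sees = fwd.src

    # Server replies (SYN-ACK); router B looks up the reverse flow's mark
    rep = Pkt(fwd.dst, fwd.dport, fwd.src, fwd.sport)
    mark = "to-router-a" if conn_marks_b.get(flow) == "from-router-a" else None
    egress = route_b(rep, mark)

    if egress == "ether2":
        orig = conntrack_a[flow]                       # router A un-NATs the reply
        rep = Pkt(orig.dst, orig.dport, orig.src, orig.sport)
    # else: reply leaves via ISP B and never passes router A's NAT table
    client_sees = (rep.src, rep.sport)
    return {
        "server_sees_client": server_sees,
        "reply_egress_b": egress,
        "client_sees_reply_from": client_sees,
        "handshake_ok": client_sees == (PUBLIC_A, 22),
    }


if __name__ == "__main__":
    for opt in ("none", "a", "b"):
        print(opt, simulate(opt))
```

With `none` the SYN-ACK leaves router B via ISP B, sourced from 100.80.20.75 rather than the public address the client connected to, so the client discards it; `a` returns it through router A with the real client address preserved for the server, and `b` also works but the server only ever sees 192.168.10.2, which is the trade-off the thread describes.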