Port forwarding by IP

Hello,

I have the following scenario:
LAN - 10.0.1.0/24
WIFI - 10.0.2.0/24

I block communication between those two networks with:

chain=forward action=drop src-address-list=local-networks dst-address-list=local-networks

Now I want to open only a couple of ports for a specific IP in the LAN, for example:
I want 10.0.1.10 to access 10.0.2.50 on port 80

How to do this?
I tried many options, but it seems that the filter rules are blocking, or I don't know how to set it up properly via NAT.
For example, I tried:

chain=dstnat action=dst-nat to-addresses=10.0.2.50 to-ports=80 protocol=tcp dst-address=10.0.1.10 dst-port=80

but nothing.

Any help?
thank you.

The traffic referenced in the NAT entry must also be allowed in the forwarding chain. Make sure that overall you are allowing the traffic in the forwarding chain remembering that destination entries should match the DST NATed addresses since the forward chain filters occur after DST NAT.
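To make the ordering in that reply concrete, here is an added Python model of the RouterOS forward path (it is example code, not RouterOS configuration and not anything posted in the thread). It runs the dstnat chain before the forward filter chain, evaluating rules top to bottom with the first match winning, and then checks two things: that the web accept rules from the first thread only work when they sit above the `local-networks` drop, and that a forward rule for a port forward has to match the translated destination, not the public address. The public IP 203.0.113.1, the client 198.51.100.7 and the server 192.168.10.50 are constructed values; the thread only says "My Public-IP" and "server IP".

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Added model (not RouterOS code): a packet crossing the router passes the
# dstnat chain first, then the forward filter chain. Rules are evaluated top
# to bottom and the first matching rule decides.

@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    src_port: int = 0
    dst_port: int = 0

@dataclass
class Rule:
    chain: str
    action: str
    protocol: Optional[str] = None
    src_address: Optional[str] = None
    dst_address: Optional[str] = None
    dst_port: Optional[int] = None
    port: Optional[int] = None          # RouterOS "port" matches src OR dst port
    src_address_list: Optional[str] = None
    dst_address_list: Optional[str] = None
    to_addresses: Optional[str] = None
    to_ports: Optional[int] = None

# Constructed address list standing in for the original poster's "local-networks".
ADDRESS_LISTS = {"local-networks": ["10.0.1.0/24", "10.0.2.0/24"]}

def in_net(ip: str, net: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)

def in_list(ip: str, name: str) -> bool:
    return any(in_net(ip, n) for n in ADDRESS_LISTS[name])

def matches(r: Rule, p: Packet) -> bool:
    return all([
        r.protocol is None or r.protocol == p.proto,
        r.src_address is None or in_net(p.src, r.src_address),
        r.dst_address is None or in_net(p.dst, r.dst_address),
        r.dst_port is None or r.dst_port == p.dst_port,
        r.port is None or r.port in (p.src_port, p.dst_port),
        r.src_address_list is None or in_list(p.src, r.src_address_list),
        r.dst_address_list is None or in_list(p.dst, r.dst_address_list),
    ])

def run_chain(rules, chain: str, p: Packet) -> Optional[str]:
    """Apply the first matching rule of `chain`; dst-nat rewrites the packet in place."""
    for r in rules:
        if r.chain != chain or not matches(r, p):
            continue
        if r.action == "dst-nat":
            p.dst = r.to_addresses
            if r.to_ports:
                p.dst_port = r.to_ports
        return r.action
    return None   # no rule matched: a RouterOS chain accepts by default

def forward_verdict(rules, p: Packet):
    """Return (verdict, destination and port as seen by the forward chain)."""
    run_chain(rules, "dstnat", p)                   # translation happens first
    verdict = run_chain(rules, "forward", p) or "accept"
    return verdict, p.dst, p.dst_port

# Thread 1: the drop between local networks plus the two web accept rules.
DROP_LOCAL = Rule("forward", "drop", src_address_list="local-networks",
                  dst_address_list="local-networks")
ACCEPT_WEB = [
    Rule("forward", "accept", protocol="tcp", src_address="10.0.1.10", dst_address="10.0.2.50", port=80),
    Rule("forward", "accept", protocol="tcp", src_address="10.0.2.50", dst_address="10.0.1.10", port=80),
]

def lan_to_wifi_web(accept_before_drop: bool) -> str:
    rules = ACCEPT_WEB + [DROP_LOCAL] if accept_before_drop else [DROP_LOCAL] + ACCEPT_WEB
    return forward_verdict(rules, Packet("10.0.1.10", "10.0.2.50", src_port=51000, dst_port=80))[0]

# Thread 2: 203.0.113.1:8087 (constructed public IP) forwarded to 192.168.10.50:8082
# (constructed server address; the port 8082 is from the post).
DNAT = Rule("dstnat", "dst-nat", protocol="tcp", dst_address="203.0.113.1", dst_port=8087,
            to_addresses="192.168.10.50", to_ports=8082)
PRE_NAT_ACCEPT = Rule("forward", "accept", protocol="tcp", dst_address="203.0.113.1", dst_port=8087)
POST_NAT_ACCEPT = Rule("forward", "accept", protocol="tcp", dst_address="192.168.10.50", dst_port=8082)

def port_forward(forward_rule: Rule):
    rules = [DNAT, forward_rule, Rule("forward", "drop")]   # drop everything else
    return forward_verdict(rules, Packet("198.51.100.7", "203.0.113.1", src_port=40000, dst_port=8087))

if __name__ == "__main__":
    print(lan_to_wifi_web(True), lan_to_wifi_web(False))   # accept drop
    print(port_forward(PRE_NAT_ACCEPT))                     # ('drop', '192.168.10.50', 8082)
    print(port_forward(POST_NAT_ACCEPT))                    # ('accept', '192.168.10.50', 8082)
```

The model deliberately leaves out connection tracking: on a real router an `accept connection-state=established,related` rule near the top of the forward chain lets the return half of the TCP handshake through without the second, reversed accept rule, and keeps the accepted surface limited to replies of connections you already allowed.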

Thank you for the explanation, I did it:

Allowing TCP port 80:

chain=forward action=accept protocol=tcp src-address=10.0.2.50 dst-address=10.0.1.10 port=80
chain=forward action=accept protocol=tcp src-address=10.0.1.10 dst-address=10.0.2.50 port=80

Allowing ICMP (for ping):

chain=forward action=accept protocol=icmp src-address=10.0.2.50 dst-address=10.0.1.10
chain=forward action=accept protocol=icmp src-address=10.0.1.10 dst-address=10.0.2.50

Works like a charm :)
thank you.

Hi

I have a similar problem but I can't fix it.

I am using a simple application to try to establish a connection to the server using a TCP/IP socket. When the NAT rule I use is enabled I can clearly see that some traffic is arriving at the server, and the application waits for some time while trying to connect to the server, but it fails. When the rule is disabled, the program immediately prompts a message indicating that the connection was refused.
From this I conclude that I am able to send data to the server, but it is unable to respond to the client to establish a connection.

My NAT rules are as follows:

I am using winbox

1- srcnat
Src Address : 192.168.10.0/24
Out interface : wayout
Action: masquerade

2- chain:dstnat
Dst Address: My Public-IP
Protocol:6(tcp)
Dst port:8087

Action

Action: dst-nat
To Addresses: server IP
To ports: 8082 (the server port)

Is there any additional rule that I must use in order for a client to be able to connect to the server? Am I missing something here?

Thanks in advance

What does the routing table on the server look like?

Of course

I have these routes:

Route list:

Dst. Address        Gateway
AS  0.0.0.0/0         une
AS  xxx.xxx.50.0/24   192.168.20.1   "it is a VPN"
AS  192.168.1.0/24    192.168.20.1

Is that what you asked?

If you DST NAT traffic to a server it will still appear with the original source IP (unless you also SRC NAT the traffic) so the server needs a route back to the originator. It looks like you have no default route set on the server.
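The route-back requirement in that reply can be checked with a small added Python model of the server's reply path (example code, not RouterOS configuration and not from the thread). It does a longest-prefix lookup over a routing table with the shape of the one posted, then reports where the server's SYN-ACK goes and whether it passes back through the router holding the NAT state. The server address 192.168.10.50, the router's LAN address 192.168.10.1 and the client 198.51.100.7 are constructed; "une" is kept as the gateway name from the post, and the VPN route is left out because its prefix is elided there. The `src_nat_on_router` flag models an additional src-nat rule on the LAN side; the masquerade rule posted above matches only traffic leaving via the `wayout` interface, so on its own it does not rewrite the source of the forwarded inbound connection.

```python
import ipaddress
from typing import List, Optional, Tuple

# Added model (not RouterOS code). With DST NAT only, the server sees the
# original client address as the source, so its reply is routed toward that
# client. The router can un-translate the reply only if it is on that path.

NAT_ROUTER_LAN_IP = "192.168.10.1"   # assumed LAN address of the router doing the NAT
SERVER_IP = "192.168.10.50"          # constructed; the post only says "server IP"
CLIENT_IP = "198.51.100.7"           # constructed Internet client

Route = Tuple[str, str]              # (prefix, gateway); "direct" = connected network

# Shape of the table posted in the thread, plus the server's own connected subnet.
POSTED_ROUTES: List[Route] = [
    ("0.0.0.0/0", "une"),
    ("192.168.1.0/24", "192.168.20.1"),
    ("192.168.10.0/24", "direct"),
]
# Same table with the default route pointing at the NAT router (assumption).
ROUTES_VIA_NAT_ROUTER: List[Route] = [
    ("0.0.0.0/0", NAT_ROUTER_LAN_IP),
    ("192.168.1.0/24", "192.168.20.1"),
    ("192.168.10.0/24", "direct"),
]

def next_hop(routes: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix match: the most specific matching route wins."""
    best = None
    addr = ipaddress.ip_address(dst)
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None

def reply_path(routes: List[Route], src_nat_on_router: bool = False):
    """Return (source the server saw, gateway used for the reply, reply reaches NAT router)."""
    seen_src = NAT_ROUTER_LAN_IP if src_nat_on_router else CLIENT_IP
    gw = next_hop(routes, seen_src)
    if gw == "direct":
        gw = seen_src                  # on-link: delivered straight to that address
    return seen_src, gw, gw == NAT_ROUTER_LAN_IP

if __name__ == "__main__":
    print(reply_path(POSTED_ROUTES))                        # reply leaves via "une"
    print(reply_path(ROUTES_VIA_NAT_ROUTER))                # reply returns through the router
    print(reply_path(POSTED_ROUTES, src_nat_on_router=True)) # source rewritten, returns on-link
```

The last case is the trade-off behind "unless you also SRC NAT the traffic": rewriting the source makes the return path independent of the server's routing, but the server's logs then show the router's address for every forwarded connection instead of the real client, which matters when you later need to attribute or block a source.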

This is the default route, no?

AS --0.0.0.0/0 une

All the traffic will go out through that interface, no? Except the traffic for "xxx.xxx.50.0" and "192.168.1.0/24".

And this masquerade:

1- srcnat
Src Address : 192.168.10.0/24
Out interface : wayout
Action: masquerade

should help solve that, no?

If you think I need another route could you please give me some advice?

Thanks a lot