dg3feh
January 31, 2017, 9:09pm
1
Hello!
I run my LAN on 192.168.1.0/24 and an xDSL connection via a modem (192.168.0.2) which is connected to ether23-MODEM. The internet connection works fine. The firewall is like this:
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Kaputte Pakete DROP
chain=input action=drop connection-state=invalid log=no
1 ;;; Bestehende und initierte Verbindungen OK
chain=input action=accept connection-state=established,related log=no
2 ;;; Von 192.168.1.0/24 nach draussen
chain=input action=accept src-address=192.168.1.0/24
in-interface=ether23-MODEM log=no
3 ;;; von 192.168.1.0 -> 192.168.0.0 OK
chain=input action=accept src-address=192.168.1.0/24
dst-address=192.168.0.0/24 log=no
4 ;;; von 192.168.0.0 -> 192.168.1.0 OK
chain=input action=accept src-address=192.168.0.0/24
dst-address=192.168.1.0/24 log=no log-prefix=""
5 ;;; von 192.168.1.0 -> 192.168.1.0 OK
chain=input action=accept src-address=192.168.1.0/24
dst-address=192.168.1.0/24 log=no log-prefix=""
6 ;;; Der Rest geht in den Orkus....
chain=input action=drop log=no log-prefix="FW"
I run a small server on 192.168.1.252 and want to reach the WWW service from the Internet. For masquerading and port forwarding I use the following NAT parameters:
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Maskierung LAN
chain=srcnat action=masquerade src-address=192.168.1.0/24 log=no
1 ;;; Port-forwarding HTTP zum Server
chain=dstnat action=dst-nat to-addresses=192.168.1.252 to-ports=80
protocol=tcp in-interface=ether23-MODEM dst-port=80 log=yes
log-prefix="FW80"
2 ;;; Port-forwarding HTTPS zum Server
chain=dstnat action=dst-nat to-addresses=192.168.1.252 to-ports=443
protocol=tcp in-interface=ether23-MODEM dst-port=443 log=yes
log-prefix="FW443"
The MikroTik web interface uses ports 81 and 444:
 #     NAME      PORT   ADDRESS          CERTIFICATE
 0     telnet    23     192.168.1.0/24
 1 XI  ftp       21
 2     www       81     192.168.1.0/24
 3     ssh       22
 4     www-ssl   444                     mikrotik-https
 5     api       8728
 6     winbox    8291
 7     api-ssl   8729                    *FFFFFFFF
I can't connect from the outside to the WWW server and I can't see any log entries from the NAT rules (marked by FW80 and FW443). Any hints on what is wrong?
BR Holger
Who has the Public IP?
You need to redirect on this device too.
pe1chl
January 31, 2017, 9:43pm
3
Do you have any forward rules in your firewall? That is what is important, not the input rules.
dg3feh
January 31, 2017, 10:26pm
4
The public IP is held by the PPP Interface on ether23-MODEM.
What kind of forward rule? You can see all my rules in the post.
effndc
January 31, 2017, 10:56pm
5
So the public IP address is assigned to a PPPoE connection on the Mikrotik?
Do you have firewall forward rules to accept the incoming connection? dst-nat only tells the system what you want the packets re-written to, it doesn’t give it permission to actually forward the traffic. You likely need to add something like:
/ip firewall filter
add action=accept chain=forward comment=weathercat dst-address=192.168.1.252 dst-port=80,443 protocol=tcp
Just be sure to put that above your forward drop rule.
dg3feh
January 31, 2017, 11:12pm
6
effndc:
So the public IP address is assigned to a PPPoE connection on the Mikrotik?
Do you have firewall forward rules to accept the incoming connection? dst-nat only tells the system what you want the packets re-written to, it doesn’t give it permission to actually forward the traffic. You likely need to add something like:
/ip firewall filter
add action=accept chain=forward comment=weathercat dst-address=192.168.1.252 dst-port=80,443 protocol=tcp
Just be sure to put that above your forward drop rule.
I added this one, but it is still not working.
Are these ones correct:
2 ;;; Portforwarding HTTP zum Server
chain=dstnat action=dst-nat to-addresses=192.168.1.252 to-ports=80 protocol=tcp
in-interface=ether23-MODEM dst-port=80 log=yes log-prefix="FW80"
3 chain=dstnat action=dst-nat to-addresses=192.168.1.252 to-ports=443 protocol=tcp
in-interface=ether23-MODEM dst-port=443 log=no
dg3feh
January 31, 2017, 11:54pm
7
Mistake found. I have to use the PPPoE Interface and not the port!
Next problem is the Hairpin NAT http://wiki.mikrotik.com/wiki/Hairpin_NAT
/ip firewall nat
add chain=srcnat src-address=192.168.1.0/24
dst-address=192.168.1.2 protocol=tcp dst-port=80
out-interface=LAN action=masquerade
What does LAN mean here?
Sob
February 1, 2017, 12:32am
8
LAN means LAN, the internal network where both server and client are connected.
dg3feh
February 1, 2017, 6:53am
9
How do I define that? These are all ports except 23 (where the modem is connected).
pe1chl
February 1, 2017, 9:04am
10
Please show a complete /export of your config so it can be debugged.
dg3feh
February 1, 2017, 9:47am
11
[admin@Router-HH] > /export
feb/01/2017 10:45:22 by RouterOS 6.38.1
software id = D5X7-MT4X
/interface ethernet
set [ find default-name=ether2 ] master-port=ether1
set [ find default-name=ether3 ] master-port=ether1
set [ find default-name=ether4 ] master-port=ether1
set [ find default-name=ether5 ] master-port=ether1
set [ find default-name=ether6 ] master-port=ether1
set [ find default-name=ether7 ] master-port=ether1
set [ find default-name=ether8 ] master-port=ether1
set [ find default-name=ether9 ] master-port=ether1
set [ find default-name=ether10 ] master-port=ether1
set [ find default-name=ether11 ] master-port=ether1
set [ find default-name=ether12 ] master-port=ether1
set [ find default-name=ether13 ] master-port=ether1
set [ find default-name=ether14 ] master-port=ether1
set [ find default-name=ether15 ] master-port=ether1
set [ find default-name=ether16 ] master-port=ether1
set [ find default-name=ether17 ] master-port=ether1
set [ find default-name=ether18 ] master-port=ether1
set [ find default-name=ether19 ] master-port=ether1
set [ find default-name=ether20 ] master-port=ether1
set [ find default-name=ether21 ] master-port=ether1
set [ find default-name=ether22 ] master-port=ether1
set [ find default-name=ether23 ] name=ether23-MODEM
set [ find default-name=ether24 ] master-port=ether1
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether23-MODEM keepalive-timeout=disabled name=PPPoE-ALICE use-peer-dns=yes user=04102981391
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool1 ranges=192.168.1.1-192.168.1.100
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=ether1 lease-time=2h name=dhcp1
/ip settings
set accept-source-route=yes
/ip address
add address=192.168.1.254/24 interface=ether1 network=192.168.1.0
add address=192.168.0.1/24 interface=ether23-MODEM network=192.168.0.0
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.254 gateway=192.168.1.254
/ip dns
set allow-remote-requests=yes servers=4.4.4.4
/ip firewall address-list
add address=192.168.1.1-192.168.1.200 list=LAN
/ip firewall filter
add action=drop chain=input comment="Kaputte Pakete DROP" connection-state=invalid
add action=drop chain=forward comment="Kaputte Pakete Drop
\n" connection-state=invalid
add action=accept chain=input comment="Bestehende und initierte Verbindungen OK" connection-state=established,related
add action=accept chain=forward comment="Bestehende und initierte Verbindungen OK" connection-state=established,related protocol=tcp
add action=accept chain=forward comment="Forward auf Server" connection-state=established,related,new dst-address=192.168.1.252 dst-port=22,80,443 protocol=tcp
add action=accept chain=forward comment="Forward auf Router" connection-state=established,related,new dst-address=192.168.1.254 dst-port=444 protocol=tcp
add action=accept chain=input comment="von 192.168.1.0 -> 192.168.0.0 OK" dst-address=192.168.0.0/24 src-address=192.168.1.0/24
add action=accept chain=input comment="von 192.168.0.0 -> 192.168.1.0 OK" dst-address=192.168.1.0/24 src-address=192.168.0.0/24
add action=accept chain=input comment="von 192.168.1.0 -> 192.168.1.0 OK" dst-address=192.168.1.0/24 src-address=192.168.1.0/24
add action=drop chain=input comment="Der Rest geht in den Orkus...." log-prefix=FW
/ip firewall nat
add action=masquerade chain=srcnat comment="Maskierung LAN" out-interface=PPPoE-ALICE src-address=192.168.1.0/24
add action=masquerade chain=srcnat comment=Hairpin dst-address=192.168.1.252 dst-port=22,80,443 out-interface-list=all protocol=tcp src-address=192.168.1.0/24
add action=src-nat chain=srcnat comment=NTP protocol=udp src-port=123 to-addresses=192.168.1.254
add action=dst-nat chain=dstnat comment="Portforwarding HTTP zum Server" dst-port=80 in-interface=PPPoE-ALICE log-prefix=FW80 protocol=tcp to-addresses=192.168.1.252 to-ports=80
add action=dst-nat chain=dstnat comment="Portforwarding HTTPS zum Server" dst-port=443 in-interface=PPPoE-ALICE protocol=tcp to-addresses=192.168.1.252 to-ports=443
add action=dst-nat chain=dstnat comment="Port forwarding SSH auf Server" dst-port=22 in-interface=PPPoE-ALICE protocol=tcp to-addresses=192.168.1.252 to-ports=22
add action=dst-nat chain=dstnat comment="Forward HTTPS Router" dst-port=444 in-interface=PPPoE-ALICE protocol=tcp to-addresses=192.168.1.254 to-ports=444
/ip route
add distance=1 dst-address=192.168.0.0/24 gateway=ether23-MODEM pref-src=192.168.0.1
add distance=1 dst-address=192.168.1.0/24 gateway=ether1 pref-src=192.168.1.254
/ip service
set telnet address=192.168.1.0/24
set ftp disabled=yes
set www address=192.168.1.0/24 port=81
set www-ssl certificate=mikrotik-https disabled=no port=444
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=Router-HH
/system ntp client
set enabled=yes primary-ntp=192.53.103.104 secondary-ntp=192.53.103.103
/system ntp server
set enabled=yes multicast=yes
/system scheduler
add interval=1m name=DynDNS-Strato on-event=dynDNS policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=jan/30/2017 start-time=20:31:46
/system script
add name=dynDNS owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":global ddnsuser "lange-online.net"
\n:global ddnspass "blablabla"
\n:global theinterface "PPPoE-ALICE"
\n:global ddnshost blablabla
\n:global ddnsserver dyndns.strato.com
\n:global protocol https
\n:global ipddns [:resolve $ddnshost];
\n:global ipfresh [ /ip address get [/ip address find interface=$theinterface ] address ]
\n:if ([ :typeof $ipfresh ] = nil ) do={
\n :log info ("DynDNS: No ip address on $theinterface .")
\n} else={
\n :for i from=( [:len $ipfresh] - 1) to=0 do={
\n :if ( [:pick $ipfresh $i] = "/") do={
\n :set ipfresh [:pick $ipfresh 0 $i];
\n }
\n}
\n
\n:if ($ipddns != $ipfresh) do={
\n :log info ("DynDNS: IP-DynDNS = $ipddns")
\n :log info ("DynDNS: IP-Fresh = $ipfresh")
\n :log info "DynDNS: Update IP needed, Sending UPDATE...!"
\n :global str "/nic/update\?hostname=$ddnshost&myip=$ipfresh&wildcard=NOCHG&mx=NOCHG&backmx=NOCHG"
\n /tool fetch address=$ddnsserver src-path=$str mode=$protocol user=$ddnsuser \
\n password=$ddnspass dst-path=("/DynDNS.".$ddnshost)
\n :delay 1
\n :global str [/file find name="DynDNS.$ddnshost"];
\n /file remove $str
\n :global ipddns $ipfresh
\n :log info "DynDNS: IP updated to $ipfresh!"
\n } else={
\n# :log info "DynDNS: dont need changes";
\n }
\n} "
/tool graphing interface
add interface=PPPoE-ALICE
pe1chl
February 1, 2017, 5:06pm
12
OK, in your case your LAN is "ether1", as all ethernet ports except your modem port have master-port=ether1.
This means that they are hardware-switched together and the port ether1 is the one that the router sees.
Under /ip route, this entry should not be required:
add distance=1 dst-address=192.168.1.0/24 gateway=ether1 pref-src=192.168.1.254
This is already covered by:
/ip address
add address=192.168.1.254/24 interface=ether1 network=192.168.1.0
Looking at this, I think the port forwarding should work from the outside. For your hairpin NAT you required the LAN name which is ether1.
Normally you would have some more forward firewall rules as well but it appears you deleted them.
Then it at least should work. And with single external IP address and no NAT it does not make that much of a difference.
dg3feh
February 2, 2017, 7:55am
13
Hello!
Thank you for your answer. The routing from the outside works fine for HTTP, HTTPS and SSH. For the Hairpin rule you mean:
/ip firewall nat add action=masquerade chain=srcnat comment=Hairpin dst-address=192.168.1.252 dst-port=22,80,443 out-interface-list=ether1 protocol=tcp src-address=192.168.1.0/24
…but that one does not work, but why!?
Besides that I changed the port for the MikroTik HTTPS access to 444 (see config above) and tried to route that one to the outside:
/ip firewall nat add action=dst-nat chain=dstnat comment="Portforwarding HTTPS zum Router" dst-port=444 in-interface=PPPoE-ALICE protocol=tcp to-addresses=192.168.1.254 to-ports=444
That doesn't work either.
…and what kind of forward rules do you miss? I like the firewall very strict and only open ports if necessary.
Some hints for me?
Thanks, Holger
pe1chl
February 2, 2017, 9:26am
14
I overlooked some forward entries. However, it is not required to explicitly forward your dstnatted ports.
The default forward rules, which should be OK for you, are like this:
/ip firewall filter
add chain=forward action=fasttrack-connection connection-state=established,related
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=PPPoE-ALICE
(delete all forward rules and then paste this in a terminal window)
dg3feh
February 2, 2017, 9:41am
15
And what about the Hairpin? I need to get that working to get access to the address books and calendars from smartphones while they are connected to the LAN via WLAN.
pe1chl
February 2, 2017, 10:32am
16
Does it not work after you apply the above forward rules and you insert the hairpin rule with ether1 instead of LAN?
dg3feh
February 2, 2017, 11:09am
17
I implemented your hints, and the Hairpin still doesn't work;
also the redirect of the Router HTTPS Interface doesn’t work
pe1chl
February 2, 2017, 5:24pm
18
I have no experience with hairpin nat, but I think it should work. Maybe check again at the wiki.
Sob
February 2, 2017, 8:15pm
19
If you want your forwarded ports to work also from LAN, you can’t have dstnat rules with in-interface=PPPoE-ALICE. If you connect from LAN, in-interface will be ether1. So remove in-interface=PPPoE-ALICE and instead add dst-address-type=local. Then your hairpin NAT rule, I don’t see any interface list defined in your config, so you probably meant out-interface=ether1 and not out-interface-list=ether1.
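What Sob describes here, combined with the forward rules pe1chl gave in post 14, put together as one added example. This is not configuration from the thread and not MikroTik's own text; it uses only names that appear in the export (ether1 as the LAN port, PPPoE-ALICE as the WAN interface, 192.168.1.252 as the server, 192.168.1.254 as the router's LAN address) and the `dst-address-type=local` match from the MikroTik hairpin NAT wiki page linked above. RouterOS 6.38 syntax.

```routeros
# Added example (not from the thread). Names from the export: ether1 = LAN port,
# PPPoE-ALICE = WAN, 192.168.1.252 = server, 192.168.1.254 = router LAN address.

/ip firewall nat
# Port forwarding without an in-interface match. dst-address-type=local matches
# any packet addressed to one of the router's own IPs, so the rule fires for
# Internet clients (dst = public PPPoE address, arriving on PPPoE-ALICE) and
# for LAN clients that resolved the DynDNS name (same dst, arriving on ether1).
# dst-address=!192.168.1.254 keeps LAN access to the router's own port 22 (ssh)
# working; without it a LAN ssh session to the router would be redirected to
# the server as well.
add chain=dstnat action=dst-nat dst-address-type=local dst-address=!192.168.1.254 \
    protocol=tcp dst-port=80 to-addresses=192.168.1.252 to-ports=80 \
    comment="HTTP to server" log=yes log-prefix=FW80
add chain=dstnat action=dst-nat dst-address-type=local dst-address=!192.168.1.254 \
    protocol=tcp dst-port=443 to-addresses=192.168.1.252 to-ports=443 \
    comment="HTTPS to server"
add chain=dstnat action=dst-nat dst-address-type=local dst-address=!192.168.1.254 \
    protocol=tcp dst-port=22 to-addresses=192.168.1.252 to-ports=22 \
    comment="SSH to server"

# The existing "Maskierung LAN" masquerade (out-interface=PPPoE-ALICE) stays.
# Hairpin: a LAN client that was dst-natted to the server would otherwise get
# the reply straight from the server (same subnet), from an address it never
# talked to, and drop it. Masquerading LAN->server traffic that leaves through
# ether1 forces the reply back through the router, which un-NATs it.
# out-interface=ether1 is the plain interface match; out-interface-list needs
# an /interface list entry, which the export does not define.
add chain=srcnat action=masquerade src-address=192.168.1.0/24 \
    dst-address=192.168.1.252 protocol=tcp dst-port=22,80,443 \
    out-interface=ether1 comment="Hairpin NAT"

/ip firewall filter
# Forward chain from post 14. The last rule replaces per-port accept rules:
# a new connection from the WAN is allowed only if a dstnat rule rewrote it,
# so adding a port forward never requires touching the filter again.
add chain=forward action=fasttrack-connection connection-state=established,related
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat \
    in-interface=PPPoE-ALICE comment="WAN may only open dst-natted connections"
```

To see which rules actually match, connect from a LAN client to the DynDNS name and watch the counters with `/ip firewall nat print stats`; the dstnat rule for the port and the "Hairpin NAT" rule should both count up, and `/ip firewall connection print` should list the connection with the server as its destination. The `log=yes` on the HTTP rule writes lines with the FW80 prefix to `/log print`. Unrelated to the hairpin question: the export also has `/ip settings set accept-source-route=yes`; on a router with a public interface that should be `no` (the RouterOS default) unless there is a specific reason for it.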
dg3feh
February 2, 2017, 11:46pm
20
Hello!
The Hairpin and the forwarding for the router still do not work. Here is the current export:
[admin@Router-HH] > /export
feb/03/2017 00:42:43 by RouterOS 6.38.1
software id = D5X7-MT4X
/interface ethernet
set [ find default-name=ether2 ] master-port=ether1
set [ find default-name=ether3 ] master-port=ether1
set [ find default-name=ether4 ] master-port=ether1
set [ find default-name=ether5 ] master-port=ether1
set [ find default-name=ether6 ] master-port=ether1
set [ find default-name=ether7 ] master-port=ether1
set [ find default-name=ether8 ] master-port=ether1
set [ find default-name=ether9 ] master-port=ether1
set [ find default-name=ether10 ] master-port=ether1
set [ find default-name=ether11 ] master-port=ether1
set [ find default-name=ether12 ] master-port=ether1
set [ find default-name=ether13 ] master-port=ether1
set [ find default-name=ether14 ] master-port=ether1
set [ find default-name=ether15 ] master-port=ether1
set [ find default-name=ether16 ] master-port=ether1
set [ find default-name=ether17 ] master-port=ether1
set [ find default-name=ether18 ] master-port=ether1
set [ find default-name=ether19 ] master-port=ether1
set [ find default-name=ether20 ] master-port=ether1
set [ find default-name=ether21 ] master-port=ether1
set [ find default-name=ether22 ] master-port=ether1
set [ find default-name=ether23 ] name=ether23-MODEM
set [ find default-name=ether24 ] master-port=ether1
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether23-MODEM keepalive-timeout=disabled name=PPPoE-ALICE use-peer-dns=yes user=04102981391
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool1 ranges=192.168.1.1-192.168.1.100
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=ether1 lease-time=2h name=dhcp1
/ip settings
set accept-source-route=yes
/ip address
add address=192.168.1.254/24 interface=ether1 network=192.168.1.0
add address=192.168.0.1/24 interface=ether23-MODEM network=192.168.0.0
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.254 gateway=192.168.1.254
/ip dns
set allow-remote-requests=yes servers=4.4.4.4
/ip firewall address-list
add address=192.168.1.1-192.168.1.200 list=LAN
/ip firewall filter
add action=drop chain=input comment="Kaputte Pakete DROP" connection-state=invalid
add action=drop chain=forward comment="Kaputte Pakete Drop
\n" connection-state=invalid
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward connection-nat-state=!dstnat connection-state=new in-interface=PPPoE-ALICE
add action=accept chain=input comment="Bestehende und initierte Verbindungen OK" connection-state=established,related
add action=accept chain=forward comment="Bestehende und initierte Verbindungen OK" connection-state=established,related protocol=tcp
add action=accept chain=forward comment="Forward auf Server" connection-state=established,related,new dst-address=192.168.1.252 dst-port=22,80,443 protocol=tcp
add action=accept chain=forward comment="Forward auf Router" connection-state=established,related,new dst-address=192.168.1.254 dst-port=444 protocol=tcp
add action=accept chain=input comment="von 192.168.1.0 -> 192.168.0.0 OK" dst-address=192.168.0.0/24 src-address=192.168.1.0/24
add action=accept chain=input comment="von 192.168.0.0 -> 192.168.1.0 OK" dst-address=192.168.1.0/24 src-address=192.168.0.0/24
add action=accept chain=input comment="von 192.168.1.0 -> 192.168.1.0 OK" dst-address=192.168.1.0/24 src-address=192.168.1.0/24
add action=drop chain=input comment="Der Rest geht in den Orkus...." log-prefix=FW
/ip firewall nat
add action=masquerade chain=srcnat comment="Maskierung LAN" out-interface=PPPoE-ALICE src-address=192.168.1.0/24
add action=masquerade chain=srcnat comment=Hairpin dst-address=192.168.1.252 dst-port=22,80,443 out-interface=ether1 out-interface-list=all protocol=tcp src-address=192.168.1.0/24
add action=src-nat chain=srcnat comment=NTP protocol=udp src-port=123 to-addresses=192.168.1.254
add action=dst-nat chain=dstnat comment="Portforwarding HTTP zum Server" dst-port=80 in-interface=PPPoE-ALICE log-prefix=FW80 protocol=tcp to-addresses=192.168.1.252 to-ports=80
add action=dst-nat chain=dstnat comment="Portforwarding HTTPS zum Server" dst-port=443 in-interface=PPPoE-ALICE protocol=tcp to-addresses=192.168.1.252 to-ports=443
add action=dst-nat chain=dstnat comment="Port forwarding SSH auf Server" dst-port=22 in-interface=PPPoE-ALICE protocol=tcp to-addresses=192.168.1.252 to-ports=22
add action=dst-nat chain=dstnat comment="Forward HTTPS Router" dst-port=444 in-interface=PPPoE-ALICE port="" protocol=tcp to-addresses=192.168.1.254 to-ports=444
/ip route
add distance=1 dst-address=192.168.0.0/24 gateway=ether23-MODEM pref-src=192.168.0.1
add distance=1 dst-address=192.168.1.0/24 gateway=ether1 pref-src=192.168.1.254
/ip service
set telnet address=192.168.1.0/24
set ftp disabled=yes
set www address=192.168.1.0/24 port=81
set www-ssl certificate=mikrotik-https disabled=no port=444
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=Router-HH
/system ntp client
set enabled=yes primary-ntp=192.53.103.104 secondary-ntp=192.53.103.103
/system ntp server
set enabled=yes multicast=yes
/system scheduler
add interval=1m name=DynDNS-Strato on-event=dynDNS policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=jan/30/2017 start-time=20:31:46
/system script
add name=dynDNS owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":global ddnsuser "blablabla"
\n:global ddnspass "blablabla"
\n:global theinterface "PPPoE-ALICE"
\n:global ddnshost hh.lange-online.net
\n:global ddnsserver dyndns.strato.com
\n:global protocol https
\n:global ipddns [:resolve $ddnshost];
\n:global ipfresh [ /ip address get [/ip address find interface=$theinterface ] address ]
\n:if ([ :typeof $ipfresh ] = nil ) do={
\n :log info ("DynDNS: No ip address on $theinterface .")
\n} else={
\n :for i from=( [:len $ipfresh] - 1) to=0 do={
\n :if ( [:pick $ipfresh $i] = "/") do={
\n :set ipfresh [:pick $ipfresh 0 $i];
\n }
\n}
\n
\n:if ($ipddns != $ipfresh) do={
\n :log info ("DynDNS: IP-DynDNS = $ipddns")
\n :log info ("DynDNS: IP-Fresh = $ipfresh")
\n :log info "DynDNS: Update IP needed, Sending UPDATE...!"
\n :global str "/nic/update\?hostname=$ddnshost&myip=$ipfresh&wildcard=NOCHG&mx=NOCHG&backmx=NOCHG"
\n /tool fetch address=$ddnsserver src-path=$str mode=$protocol user=$ddnsuser \
\n password=$ddnspass dst-path=("/DynDNS.".$ddnshost)
\n :delay 1
\n :global str [/file find name="DynDNS.$ddnshost"];
\n /file remove $str
\n :global ipddns $ipfresh
\n :log info "DynDNS: IP updated to $ipfresh!"
\n } else={
\n# :log info "DynDNS: dont need changes";
\n }
\n} "
/tool graphing interface
add interface=PPPoE-ALICE
[admin@Router-HH] >
Some hints?
/BR
Holger
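On the router-side forwarding that the last export still carries ("Forward HTTPS Router", a dst-nat to 192.168.1.254:444, plus the "Forward auf Router" filter rule): a packet whose destination is one of the router's own addresses is handled in the input chain, not in forward, so a forward rule never sees it, and the input chain in the export accepts new connections only from 192.168.1.0/24 or 192.168.0.0/24 sources before dropping everything else. The following is an added example, not from the thread or from MikroTik. It removes the dst-nat (www-ssl has no `address=` restriction in the export, so it already listens on the PPPoE address) and admits port 444 in the input chain, restricted to an address list so the router's management interface is not open to the whole Internet. The list name `mgmt-allowed` and the entry 203.0.113.10 are assumptions.

```routeros
# Added example (not from the thread). Assumed: the address-list name
# "mgmt-allowed" and the example entry 203.0.113.10 (a documentation address).

/ip firewall address-list
add list=mgmt-allowed address=203.0.113.10 comment="example remote admin host"

# The dst-nat to the router's own LAN address and the matching forward rule
# do nothing useful: www-ssl (port 444 in the export) has no address=
# restriction, so it already answers on the PPPoE address, and traffic to a
# local address is decided in the input chain, never in forward.
/ip firewall nat
remove [find comment="Forward HTTPS Router"]
/ip firewall filter
remove [find comment="Forward auf Router"]

# Admit new connections to 444 from the WAN, only from listed sources, and log
# them. The rule is placed directly above the final input drop (the input drop
# rule carrying log-prefix=FW in the export); anything after that drop is
# never reached.
add chain=input action=accept protocol=tcp dst-port=444 in-interface=PPPoE-ALICE \
    src-address-list=mgmt-allowed connection-state=new log=yes log-prefix=FW444 \
    comment="Router HTTPS from allowed hosts only" \
    place-before=[find chain=input action=drop log-prefix=FW]

# Second line of defence: limit the service itself to the same sources, so a
# firewall mistake alone does not expose the web interface.
/ip service
set www-ssl address=192.168.1.0/24,203.0.113.10/32
```

After this, a connection from 203.0.113.10 to the public address on port 444 should log a line with the FW444 prefix and count up on the new input rule in `/ip firewall filter print stats`; a connection from any other source still hits the final input drop. LAN clients keep reaching 192.168.1.254:444 through the existing "von 192.168.1.0 -> 192.168.1.0 OK" input rule.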