port forwarding/firewall issue

mndh · December 6, 2016, 8:04pm

Hi,

I am fresh to mikrotik configuration and I seem to have some issues with firewall config. My problem is with forwarding ports for internal/lan host.
I have a web server and (l2tp/ipsec, openvpn) vpn server on lan address 10.1.0.4; my WAN ip is let’s say: ex.ter.nal.ip and it’s connected on eth1-WAN port.
The filter rules were already created by default, also I have already tried to set up and move up and down nat rules, with no success.

I am pasting my filter and nat prints. Probably I am missing something obvious, would be happy if someone pointed me where I went wrong…

[admin@MikroTik] /ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic 
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 

 1    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp 

 2    ;;; defconf: accept established,related
      chain=input action=accept connection-state=established,related 

 3    ;;; defconf: drop all from WAN
      chain=input action=drop in-interface=ether1-WAN log=no log-prefix="" 

 4    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection connection-state=established,related 

 5    ;;; defconf: accept established,related
      chain=forward action=accept connection-state=established,related 

 6    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid log=no log-prefix="" 

 7    ;;; defconf:  drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=ether1-WAN log=no log-prefix=""

[admin@MikroTik] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic 
 0    chain=dstnat action=dst-nat to-addresses=10.1.0.4 to-ports=5001 protocol=tcp dst-address=ex.ter.nal.ip 
      in-interface=ether1-WAN dst-port=443 log=no log-prefix="" 

 1    chain=dstnat action=dst-nat to-addresses=10.1.0.4 to-ports=80 protocol=tcp dst-address=ex.ter.nal.ip 
      in-interface=ether1-WAN dst-port=80 log=no log-prefix="" 

 2    ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface=ether1-WAN 

 3    chain=dstnat action=dst-nat to-addresses=10.1.0.4 to-ports=500 protocol=udp dst-address=ex.ter.nal.ip d
      log=no log-prefix="" 

 4    chain=dstnat action=dst-nat to-addresses=10.1.0.4 to-ports=1701 protocol=udp dst-address=ex.ter.nal.ip 
      log=no log-prefix="" 

 5    chain=dstnat action=dst-nat to-addresses=10.1.0.4 to-ports=4500 protocol=udp dst-address=ex.ter.nal.ip 
      log=no log-prefix=""

BartoszP · December 6, 2016, 8:16pm

Check this http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/NAT#Forward_all_traffic_to_internal_host

mndh · December 6, 2016, 8:21pm

But that would forward all traffic going at external IP to one internal host, right? Problem is that once I fix this I will have to add more port forwards for different hosts so I guess this doesn’t help me much…

BartoszP · December 6, 2016, 8:39pm

If you have only one external IP address then you must DST-NAT each kind of traffic which means particular ports.
It is similar to telphone switchboard … one external phone number means that you cannot phone someone behind switchboard without dialing extension number. More external phones numbers (IPs) lets you assign them to particular extension numbers (internal hosts)

mndh · December 6, 2016, 8:51pm

Yes, I understand that. But my target configuration will be something like:

external:80 - internal host A:80
external:443 - internal host A:443
external:8000 - internal host B:80
external:1234 - internal host C:3000

etc
I’ve had such working configuration on some openwrt router, so I am totally sure it should be also possible here.

tl;dr One external wan address forwarding different ports to different internal hosts and ports

I’ve already started dst-natting such traffic, as pasted before in first post:

 0    chain=dstnat action=dst-nat to-addresses=10.1.0.4 to-ports=5001 protocol=tcp dst-address=ex.ter.nal.ip 
      in-interface=ether1-WAN dst-port=443 log=no log-prefix="" 

 1    chain=dstnat action=dst-nat to-addresses=10.1.0.4 to-ports=80 protocol=tcp dst-address=ex.ter.nal.ip 
      in-interface=ether1-WAN dst-port=80 log=no log-prefix=""

I guess my problem is with filter config and/or order of filters and/or nat rules…

UPDATE:
It seems that from external network I can access port-forwarded services, only issue is from inside, so forwarding kind of works.

janus20 · December 7, 2016, 9:37pm

Hi,

I think your problem accessing port forwarding services from inside using “public ip” as your point of origin is related to Hairpin NAT.
http://wiki.mikrotik.com/wiki/Hairpin_NAT

For your rules:

0 chain=dstnat action=dst-nat to-addresses=10.1.0.4 to-ports=5001 protocol=tcp dst-address=ex.ter.nal.ip
in-interface=ether1-WAN dst-port=443 log=no log-prefix=“”

1 chain=dstnat action=dst-nat to-addresses=10.1.0.4 to-ports=80 protocol=tcp dst-address=ex.ter.nal.ip
in-interface=ether1-WAN dst-port=80 log=no log-prefix=“”

try adding :

/ip firewall nat
add action=masquerade chain=srcnat comment="Acces 10.1.0.4 on 443" dst-address=10.1.0.4 \
    dst-port=443 log=no log-prefix="" out-interface=bridge protocol=tcp src-address=\
    10.1.0.0/24 to-addresses=10.1.0.4 to-ports=443
add action=masquerade chain=srcnat comment="Acces 10.1.0.4 on 80" dst-address=10.1.0.4 \
    dst-port=80 log=no log-prefix="" out-interface=bridge protocol=tcp src-address=\
    10.1.0.0/24 to-addresses=10.1.0.4 to-ports=80

assuming that
out-interface = bridge ( your local lan, presuming ether2,3..X are in bridge mode )
src-address = network segment of your web server host ( if your web server host has ip 10.1.0.4/255.255.255.0 )

Hope it helps.

kind regards,