vic666
December 14, 2015, 6:54pm
1
I want to forward requests to port 2222 to port 22 on an internal machine.
I created the rule in WebFig, but it’s the same as:
/ip firewall nat add chain=dstnat protocol=tcp dst-port=2222 \
action=dst-nat to-addresses=192.168.1.100 to-ports=22
I can ping the external address of the router just fine but the forwarding doesn’t seem to work.
Anything I missed that needs to be configured on top of that? I did not touch any other FW settings, they are all set on default, and the router is accessing the internet via PPPoE.
Appreciate any advice.
Vic
pukkita
December 15, 2015, 9:54am
2
If you used Quickset to set it, check that the actual WAN interface is the PPPoE interface and not the ether port PPPoE is using.
Please post the output of these commands:
/ip address export
/ip firewall filter export
/ip firewall nat export
vic666
December 15, 2015, 4:52pm
3
[admin@MikroTik] > /ip address export
# dec/15/2015 17:46:41 by RouterOS 6.32.2
# software id = 0PSH-3MGN
#
/ip address
add address=192.168.1.2/24 comment="default configuration" interface=\
ether2-master-local network=192.168.1.0
[admin@MikroTik] > /ip firewall filter export
# dec/15/2015 17:49:14 by RouterOS 6.32.2
# software id = 0PSH-3MGN
#
/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=\
established,related
add action=drop chain=input comment="default configuration" in-interface=\
ether1-gateway
add action=fasttrack-connection chain=forward comment="default configuration" \
connection-state=established,related
add chain=forward comment="default configuration" connection-state=\
established,related
add action=drop chain=forward comment="default configuration" \
connection-state=invalid
add action=drop chain=forward comment="default configuration" \
connection-nat-state=!dstnat connection-state=new in-interface=\
ether1-gateway
[admin@MikroTik] > /ip firewall nat export
# dec/15/2015 17:51:14 by RouterOS 6.32.2
# software id = 0PSH-3MGN
#
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" \
out-interface=pppoe-out1
add action=dst-nat chain=dstnat dst-port=2222 protocol=tcp to-addresses=\
192.168.1.1 to-ports=22
vic666
December 16, 2015, 7:07pm
4
Almost 2 days waiting for my reply to be posted.. very poor moderation here.
Anyway, I found a workaround in the meantime. I just disabled the rule “FastTrack Forward” in the Filter Rules list, and voilà, the port is being properly forwarded.
Is it possible to keep fast track on and to still have proper forwarding?
pukkita
December 17, 2015, 7:32pm
5
I cannot see why that would be affecting dst-nat; the default firewall configuration (as yours) works perfectly fine.
Upgrade to latest bugfix (6.32.3), make sure your firmware is up to date and reenable fasttrack…
p3rad0x
December 21, 2015, 9:48am
6
Hi,
Try and set up that last nat rule like this.
/ip firewall nat add chain=dstnat protocol=tcp dst-port=2222 dst-address="Your Public IP address" action=dst-nat to-addresses=192.168.1.100 to-ports=22
Is 192.168.1.100 running Linux with something like OpenSSH server?
If so I suggest you change the default port 22 to 2222.
Sometimes the firewall on the device running ssh will block your request if the connection is coming from outside your IP subnet.
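An added example, not part of the thread: a Python check over `/ip firewall nat export` output that flags dst-nat rules with no destination or inbound-interface matcher (the scoping suggested in the last post) and rules whose `to-addresses` differs from the intended host. The sample input is the NAT export posted above; the function names, `SCOPE_KEYS` and the `expected_target` parameter are assumptions of this example.

```python
import shlex

# Constructed sample: the NAT export as posted in the thread above.
SAMPLE_EXPORT = """\
# dec/15/2015 17:51:14 by RouterOS 6.32.2
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" \\
    out-interface=pppoe-out1
add action=dst-nat chain=dstnat dst-port=2222 protocol=tcp to-addresses=\\
    192.168.1.1 to-ports=22
"""

# Matchers that limit a dst-nat rule to traffic arriving at the router's WAN side.
SCOPE_KEYS = ("dst-address", "dst-address-list", "dst-address-type",
              "in-interface", "in-interface-list")

def parse_export(text):
    """Return one dict of key=value properties per 'add' line of an export."""
    rules, pending = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):          # exports wrap long lines with a trailing backslash
            pending += line[:-1]
            continue
        line, pending = pending + line, ""
        if not line.startswith("add "):  # skip comment lines and the menu path
            continue
        tokens = shlex.split(line)[1:]   # shlex keeps quoted comments as one token
        rules.append(dict(t.split("=", 1) for t in tokens if "=" in t))
    return rules

def audit_dstnat(rules, expected_target=None):
    """Flag dst-nat rules that are unscoped or forward to an unexpected host."""
    findings = []
    for r in rules:
        if r.get("chain") != "dstnat" or r.get("action") != "dst-nat":
            continue
        label = f"dst-port={r.get('dst-port')} -> {r.get('to-addresses')}:{r.get('to-ports')}"
        if not any(k in r for k in SCOPE_KEYS):
            findings.append((label, "unscoped"))         # matches port 2222 traffic from any side
        if expected_target and r.get("to-addresses") != expected_target:
            findings.append((label, "target-mismatch"))  # rule points at a different host
    return findings

if __name__ == "__main__":
    for label, issue in audit_dstnat(parse_export(SAMPLE_EXPORT), "192.168.1.100"):
        print(f"{issue}: {label}")
```

Run against the posted export with the host from the first post (192.168.1.100) as the expected target, it reports both findings for the port 2222 rule, whose exported `to-addresses` is 192.168.1.1.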