Port forwarding I am lost in here , please help

schpuntak · January 11, 2016, 6:01pm

I’ d like to forward ports such as smb , ftp to my NAS behind mikrotik.
I have Cable modem from ISP connected to Mikrotik router on WAN interface, NAS is connecte on one of LAN ports

my config is:
NAT:

0    ;;; default configuration
      chain=srcnat action=masquerade out-interface=ether1-gateway log=no 
      log-prefix="" 

 1    chain=dstnat action=dst-nat to-addresses=192.168.88.112 to-ports=21 
      protocol=tcp dst-address-list=MY_PUBLIC_IP in-interface=ether1-gateway 
      dst-port=21 log=no log-prefix="" 

 2    chain=dstnat action=dst-nat to-addresses=192.168.88.112 
      to-ports=5000-5001 protocol=tcp dst-port=5000-5001 log=no log-prefix="" 

 3    chain=dstnat action=dst-nat to-addresses=192.168.88.112 to-ports=445 
      protocol=tcp dst-port=445 log=no log-prefix="" 

 4    chain=dstnat action=dst-nat to-addresses=192.168.88.112 to-ports=445 
      protocol=udp dst-port=445 log=no log-prefix="" 

 5    chain=dstnat action=dst-nat to-addresses=192.168.88.112 to-ports=137-139 
      protocol=tcp dst-port=137-139 log=no log-prefix="" 

 6    chain=dstnat action=dst-nat to-addresses=192.168.88.112 to-ports=137-139 
      protocol=udp dst-port=137-139 log=no log-prefix=""

MY FILTER RULES:

 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward 

 1    ;;; accepting icmp
      chain=input action=accept protocol=icmp log=no log-prefix="" 

 2    ;;; accept establilished & related
      chain=input action=accept connection-state=established,related 
      log=no log-prefix="" 

 3 X  ;;; dropping anything coming from externaly
      chain=input action=drop in-interface=ether1-gateway log=no 
      log-prefix="" 

 4    ;;; default configuration
      chain=forward action=fasttrack-connection 
      connection-state=established,related log=no log-prefix="" 

 5    ;;; dropping invalid forward
      chain=forward action=drop connection-state=invalid log=no 
      log-prefix="" 

 6    ;;; forward estabilished and related
      chain=forward action=accept connection-state=established,related 
      log=no log-prefix="
      
       7    ;;; accepting forward dst-nat externally and dropping non dst nat conns
      chain=forward action=drop connection-state=new 
      connection-nat-state=!dstnat in-interface=ether1-gateway log=no 
      log-prefix=""

RESULT: Accessing from SMB://MYPUBLIC IP does not work
FTP does the handshake but directory listing times out, so in at the end does not work

How NAT rules interfere with filter rules? What is superseding what?
Can I have chain input dropped to ether-gw (WAN interface) and allowed only one host by MAC?

THANKS TO ALLLLLLLL!!!

Revelation · January 24, 2016, 2:31am

Off-hand none of your other rules have the dst address of your Public IP.

From the wiki: http://wiki.mikrotik.com/wiki/Forwarding_a_port_to_an_internal_IP

/ip firewall nat add chain=dstnat dst-address=69.69.69.69 protocol=tcp dst-port=5900 \
    action=dst-nat to-addresses=192.168.1.101 to-ports=5900

skuykend · January 24, 2016, 3:10am

Most ISP’s block SMB ports, so that’s most likely your problem there.

Like Revolution alluded to, your DSTNAT is too generic and will match any traffic the router handles. You should put some other filters on it like IP address, incoming interface, etc. Otherwise they generally will use the first rule that matches in that particular chain.

Also check to make sure that the NAT ftp helper is enabled and working. /ip firewall service-port