Port Forwarding issue

Hi, I am a newbie here.

I need all your help to port forward a local server IP to the PPP network.

I have 2 types of networks:
first PPPoE, that is A: 10.10.10.1/24
second is a normal IP pool, that is B: 10.10.20.1/24
Both A and B are in the same bridge.
I have a static public IP for WAN too.
I have a web and application server in network B on a specific IP.
I have port forwarded that IP of the B network to WAN successfully and it can be accessed globally, but I can't access that machine in my PPPoE network, and the requirement is to access that machine using DNS or via the WAN IP, not with the local IP.

Your kind suggestions will be a great help for me.
And sorry for my bad English.

It seems you’re looking for https://wiki.mikrotik.com/wiki/Hairpin_NAT

Thanks for the reply, Sir,
But what I think is that hairpin NAT works within the same network segment, and in my scenario I have two different network segments, A and B, so when I did that after googling, it is not working.

You’re right, sorry. It could be something with firewall filter, but without seeing it it’s hard to tell what exactly. Or dstnat rules, common problem is using in-interface=WAN and then it can’t work from LAN. If that’s not it, you can export your config, post it here and hopefully someone will spot the problem.

Actually the main problem is that my first LAN network is PPPoE and the second is normal, without DHCP, IP based; now PPPoE users are unable to access that web server.

ADDRESS NETWORK INTERFACE

0 172.40.51.100/24 172.40.51.0 bridge1
1 10.10.20.100/24 10.10.20.0 bridge1
2 192.168.5.1/24 192.168.5.0 bridge1
3 192.168.11.12/24 192.168.11.0 bridge1
4 X.X.X.X/29 X.X.X.X ether5 (WAN)

PPPoE Pool

NAME RANGES

0 PPPOE 10.10.10.0/24

/ip firewall NAT
0 X chain=srcnat action=src-nat to-addresses=10.10.20.44 to-ports=8080 protocol=tcp src-address-list=pppoe out-interface=bridge1 dst-port=8080 log=no
log-prefix=""

1 X chain=srcnat action=src-nat to-addresses=10.10.20.44 to-ports=443 protocol=tcp src-address-list=pppoe out-interface=bridge1 dst-port=443 log=no
log-prefix=""

2 X chain=srcnat action=src-nat to-addresses=10.10.20.44 to-ports=80 protocol=tcp src-address-list=pppoe out-interface=bridge1 dst-port=80 log=no
log-prefix=""

3 X chain=dstnat action=dst-nat to-addresses=10.10.20.44 to-ports=80 protocol=tcp dst-address=X.X.X.X dst-port=80 log=no log-prefix=""

4 chain=dstnat action=dst-nat to-addresses=10.10.20.44 to-ports=443 protocol=tcp dst-address=X.X.X.X dst-port=443 log=no log-prefix=""

5 chain=dstnat action=dst-nat to-addresses=10.10.20.44 to-ports=8080 protocol=tcp dst-address=X.X.X.X dst-port=8080 log=no log-prefix=""

6 chain=dstnat action=dst-nat to-addresses=10.10.20.44 to-ports=5060 protocol=tcp dst-address=X.X.X.X dst-port=5060 log=no log-prefix=""

In the NAT rules, 0, 1, 2, 3 are disabled; 4, 5, 6 are working fine and gave me global access to my web server.

Now what rule do I need to add to access the web server through a PPPoE user from the DNS name?

Any help will be appreciated.

No One Available here to help :frowning:

need it on a bit urgent basis

There’s nothing wrong with your dstnat rules. Any tcp connection to X.X.X.X:443/8080/5060 coming to this router will be dstnatted to 10.10.20.44:sameport, no matter where it came from. It can still be blocked by firewall filter, or possibly by some other misconfigurations (RouterOS offers many ways how to do that).

Thanks for the revert,

Yes, with those dstnat rules the server is accessible from all hosts, either in the same IP series or from outside the network, except the PPPoE network (10.10.10.1/24). How can I do that?

10.10.20.44 is accessible from the PPPoE network via the local (10.10.20.44) IP, but not accessible via the DNS name (abc.co.in) or via the X.X.X.X IP either.

For this I need your help…

It’s easier said than done, without seeing what you have. This is a good start:

/export hide-sensitive file=yourconfig

And then post content of yourconfig.rsc here in code tags.

# oct/28/2020 02:46:40 by RouterOS 6.46.7
# software id = JUWA-DRPX
#
# model = 850Gx2
# serial number = 71DC071F24E4
/interface bridge
add comment=ppoe fast-forward=no name=bridge1
add fast-forward=no name=wan
/interface ethernet
set [ find default-name=ether1 ] comment="local switch" speed=100Mbps
set [ find default-name=ether2 ] comment=free speed=100Mbps
set [ find default-name=ether3 ] comment=direct_testing speed=100Mbps
set [ find default-name=ether4 ] comment=server speed=100Mbps
set [ find default-name=ether5 ] comment=input speed=100Mbps
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=PPPOE ranges=10.10.10.0/24
/ppp profile
add dns-server=8.8.8.8,4.2.2.2 local-address=x.x.x.x name=profile1 \
    remote-address=PPPOE
/system logging action
set 1 disk-file-name=flash/log
/user group
set write policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pa\
    ssword,web,sniff,sensitive,api,romon,tikapp,!dude"
/interface bridge port
add bridge=bridge1 hw=no interface=ether1
add bridge=bridge1 hw=no interface=ether4
add bridge=wan hw=no interface=ether3
add bridge=wan hw=no interface=ether5
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-pppoe=yes
/interface pppoe-server server
add default-profile=profile1 disabled=no interface=bridge1 service-name=\
    1_tripleplay
add interface=bridge1 service-name=2_tp
/ip address
add address=172.40.51.100/24 interface=bridge1 network=172.40.51.0
add address=10.10.20.100/24 interface=bridge1 network=10.10.20.0
add address=192.168.5.1/24 interface=bridge1 network=192.168.5.0
add address=192.168.11.12/24 interface=bridge1 network=192.168.11.0
add address=x.x.x.x/29 interface=ether5 network=y.y.y.y
/ip cloud advanced
set use-local-address=yes
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=x.x.x.x name=abc.co.in
/ip firewall nat
add action=masquerade chain=srcnat src-address=10.10.10.0/24
add action=dst-nat chain=dstnat dst-address=x.x.x.x dst-port=80 \
    protocol=tcp to-addresses=10.10.20.44 to-ports=80
add action=dst-nat chain=dstnat dst-address=x.x.x.x dst-port=443 \
    protocol=tcp to-addresses=10.10.20.44 to-ports=443
add action=dst-nat chain=dstnat dst-address=x.x.x.x dst-port=8080 \
    protocol=tcp to-addresses=10.10.20.44 to-ports=8080
add action=dst-nat chain=dstnat dst-address=103.70.146.190 dst-port=5060 \
    protocol=tcp to-addresses=10.10.20.44 to-ports=5060
add action=masquerade chain=srcnat comment=d/c_nvr src-address=192.168.5.245
add action=masquerade chain=srcnat comment=d/c_dvr1 src-address=192.168.5.247
add action=masquerade chain=srcnat comment=d/c_nvr2 src-address=192.168.5.246
add action=masquerade chain=srcnat src-address=10.10.20.20
add action=masquerade chain=srcnat src-address=10.10.20.44
add action=masquerade chain=srcnat src-address=10.10.20.101
add action=masquerade chain=srcnat src-address=10.10.20.120
add action=masquerade chain=srcnat src-address=10.10.20.10
add action=dst-nat chain=dstnat dst-address=x.x.x.x dst-port=19690 \
    protocol=tcp to-addresses=10.10.20.10 to-ports=80
add action=dst-nat chain=dstnat dst-address=x.x.x.x dst-port=1812 \
    protocol=udp to-addresses=172.40.51.51 to-ports=1812
add action=dst-nat chain=dstnat dst-address=x.x.x.x dst-port=1813 \
    protocol=udp to-addresses=172.40.51.51 to-ports=1813
add action=dst-nat chain=dstnat dst-address=x.x.x.x dst-port=122 \
    protocol=tcp to-addresses=10.10.20.2 to-ports=22
add action=dst-nat chain=dstnat dst-address=x.x.x.x dst-port=1280 \
    protocol=tcp to-addresses=10.10.20.21 to-ports=80
add action=dst-nat chain=dstnat dst-address=x.x.x.x dst-port=59 \
    protocol=tcp to-addresses=172.40.51.51 to-ports=8291
add action=accept chain=dstnat disabled=yes dst-address=x.x.x.x \
    dst-port=80 protocol=tcp src-address=10.10.10.0/24
add action=redirect chain=dstnat disabled=yes dst-port=80 protocol=tcp \
    src-address=10.10.10.0/24 to-ports=1080
/ip route
add distance=1 gateway=z.z.z.z
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www port=180
set ssh disabled=yes
set api disabled=yes
set winbox port=62
set api-ssl disabled=yes
/ppp aaa
set use-radius=yes
/radius
add address=10.10.20.10 service=ppp timeout=500ms
/snmp
set contact=TheRectifiers enabled=yes location="SHRI Radha Valley" \
    trap-community=TRVALLEY trap-version=2
/system clock
set time-zone-name=Asia/Kolkata
/system logging
add disabled=yes prefix=valley topics=firewall
/system ntp client
set enabled=yes primary-ntp=10.10.20.10 secondary-ntp=10.10.20.10
/system package update
set channel=long-term
/system scheduler
add disabled=yes interval=1h name=radius on-event=\
    "/radius disable number=0\r\
    \n:delay 25s\r\
    \n/radius enable number=0" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=oct/21/2020 start-time=07:00:00
/tool graphing interface
add interface=ether1
add interface=ether5
add interface=ether4
add
/tool graphing resource
add
x.x.x.x is my public IP
y.y.y.y is the network address
z.z.z.z is my gateway
abc.co.in is my website Domain name

Ok, so you don’t have any firewall at all. That’s not ideal, if nothing else, your router is now an open DNS resolver (not good). But on the upside, if it doesn’t exist, it can’t block anything.

I don’t see anything clearly wrong, so try to find out what exactly happens. You can use some logging rules, for example:

/ip firewall mangle
add chain=prerouting src-address=10.10.10.x dst-address=x.x.x.x protocol=tcp dst-port=80 connection-state=new \
    action=mark-connection new-connection-mark=debug passthrough=yes log=yes log-prefix=NEW
add action=log chain=prerouting connection-mark=debug
add action=log chain=postrouting connection-mark=debug

Then when you try to connect from 10.10.10.x to x.x.x.x:80, it will log all packets and you will be able to see if request goes to server, if server sends any response, everything.

Thanks again, sir,

As I already told you, I am a newbie here, so I don't know how to set up a firewall and how to change it to a closed DNS resolver; I need your help with that too, please.

And after adding those log rules to prerouting I didn't understand anything from those logs, as posted below:

# oct/28/2020 10:37:33 by RouterOS 6.46.7
# software id = JUWA-DRPX

10:37:13 firewall,info NEW prerouting: in:bridge1(ether1) out:(unknown 0), proto TCP (SYN), 10.10.10.150:60376->103.70.146.190:80, len 64
10:37:13 firewall,info prerouting: in:bridge1(ether1) out:(unknown 0), proto TCP (SYN), 10.10.10.150:60376->103.70.146.190:80, len 64
10:37:13 firewall,info postrouting: in:(unknown 0)(ether1) out:bridge1, proto TCP (SYN), 10.10.10.150:60376->10.10.20.44:80, NAT 10.10.10.150:60376->(103.70.146.190:80->10.10.20.44:80), len 64
10:37:13 firewall,info NEW prerouting: in:bridge1(ether1) out:(unknown 0), proto TCP (SYN), 10.10.10.150:60377->103.70.146.190:80, len 64
10:37:13 firewall,info prerouting: in:bridge1(ether1) out:(unknown 0), proto TCP (SYN), 10.10.10.150:60377->103.70.146.190:80, len 64
10:37:13 firewall,info postrouting: in:(unknown 0)(ether1) out:bridge1, proto TCP (SYN), 10.10.10.150:60377->10.10.20.44:80, NAT 10.10.10.150:60377->(103.70.146.190:80->10.10.20.44:80), len 64
10:37:14 firewall,info NEW prerouting: in:bridge1(ether1) out:(unknown 0), proto TCP (SYN), 10.10.10.150:60378->103.70.146.190:80, len 64
10:37:14 firewall,info prerouting: in:bridge1(ether1) out:(unknown 0), proto TCP (SYN), 10.10.10.150:60378->103.70.146.190:80, len 64
10:37:14 firewall,info postrouting: in:(unknown 0)(ether1) out:bridge1, proto TCP (SYN), 10.10.10.150:60378->10.10.20.44:80, NAT 10.10.10.150:60378->(103.70.146.190:80->10.10.20.44:80), len 64
10:37:14 firewall,info NEW prerouting: in:bridge1(ether1) out:(unknown 0), proto TCP (SYN), 10.10.10.150:60377->103.70.146.190:80, NAT (10.10.10.150:60377->10.10.20.100:60377)->(103.70.146.190:80->10.10.20.44:80), len 64
10:37:14 firewall,info prerouting: in:bridge1(ether1) out:(unknown 0), proto TCP (SYN), 10.10.10.150:60377->103.70.146.190:80, NAT (10.10.10.150:60377->10.10.20.100:60377)->(103.70.146.190:80->10.10.20.44:80), len 64
10:37:14 firewall,info postrouting: in:(unknown 0)(ether1) out:bridge1, proto TCP (SYN), 10.10.10.150:60377->10.10.20.44:80, NAT (10.10.10.150:60377->10.10.20.100:60377)->(103.70.146.190:80->10.10.20.44:80), len 64
10:37:14 firewall,info NEW prerouting: in:bridge1(ether1) out:(unknown 0), proto TCP (SYN), 10.10.10.150:60376->103.70.146.190:80, NAT (10.10.10.150:60376->10.10.20.100:60376)->(103.70.146.190:80->10.10.20.44:80), len 64
10:37:14 firewall,info prerouting: in:bridge1(ether1) out:(unknown 0), proto TCP (SYN), 10.10.10.150:60376->103.70.146.190:80, NAT (10.10.10.150:60376->10.10.20.100:60376)->(103.70.146.190:80->10.10.20.44:80), len 64
10:37:14 firewall,info postrouting: in:(unknown 0)(ether1) out:bridge1, proto TCP (SYN), 10.10.10.150:60376->10.10.20.44:80, NAT (10.10.10.150:60376->10.10.20.100:60376)->(103.70.146.190:80->10.10.20.44:80), len 64
10:37:15 firewall,info NEW prerouting: in:bridge1(ether1) out:(unknown 0), proto TCP (SYN), 10.10.10.150:60378->103.70.146.190:80, NAT (10.10.10.150:60378->10.10.20.100:60378)->(103.70.146.190:80->10.10.20.44:80), len 64
10:37:15 firewall,info prerouting: in:bridge1(ether1) out:(unknown 0), proto TCP (SYN), 10.10.10.150:60378->103.70.146.190:80, NAT (10.10.10.150:60378->10.10.20.100:60378)->(103.70.146.190:80->10.10.20.44:80), len 64
10:37:15 firewall,info postrouting: in:(unknown 0)(ether1) out:bridge1, proto TCP (SYN), 10.10.10.150:60378->10.10.20.44:80, NAT (10.10.10.150:60378->10.10.20.100:60378)->(103.70.146.190:80->10.10.20.44:80), len 64
10:37:15 firewall,info NEW prerouting: in:bridge1(ether1) out:(unknown 0), proto TCP (SYN), 10.10.10.150:60377->103.70.146.190:80, NAT (10.10.10.150:60377->10.10.20.100:60377)->(103.70.146.190:80->10.10.20.44:80), len 64
10:37:15 firewall,info prerouting: in:bridge1(ether1) out:(unknown 0), proto TCP (SYN), 10.10.10.150:60377->103.70.146.190:80, NAT (10.10.10.150:60377->10.10.20.100:60377)->(103.70.146.190:80->10.10.20.44:80), len 64
10:37:15 firewall,info postrouting: in:(unknown 0)(ether1) out:bridge1, proto TCP (SYN), 10.10.10.150:60377->10.10.20.44:80, NAT (10.10.10.150:60377->10.10.20.100:60377)->(103.70.146.190:80->10.10.20.44:80), len 64
10:37:15 firewall,info NEW prerouting: in:bridge1(ether1) out:(unknown 0), proto TCP (SYN), 10.10.10.150:60376->103.70.146.190:80, NAT (10.10.10.150:60376->10.10.20.100:60376)->(103.70.146.190:80->10.10.20.44:80), len 64
10:37:15 firewall,info prerouting: in:bridge1(ether1) out:(unknown 0), proto TCP (SYN), 10.10.10.150:60376->103.70.146.190:80, NAT (10.10.10.150:60376->10.10.20.100:60376)->(103.70.146.190:80->10.10.20.44:80), len 64
10:37:15 firewall,info postrouting: in:(unknown 0)(ether1) out:bridge1, proto TCP (SYN), 10.10.10.150:60376->10.10.20.44:80, NAT (10.10.10.150:60376->10.10.20.100:60376)->(103.70.146.190:80->10.10.20.44:80), len 64
10:37:16 firewall,info NEW prerouting: in:bridge1(ether1) out:(unknown 0), proto TCP (SYN), 10.10.10.150:60378->103.70.146.190:80, NAT (10.10.10.150:60378->10.10.20.100:60378)->(103.70.146.190:80->10.10.20.44:80), len 64
10:37:16 firewall,info prerouting: in:bridge1(ether1) out:(unknown 0), proto TCP (SYN), 10.10.10.150:60378->103.70.146.190:80, NAT (10.10.10.150:60378->10.10.20.100:60378)->(103.70.146.190:80->10.10.20.44:80), len 64
10:37:16 firewall,info postrouting: in:(unknown 0)(ether1) out:bridge1, proto TCP (SYN), 10.10.10.150:60378->10.10.20.44:80, NAT (10.10.10.150:60378->10.10.20.100:60378)->(103.70.146.190:80->10.10.20.44:80), len 64
10:37:16 firewall,info NEW prerouting: in:bridge1(ether1) out:(unknown 0), proto TCP (SYN), 10.10.10.150:60377->103.70.146.190:80, NAT (10.10.10.150:60377->10.10.20.100:60377)->(103.70.146.190:80->10.10.20.44:80), len 64
10:37:16 firewall,info prerouting: in:bridge1(ether1) out:(unknown 0), proto TCP (SYN), 10.10.10.150:60377->103.70.146.190:80, NAT (10.10.10.150:60377->10.10.20.100:60377)->(103.70.146.190:80->10.10.20.44:80), len 64
10:37:16 firewall,info postrouting: in:(unknown 0)(ether1) out:bridge1, proto TCP (SYN), 10.10.10.150:60377->10.10.20.44:80, NAT (10.10.10.150:60377->10.10.20.100:60377)->(103.70.146.190:80->10.10.20.44:80), len 64
10:37:16 firewall,info NEW prerouting: in:bridge1(ether1) out:(unknown 0), proto TCP (SYN), 10.10.10.150:60376->103.70.146.190:80, NAT (10.10.10.150:60376->10.10.20.100:60376)->(103.70.146.190:80->10.10.20.44:80), len 64
10:37:16 firewall,info prerouting: in:bridge1(ether1) out:(unknown 0), proto TCP (SYN), 10.10.10.150:60376->103.70.146.190:80, NAT (10.10.10.150:60376->10.10.20.100:60376)->(103.70.146.190:80->10.10.20.44:80), len 64
10:37:16 firewall,info postrouting: in:(unknown 0)(ether1) out:bridge1, proto TCP (SYN), 10.10.10.150:60376->10.10.20.44:80, NAT (10.10.10.150:60376->10.10.20.100:60376)->(103.70.146.190:80->10.10.20.44:80), len 64
10:37:17 firewall,info NEW prerouting: in:bridge1(ether1) out:(unknown 0), proto TCP (SYN), 10.10.10.150:60378->103.70.146.190:80, NAT (10.10.10.150:60378->10.10.20.100:60378)->(103.70.146.190:80->10.10.20.44:80), len 64
10:37:17 firewall,info prerouting: in:bridge1(ether1) out:(unknown 0), proto TCP (SYN), 10.10.10.150:60378->103.70.146.190:80, NAT (10.10.10.150:60378->10.10.20.100:60378)->(103.70.146.190:80->10.10.20.44:80), len 64
10:37:17 firewall,info postrouting: in:(unknown 0)(ether1) out:bridge1, proto TCP (SYN), 10.10.10.150:60378->10.10.20.44:80, NAT (10.10.10.150:60378->10.10.20.100:60378)->(103.70.146.190:80->10.10.20.44:80), len 64
10:37:17 firewall,info NEW prerouting: in:bridge1(ether1) out:(unknown 0), proto TCP (SYN), 10.10.10.150:60377->103.70.146.190:80, NAT (10.10.10.150:60377->10.10.20.100:60377)->(103.70.146.190:80->10.10.20.44:80), len 64
10:37:17 firewall,info prerouting: in:bridge1(ether1) out:(unknown 0), proto TCP (SYN), 10.10.10.150:60377->103.70.146.190:80, NAT (10.10.10.150:60377->10.10.20.100:60377)->(103.70.146.190:80->10.10.20.44:80), len 64
10:37:17 firewall,info postrouting: in:(unknown 0)(ether1) out:bridge1, proto TCP (SYN), 10.10.10.150:60377->10.10.20.44:80, NAT (10.10.10.150:60377->10.10.20.100:60377)->(103.70.146.190:80->10.10.20.44:80), len 64
10:37:17 firewall,info NEW prerouting: in:bridge1(ether1) out:(unknown 0), proto TCP (SYN), 10.10.10.150:60376->103.70.146.190:80, NAT (10.10.10.150:60376->10.10.20.100:60376)->(103.70.146.190:80->10.10.20.44:80), len 64
10:37:17 firewall,info prerouting: in:bridge1(ether1) out:(unknown 0), proto TCP (SYN), 10.10.10.150:60376->103.70.146.190:80, NAT (10.10.10.150:60376->10.10.20.100:60376)->(103.70.146.190:80->10.10.20.44:80), len 64
10:37:17 firewall,info postrouting: in:(unknown 0)(ether1) out:bridge1, proto TCP (SYN), 10.10.10.150:60376->10.10.20.44:80, NAT (10.10.10.150:60376->10.10.20.100:60376)->(103.70.146.190:80->10.10.20.44:80), len 64
10:37:18 firewall,info NEW prerouting: in:bridge1(ether1) out:(unknown 0), proto TCP (SYN), 10.10.10.150:60378->103.70.146.190:80, NAT (10.10.10.150:60378->10.10.20.100:60378)->(103.70.146.190:80->10.10.20.44:80), len 64
10:37:18 firewall,info prerouting: in:bridge1(ether1) out:(unknown 0), proto TCP (SYN), 10.10.10.150:60378->103.70.146.190:80, NAT (10.10.10.150:60378->10.10.20.100:60378)->(103.70.146.190:80->10.10.20.44:80), len 64
10:37:18 firewall,info postrouting: in:(unknown 0)(ether1) out:bridge1, proto TCP (SYN), 10.10.10.150:60378->10.10.20.44:80, NAT (10.10.10.150:60378->10.10.20.100:60378)->(103.70.146.190:80->10.10.20.44:80), len 64
10:37:18 firewall,info NEW prerouting: in:bridge1(ether1) out:(unknown 0), proto TCP (SYN), 10.10.10.150:60377->103.70.146.190:80, NAT (10.10.10.150:60377->10.10.20.100:60377)->(103.70.146.190:80->10.10.20.44:80), len 64
10:37:18 firewall,info prerouting: in:bridge1(ether1) out:(unknown 0), proto TCP (SYN), 10.10.10.150:60377->103.70.146.190:80, NAT (10.10.10.150:60377->10.10.20.100:60377)->(103.70.146.190:80->10.10.20.44:80), len 64
10:37:18 firewall,info postrouting: in:(unknown 0)(ether1) out:bridge1, proto TCP (SYN), 10.10.10.150:60377->10.10.20.44:80, NAT (10.10.10.150:60377->10.10.20.100:60377)->(103.70.146.190:80->10.10.20.44:80), len 64
10:37:18 firewall,info NEW prerouting: in:bridge1(ether1) out:(unknown 0), proto TCP (SYN), 10.10.10.150:60376->103.70.146.190:80, NAT (10.10.10.150:60376->10.10.20.100:60376)->(103.70.146.190:80->10.10.20.44:80), len 64
10:37:18 firewall,info prerouting: in:bridge1(ether1) out:(unknown 0), proto TCP (SYN), 10.10.10.150:60376->103.70.146.190:80, NAT (10.10.10.150:60376->10.10.20.100:60376)->(103.70.146.190:80->10.10.20.44:80), len 64
10:37:18 firewall,info postrouting: in:(unknown 0)(ether1) out:bridge1, proto TCP (SYN), 10.10.10.150:60376->10.10.20.44:80, NAT (10.10.10.150:60376->10.10.20.100:60376)->(103.70.146.190:80->10.10.20.44:80), len 64
10:37:19 firewall,info NEW prerouting: in:bridge1(ether1) out:(unknown 0), proto TCP (SYN), 10.10.10.150:60378->103.70.146.190:80, NAT (10.10.10.150:60378->10.10.20.100:60378)->(103.70.146.190:80->10.10.20.44:80), len 64
10:37:19 firewall,info prerouting: in:bridge1(ether1) out:(unknown 0), proto TCP (SYN), 10.10.10.150:60378->103.70.146.190:80, NAT (10.10.10.150:60378->10.10.20.100:60378)->(103.70.146.190:80->10.10.20.44:80), len 64
10:37:19 firewall,info postrouting: in:(unknown 0)(ether1) out:bridge1, proto TCP (SYN), 10.10.10.150:60378->10.10.20.44:80, NAT (10.10.10.150:60378->10.10.20.100:60378)->(103.70.146.190:80->10.10.20.44:80), len 64
10:37:20 firewall,info NEW prerouting: in:bridge1(ether1) out:(unknown 0), proto TCP (SYN), 10.10.10.150:60377->103.70.146.190:80, NAT (10.10.10.150:60377->10.10.20.100:60377)->(103.70.146.190:80->10.10.20.44:80), len 64
10:37:20 firewall,info prerouting: in:bridge1(ether1) out:(unknown 0), proto TCP (SYN), 10.10.10.150:60377->103.70.146.190:80, NAT (10.10.10.150:60377->10.10.20.100:60377)->(103.70.146.190:80->10.10.20.44:80), len 64
10:37:20 firewall,info postrouting: in:(unknown 0)(ether1) out:bridge1, proto TCP (SYN), 10.10.10.150:60377->10.10.20.44:80, NAT (10.10.10.150:60377->10.10.20.100:60377)->(103.70.146.190:80->10.10.20.44:80), len 64
10:37:20 firewall,info NEW prerouting: in:bridge1(ether1) out:(unknown 0), proto TCP (SYN), 10.10.10.150:60376->103.70.146.190:80, NAT (10.10.10.150:60376->10.10.20.100:60376)->(103.70.146.190:80->10.10.20.44:80), len 64
10:37:20 firewall,info prerouting: in:bridge1(ether1) out:(unknown 0), proto TCP (SYN), 10.10.10.150:60376->103.70.146.190:80, NAT (10.10.10.150:60376->10.10.20.100:60376)->(103.70.146.190:80->10.10.20.44:80), len 64
10:37:20 firewall,info postrouting: in:(unknown 0)(ether1) out:bridge1, proto TCP (SYN), 10.10.10.150:60376->10.10.20.44:80, NAT (10.10.10.150:60376->10.10.20.100:60376)->(103.70.146.190:80->10.10.20.44:80), len 64
10:37:21 firewall,info NEW prerouting: in:bridge1(ether1) out:(unknown 0), proto TCP (SYN), 10.10.10.150:60378->103.70.146.190:80, NAT (10.10.10.150:60378->10.10.20.100:60378)->(103.70.146.190:80->10.10.20.44:80), len 64
10:37:21 firewall,info prerouting: in:bridge1(ether1) out:(unknown 0), proto TCP (SYN), 10.10.10.150:60378->103.70.146.190:80, NAT (10.10.10.150:60378->10.10.20.100:60378)->(103.70.146.190:80->10.10.20.44:80), len 64
10:37:21 firewall,info postrouting: in:(unknown 0)(ether1) out:bridge1, proto TCP (SYN), 10.10.10.150:60378->10.10.20.44:80, NAT (10.10.10.150:60378->10.10.20.100:60378)->(103.70.146.190:80->10.10.20.44:80), len 64
10:37:25 firewall,info NEW prerouting: in:bridge1(ether1) out:(unknown 0), proto TCP (SYN), 10.10.10.150:60377->103.70.146.190:80, NAT (10.10.10.150:60377->10.10.20.100:60377)->(103.70.146.190:80->10.10.20.44:80), len 64
10:37:25 firewall,info prerouting: in:bridge1(ether1) out:(unknown 0), proto TCP (SYN), 10.10.10.150:60377->103.70.146.190:80, NAT (10.10.10.150:60377->10.10.20.100:60377)->(103.70.146.190:80->10.10.20.44:80), len 64
10:37:25 firewall,info postrouting: in:(unknown 0)(ether1) out:bridge1, proto TCP (SYN), 10.10.10.150:60377->10.10.20.44:80, NAT (10.10.10.150:60377->10.10.20.100:60377)->(103.70.146.190:80->10.10.20.44:80), len 64
10:37:25 firewall,info NEW prerouting: in:bridge1(ether1) out:(unknown 0), proto TCP (SYN), 10.10.10.150:60376->103.70.146.190:80, NAT (10.10.10.150:60376->10.10.20.100:60376)->(103.70.146.190:80->10.10.20.44:80), len 64
10:37:25 firewall,info prerouting: in:bridge1(ether1) out:(unknown 0), proto TCP (SYN), 10.10.10.150:60376->103.70.146.190:80, NAT (10.10.10.150:60376->10.10.20.100:60376)->(103.70.146.190:80->10.10.20.44:80), len 64
10:37:25 firewall,info postrouting: in:(unknown 0)(ether1) out:bridge1, proto TCP (SYN), 10.10.10.150:60376->10.10.20.44:80, NAT (10.10.10.150:60376->10.10.20.100:60376)->(103.70.146.190:80->10.10.20.44:80), len 64
10:37:25 firewall,info NEW prerouting: in:bridge1(ether1) out:(unknown 0), proto TCP (SYN), 10.10.10.150:60378->103.70.146.190:80, NAT (10.10.10.150:60378->10.10.20.100:60378)->(103.70.146.190:80->10.10.20.44:80), len 64
10:37:25 firewall,info prerouting: in:bridge1(ether1) out:(unknown 0), proto TCP (SYN), 10.10.10.150:60378->103.70.146.190:80, NAT (10.10.10.150:60378->10.10.20.100:60378)->(103.70.146.190:80->10.10.20.44:80), len 64
10:37:25 firewall,info postrouting: in:(unknown 0)(ether1) out:bridge1, proto TCP (SYN), 10.10.10.150:60378->10.10.20.44:80, NAT (10.10.10.150:60378->10.10.20.100:60378)->(103.70.146.190:80->10.10.20.44:80), len 64
10:37:33 firewall,info NEW prerouting: in:bridge1(ether1) out:(unknown 0), proto TCP (SYN), 10.10.10.150:60377->103.70.146.190:80, len 64
10:37:33 firewall,info prerouting: in:bridge1(ether1) out:(unknown 0), proto TCP (SYN), 10.10.10.150:60377->103.70.146.190:80, len 64
10:37:33 firewall,info postrouting: in:(unknown 0)(ether1) out:bridge1, proto TCP (SYN), 10.10.10.150:60377->10.10.20.44:80, NAT 10.10.10.150:60377->(103.70.146.190:80->10.10.20.44:80), len 64
10:37:33 firewall,info NEW prerouting: in:bridge1(ether1) out:(unknown 0), proto TCP (SYN), 10.10.10.150:60376->103.70.146.190:80, len 64
10:37:33 firewall,info prerouting: in:bridge1(ether1) out:(unknown 0), proto TCP (SYN), 10.10.10.150:60376->103.70.146.190:80, len 64
10:37:33 firewall,info postrouting: in:(unknown 0)(ether1) out:bridge1, proto TCP (SYN), 10.10.10.150:60376->10.10.20.44:80, NAT 10.10.10.150:60376->(103.70.146.190:80->10.10.20.44:80), len 64
10:37:33 firewall,info NEW prerouting: in:bridge1(ether1) out:(unknown 0), proto TCP (SYN), 10.10.10.150:60378->103.70.146.190:80, len 64
10:37:33 firewall,info prerouting: in:bridge1(ether1) out:(unknown 0), proto TCP (SYN), 10.10.10.150:60378->103.70.146.190:80, len 64
10:37:33 firewall,info postrouting: in:(unknown 0)(ether1) out:bridge1, proto TCP (SYN), 10.10.10.150:60378->10.10.20.44:80, NAT 10.10.10.150:60378->(103.70.146.190:80->10.10.20.44:80), len 64

Forum Guru, waiting for your kind revert…

I also want to tell you that the web server is a speedtest server which is accessible globally, but not by this PPPoE network only…

You can see connection attempts from 10.10.10.150 to public address. Dstnat works and changes destination to 10.10.20.44. Packet then continues to bridge, where the target address should be connected. There’s also srcnat (your /ip firewall nat add action=masquerade chain=srcnat src-address=10.10.10.0/24) that changes source to 10.10.20.100. The last part should not be necessary (you can add out-interface=ether5 and it will apply only to connections to internet), but it shouldn’t break it either (although it’s not impossible, maybe the server doesn’t like connections from private addresses). The main problem is that there’s no response coming from 10.10.20.44, so you need to check what happens on that device.

One weird thing is that 10.10.10.150 is supposed to be PPPoE client, but incoming interface shows as in:bridge1(ether1). I’m not sure if it can be related to:

/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-pppoe=yes

I never used PPPoE with bridge (and rarely PPPoE as a whole), but I avoid use-ip-firewall=yes like the plague, because it does unexpected things. Maybe that’s it. But it doesn’t look like PPPoE clients are bridged. You can test it, try to disable both, unless you’re sure that you need it.

In any case, I think you’d benefit from the help of someone local, who understands networking and would have enough time to properly explain everything, because it seems there’s quite a lot you need to learn. It would be an especially good idea if this is anything more than just a hobby.
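The log reading walked through in the reply above (dstnat applied, srcnat applied, no answer from the server), as an added example that is not part of the original thread: a small Python parser for firewall log lines in the format posted here. The sample lines are constructed, 203.0.113.10 stands in for the public address, and the SYN,ACK line is an assumed rendering of what a reply packet would look like under the same logging rules.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the log above. 203.0.113.10 is a stand-in
# for the public IP. Port 60000 never gets an answer; port 60001 gets a
# (constructed) SYN,ACK from the dst-nat target.
SAMPLE_LOG = """\
10:00:01 firewall,info NEW prerouting: in:bridge1(ether1) out:(unknown 0), proto TCP (SYN), 10.10.10.150:60000->203.0.113.10:80, len 64
10:00:01 firewall,info prerouting: in:bridge1(ether1) out:(unknown 0), proto TCP (SYN), 10.10.10.150:60000->203.0.113.10:80, len 64
10:00:01 firewall,info postrouting: in:(unknown 0)(ether1) out:bridge1, proto TCP (SYN), 10.10.10.150:60000->10.10.20.44:80, NAT 10.10.10.150:60000->(203.0.113.10:80->10.10.20.44:80), len 64
10:00:02 firewall,info postrouting: in:(unknown 0)(ether1) out:bridge1, proto TCP (SYN), 10.10.10.150:60000->10.10.20.44:80, NAT (10.10.10.150:60000->10.10.20.100:60000)->(203.0.113.10:80->10.10.20.44:80), len 64
10:00:03 firewall,info postrouting: in:(unknown 0)(ether1) out:bridge1, proto TCP (SYN), 10.10.10.150:60001->10.10.20.44:80, NAT (10.10.10.150:60001->10.10.20.100:60001)->(203.0.113.10:80->10.10.20.44:80), len 64
10:00:03 firewall,info prerouting: in:bridge1(ether4) out:(unknown 0), proto TCP (SYN,ACK), 10.10.20.44:80->10.10.20.100:60001, NAT (10.10.10.150:60001->10.10.20.100:60001)->(203.0.113.10:80->10.10.20.44:80), len 60
"""

EP = r"[\d.]+:\d+"  # ip:port endpoint
LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) firewall,info (?:(?P<prefix>\S+) )?"
    r"(?P<chain>prerouting|postrouting): in:(?P<inif>.*?) out:(?P<outif>.*?), "
    rf"proto TCP \((?P<flags>[A-Z,]+)\), (?P<src>{EP})->(?P<dst>{EP})"
    r"(?:, NAT (?P<nat>\S+))?, len \d+$"
)
# NAT field: "src->(dst_from->dst_to)" or "(src_from->src_to)->(dst_from->dst_to)"
NAT_RE = re.compile(
    rf"^(?:\((?P<s_from>{EP})->(?P<s_to>{EP})\)|(?P<s_plain>{EP}))->"
    rf"(?:\((?P<d_from>{EP})->(?P<d_to>{EP})\)|(?P<d_plain>{EP}))$"
)


def analyze(log_text):
    """Group logged packets by the original client endpoint and summarise each flow."""
    flows = defaultdict(lambda: {"syn_out": 0, "replies": 0, "dnat": None,
                                 "snat": None, "in_ifs": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a TCP firewall log line in the expected format
        nat = NAT_RE.match(m["nat"]) if m["nat"] else None
        flags = set(m["flags"].split(","))
        server = nat and (nat["d_to"] or nat["d_plain"])
        if nat and "ACK" in flags and m["src"] == server:
            # Reply direction: the packet comes from the dst-nat target.
            flows[nat["s_from"] or nat["s_plain"]]["replies"] += 1
            continue
        # Client direction: key the flow on the pre-NAT source endpoint.
        client = (nat["s_from"] or nat["s_plain"]) if nat else m["src"]
        flow = flows[client]
        if m["chain"] == "prerouting":
            flow["in_ifs"].add(m["inif"])  # where the router saw the client
        if nat and nat["d_to"]:
            flow["dnat"] = (nat["d_from"], nat["d_to"])
        if nat and nat["s_to"]:
            flow["snat"] = nat["s_to"]
        if m["chain"] == "postrouting" and flags == {"SYN"}:
            flow["syn_out"] += 1  # SYN (or retransmit) forwarded to the server
    return dict(flows)


def verdict(flow):
    """One-line diagnosis for a flow summary returned by analyze()."""
    if flow["dnat"] is None:
        return "dst-nat did not match"
    if flow["syn_out"] == 0:
        return "SYN never left the router"
    if flow["replies"] == 0:
        return "no reply from " + flow["dnat"][1]
    return "server replied"


if __name__ == "__main__":
    for client, flow in analyze(SAMPLE_LOG).items():
        print(client, "in:", sorted(flow["in_ifs"]), "dnat:", flow["dnat"],
              "snat:", flow["snat"], "SYNs out:", flow["syn_out"],
              "->", verdict(flow))
```
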

Thanks for your precious advice, sir,

IP firewall for PPPoE was enabled previously; I have just disabled it and it worked… IP firewall, yes, is enabled… so should I disable it or leave it as is…

Waiting for your revert.

Again, thanks a ton… :slight_smile:

“it worked” means that it helped with port forwarding, or just that it didn’t break anything else?

General rule: Don’t change defaults unless you’re sure that you need it and why.

Neither use-ip-firewall nor use-ip-firewall-for-pppoe is enabled by default, so you should know why you enabled them in the first place. Maybe you wanted to do some filtering within same subnet on bridge? Not very common, but possible. But only you know what you wanted. Your whole bridge with four different subnets is slightly unusual too. But not necessarily wrong either.