Port forwarding issue

Hello to all

I’m pretty new to these MikroTik boards and they are already winning the battle.

I need to configure a simple port forwarding NAT rule to access my DVR from the internet on port 8016.

This is what I’ve done:

/ip firewall nat add chain=dstnat dst-address=69.69.69.69 protocol=tcp dst-port=8016 action=dst-nat to-addresses=10.1.3.185 to-ports=8016

69.69.69.69 is a placeholder for my real external IP address.


I was doing research and everyone says it is as simple as creating that NAT rule… but it is not working.

How can I identify what is blocking those connections?

Please help me not to start hating these devices :frowning:


Thanks in advance,

It would help to post your config so we can see what’s going on.

Also, it would be easier to use the Netmap action, with in-interface specified, to perform port forwarding. This way you won’t have to modify your rule if your external IP changes.

add action=netmap chain=dstnat comment="Your Comment" disabled=no dst-port=8888 in-interface=ether1-WAN protocol=tcp to-addresses=192.168.1.50

Are you accepting the dst port in forward chain?

Hello, thank you all for the replies.

Right now I’m forwarding the port 8016 (the DVR port) on a Forward rule also.

I already have a Static IP address so there is no problem of the IP changing.


How may I send you my actual configuration?

Any ideas?

You haven’t posted your firewall/NAT config yet.

Sorry, I don’t know how… if you mean the /ip route print detail and /ip address print detail, here they are:

/ip address print detail
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; default configuration
address=192.168.88.1/24 network=192.168.88.0 interface=sfp1
actual-interface=bridge-local

1 address=10.1.3.1/24 network=10.1.3.0 interface=ether2
actual-interface=bridge-local

2 D address=–.–.–.–/29 network=–.–.–.-- interface=ether1-gateway
actual-interface=ether1-gateway


/ip route print detail
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
0 ADS dst-address=0.0.0.0/0 gateway=xxx.xxx.xxx.xxx
gateway-status=xxx.xxx.xxx.xxx reachable via ether1-gateway distance=1
scope=30 target-scope=10 vrf-interface=ether1-gateway

1 ADC dst-address=10.1.3.0/24 pref-src=10.1.3.1 gateway=bridge-local
gateway-status=bridge-local reachable distance=0 scope=10

2 ADC dst-address=xxx.xxx.xxx.xxx/29 pref-src=xxx.xxx.xxx.xxx
gateway=ether1-gateway gateway-status=ether1-gateway reachable
distance=0 scope=10

3 ADC dst-address=192.168.88.0/24 pref-src=192.168.88.1 gateway=bridge-local
gateway-status=bridge-local reachable distance=0 scope=10


/ip firewall filter
add chain=forward dst-port=8016 out-interface=ether1-gateway protocol=tcp
add chain=input comment="default configuration" protocol=icmp
add chain=input comment=Winbox dst-port=8291 protocol=tcp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add action=drop chain=input comment="default configuration" in-interface=ether1-gateway
add chain=forward comment="default configuration" connection-state=established
add chain=forward comment="default configuration" connection-state=related
add action=drop chain=forward comment="default configuration" connection-state=invalid
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=8016 in-interface=ether1-gateway protocol=tcp to-addresses=10.1.3.185 to-ports=8016
add chain=srcnat dst-address=10.1.1.0/24 src-address=10.1.3.0/24
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway


The port I’m trying to forward is 8016.


Thanks

Try this

/ip firewall nat
add action=dst-nat chain=dstnat comment="DVR" dst-address=X.X.X.X dst-port=8016 protocol=tcp to-addresses=10.1.3.185 to-ports=8016

where X.X.X.X is your public IP.

Already did that, didn’t work. I was suspecting some firewall rule was blocking something, so I disabled all restricting rules just for a test… and it didn’t work either.

Is there any way to activate some kind of log that tells me what is blocking those connections?

Delete your first firewall rule.
Change your DST-NAT action to action=netmap instead. Like this,

add action=netmap chain=dstnat dst-port=8016 in-interface=ether1-gateway \
protocol=tcp to-addresses=10.1.3.185 to-ports=8016

Also, best practice is having your masquerade rule at the top of your NAT rules, and others underneath it.

That didn’t work either…

I feel there may be something fundamentally flawed with your testing method. Are you attempting to test it by connecting to the external IP of your router from within your local LAN?

No sir, I’m trying to telnet from a remote computer outside the network (in my house actually).

If I telnet from inside the internal LAN, I get a telnet connection to port 8016 just fine. So the service is working just fine.

The problem is from my house. Also… I’ve tried to telnet to a known mail server from my house… and I get a response… so telnet is not blocked here.

add chain=srcnat dst-address=10.1.1.0/24 src-address=10.1.3.0/24

What is the purpose of this line? Are you trying to stop 10.1.3.0/24 traffic from being masqueraded? Since it isn’t going out the gateway interface it wouldn’t be, anyway. Its existence might be stopping traffic from hitting your other rules.

Also, are you using the 192.168.88.0/24 subnet on your network? Your router still has an IP in that range.

Yes, that rule is for the VPN traffic. (We have a VPN between 2 sites.)

And the .88 is the default network; I guess it is there just in case. Not really necessary.

Actually, making the masquerade rule first broke my VPN traffic.

Is there any way to trace that traffic and see what is blocking it?

You can try setting the ‘log’ flag on all your firewall rules and see if anything pops up. Also, clear your counters and watch if any of the NAT rules have their counters incremented when you try to connect.

I’m out of ideas; I’ve tried your config on my lab setup and everything works fine for me.

Sorry for my ignorance, but how do I enable that log? And how do I look at it?

You can append “log=yes” to your firewall rule, and optionally “log-prefix=” to apply a prefix to those log entries. “/log print” shows log if you’re using terminal.
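As an added example (not written by any poster in this thread), here is how the logging and counter advice above, together with the earlier in-interface/netmap suggestion, fits together on a router laid out like the one posted: ether1-gateway as WAN, bridge-local as LAN, DVR at 10.1.3.185 on TCP 8016. The log-prefix strings and the comments are my own choices; everything else uses values from the posted configuration and is assumed to be typed into a terminal session.

```routeros
# Added example: instrument the DVR port forward so each stage leaves its own log line.
# Interface names and addresses follow the configuration posted above; the
# log-prefix values are arbitrary and only serve to tell the two rules apart.

# 1. DST-NAT keyed on the WAN interface (netmap, as suggested above). A hit here
#    proves the packet actually arrived on ether1-gateway with dst-port 8016.
/ip firewall nat
add action=netmap chain=dstnat comment="DVR 8016" in-interface=ether1-gateway \
    protocol=tcp dst-port=8016 to-addresses=10.1.3.185 to-ports=8016 \
    log=yes log-prefix="DVR-DSTNAT"

# 2. Forward-chain accept for the translated packet, placed at the top of the chain
#    so the default rules cannot shadow it. After dst-nat the packet is headed for the
#    LAN, so it enters on the WAN and leaves on the bridge; a rule matching
#    out-interface=ether1-gateway would only ever see traffic going out to the internet.
/ip firewall filter
add chain=forward comment="DVR 8016 in" in-interface=ether1-gateway \
    out-interface=bridge-local protocol=tcp dst-address=10.1.3.185 dst-port=8016 \
    log=yes log-prefix="DVR-FWD" place-before=0

# 3. Zero the counters, make exactly one connection attempt from outside, then read back
#    which rules counted the packet and what the firewall topic logged.
/ip firewall nat reset-counters-all
/ip firewall filter reset-counters-all
/ip firewall nat print stats
/ip firewall filter print stats
/log print where message~"DVR-"

# 4. If both prefixes show up but the client still sees no answer, look at the
#    tracked connection: a SYN with no reply usually means the DVR's default
#    gateway is not 10.1.3.1, so the reply never comes back through this router.
/ip firewall connection print where dst-address~"10.1.3.185:8016"
```

Reading the result: no "DVR-DSTNAT" line means the packet never reached ether1-gateway, so the problem sits upstream of the router; "DVR-DSTNAT" without "DVR-FWD" means the translated packet was dropped or routed somewhere other than bridge-local between the two chains; both lines present point at the DVR or its return path. Remove log=yes from both rules once the fault is found, since each matching packet otherwise writes a log entry.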