port forwarding needs what kind of firewall rules?

mkonsultor · October 20, 2019, 7:42pm

A server on the LAN needs access from the Internet via a hAP ac lite (ver 6.45.6). Have created dst-nat entries for several TCP ports (Since it is a dynamic IP address from the ISP, the src address is not used. When attempting to connect, so far I get ‘connection refused.’ This is true for SSH, Telnet, and http.
Saw a comment in this forum about enabling the port in the Forward chain, but it was incomplete about how to do that and where in the rule list that rule should be placed. I have enteed rules:

[admin@MikroTik] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface-list=WAN 
      ipsec-policy=out,none 

 1    ;;; WAN access to Cockpit on Metrics
      chain=dstnat action=dst-nat to-addresses=192.168.1.15 to-ports=9090 
      protocol=tcp dst-address-type="" src-port=9090 dst-port=9090 log=no 
      log-prefix="" 

 2 X  ;;; ssh to Metrics
      chain=dstnat action=dst-nat to-addresses=192.168.1.15 to-ports=22 
      protocol=tcp src-port=22 dst-port=22 log=no log-prefix="" 

 3    ;;; port 3000 access
      chain=dstnat action=dst-nat to-addresses=192.168.1.15 to-ports=3000 
      protocol=tcp src-port=3000 dst-port=3000 log=no log-prefix="" 

 4 X  ;;; telnet port forwarding
      chain=dstnat action=dst-nat to-addresses=192.168.1.15 to-ports=23 
      protocol=tcp src-port=23 dst-port=23 log=no log-prefix=""

Have not specified protocols above TCP: could be http, https, or something else.
Suggestions and hints greatly appreciated.

akschu · October 21, 2019, 3:16pm

Telling the router to do destination nat is one thing, allowing that packet through the firewall is different. So if you have:

chain=dstnat action=dst-nat to-addresses=192.168.1.15 to-ports=9090 protocol=tcp dst-address-type=“” src-port=9090 dst-port=9090 log=no log-prefix=“”

then in /ip firewall filter you would also need:

add chain=forward action=accept dst-address=192.168.1.5 protocol=tcp dst-port=9090

or if you want a catch-all rule that works well:

add chain=forward action=accept connection-state=new connection-nat-state=dstnat in-interface-list=WAN

That will match all new connection packets that have been modified by dstnat that also show up on any interface in the WAN list and allow them to forward.

mkx · October 21, 2019, 3:39pm

The NAT rules are too restrictive … src-port and dst-port are both selection criteria (those are compared against to check if certain rule needs to apply or not). It’s a thin chance that some client from internet, trying to connect to ssh port, will use port 22 on its own side (that’s what src-port is about). On the other hand the same rule is too permissive and (after src-port gets removed as selection criteria) will capture also out-going ssh connections.

So usual DST-NAT rule for ssh would look something like this (catching only connections originating from internet):

/ip firewall nat
add chain=dstnat action=dst-nat in-interface-list=WAN protocol=tcp dst-port=<WAN port> to-addresses=<LAN IP address> to-ports=22

where can either be standard ssh port 22 or some other random port. If WAN port number is the same as port on the LAN server, then setting to-ports is not necessary.

BTW, the catch-all firewall filter rule from post by @akschu above is present in default firewall setup (on SOHO routerboards, the pro boxes come without default firewall).

JohnRauner · October 27, 2019, 6:34am

Can somebody help me with this please. I have tried several different options but cannot get the router to port forward. I am new to Mikrotik so this is a bit confusing. I am pretty sure the NAT rule is correct and I suspect the firewall filter rule is the problem.

mkonsultor · November 6, 2019, 4:36pm

Working more on the network, I realize that I didn’t describe the configuration fully. Access from the Internet is needed to reach a different subnet (192.168.88.0/24) through a second MikroTik router whose WAN port is 192.168.1.15. The first (gateway) router dst-nat function maps a connection to the …88.x subnet. The second router then routes that to the proper subnet.
Forwarding rules are needed in the g/w router for a DstAddress of …88.0 . Does that sound right? Unfortunately, connections from the Internet intended for …88.x are refused.

mkx · November 6, 2019, 5:10pm

There are a few things to be configured/checked:

WAN router needs to perform DST-NAT to LAN2 address and its firewall has to allow it
WAN router needs a route towards LAN2 using Router2 as gateway
Router2 firewall has to allow the connection

Now there are two possibilities:

if LAN2 devices use Router2 as their default gateway and Router2 uses WAN router as its default gateway, then the above list is more or less complete.
if LAN2 devices don’t use Router2 as their default gateway, only specific gateway towards LAN1 … or if LAN2 devices don’t know that Router2 is router at all, then another NAT (src-nat in particular) has to be done as step #4. Whether to do it on WAN router or Router2 depends on how LAN2 devices see Router2, but in any case this NAT can be done on Router2.
If this NAT gets done, then LAN2 devices won’t get information about real originator of incoming connection.

Surely there are other possibilities, such as double DST-NAT (done on both routers) …

GrasDK · April 18, 2023, 3:19pm

Sob:

add chain=forward action=accept connection-state=new connection-nat-state=dstnat in-interface-list=WAN
That will match all new connection packets that have been modified by dstnat that also show up on any interface in the WAN list and allow them to forward.

I liked this for its genericity, worked like a charm.

anav · April 18, 2023, 3:37pm

https://forum.mikrotik.com/viewtopic.php?t=179343

ckonsultor · April 18, 2023, 5:58pm

Dear MKX,

You did it for me. Along with a typo or two your outline let me gain all the accesses I want.
Thanks