Hi guys,
I’m trying to forward port ports 1701, 500, and 4500 to internal IP 10.0.1.89
I have a NAT rule set up to forward both TCP and UDP for the ports but no matter what I do I simply cannot get the ports to show as open through a port tester, nor can I access them.
I’ve even tried adding filter rules to accept all three ports, and still nada. Adding screenshots to show what I have set up.
Am I doing something wrong? I can see the packages and data coming in but it just won’t go through for some reason. Please help! I’m at the end of my wits
This is the full export of all of my NAT rules:
When you create dst-nat rule, is not important to specify in interface, but need to specify destination address (WAN IP [Public])
mkx
July 10, 2019, 3:52am
4
Are you sure that firewall on 10.0.1.89 is not freaking out on inbound VPN connections?
Affirmative. I’m SSHed into the USG pro at 10.0.1.89 and am running a sniff on those three ports and I don’t see any packets coming in
Hi,
Please specify your right destination address in general tab.
Thank you! I’ve updated the dst address but they still wont show as open
giriv
July 12, 2019, 5:31pm
8
I’ve tried everything I can think of and can’t get the traffic to passthrough. Does anyone have any ideas?
2frogs
July 12, 2019, 6:09pm
9
Your NAT rules do not need a to-port unless your are changing ports. They should look like this:
/ip firewall nat
add action=dst-nat chain=dstnat comment="ALA USG VPN" dst-port=500 in-interface=ether1-gateway log=yes protocol=udp to-addresses=10.0.1.89
add action=dst-nat chain=dstnat comment="ALA USG VPN" dst-port=1701 in-interface=ether1-gateway log=yes protocol=udp to-addresses=10.0.1.89
add action=dst-nat chain=dstnat comment="ALA USG VPN" dst-port=4500 in-interface=ether1-gateway log=yes protocol=udp to-addresses=10.0.1.89
Or you can combine them in one rule like:
]/ip firewall nat
add action=dst-nat chain=dstnat comment="ALA USG VPN" dst-port=500,1701,4500 in-interface=ether1-gateway log=yes protocol=udp to-addresses=10.0.1.89
And your Filter rule need to be for chain=forward: (or enable the default drop rule)
/ip firewall filter
add action=accept chain=forward dst-port=5200,1701,4500 in-interface=ether1-gateway protocol=udp
Here is some other things that might be a factor
If your USG’s WAN is behind NAT and has a private IP, it is necessary to configure port forwarding on the upstream router to forward UDP ports 500, 1701, and 4500 to the USG’s WAN address.
In pre-4.3.41 USG firmware, L2TP remote access VPN will not work if there are already one or more site-to-site IPsec VPNs configured. Please update to the latest firmware.
In controller versions prior to 5.7.22, if UPnP is configured on the USG, an ACL will need to be created to deny UDP ports 500/4500. See this Community post for more. This community post is in the Early access section of our Community, see this article to learn How to Sign Up for Early Access.
https://help.ubnt.com/hc/en-us/articles/115005445768-UniFi-USG-Configuring-L2TP-Remote-Access-VPN
giriv
July 14, 2019, 3:37am
10
Thank you! I’ve consolidated the rules as you recommended.
I also changed the filter rule to chain=forwrad.
I also did follow that ubiiquiti guide. Actually those parts are what I’m trying to configure forwarding for.
The USG and controller firmware is up to date so those two warnings shouldnt apply
anav
July 14, 2019, 8:19pm
11
I would echo 2frogs recommendation for dst-nat rules.
However I do not agree with his assessment of moving them to forward filter rules. They are dst nat rules period.
This single rule permits all port forwarding rules from dst-nat to get through the firewall.
2frogs
July 15, 2019, 12:02am
12
@anav (or enable the default drop rule) ”
sebus
July 11, 2020, 7:25pm
13
So did the OP get it working?
That should be really simple. All my other NAT rules work (with port forwarding or not)
But no matter what I can not connect to Softether VPN server (Windows) behind Mikrotik
In log I can see:
500- dstnat: in:pppoe-out1 out:(unknown 0), src-mac xx:xx:xx:xx:xx, proto UDP, !!.!!.!!.!!:40063->??.??.??.??:500, len 816
4500- dstnat: in:pppoe-out1 out:(unknown 0), src-mac xx:xx:xx:xx:xx, proto UDP, !!.!!.!!.!!:47702->??.??.??.??:4500, len 140
xx:xx:xx:xx:xx is MAC address of Miktotik pppoe-out1 interface
anav
July 11, 2020, 9:24pm
14
sebus post your complete config please.
sebus
July 12, 2020, 9:16am
16
Gave up on this, and simply configured VPN server on Mikrotik itself using these instructions
Sob
July 12, 2020, 2:20pm
17
to-ports=0 is clearly wrong, it shouldn’t be there at all. It does exactly what it says, sends packets to port 0.
SOLVED for me!!!
Jotne:
…you still need a forward filter rules to allow that traffic past the firewall.
This single rule permits all port forwarding rules from dst-nat to get through the firewall.
…
add chain=forward action=accept comment=“Allow port forwarding” /
anav
March 1, 2021, 3:04pm
20
Hi there, glad its working for you. Normally its covered by default firewall rules and when people stray from them at all, things can get messed up pretty fast.
