Port forwarding not working -- shows one inbound packet and no responses

Hi,

I would like to forward traffic from the Internet (ether1-wan) port 5000 to internal IP address 192.168.88.250 port 5000. I cannot see what I am doing wrong.

  • There is a web server sitting at 192.168.88.250:5000. When I try to access http://mypublicIP:5000/ from the Internet (not from the local network), I can see that one single packet makes it through the dst-nat rule.
  • However, no reply makes it back to my browser.

The NAT rule that shows a single packet through is this:
add action=dst-nat chain=dstnat comment="To thoth filestation shared links (use http, not https)" dst-port=5000 in-interface=ether1-wan protocol=tcp src-address=0.0.0.0/0 to-addresses=192.168.88.250 to-ports=5000

/ip firewall filter export shows:

# sep/04/2020 22:51:19 by RouterOS 6.46.4
# software id = AXU3-F56H
#
# model = RouterBOARD 750G r3
# serial number = 6F390678C35C
# NOTE(review): rules are evaluated top to bottom within each chain and the
# first matching terminating action (accept/drop) wins, so rule order matters.
/ip firewall filter
# --- forward chain: inter-VLAN policy, explicit accepts first ---
add action=accept chain=forward comment="management can get to Parker" dst-address=192.168.11.0/24 src-address=192.168.88.0/24
add action=accept chain=forward comment="Parker can get to management" dst-address=192.168.88.0/24 src-address=192.168.11.0/24
add action=accept chain=forward comment="vlan-trusted can talk to management" dst-address=192.168.88.0/24 src-address=192.168.87.0/24
add action=accept chain=forward comment="management can talk to vlan-trusted" dst-address=192.168.87.0/24 src-address=192.168.88.0/24
add action=accept chain=forward comment="anything on management network (88) can talk to tenant" dst-address=192.168.90.0/24 src-address=192.168.88.0/24
add action=accept chain=forward comment="anything on management can reach devices" dst-address=192.168.92.0/24 src-address=192.168.88.0/24
add action=accept chain=forward comment="anything on trusted can reach devices" dst-address=192.168.92.0/24 src-address=192.168.87.0/24
# The two Sonos accepts sit before the vlan-devices drop further down, so they
# match on these ports from vlan-devices regardless of out-interface.
add action=accept chain=forward comment="Sonos tcp ports allowed to talk to management/trusted" dst-port=3400,3401,3500,4070,4444 in-interface=vlan-devices protocol=tcp
add action=accept chain=forward comment="Sonos UDP ports allowed from devices to trusted/management" dst-port=1900,1901,5353,6969 in-interface=vlan-devices protocol=udp
# --- input chain: traffic addressed to the router itself ---
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related
# --- forward chain: WAN-facing rules ---
# Matches TCP only; other protocols leaving via ether1-wan do not hit this rule
# and continue down the chain (no final catch-all drop is visible in the
# forward chain).
add action=accept chain=forward comment="Allow srcnat outbound" connection-nat-state=srcnat out-interface=ether1-wan protocol=tcp
# Port-forward entry point: a new connection arriving on ether1-wan is accepted
# here only if the dstnat chain already translated it (connection-nat-state=dstnat).
# If this rule's counter does not increase alongside the dst-nat rule's counter,
# the packet is being lost before the filter stage.
add action=accept chain=forward comment="Allow port forwarding" connection-nat-state=dstnat connection-state=new in-interface=ether1-wan
# Replies from the forwarded server back to the Internet client are accepted by
# this rule as established/related; no separate return-direction rule is needed.
add action=accept chain=forward comment="forward established, related" connection-state=established,related
add action=drop chain=forward comment="tenant vlan can only start connections out to Internet" in-interface=vlan-tenant out-interface=!ether1-wan
add action=drop chain=forward comment="guest vlan can only talk to Internet" in-interface=vlan-guest out-interface=!ether1-wan
add action=drop chain=forward comment="vlan-devices can only go out to Internet." in-interface=vlan-devices out-interface=!ether1-wan
add action=drop chain=forward comment="vlan-usa network can only go out the USA VPN" disabled=yes out-interface=!NordVPN src-address=192.168.89.0/24
# Any new connection from ether1-wan that was not dst-natted is dropped here, so
# the "Allow port forwarding" accept above is the only way in from the WAN.
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=ether1-wan
# Catch-all for the input chain: everything from ether1-wan not accepted above
# is dropped. The two disabled rules that follow can never match even if
# enabled, because this rule already matches all input from ether1-wan.
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=ether1-wan
add action=drop chain=input comment="defconf: drop all from WAN" disabled=yes dst-port=53 in-interface=ether1-wan protocol=udp
add action=drop chain=input comment="defconf: drop all from WAN" disabled=yes dst-port=21,22,23 in-interface=ether1-wan protocol=tcp
# NOTE(review): the invalid-state drop is disabled, so packets that connection
# tracking classifies as invalid are not dropped by this chain. Consider
# re-enabling it once the port-forward problem has been diagnosed.
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid disabled=yes

And:

/ip firewall nat export shows:

# sep/04/2020 22:52:26 by RouterOS 6.46.4
# software id = AXU3-F56H
#
# model = RouterBOARD 750G r3
# serial number = 6F390678C35C
/ip firewall nat
# Disabled: would redirect UDP/53 from addresses in usa-list to 103.86.96.100.
add action=dst-nat chain=dstnat comment="Force DNS redirection for usa vlan" disabled=yes dst-port=53 protocol=udp src-address-list=usa-list to-addresses=103.86.96.100 to-ports=53
# Disabled pair for the Parker (192.168.11.0/24) path: src-nat non-88 sources to
# 192.168.88.1, then accept the rest so the masquerade below is not applied.
add action=src-nat chain=srcnat comment="For VPN to Parker" disabled=yes dst-address=192.168.11.0/24 src-address=!192.168.88.0/24 to-addresses=192.168.88.1
add action=accept chain=srcnat comment="For VPN to Parker" disabled=yes dst-address=192.168.11.0/24
add action=masquerade chain=srcnat disabled=yes out-interface=ExpressVPN
# The active port forward: TCP/5000 arriving on ether1-wan -> 192.168.88.250:5000.
# src-address=0.0.0.0/0 matches everything and is equivalent to omitting it.
# NOTE(review): NAT chains only see the first packet of a connection; later
# packets are translated by connection tracking without touching this rule, so a
# counter of one packet per connection attempt is expected and does not by
# itself show that replies are failing. For the reply to be un-NATed it must
# come back through this router, i.e. 192.168.88.250's default gateway should be
# this router and no host firewall on it should be rejecting port 5000 -- confirm.
add action=dst-nat chain=dstnat comment="To thoth filestation shared links (use http, not https)" dst-port=5000 in-interface=ether1-wan protocol=tcp src-address=0.0.0.0/0 to-addresses=192.168.88.250 to-ports=5000
# Masquerades everything leaving ether1-wan except traffic to 192.168.11.0/24.
# log-prefix is set but no log=yes is visible, so presumably nothing is logged -- confirm.
add action=masquerade chain=srcnat comment="source NAT everything outbound except going to Parker" dst-address=!192.168.11.0/24 log-prefix=srcnat-out out-interface=ether1-wan
# The disabled forwards below (admin GUI, cloudstation, webdavs, ESX console, ssh)
# carry no in-interface restriction (unlike the two rules that set
# in-interface=ether1-wan) and accept any source. When enabling one, consider
# adding in-interface=ether1-wan and narrowing src-address to the expected
# clients, especially for the admin GUI, ESX console and ssh entries.
add action=dst-nat chain=dstnat comment="To thoth admin GUI" disabled=yes dst-port=5501 log-prefix=thothadmin protocol=tcp src-address=0.0.0.0/0 to-addresses=192.168.88.250 to-ports=5001
add action=dst-nat chain=dstnat comment="To thoth cloudstation" disabled=yes dst-port=6690 protocol=tcp src-address=0.0.0.0/0 to-addresses=192.168.88.250 to-ports=6690
add action=dst-nat chain=dstnat comment="To thoth webdavs" disabled=yes dst-port=5006 protocol=tcp src-address=0.0.0.0/0 to-addresses=192.168.88.250 to-ports=5006
add action=dst-nat chain=dstnat comment="To thoth for let's encrypt" disabled=yes dst-port=80 in-interface=ether1-wan protocol=tcp src-address=0.0.0.0/0 to-addresses=192.168.88.4 to-ports=80
add action=dst-nat chain=dstnat comment="NAT the ESX root console (https) -- only enable when needed." disabled=yes dst-port=2222 protocol=tcp src-address=0.0.0.0/0 to-addresses=192.168.88.3 to-ports=443
add action=dst-nat chain=dstnat comment="ssh to thoth" disabled=yes dst-port=5002 protocol=tcp src-address=0.0.0.0/0 to-addresses=192.168.88.4 to-ports=22
# Disabled: masquerades LAN-to-LAN traffic to 192.168.88.250:32400 leaving via
# bridge1 (the pattern typically used for hairpin NAT from the local subnet).
add action=masquerade chain=srcnat comment="access plex from sonos" disabled=yes dst-address=192.168.88.250 dst-port=32400 out-interface=bridge1 protocol=tcp src-address=192.168.88.0/24

I feel like I'm missing something very basic, but I have been pounding my head against it for a few hours now, trying different things suggested on the forum, etc. Can anyone help?

Very grateful.
Thanks