Port forwarding not working

I need to open a Samba share from the internet for a couple of minutes, but the usual port forwarding rule doesn’t work.
Can you help me?
And I know about Samba security issues, so first I tried with “src-address=my_current_address”, but it didn’t work.
So I tried the most simple rule, and it doesn’t work either. Forwarding all of ports 137, 138, 139 and 445.

/ip firewall nat add action=netmap chain=dstnat dst-port=139 protocol=tcp to-addresses=192.168.123.123 to-ports=139

I’m not sure action=netmap accepts a single IP address as the to-addresses value; you should use action=dst-nat instead. And put back the src-address=your.current.ip.address, as it was not the reason why it did not work. Plus you don’t need to use to-ports if you don’t need to change the original dst-port value.

Try action=dst-nat instead of netmap and specify in-interface.

You never sleep, hah.

No, didn’t help.
I have several perfectly working forwards like RDP, VNC and SSH, but a problem with Samba.

Do you have counters moving in this rule? If yes, then the problem is in the PCs.

Samba also uses 445 for file sharing; it is, after all, microsoft-ds, so it’s the same port you’d open on Windows. 139 you don’t need across the internet; they’ll get to you by public IP address or DNS name, no need for NetBIOS name resolution. Use a dst-nat rule to forward 445 to your Samba host, and may god help you, security-wise I mean. Make sure you have the latest build of the Samba pkg for your distro.

Counters are zero; nothing helps.
Tried several PCs with a public shared folder allowed for all to read/write.

Export your filter, mangle and NAT rules.

Mangle is empty. NAT is full of netmap rules, simple port forwarding, no samba ports.

/ip firewall filter
add action=accept chain=input comment=PPTPD dst-port=1723 protocol=tcp
add action=drop chain=forward dst-address-list="***" protocol=!icmp src-address=192.168.123.123
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid log-prefix=INVALID
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=internet
add action=accept chain=input comment=defconf connection-state=established,related
add action=drop chain=input comment=defconf in-interface-list=internet
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=internet src-address=192.168.123.0/24

Again, all rules are needed to determine which one is causing the problem. Something is forwarding your publicip:445 to an internal host before it gets to the Samba dst-nat rule; try moving the Samba dst-nat to the beginning of the NAT list, I am sure it’ll work. Or your Samba is blocking connections.

*netmap - creates a static 1:1 mapping of one set of IP addresses to another one. Often used to distribute public IP addresses to hosts on private networks

Not familiar with this, but clearly if your NAT chain is full of netmaps you’re mapping 1:1, so you can’t use the same public IP as any of the netmap rules for Samba, since port 445 is already mapped to another internal IP.

No, there are not even 3-digit ports in my rules, only 2-, 4- and 5-digit ones.
Placed the rules at the top of the list; nothing changes.

I may be wrong, but I believe action=netmap ignores ports even if you provide dst-port as rule parameter. So if a netmap rule is before a dst-nat one and matches, the dst-nat one never sees the packet.
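One way to test the ordering hypothesis in this post, as an added example that is not part of the thread: a small Python checker over a RouterOS NAT export that flags a later dstnat rule whose every matcher is also satisfied by an earlier terminating rule (netmap, dst-nat and so on), so the later rule can never count packets. The export below is constructed, with 203.0.113.10 standing in for the public address; negated or list-valued matchers are compared literally.

```python
import re

# RouterOS walks a chain top to bottom; the first rule whose matchers all hit
# and whose action is terminating handles the packet, so later rules never see it.
TERMINATING = {"dst-nat", "netmap", "redirect", "src-nat", "masquerade",
               "same", "accept", "drop"}
# Matchers compared between rules. Values with lists ("139,445") or "!" negation
# are compared literally, so an overlap can be missed but never falsely reported.
MATCHERS = ("chain", "dst-address", "protocol", "dst-port", "in-interface",
            "in-interface-list", "src-address")

def parse_export(text):
    """Turn the 'add key=value ...' lines of an export into a list of dicts."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("add "):
            rules.append(dict(re.findall(r'([\w-]+)=("[^"]*"|\S+)', line[4:])))
    return rules

def covers(earlier, later):
    """True if every packet matched by `later` is also matched by `earlier`:
    a matcher absent from `earlier` matches anything, a present one must be equal."""
    return all(key not in earlier or earlier[key] == later.get(key)
               for key in MATCHERS)

def find_shadowed(export_text):
    """Return (earlier_index, later_index) pairs where a terminating rule
    higher in the chain captures everything a later rule would match."""
    rules = parse_export(export_text)
    hits = []
    for j, later in enumerate(rules):
        for i in range(j):
            if rules[i].get("action") in TERMINATING and covers(rules[i], later):
                hits.append((i, j))
                break
    return hits

# Constructed sample export (RFC 5737 documentation address as the public IP).
SAMPLE_EXPORT = """\
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=internet src-address=192.168.123.0/24
add action=netmap chain=dstnat dst-address=203.0.113.10 to-addresses=192.168.123.50
add action=dst-nat chain=dstnat dst-address=203.0.113.10 dst-port=445 protocol=tcp to-addresses=192.168.123.123
add action=dst-nat chain=dstnat dst-address=203.0.113.11 dst-port=445 protocol=tcp to-addresses=192.168.123.123
"""

if __name__ == "__main__":
    for i, j in find_shadowed(SAMPLE_EXPORT):
        print(f"rule {j} is shadowed by rule {i}: {parse_export(SAMPLE_EXPORT)[i]}")
```

In the sample, the port-less netmap on 203.0.113.10 shadows the 445 forward to the same address, while the forward on 203.0.113.11 is reachable.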

No, I have several netmap rules with different ports. I can change any netmap action to dst-nat action and it works. And I tried to place samba rules on top.

OK. In that case, add

/ip firewall mangle
add action=passthrough chain=prerouting protocol=tcp dst-port=139
add action=passthrough chain=prerouting protocol=tcp dst-port=445

and then move these two rules as high in the chain as possible (i.e. make them the very first static rules in that chain).

If they count packets when you attempt the SMB connection, the issue is in your firewall; if they don’t, your ISP is blocking the port whose rule does not count.

If you can, post the netmap rules and remove the public IPs from them; not sure if hide-sensitive will do that. Maybe you missed something or misunderstood how something works and someone else can spot it; can’t troubleshoot with limited information.

*netmap - creates a static 1:1 mapping of one set of IP addresses to another one. Often used to distribute public IP addresses to hosts on private networks

netmap is a direct 1:1 mapping, public to private; there is no port choosing here, that is in dst-nat.

You’re not getting any traffic on the dst-nat rule for Samba, so the problem is in mangle, since that is the packet flow.

I wouldn’t discard this; it’s very possible if you have just been handed /24 address blocks and the ISP knows you’re corporate and might be unpatched.

I think the problem is the ISP: mangle counts zero packets from the internet, but packets from the LAN are counted.
I’ll figure it out with the ISP.