Port forwarding not working.

I am trying to set up port forwarding on my Mikrotik router RB750 but nothing I try works. I am doing exactly what the manual says on this page http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/NAT#Port_mapping but I keep getting connection refused when testing it. I added two rules, one to accept the packets on input and one under NAT to forward the packets to the computer. The rules are below.

chain=input action=accept protocol=tcp dst-port=22

chain=dstnat action=dst-nat to-addresses=192.168.3.100 to-ports=22
     protocol=tcp dst-port=22

I got it to work once but without changing anything it stopped working. I also watched the rules in WinBox and no packets ever seem to go through the rules that I have set up.

Hi,

The router itself runs an SSH daemon and listens on port 22.
Change your rules to:

chain=input action=accept protocol=tcp dst-port=222

and

chain=dstnat action=dst-nat to-addresses=192.168.3.100 to-ports=222
     protocol=tcp dst-port=22

Set your SSH client to port 222 not 22.
Second way is to change default router SSH port in IP/Services.
Hope this helps.

Regards, Grzegorz.

I just tested that and got the same issue. I was also setting up a port forward to the same computer using port 9000 and set it up the same way but am getting the same issue. I am really confused about this since I have done the same thing in iptables before and was able to get it working without issue and from what I see this is just an interface for iptables.

Look at the packet flow diagram in the wiki - dst-nat happens right after pre-routing, so at the time the packet isn’t in the input or forward chains yet. The port forward changes the destination IP, so the packet will never be in the input chain, but will be in the forward chain. Permit it there.

@fewi

dst-nat happens right after pre-routing

You are right, so ‘dst-nat’ should work even without an ‘accept’ action in the firewall input rules.

Regards, Grzegorz.

Yes. The ‘input’ rule would do nothing. However, the RB750 comes with a default firewall filter ruleset that won’t accept incoming connections from the WAN in the ‘forward’ chain, so if you still have the default ruleset installed the traffic would be dropped until you make an accept rule in the ‘forward’ chain.

Still getting the same issue after changing from the input chain to the forward chain.

Please post the output of “/ip address print detail”, “/ip route print detail”, and “/ip firewall export”. Please do not edit any information other than public IP addresses, and don’t leave out any of the output.

/ip address print detail

 0   ;;; default configuration
     address=192.168.3.200/24 network=192.168.3.0 broadcast=192.168.3.255 
     interface=ether2-local-master actual-interface=ether2-local-master 

 1   ;;; hotspot network
     address=192.168.88.1/24 network=192.168.88.0 broadcast=192.168.88.255 
     interface=Hostpot actual-interface=Hostpot 

 2 D address=68.231.31.95/22 network=68.231.28.0 broadcast=68.231.31.255 
     interface=ether1-gateway actual-interface=ether1-gateway

/ip route print detail

 0 ADS  dst-address=0.0.0.0/0 gateway=68.231.28.1 
        gateway-status=68.231.28.1 reachable ether1-gateway distance=1 
        scope=30 target-scope=10 

 1 ADC  dst-address=68.231.28.0/22 pref-src=68.231.31.95 gateway=ether1-gateway 
        gateway-status=ether1-gateway reachable distance=0 scope=10 

 2 ADC  dst-address=192.168.3.0/24 pref-src=192.168.3.200 
        gateway=ether2-local-master 
        gateway-status=ether2-local-master reachable distance=0 scope=10 

 3 ADC  dst-address=192.168.88.0/24 pref-src=192.168.88.1 gateway=Hostpot 
        gateway-status=Hostpot reachable distance=0 scope=10

I just got everything working. I got all of the other ports working. I just removed all of the firewall configurations and set them back up and it worked. The SSH did not work until I changed my server to run SSH on port 222 and forwarded that port directly instead of forwarding port 222 from the outside to port 22 on the inside.

Hi, I have a problem. I configured a proxy server outside of the router and am forwarding port 80 to the proxy server. I know that RouterOS already has a proxy, but my proxy works with SquidGuard. As a proxy it works very well. But I need to know which source IP, which client, was blocked by SquidGuard. Right now the router forwards the traffic with its own source IP. So please help me: how can I redirect or forward the traffic with the original source IP?

Change your source NAT rules to not match the traffic to the proxy.

Hello Fewi, Thank you.

I have done that. I created a mangle rule which route-marks all dst-port=80 (tcp) traffic, then added a route sending this traffic to SquidGuard. But this traffic does not go to the Squid proxy directly: it goes through the Squid gateway and then Squid itself redirects the traffic to its own SquidGuard proxy. But it really works nicely.

Hi, could someone help me? I have the same issue, and no firewall rules.

The weirdest thing is that the RB sees the packets (in the NAT rule) but doesn't link the connection.

I will copy here the print output asked for in a previous post.

/ip address print detail
0 ;;; default configuration
address=192.168.88.1/24 network=192.168.88.0 interface=WAN
actual-interface=WAN

1 address=192.168.0.1/24 network=192.168.0.0 interface=CAIB LAN
actual-interface=CAIB LAN

2 address=192.168.10.1/24 network=192.168.10.0 interface=2nd Floor
actual-interface=2nd Floor

3 D address=A.B.C.D/24 network=A.B.C.0 interface=WAN
actual-interface=WAN



/ip route print detail
0 ADS dst-address=0.0.0.0/0 gateway=A.B.C.D
gateway-status=A.B.C.D reachable via WAN distance=0
scope=30 target-scope=10 vrf-interface=WAN

1 ADC dst-address=A.B.C.0/24 pref-src=A.B.C.D55 gateway=WAN
gateway-status=WAN reachable distance=0 scope=10

2 ADC dst-address=192.168.0.0/24 pref-src=192.168.0.1 gateway=CAIB LAN
gateway-status=CAIB LAN reachable distance=0 scope=10

3 ADC dst-address=192.168.10.0/24 pref-src=192.168.10.1
gateway=2nd Floor gateway-status=2nd Floor reachable distance=0
scope=10

4 ADC dst-address=192.168.88.0/24 pref-src=192.168.88.1 gateway=WAN
gateway-status=WAN reachable distance=0 scope=10


/ip firewall export
add address=192.168.0.0/24 list="CAIB LAN"
add address=192.168.0.1 list="CAIB RB"
add address=192.168.0.5 list=XBONE
add address=192.168.0.15 list=ALIEN
add address=192.168.0.10 list=BMU
/ip firewall nat
add action=masquerade chain=srcnat comment="Gateway CAIB"
out-interface=WAN src-address=192.168.0.0/24
add action=masquerade chain=srcnat comment="Gateway Analia"
out-interface=WAN src-address=192.168.10.0/24
add action=masquerade chain=srcnat out-interface=WAN
add action=dst-nat chain=dstnat comment="XBONE STREAMMING" protocol=tcp
src-port=5050 to-addresses=192.168.0.5 to-ports=5050
add action=dst-nat chain=dstnat protocol=tcp src-port=4838
to-addresses=192.168.0.5 to-ports=4838
add action=dst-nat chain=dstnat protocol=udp src-port=5050
to-addresses=192.168.0.5 to-ports=5050
add action=dst-nat chain=dstnat protocol=udp src-port=4838
to-addresses=192.168.0.5 to-ports=4838
add action=dst-nat chain=dstnat comment="ALIEN STEAM" protocol=udp
src-port=4380 to-addresses=192.168.0.15 to-ports=4380
add action=dst-nat chain=dstnat protocol=tcp src-port=4380
to-addresses=192.168.0.15 to-ports=4380
add action=dst-nat chain=dstnat comment=TEST dst-port=3389 log=yes
protocol=tcp to-addresses=192.168.0.228 to-ports=3389

I am just testing with the last rule, named "TEST", to remote desktop into a local computer on the network.

Thanks.

And this is the log when the connection happens:

where 192.168.0.228 is my notebook and 192.168.0.15 is a real SSH server.

I'm trying to go to my public IP on port 8000 and forward it to port 22 on my internal network.

Thanks.

Unless you are specifying a source port in the originating connection, this is typically a dynamic high port number and wouldn't be used in the matching portion of a dst-nat rule.

Based on what you are trying to do, this should get you where you are trying to go for SSH port forwarding on a non TCP/22 port publicly.

Where 1.1.1.1 = your public IP

/ip firewall nat
add action=dst-nat chain=dstnat dst-address=1.1.1.1 dst-port=8000 protocol=\
    tcp to-addresses=192.168.0.15 to-ports=22
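As an added example (not code from this thread or from MikroTik), the following Python script parses RouterOS "/ip firewall export" output and flags the two mistakes discussed above: dst-nat rules keyed on src-port instead of dst-port, and a forward-chain drop of new WAN connections that does not exempt dst-nat'ed traffic with connection-nat-state=!dstnat. The export text, interface name and addresses in it are constructed for the example.

```python
import re
import shlex
# Constructed sample in RouterOS "/ip firewall export" syntax (not any poster's
# config); it reproduces both thread mistakes so the lint below has something to flag.
SAMPLE_EXPORT = r"""
/ip firewall filter
add chain=forward connection-state=established,related
add action=drop chain=forward connection-state=new in-interface=ether1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=dst-nat chain=dstnat protocol=tcp src-port=5050 \
    to-addresses=192.168.0.5 to-ports=5050
add action=dst-nat chain=dstnat dst-address=1.1.1.1 dst-port=8000 protocol=\
    tcp to-addresses=192.168.0.15 to-ports=22
"""

def parse_export(text):
    """Return [(section, {key: value}), ...] for every 'add' line of an export."""
    rules, section = [], None
    # A trailing backslash continues the line in RouterOS exports; splice them.
    for line in re.sub(r"\\\n\s*", "", text).splitlines():
        line = line.strip()
        if line.startswith("/"):
            section = line
        elif line.startswith("add "):  # shlex keeps quoted values like comment="..."
            kv = dict(t.split("=", 1) for t in shlex.split(line)[1:] if "=" in t)
            rules.append((section, kv))
    return rules

def lint(rules):
    """Flag dst-nat rules that can never match, and forward drops that hit them."""
    findings = []
    for section, kv in rules:
        if section == "/ip firewall nat" and kv.get("action") == "dst-nat":
            if "src-port" in kv and "dst-port" not in kv:
                findings.append(f"dst-nat to {kv.get('to-addresses')} matches src-port="
                                f"{kv['src-port']}: clients use ephemeral source ports, use dst-port")
    accepted = False  # becomes True once an accept for connection-nat-state=dstnat is seen
    for section, kv in rules:
        if section != "/ip firewall filter" or kv.get("chain") != "forward":
            continue
        action = kv.get("action", "accept")  # RouterOS default action is accept
        if action == "accept" and kv.get("connection-nat-state") == "dstnat":
            accepted = True
        if (action == "drop" and "new" in kv.get("connection-state", "")
                and kv.get("connection-nat-state") != "!dstnat" and not accepted):
            findings.append(f"forward drop on in-interface={kv.get('in-interface')} lacks "
                            "connection-nat-state=!dstnat, so dst-nat'ed connections are dropped too")
    return findings
```

Running lint(parse_export(SAMPLE_EXPORT)) reports the src-port rule and the ether1 drop; the RB750 default ruleset posted later in this thread passes because its forward drop carries connection-nat-state=!dstnat.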

Hi

this is my first attempt at using a Mikrotik router. I have an RB 3011 Ui AS-RM. I wish, ultimately, to use this to fail over my multiple ISPs for the web services I host. For now I am just setting up a single WAN and doing port forwarding to a host in a DMZ. Later, I will expand the usage as I learn more about managing this neat little box.

So, a little embarrassing. I read this: http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/NAT#Port_mapping and thought I'd done things right, but I cannot seem to get through to my host from outside. It has been many years since I've created a rule manually using iptables, so I've been using the GUI instead.

I have the following output from the commands others in this thread were asked for:

[Roger@trk-mtk-01] /ip> address print detail
Flags: X - disabled, I - invalid, D - dynamic
 0   ;;; defconf
     address=192.168.0.1/24 network=192.168.0.0 interface=ether2-master actual-interface=bridge

 1   address=64.251.74.211/29 network=64.251.74.208 interface=ether1 actual-interface=ether1



[Roger@trk-mtk-01] /ip> route print detail
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
 0 A S  dst-address=0.0.0.0/0 gateway=64.251.74.209 gateway-status=64.251.74.209 reachable via  ether1 distance=1 scope=30 target-scope=10

 1 ADC  dst-address=64.251.74.208/29 pref-src=64.251.74.211 gateway=ether1 gateway-status=ether1 reachable distance=0 scope=10

 2 ADC  dst-address=192.168.0.0/24 pref-src=192.168.0.1 gateway=bridge gateway-status=bridge reachable distance=0 scope=10



[Roger@trk-mtk-01] /ip> firewall export
# oct/18/2016 14:37:27 by RouterOS 6.34.3
# software id = 5AVW-BE3W
#
/ip firewall filter
add chain=input comment="defconf: accept ICMP" protocol=icmp
add chain=input comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=ether1
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=ether1
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=ether1
add action=dst-nat chain=dstnat comment="RT - SSH" dst-address=64.251.74.211 dst-port=22 protocol=tcp to-addresses=192.168.0.11 to-ports=22
add action=dst-nat chain=dstnat comment="RT - SMTP" dst-address=64.251.74.211 dst-port=25 protocol=tcp to-addresses=192.168.0.11
add action=dst-nat chain=dstnat comment="RT - HTTP" dst-address=64.251.74.211 dst-port=80 protocol=tcp to-addresses=192.168.0.11
add action=dst-nat chain=dstnat comment="RT - HTTPS" dst-address=64.251.74.211 dst-port=443 protocol=tcp to-addresses=192.168.0.11
add action=dst-nat chain=dstnat comment="TRK-KVM-01 - SSH" dst-address=64.251.74.211 dst-port=2220 protocol=tcp to-addresses=192.168.0.20 to-ports=22
add action=dst-nat chain=dstnat comment="TRK-KVM-03 - SSH" dst-address=64.251.74.211 dst-port=2210 in-interface=ether1 log=yes protocol=tcp to-addresses=192.168.0.10 to-ports=22

I can ping 192.168.0.10 from the RB 3011 and from other hosts on the 192.168.0.0/24 subnet.
I can ssh into 192.168.0.10 on port 22 from other hosts on the 192.168.0.0/24 subnet but not from the RB 3011 (192.168.0.1).
SSH into 64.251.74.211 on port 2210 times out.
SSH to 64.251.74.211 port 22 times out.
I have not changed the services under IP > Services, yet none of the services are available despite being listed in the GUI as active.

I’m missing something fundamental here.

Any suggestions?

Paul

I resolved the problem!

A comment on another thread pointed out the importance of the target VM having the right gateway. I had multiple "default" gateways because the host has guests on different networks.

The short story: once I correctly configured the guests' gateway to point to the RB 3011, everything just started working.

I hope that helps someone else.

Paul

Hi Paul,

Please help me for the below ticket.
Hope you can help me on this.
http://forum.mikrotik.com/t/host-to-host-connection-not-happening-via-mikrotik-router/115741/5