Port Forwarding not working

Hi,

I have a new CRS125-24G-1S-2HnD. It’s routing traffic to the internet. I can ping all the attached computers. I’m having a problem though with port forwarding.

I want all traffic both on the LAN and the WAN to intercept port 7373 and send it to a particular computer. I have this NAT entry:

chain=dstnat action=dst-nat to-addresses=10.10.10.73 to-ports=80 protocol=tcp  dst-port=7373

When I go to 10.10.10.73 I get a web page. When I go to 10.10.10.1:7373 or :7373 or :7373 I see the traffic hit that rule but I get no reply back.

Likewise, this happens with ssh coming in from the external interface

chain=dstnat action=dst-nat to-addresses=10.10.10.73 to-ports=40000 protocol=udp in-interface=ether1-WAN dst-port=40000

I’ve tried it with all firewall rules disabled with no joy. I think my routes look ok

 #      DST-ADDRESS        PREF-SRC        GATEWAY        DISTANCE
 0 X S  0.0.0.0/0                          pptp-out1             1
 1 ADS  0.0.0.0/0                          71.237.36.1           0
 2 ADC  10.10.10.0/24      10.10.10.1      bridge1               0
 3 ADC  71.237.36.0/22     71.237.37.203   ether1-WAN            0

and I have masq entries

0 chain=srcnat action=masquerade out-interface=ether1-WAN

2 ;;; Accept all
  chain=srcnat action=accept to-addresses=0.0.0.0 dst-address=0.0.0.0 out-interface=ether1-WAN

so I’m at a bit of a loss. Hoping that someone might be able to give me some ideas.

I also have a proxy forward which doesn’t work and the reason may be related

chain=dstnat action=dst-nat to-addresses=10.10.10.246 to-ports=3128 protocol=tcp src-address=10.10.10.0/24 dst-port=80

I found the reason for all of these. I was missing an internal nat item. In my case I reused an internal nat address list.

chain=srcnat action=masquerade src-address=10.10.10.0/24 dst-address-list=Local subnet
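
The fix above is what is usually called hairpin NAT. The following is an added example, not code from the thread: a small Python model of one TCP handshake through the dst-nat rule, showing why a LAN client gets no reply until the LAN-to-LAN masquerade rule exists. The client addresses and port 50000 are constructed, and the model assumes the "Local subnet" address list contains 10.10.10.0/24.

```python
from ipaddress import ip_address, ip_network

# Addresses from the first post; client values passed in below are constructed.
LAN = ip_network("10.10.10.0/24")
ROUTER_LAN = ip_address("10.10.10.1")
SERVER = (ip_address("10.10.10.73"), 80)   # dst-nat target
FWD_PORT = 7373                            # dst-port matched by the dst-nat rule


def simulate(client_ip, dst_ip, hairpin_masquerade):
    """Follow one TCP SYN and its SYN-ACK; return (works, source_seen_by_server)."""
    client = (ip_address(client_ip), 50000)          # constructed client socket
    expected_peer = (ip_address(dst_ip), FWD_PORT)   # what the client dialled

    # dstnat chain: rewrite the destination to the internal server.
    src, dst = client, SERVER

    # srcnat chain: the hairpin rule only matches LAN -> LAN traffic.
    if hairpin_masquerade and src[0] in LAN and dst[0] in LAN:
        src = (ROUTER_LAN, 50000)
    seen_by_server = src[0]

    # The server answers whatever source address it saw.
    reply_src, reply_dst = dst, src
    if reply_dst[0] in LAN and reply_dst[0] != ROUTER_LAN:
        # Same subnet: the reply is switched straight to the client and never
        # passes the router's connection tracking, so it is not un-NATed.
        arrives_from = reply_src
    else:
        # Reply reaches the router (as masquerade address or default gateway),
        # which reverses the translations.
        arrives_from = expected_peer

    # The client's TCP stack only accepts a SYN-ACK from the peer it dialled.
    return arrives_from == expected_peer, str(seen_by_server)


if __name__ == "__main__":
    for args in [("10.10.10.50", "10.10.10.1", False),
                 ("10.10.10.50", "10.10.10.1", True),
                 ("203.0.113.7", "71.237.37.203", False)]:
        print(args, "->", simulate(*args))
```

With the hairpin rule in place the server sees 10.10.10.1 as the source of every LAN client that uses the forwarded port, so its access logs and any IP-based allow lists no longer distinguish those clients.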

Joey,
I’m having the same problem, with the same model MikroTik. I hope you can help. I can’t get a simple port forward to work, and I’ve been using MikroTik routers for years!!! This is such a simple thing, it’s embarrassing to say… Here is my NAT config.

chain=srcnat action=masquerade to-addresses=75.99.xx.xx out-interface=ether1-gateway log=no log-prefix=""
chain=dstnat action=dst-nat to-addresses=192.168.1.13 to-ports=80 protocol=tcp dst-address=75.99.xx.xx in-interface=ether1-gateway dst-port=80 log=no log-prefix=""
chain=dstnat action=dst-nat to-addresses=192.168.1.88 to-ports=8000 protocol=tcp dst-address=75.99.xx.xx in-interface=ether1-gateway dst-port=8000 log=no log-prefix=""

Am I going crazy or not? Is this a bug with v6.20?
I’ve already tested that the internal host web GUI is accessible locally, there are no restrictions on the hosts allow subnet list. I also tried several different internal IPs which have port 80 open. I sniffed traffic, traffic is getting to the firewall, and host. I’m out of ideas. Can you help? Is there something about the CRS125 model that needs to be changed to make NAT port forwarding work?