port forwarding on HEX lite

Hi people! Been using Mikrotik for a bit but still can’t get the magic of port forwarding to work. I see the packet counter changing on the NAT page when I try to RDP on port 3389 or 13389 but don’t see anything on the computer 88.253. How does it manage to escape?

I have removed inactive rules, so some numbers are missing.

[root@MikroTik] > /ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=forward action=accept protocol=tcp dst-port=3390,3966,3990,3991,4132,3389,13389 log=no log-prefix=""
4 ;;; defconf: accept established,related,untracked
chain=input action=accept connection-state=established,related,untracked
5 ;;; defconf: drop invalid
chain=input action=drop connection-state=invalid
6 ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp
7 ;;; defconf: accept to local loopback (for CAPsMAN)
chain=input action=accept dst-address=127.0.0.1
8 ;;; defconf: drop all not coming from LAN
chain=input action=drop in-interface-list=!LAN
9 ;;; defconf: accept in ipsec policy
chain=forward action=accept ipsec-policy=in,ipsec
10 ;;; defconf: accept out ipsec policy
chain=forward action=accept ipsec-policy=out,ipsec
11 X ;;; defconf: fasttrack
chain=forward action=fasttrack-connection connection-state=established,related
12 ;;; defconf: accept established,related, untracked
chain=forward action=accept connection-state=established,related,untracked
13 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid
14 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN
15 ;;; deny 8.8.4.4 via reserve internet channel
chain=output action=drop dst-address=8.8.4.4 out-interface=ether2 log=no log-prefix=""
16 chain=forward action=accept protocol=tcp dst-port=80,443 log=no log-prefix=""


[root@MikroTik] > /ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; RDP
chain=dstnat action=dst-nat to-addresses=192.168.88.253 to-ports=3389 protocol=tcp dst-port=3390,3966,3990,3991,4132,3389,13389 log=no log-prefix=""

1 ;;; NAT ISP1
chain=srcnat action=masquerade out-interface=ether1 log=no log-prefix="" ipsec-policy=out,none

2 ;;; NAT ISP2
chain=srcnat action=masquerade out-interface=ether2 log=no log-prefix=""

Your situation is more complicated due to using two WANIPs, as we have no clue how you have set up your router.
Also are they fixed or dynamic WANIPs?
Finally, are you concerned about external users accessing your server OR
a. internal users via lanip OR
b. internal users via WANIP

/export hide-sensitive file=anynameyouwish