port forwarding on v.2.9.8

Hello,

The Mikrotik router is set up and works great. However, I am having a terrible time forwarding public addresses and ports to internal addresses and the corresponding ports.

My public NIC has multiple addresses. For example, I want to forward HTML traffic from public address 10.0.0.20, port 80, to internal address (our web server) 192.168.0.20, port 80, and FTP traffic from public address 10.0.0.5, ports 20 & 21, to internal address (our FTP server) 192.168.0.5, ports 20 & 21. I tried several filter combinations but traffic is not getting through. I must not be setting up the filters correctly.

What would be the proper way to accomplish this?

Many thanks in advance.

~James

You can find all necessary information here:
http://www.mikrotik.com/docs/ros/2.9/ip/nat
You can use the examples from this chapter; only add appropriate ports to the dst-nat rules.

Thank you for your reply. I followed the instructions and there is no reply from the public side. For example, here are my rules:

2   chain=dstnat dst-address=10.0.0.5 action=dst-nat to-addresses=192.168.0.5 to-ports=20-21
3   chain=srcnat src-address=192.168.0.5 action=src-nat to-addresses=10.0.0.5 to-ports=20-21

However, when I FTP to 10.0.0.5 from the outside public network, there is no response from FTP; packets aren't getting through to the local network.

What do I need to correct?

Thank you,

~James
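The rules posted above forward every protocol to the FTP host and use to-ports on the src-nat rule, which rewrites the source port of outbound packets rather than selecting what is forwarded; to-ports is also only meaningful together with protocol=tcp or protocol=udp. The following is an added example (not the poster's config and not from the linked MikroTik documentation) of the same two services written with protocol and destination-port matches, one src-nat rule per server so each keeps its own public address, and forward-chain filter rules that accept only the forwarded ports. Interface names ether1 (public) and ether2 (LAN) are assumptions; addresses are those from the first post. The internal servers must use this router as their default gateway, otherwise replies never pass back through the NAT.

```routeros
# Added example, RouterOS 2.9 syntax. Assumed: ether1 = public side, ether2 = LAN.
# Web server: public 10.0.0.20:80 -> 192.168.0.20:80
# FTP server: public 10.0.0.5:21  -> 192.168.0.5:21
/ip firewall nat
# dst-nat scoped to protocol and port, so only the intended service is exposed
add chain=dstnat in-interface=ether1 protocol=tcp dst-address=10.0.0.20 dst-port=80 \
    action=dst-nat to-addresses=192.168.0.20 to-ports=80 comment="web in"
add chain=dstnat in-interface=ether1 protocol=tcp dst-address=10.0.0.5 dst-port=21 \
    action=dst-nat to-addresses=192.168.0.5 to-ports=21 comment="ftp control in"
# Outbound traffic from each server keeps its own public address. No to-ports here:
# that would rewrite the source port (active-mode FTP data must leave from port 20).
add chain=srcnat out-interface=ether1 src-address=192.168.0.20 \
    action=src-nat to-addresses=10.0.0.20 comment="web out"
add chain=srcnat out-interface=ether1 src-address=192.168.0.5 \
    action=src-nat to-addresses=10.0.0.5 comment="ftp out"
# Everything else on the LAN leaves with the router's primary public address.
add chain=srcnat out-interface=ether1 action=masquerade comment="lan out"

/ip firewall filter
# Forward chain runs after dst-nat has rewritten the destination,
# so match on the internal address and port, not the public one.
add chain=forward connection-state=established action=accept
add chain=forward connection-state=related action=accept
add chain=forward in-interface=ether1 protocol=tcp dst-address=192.168.0.20 dst-port=80 \
    action=accept comment="web"
add chain=forward in-interface=ether1 protocol=tcp dst-address=192.168.0.5 dst-port=21 \
    action=accept comment="ftp control"
# Drop any other new connection arriving from the public side.
add chain=forward in-interface=ether1 connection-state=new action=drop comment="no other inbound"
```

Port 20 and the passive-mode data ports are not forwarded explicitly: with the FTP connection-tracking helper enabled (the default entry for port 21 under /ip firewall service-port) the data channel is tracked as "related" to the control connection, so the related-accept rule and the NAT follow it. Disable that helper and only the control channel will work.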

What address do you use for ftp access from public internet?

Hello,

Thank you for pointing me in the right direction. The error was my mistake.

I left the gateway of the inside target machine pointing to the old router. Changed that and everything works perfectly.

Thank you again for sending me the link. The problem was solved.

Regards,

~James

I am confused… Plain and simple

I have given the router an external IP address XXX.XXX.XXX.254/24 on the first port, and stated the gateway XXX.XXX.XXX.1 for the same port.

On the internal interface, I have given the IP of 10.8.0.254/16.
I have made all the internal elements point to 10.8.0.254 for their gateway.

I can ping yahoo.com and any machine on the internal network from within, but when I forward ports to an internal device, I see the traffic coming in on the external interface, but nothing on the internal firewall rules?

Should I be telling the router that 10.8.0.254 is the internal gateway for the network, and if so, how do I do that, as when I set this, it will not go active?

Thanks in advance.

Post your actual configuration...

Mind you this is for UDP use only.

/ip address
add address=209.120.218.254/24 network=209.120.218.0 broadcast=209.120.218.255 \
    interface=core2 comment="Core03" disabled=no
add address=10.64.0.254/16 network=10.64.0.0 broadcast=10.64.255.255 \
    interface=internal comment="Gateway" disabled=no
add address=10.64.0.35/16 network=10.64.0.0 broadcast=10.64.255.255 \
    interface=internal comment="DNS" disabled=no
add address=209.120.218.89/24 network=209.120.218.0 broadcast=209.120.218.255 \
    interface="Ext VPN" comment="Ext VPN" disabled=no
add address=192.168.1.1/30 network=192.168.1.0 broadcast=192.168.1.3 \
    interface="Int VPN" comment="Internal VPN" disabled=no

/ip firewall nat
# masquerade for the VPN side, currently disabled
add chain=srcnat out-bridge-port="Ext VPN" action=masquerade comment="" \
    disabled=yes
# all-port 1:1 forward of the second public address to the VPN server
add chain=dstnat dst-address=209.120.218.89 action=dst-nat \
    to-addresses=192.168.1.2 to-ports=0-65535 comment="" disabled=no
add chain=srcnat src-address=192.168.1.2 action=src-nat \
    to-addresses=209.120.218.89 to-ports=0-65535 comment="" disabled=no

Am I on the right track?

Can you please also post your routes and explain a little the purpose of all these interfaces?

Sure,

I am trying to set up OpenVPN where it would reside behind a firewall. So I chose to buy/use the ISP version of MikroTik.

I had OpenVPN running on our network with a real-world IP address. Now I have it behind a server with 5 (five) 10/100 Ethernet ports. I did this so I could have another port open just in case a config brought down the router/firewall.

We already have carrier-class Cisco routers in place in front of the MikroTik.
I have taken two of the real-world IP addresses and assigned them to the MikroTik: one on ether1 (External), the other on ether3 (External VPN). On the inside network, I also have two of the 5 Ethernet ports assigned: ether2 (Internal) and ether4 (Internal VPN).

===Carrier Router
209.120.218.0/24 - IP 209.120.218.1
~|~
Switch 10/100/1000
~|~
209.120.218.254 Ext.\ 209.120.218.79 Ext. VPN Gateway 209.120.218.1
===Mikrotik
10.8.0.254 Internal \ 10.8.0.1 Internal VPN
~|~
Switch 10/100
~|~
~| 10.8.0.70 eth0 10.8.0.2 Br0 10.8.0.3 eth1
~~ == VPN server
~|~
== Other internal Network Elements ==

And then you can see my config above... I am really stuck here; it is like I can't get the VPN to send or receive anything directly?

Can you also post your routes? It is necessary because you have two external interfaces.

 #      DST-ADDRESS        PREFSRC          G GATEWAY         DISTANCE INTERFACE
 0 X S  10.8.0.0/16                           10.8.0.254 u    0.0.0.0
 1  DC  10.8.0.0/16        10.8.0.35                                   internal
 2 ADC  10.8.0.0/16        10.8.0.1                                    Int VPN
 3 ADC  209.120.218.0/24   209.120.218.254                             core2
 4  DC  209.120.218.0/24   209.120.218.89                              Ext VPN
 5 A S  ;;; added by setup
        0.0.0.0/0                             209.120.218.1 r          core2
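The dstnat rule in the configuration above forwards every TCP and UDP port of 209.120.218.89 to the VPN server, and the poster's symptom ("traffic on the external interface, nothing on the internal firewall rules") is exactly the kind of gap that rule counters locate. The following is an added example, not the poster's config and not a diagnosis of it: it narrows the forward to a single UDP port and instruments the path with counting/logging rules, so a single connection attempt shows whether packets stop before NAT, between NAT and forwarding (routing), or after forwarding (the target's reply path). Assumptions: OpenVPN is listening on its default port udp/1194 (the thread never states the port), 192.168.1.2 is the VPN server, and "Ext VPN" / "Int VPN" are the interface names from the posted config; out-interface is used instead of out-bridge-port because those are plain Ethernet ports, not bridge members.

```routeros
# Added example, RouterOS 2.9 syntax. Assumed: OpenVPN on udp/1194 at 192.168.1.2,
# public address 209.120.218.89 on interface "Ext VPN", server reached via "Int VPN".
/ip firewall nat
# Only the VPN port is forwarded instead of to-ports=0-65535.
add chain=dstnat in-interface="Ext VPN" protocol=udp dst-address=209.120.218.89 dst-port=1194 \
    action=dst-nat to-addresses=192.168.1.2 to-ports=1194 comment="openvpn in"
# Replies and outbound traffic from the VPN server keep the second public address.
add chain=srcnat out-interface="Ext VPN" src-address=192.168.1.2 \
    action=src-nat to-addresses=209.120.218.89 comment="openvpn out"

/ip firewall filter
# Log-only rules at the top of the forward chain. action=log does not stop
# rule processing, so the accept rule below still applies.
add chain=forward in-interface="Ext VPN" protocol=udp dst-address=192.168.1.2 dst-port=1194 \
    action=log log-prefix="vpn-fwd-in" comment="counter: after dst-nat, entering forward"
add chain=forward out-interface="Int VPN" protocol=udp dst-address=192.168.1.2 dst-port=1194 \
    action=log log-prefix="vpn-fwd-out" comment="counter: routed towards the VPN server"
add chain=forward in-interface="Ext VPN" protocol=udp dst-address=192.168.1.2 dst-port=1194 \
    action=accept comment="openvpn"

# After one connection attempt from outside, read the counters and the log:
#   dstnat packets > 0, vpn-fwd-in = 0  -> dropped/unroutable between NAT and forward
#   vpn-fwd-in > 0,  vpn-fwd-out = 0    -> no usable route to 192.168.1.2
#   vpn-fwd-out > 0 but no reply seen   -> VPN server's default gateway is not this router
/ip firewall nat print stats
/ip firewall filter print stats
/log print

# Connected routes that print without the A (active) flag belong to interfaces
# that are not running; confirm with the R flag here before looking further.
/interface print
/ip route print
```

The routing check matters in this thread because the posted route table lists the connected routes for internal and Ext VPN as DC rather than ADC, and the same 10.8.0.0/16 appears as a connected route on two different interfaces; until the interface a packet is routed out of is active and unambiguous, no NAT rule will make it reach the VPN server.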