Port Forwarding Partially works

Hey,

I have set my MikroTik RouterBoard hap AC as the router instead of my Modem/Router that my ISP gave me.

I’m trying to set port forwarding to a service in 192.168.1.7 on port 8081
That’s the configuration of my Port Forwarding:

Flags: X - disabled, I - invalid, D - dynamic
0    ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface=ether1
1    chain=dstnat action=dst-nat to-addresses=192.168.1.7 to-ports=8081 protocol=tcp in-interface=ether1 dst-port=8081 log=yes

And that’s my filter rules:

Flags: X - disabled, I - invalid, D - dynamic
0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough
1    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp
2    ;;; defconf: accept established,related
      chain=input action=accept connection-state=established,related
3    chain=forward action=accept protocol=tcp in-interface=ether1 dst-port=8081 log=yes
4    chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=ether1
5    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection connection-state=established,related
6    chain=input action=drop in-interface=ether1
7    ;;; defconf: accept established,related
      chain=forward action=accept connection-state=established,related
8    chain=forward action=drop connection-state=invalid

And that’s my router configuration:

# jul/04/2017 09:25:25 by RouterOS 6.39.2
# software id = IR4U-9KM0
#
/interface bridge
add admin-mac=xx:xx:xx:xx auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether2 ] name=ether2-master
set [ find default-name=ether3 ] master-port=ether2-master
set [ find default-name=ether4 ] master-port=ether2-master
set [ find default-name=ether5 ] master-port=ether2-master
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-g/n channel-width=20/40mhz-Ce country=Unknown disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=BabaN wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-onlyac channel-width=20/40/80mhz-Ceee country=Unknown disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=Baba wireless-protocol=802.11
/ip neighbor discovery
set ether1 discover=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys wpa-pre-shared-key=somekey wpa2-pre-shared-key=somekey
/ip pool
add name=dhcp ranges=192.168.1.10-192.168.1.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-master
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip address
add address=192.168.1.1/24 comment=defconf interface=ether2-master network=192.168.1.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.1.1 name=router
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related
add action=accept chain=forward dst-port=8081 in-interface=ether1 log=yes protocol=tcp
add action=drop chain=forward connection-nat-state=!dstnat connection-state=new in-interface=ether1
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=drop chain=input in-interface=ether1
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=forward connection-state=invalid
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=ether1
add action=dst-nat chain=dstnat dst-port=8081 in-interface=ether1 log=yes protocol=tcp to-addresses=192.168.1.7 to-ports=8081
/system clock
set time-zone-name=MyTimeZone
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=bridge
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=bridge

If I’m trying to reach

http://<my-public-ip>:8081

outside my network, I’m getting what I want.
But, if I try to reach it inside my network, I’m getting “Connection Refused”, like there is nothing behind that address.

What is blocking me inside my network?

https://wiki.mikrotik.com/wiki/Hairpin_NAT

Nothing is blocking you.
In short, your computer is seeing the replies from 192.168.1.7 as invalid.

If you want to be able to communicate with the device in question from your LAN using your WAN address, you would need to set up something called a hairpin NAT.
It would be recommended however to use the local IP on the LAN - is there a specific reason you want to use the public IP? If it is because you want to use a FQDN to reach your device, you can achieve this by adding a static entry to your local DNS server.
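The reply above explains the failure in one sentence; the model below walks the packets through it. This is an added example, not the poster's export or code from the linked wiki page. It uses the thread's addresses (router 192.168.1.1/24, service on 192.168.1.7:8081) and constructs placeholders for everything the thread elides: 203.0.113.10 for the public IP, 192.168.1.50 for a LAN client and 198.51.100.5 for an Internet client. The hairpin rule is modelled generically as "masquerade when both source and post-dst-nat destination are on the LAN", which is the shape of rule the wiki page describes; the exact match conditions you would use on the router are not taken from this thread.

```python
"""Packet-level model of the hairpin NAT problem in this thread.

Three runs of the same connection attempt to http://<public-ip>:8081:
  1. Internet client, dst-nat only      -> works (reply must cross the router)
  2. LAN client, dst-nat only           -> fails (server answers the client directly)
  3. LAN client, dst-nat + hairpin      -> works (reply is pulled back through the router)
Addresses marked 'constructed' are placeholders, not values from the thread.
"""
from __future__ import annotations
from dataclasses import dataclass, replace

LAN_PREFIX = "192.168.1."
ROUTER_LAN = "192.168.1.1"
ROUTER_WAN = "203.0.113.10"   # constructed placeholder for <my-public-ip>
SERVER = "192.168.1.7"        # from the thread
SERVICE_PORT = 8081           # from the thread
LAN_CLIENT = "192.168.1.50"   # constructed LAN host
WAN_CLIENT = "198.51.100.5"   # constructed Internet host


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flag: str  # "SYN" from the client, "SYN-ACK" from the server


def in_lan(ip: str) -> bool:
    return ip.startswith(LAN_PREFIX)


class Router:
    """Stateful NAT: the thread's dst-nat rule plus an optional hairpin srcnat rule."""

    def __init__(self, hairpin: bool):
        self.hairpin = hairpin
        # translated 4-tuple -> original 4-tuple, as connection tracking stores it
        self.conntrack: dict[tuple, tuple] = {}

    def forward(self, pkt: Packet) -> Packet:
        """Translate a new connection (the SYN) and record it."""
        original = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        out = pkt
        # chain=dstnat dst-port=8081 to-addresses=192.168.1.7 (rule from the thread)
        if pkt.dst == ROUTER_WAN and pkt.dport == SERVICE_PORT:
            out = replace(out, dst=SERVER)
        # Hairpin masquerade (assumed shape): LAN source talking to a LAN destination
        # after dst-nat gets its source rewritten to the router's LAN address.
        if self.hairpin and in_lan(out.src) and in_lan(out.dst):
            out = replace(out, src=ROUTER_LAN)
        self.conntrack[(out.src, out.sport, out.dst, out.dport)] = original
        return out

    def reverse(self, reply: Packet) -> Packet:
        """Undo the translation for a reply that belongs to a tracked connection."""
        key = (reply.dst, reply.dport, reply.src, reply.sport)
        src, sport, dst, dport = self.conntrack[key]
        return replace(reply, src=dst, sport=dport, dst=src, dport=sport)


def server_reply(pkt: Packet) -> tuple[Packet, bool]:
    """The server answers whatever it saw. Returns the SYN-ACK and whether it passes
    through the router: only when addressed to the router itself or to a host off
    the LAN. A same-subnet peer is reached directly across the bridge."""
    reply = Packet(pkt.dst, pkt.dport, pkt.src, pkt.sport, "SYN-ACK")
    via_router = reply.dst == ROUTER_LAN or not in_lan(reply.dst)
    return reply, via_router


def connect(client_ip: str, hairpin: bool) -> str:
    """Simulate one client opening http://<public-ip>:8081 and report the outcome."""
    router = Router(hairpin)
    syn = Packet(client_ip, 40000, ROUTER_WAN, SERVICE_PORT, "SYN")
    reply, via_router = server_reply(router.forward(syn))  # public IP is off-LAN: SYN hits the router
    if via_router:
        reply = router.reverse(reply)
    expected = (ROUTER_WAN, SERVICE_PORT, client_ip, 40000)
    got = (reply.src, reply.sport, reply.dst, reply.dport)
    if got == expected:
        return "established"
    # The client's socket is waiting on <public-ip>:8081; a SYN-ACK from another
    # address matches no socket, so the kernel rejects it and the connect fails.
    return (f"rejected: SYN-ACK came from {reply.src}:{reply.sport}, "
            f"socket expects {ROUTER_WAN}:{SERVICE_PORT}")


if __name__ == "__main__":
    print("Internet client, no hairpin:", connect(WAN_CLIENT, hairpin=False))
    print("LAN client, no hairpin:     ", connect(LAN_CLIENT, hairpin=False))
    print("LAN client, with hairpin:   ", connect(LAN_CLIENT, hairpin=True))
```

Run 2 is the "Connection Refused" the original poster saw: nothing is dropped by the filter, the SYN-ACK simply arrives from 192.168.1.7 instead of the public address. Run 3 also shows the cost of hairpin NAT that makes the DNS override attractive: after the masquerade, the service on 192.168.1.7 sees every LAN client as 192.168.1.1, so its access logs lose the real client address.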

I agree to consider DNS overrides as an alternative to hairpin NAT. I find it simpler.

Thanks w177f! Adding the DNS record did the trick! And it’s really simple rather than hairpin NAT.

No problem dude - please rate the post positive if I helped - gotta get me some of those fake internet points :slight_smile: