Port forwarding - please help!

Hello All,

I have just bought MikroTik RB962UiGS-5HacT2HnT and trying to set it up.

I have done all basic configuration and router works well.
Now I am on fine settings.
I need to set up port forwarding, as I have a webserver behind the router and I want it to be accessible from the Internet.

Let's say the external router IP is 32.32.32.32, the local webserver IP is 192.168.0.10 and the port is 1111 (just an example).

I went to IP->Firewall->NAT and created new NAT Rule:

General:
Chain: dstnat
Protocol: 6 (tcp)
Dst. Port: 1111
In. Interface: ether1-WAN - input internet port

Action:
Action: netmap
To Address: 192.168.0.10
To Ports: 1111

Once the rule was created I was able to access my webserver from the Internet: 32.32.32.32:1111

But I have another problem: I cannot access that webserver from my LAN. I cannot access 32.32.32.32:1111 from local host 192.168.0.11.
192.168.0.10:1111 works well, but the external IP doesn't work.

Is anyone able to help me resolve the issue? I would be very grateful.

Thanks in advance.
Sergey

Port forward: http://bfy.tw/Heg7
Access local server with public IP from LAN: http://bfy.tw/HegK

Hi, that's because you are going out with that external IP and coming back again to it.
Most ISPs won't allow that.

Sent from iPhone with Tapatalk

@Discmandj … it is not a problem of the ISP's configuration or their will to allow/disallow it. Look at the links above.

As BartoszP suggested, your solution is srcnat. A little Googling goes a long way.
http://forum.mikrotik.com/t/access-to-wan-ip-from-lan/93234/1
and
http://forum.mikrotik.com/t/cant-reach-public-ip-from-lan/41298/1

Hello again!

Thanks to everyone who replied. I went through lots of links and finally found this one useful:

https://wiki.mikrotik.com/wiki/Hairpin_NAT

I have applied the following 2 scripts:

/ip firewall nat
add chain=dstnat dst-address=32.32.32.32 protocol=tcp dst-port=1111
action=dst-nat to-address=192.168.0.10
add chain=srcnat out-interface=WAN action=masquerade

/ip firewall nat
add chain=srcnat src-address=192.168.0.0/24
dst-address=192.168.0.10 protocol=tcp dst-port=1111
out-interface=LAN action=masquerade

and now I can access the webserver from outside and inside the LAN.
But, as you can see, I have to use the fixed external router IP 32.32.32.32.
I have a dynamic external IP, so the solution will not really work for me.

Can anyone advise how I can modify these 2 scripts for a dynamic IP?

Thanks in advance

Sergey

In dstnat rule, you can use dst-address-type=local instead of dst-address=32.32.32.32. It does exactly what it says, it will match any address assigned to router.

In case you'd want to use the same port also to access some service on the router (e.g. WebFig on 192.168.0.x:80, where x is what the router has on the LAN interface), add another condition to create an exception, i.e. dst-address=!192.168.0.x.

or just specify WAN interface as the in interface in the dst nat rule?

Not if you want it to work from LAN. Even though you’re connecting to address on WAN, in-interface will still be LAN and such rule wouldn’t match.
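To make the two explanations above concrete (why the hairpin srcnat rule from Sergey's script is needed, and why an in-interface=WAN matcher on the dstnat rule would break access from the LAN), here is a small constructed model of how the router translates the packet. It is an added illustration, not RouterOS code and not from anyone in the thread; it uses the thread's example addresses and assumes the server's default gateway is the router at 192.168.0.1.

```python
from dataclasses import dataclass, replace
import ipaddress

# Constructed model of the thread's rules, using its example addresses:
# public 32.32.32.32, LAN 192.168.0.0/24, router 192.168.0.1, web server .10.
LAN = ipaddress.ip_network("192.168.0.0/24")
ROUTER_LAN_IP, PUBLIC_IP, SERVER_IP, PORT = "192.168.0.1", "32.32.32.32", "192.168.0.10", 1111
LOCAL_ADDRS = {ROUTER_LAN_IP, PUBLIC_IP}  # what dst-address-type=local matches

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    in_iface: str  # "WAN" or "LAN"

def in_lan(addr):
    return ipaddress.ip_address(addr) in LAN

def dstnat(pkt, match_in_iface=None):
    # chain=dstnat dst-address-type=local protocol=tcp dst-port=1111
    # action=dst-nat to-address=192.168.0.10  (optionally also in-interface=WAN)
    if pkt.dport != PORT or pkt.dst not in LOCAL_ADDRS:
        return pkt
    if match_in_iface is not None and pkt.in_iface != match_in_iface:
        return pkt  # from LAN the in-interface is LAN even when dst is the WAN address
    return replace(pkt, dst=SERVER_IP)

def srcnat(pkt, out_iface, hairpin_rule=True):
    # chain=srcnat src-address=192.168.0.0/24 dst-address=192.168.0.10
    # protocol=tcp dst-port=1111 out-interface=LAN action=masquerade
    if (hairpin_rule and out_iface == "LAN" and in_lan(pkt.src)
            and pkt.dst == SERVER_IP and pkt.dport == PORT):
        return replace(pkt, src=ROUTER_LAN_IP)
    return pkt

def connection_works(pkt, match_in_iface=None, hairpin_rule=True):
    """True if the SYN reaches the server and the server's reply comes back
    through the router, so the source can be translated back to 32.32.32.32."""
    p = dstnat(pkt, match_in_iface)
    if p.dst != SERVER_IP:
        return False  # not translated: lands in the router's input chain, nothing listens
    out_iface = "LAN" if in_lan(p.dst) else "WAN"
    p = srcnat(p, out_iface, hairpin_rule)
    # The server replies to the source it saw. If that is a LAN host (not the
    # router), the reply bypasses the router and reaches the client from
    # 192.168.0.10, which the client drops because it expected 32.32.32.32.
    return p.src == ROUTER_LAN_IP or not in_lan(p.src)
FROM_INTERNET = Packet("203.0.113.5", PUBLIC_IP, PORT, "WAN")  # constructed remote client
FROM_LAN = Packet("192.168.0.11", PUBLIC_IP, PORT, "LAN")
```

`connection_works(FROM_LAN)` is only true with both the local-address dstnat rule and the hairpin masquerade in place; adding `match_in_iface="WAN"` or dropping the hairpin rule makes the LAN case fail while the Internet case still works.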

Sob!

Thanks a lot, your suggestion worked for me.

Thanks to everyone who replied as well.

Sergey

good tip Sob, thanks!
I assume that this works for dynamic public IP as it’s assigned to the router’s WAN interface?

Yes. It works for any IP address assigned to any interface. Which is sometimes too much, and an exception is needed.

Hello everyone again!

I have to come back to the forum as I am facing another small (I hope) problem.

I have finished my port forwarding/hairpin NAT setup.
Now I have my FTP server running on port 21 on the LAN.
The next step is to make the MikroTik internal FTP work.
As port 21 is already taken, I am moving it to port 8021.

IP → Services → IP Service List → ftp : 8021
IP → Firewall → Service Ports → ftp : 8021

Next step is to set up NAT forwarding/hairpin:

/ip firewall nat
add chain=dstnat comment="Mikrotik FTP forward" dst-address-type=local protocol=tcp dst-port=8021
action=dst-nat to-address=192.168.0.1

/ip firewall nat
add chain=srcnat comment="Mikrotik FTP hairpin" src-address=192.168.0.0/24
dst-address=192.168.0.1 protocol=tcp dst-port=8021
out-interface-list=LAN action=masquerade

where 192.168.0.1 is the MikroTik internal IP.

So what I got now:

I can reach the FTP from the LAN using both the internal and external IP:

ftp://192.168.0.1:8021/
ftp://32.32.32.32:8021/

where 32.32.32.32 is the MikroTik external IP.

BUT! I cannot reach the FTP server from the Internet. I cannot figure out what is missing.

Please help.

Thanks in advance.
Sergey.

Important question first: do you need the FTP server on the router for anything? Because it's not a very useful service. It's not required for normal operation at all. And if you'd want to use it for file sharing with a USB disk, it works, but it's very simple, there's no good access control, encryption or anything. And if you already have another FTP server (if I understand it correctly), I don't see a reason to deal with this one.

If you really want it, then:

  1. Changing the port in IP->Services was correct.
  2. In IP->Firewall->Service Ports->ftp, it's not clear if you changed the port, or if you added 8021 to the existing 21. If you changed it, it's wrong, because it can affect all FTP connections. This tells the router which ports it should inspect for FTP control connections and find related data connections, so that you can allow them in the firewall.
  3. If the service is on the router itself, it doesn't need NAT at all, neither dstnat nor hairpin. Just allow dst-port=8021 in /ip firewall filter, chain=input and that's it (assuming you also have the standard rule to allow related connections).

Hi Sob.

I need the MikroTik FTP server as a light-weight service to back up the main server, which is not online 24/7.

I have resolved the problem by removing the forwarding and hairpin NAT rules as you recommended and disabling the firewall rule which was blocking all requests from non-LAN.

It all works now.

Thanks for help.

Sergey

I would recommend adding an accept for input from an address list before the default drop rule you disabled, and re-enabling it.

That's right, the default drop rule is a good thing. If you disable it, you open everything on the router to the whole world. Don't do that.

You are right, it is not a good idea to disable the default rule.

I have tried:

/ip firewall filter add chain=input protocol=tcp dst-port=8021 action=accept

but it did not work. Any idea what the problem with that command is?

Sergey

It depends on your other rules:

  1. Order is important; this new accept rule must be before the last drop rule.
  2. If clients use passive mode (which should probably be the default for most of them), you also need a rule to accept connections with connection-state=related. The default firewall has such a rule (combined with the established state).
  3. You need to have your non-standard port in IP->Firewall->Service Ports->ftp (in addition to the default 21), otherwise there would be no related connections.
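The three points above can be checked against a small first-match model of the input chain. This is an added, constructed illustration (not RouterOS and not from anyone in the thread): it assumes the default firewall's "accept established,related" rule, a default drop for traffic not from the LAN interface list, and a passive-mode data port of 50123 chosen for the example.

```python
# Constructed first-match model of a RouterOS input chain for the FTP case in
# this thread. It shows why rule order, the connection-state=related rule and
# the ftp service port (IP->Firewall->Service Ports) all have to be right.
ESTABLISHED_RELATED = {"connection-state": {"established", "related"}, "action": "accept"}
DROP_NOT_LAN = {"in-interface-list": "!LAN", "action": "drop"}   # the default drop rule
ACCEPT_FTP = {"protocol": "tcp", "dst-port": 8021, "action": "accept"}
DEFAULT_SERVICE_PORTS = {21}                      # /ip firewall service-port ftp, unchanged

def matches(rule, pkt):
    for key, want in rule.items():
        if key == "action":
            continue
        have = pkt.get(key)
        if isinstance(want, set):                 # e.g. connection-state=established,related
            if have not in want:
                return False
        elif isinstance(want, str) and want.startswith("!"):   # negated matcher
            if have == want[1:]:
                return False
        elif have != want:
            return False
    return True

def verdict(chain, pkt):
    """First matching rule decides; RouterOS accepts when nothing matches."""
    for rule in chain:
        if matches(rule, pkt):
            return rule["action"]
    return "accept"

def ftp_session_ok(chain, service_ports, control_port=8021):
    """True when an Internet client can open the control connection AND the
    passive-mode data connection that follows it."""
    control = {"protocol": "tcp", "dst-port": control_port,
               "in-interface-list": "WAN", "connection-state": "new"}
    if verdict(chain, control) != "accept":
        return False
    # The FTP helper only marks the data connection "related" if it inspected
    # a control connection on a port listed under service-port ftp.
    state = "related" if control_port in service_ports else "new"
    data = {"protocol": "tcp", "dst-port": 50123, "in-interface-list": "WAN",
            "connection-state": state}               # 50123: constructed passive port
    return verdict(chain, data) == "accept"

APPENDED_AFTER_DROP = [ESTABLISHED_RELATED, DROP_NOT_LAN, ACCEPT_FTP]  # what a plain "add" does
PLACED_BEFORE_DROP = [ESTABLISHED_RELATED, ACCEPT_FTP, DROP_NOT_LAN]
NO_RELATED_RULE = [ACCEPT_FTP, DROP_NOT_LAN]
```

Only `PLACED_BEFORE_DROP` together with `{21, 8021}` as the service ports lets a full passive session through; the appended rule, the default service port alone, or a chain without the related rule each fail at a different step.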

What I find weird is only creating the one rule.
On my current router one made a port forward rule (from an incoming interface (a specific WAN interface) for specific port(s)/service(s) to a specific LAN IP).
Then a separate FW rule to allow the same traffic, but delineating the source IP(s) allowed and the destination IP for the services coming from the port forwarding rule.
On the port forward rule one could flip ports (incoming on a non-standard port, for example, and flip to the standard port).
The FW rule would be made for the standard port to the specific LAN IP.

In MikroTik it's a one-shot deal. Just an FYI for those coming from other devices.
PS: Order always seems to count!!