Port Forwarding Problem

This should be a simple problem. I’ve been pounding my head against it for a couple of weeks. Hopefully someone here can spot my mistake and help me out.

I’m trying to forward ports 80 (http) and 23 (telnet) from the external WAN interface through to an internal IP (10.1.1.2). I have port forwarding working to a different internal VNC server (10.1.1.50).

When I try to locally access 10.1.1.2 via port 80 or 23 it works well. I am assured that there are no ACLs on 10.1.1.2 and that its default gateway is configured correctly.

ROS v5.23 x86 platform

/ip firewall address-list
add address=83.15.210.114 disabled=yes list=hax0rs
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
    tcp-close-wait-timeout=10s tcp-established-timeout=1d \
    tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
    tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
    tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall nat
add action=masquerade chain=srcnat disabled=no src-address=10.1.1.0/24
add action=masquerade chain=srcnat comment="IPs on CMTS Network" disabled=no \
    src-address=10.2.1.0/24
add action=masquerade chain=srcnat disabled=no src-address=10.3.1.0/24
add action=dst-nat chain=dstnat comment="TV Guide Computer - VNC" disabled=no \
    dst-address=w.x.y.z dst-port=5900 protocol=tcp to-addresses=\
    10.1.1.50 to-ports=5900
add action=dst-nat chain=dstnat comment="TV Guide Computer - VNC" disabled=no \
    dst-address=w.x.y.z dst-port=5800 protocol=tcp to-addresses=\
    10.1.1.50 to-ports=5800
add action=dst-nat chain=dstnat comment=\
    "Port forward to allow web access to the CMTS" disabled=no dst-address=\
    w.x.y.z dst-port=80 protocol=tcp to-addresses=10.1.1.2 to-ports=80
add action=dst-nat chain=dstnat comment=\
    "Port forwarding to allow remote access to the CMTS from the internet" \
    disabled=no dst-address=w.x.y.z dst-port=9090 protocol=tcp \
    to-addresses=10.1.1.2 to-ports=80
add action=dst-nat chain=dstnat comment=\
    "Port forwarding to allow remote access to the CMTS from the internet" \
    disabled=no dst-address=w.x.y.z dst-port=23 protocol=tcp \
    to-addresses=10.1.1.2 to-ports=23
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061 sip-direct-media=yes
set pptp disabled=no

Could you please provide content of your /ip firewall filter?
Maybe 80 and 23 TCP are blocked there.
Also try forwarding another WAN port to the same local machine, as you did in

add action=dst-nat chain=dstnat comment=\
    "Port forwarding to allow remote access to the CMTS from the internet" \
    disabled=no dst-address=w.x.y.z dst-port=9090 protocol=tcp \
    to-addresses=10.1.1.2 to-ports=80

Does that rule work?

None of the rules work to that device 10.1.1.2.

And I did export all of the rules in the code below. This is what I did:

/ip firewall

export file=firewall-config

That should have gotten everything.

Do I need an accept rule? The weird thing is that the other VNC server seems to work. I assume it works because it asks me to authenticate in my VNC client. Maybe it is not working and the VNC client asks me to provide a password before it actually tries to contact the VNC server?

Most filter rules (if you have any set via /ip firewall filter) are set to drop anything that did not originate from the internal interfaces or LAN. Thus it is not enough to have masquerade and dstnat options in place under the NAT menu. You need to add an allowance in the FILTER menu also.

A generic setup would therefore be like:

Make sure your public IP is on the public interface:

/ip address add address=1.2.3.4/24 interface=WAN

Turn on masquerading:

/ip firewall nat add chain=srcnat action=masquerade out-interface=WAN

Set up an incoming port map rule (restricted to the WAN interface, otherwise the same rule also rewrites web traffic leaving the LAN):

/ip firewall nat add chain=dstnat action=dst-nat in-interface=WAN protocol=tcp dst-port=80 to-addresses=192.168.0.5 to-ports=80

Add a filter exception for the above incoming NAT rule. Move this rule via the GUI so it sits above any DROP rules you may have:

/ip firewall filter add chain=forward action=accept protocol=tcp dst-port=80
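The check the two replies are circling, as an added example that is not part of the thread and not MikroTik code: a Python script that parses the output of a RouterOS `/ip firewall export` (joining the backslash continuation lines seen in the first post), then for every enabled dst-nat rule walks the forward chain in order and reports whether the forwarded flow hits an accept, a drop (first match wins, so an accept placed below a drop is never reached), or falls through to the chain default. The sample export is constructed: it reuses the first post's NAT rules and adds a hypothetical filter section with a WAN drop rule, since the poster's real filter rules were never shown. The script also flags a dst-nat rule that has neither `in-interface` nor `dst-address`, because such a rule rewrites LAN-originated traffic too.

```python
"""Audit a RouterOS '/ip firewall export' for port forwards that the
forward chain will drop.  Added example, not code from the thread."""
import shlex
from dataclasses import dataclass

# Constructed sample: the first post's NAT rules plus a hypothetical filter
# section (the thread never shows the real one).  Note the accept for
# 10.1.1.2:80 sits BELOW the WAN drop rule.
SAMPLE_EXPORT = r"""
/ip firewall nat
add action=masquerade chain=srcnat disabled=no src-address=10.1.1.0/24
add action=dst-nat chain=dstnat comment="TV Guide Computer - VNC" disabled=no \
    dst-address=w.x.y.z dst-port=5900 protocol=tcp to-addresses=\
    10.1.1.50 to-ports=5900
add action=dst-nat chain=dstnat comment=\
    "Port forward to allow web access to the CMTS" disabled=no dst-address=\
    w.x.y.z dst-port=80 protocol=tcp to-addresses=10.1.1.2 to-ports=80
add action=dst-nat chain=dstnat comment=\
    "Port forwarding to allow remote access to the CMTS from the internet" \
    disabled=no dst-address=w.x.y.z dst-port=23 protocol=tcp \
    to-addresses=10.1.1.2 to-ports=23
/ip firewall filter
add chain=forward action=accept connection-state=established,related
add chain=forward action=accept protocol=tcp dst-address=10.1.1.50 dst-port=5900
add chain=forward action=drop in-interface=WAN
add chain=forward action=accept protocol=tcp dst-address=10.1.1.2 dst-port=80
"""


@dataclass
class Rule:
    section: str   # e.g. "/ip firewall nat"
    attrs: dict    # key=value pairs of one "add" line


def _logical_lines(text):
    """Join export continuation lines: a trailing backslash means the
    next (indented) line belongs to the same command."""
    buf = ""
    for raw in text.splitlines():
        buf += raw.strip() if buf else raw.rstrip()
        if buf.endswith("\\"):
            buf = buf[:-1]
            continue
        if buf.strip():
            yield buf.strip()
        buf = ""
    if buf.strip():
        yield buf.strip()


def parse_export(text):
    """Return every 'add' rule with its section, preserving rule order."""
    section, rules = "", []
    for line in _logical_lines(text):
        if line.startswith("/"):
            section = line
            continue
        tokens = shlex.split(line)          # handles comment="quoted text"
        if not tokens or tokens[0] != "add":
            continue
        attrs = {}
        for tok in tokens[1:]:
            key, _, val = tok.partition("=")
            attrs[key] = val
        rules.append(Rule(section, attrs))
    return rules


_MATCH_KEYS = ("protocol", "dst-address", "dst-port", "in-interface")


def _matches(filter_attrs, flow):
    """A filter rule matches when every matcher it specifies agrees with the
    flow.  A flow attribute we could not infer (None) counts as a match,
    which is the conservative reading for traffic arriving from the WAN."""
    state = filter_attrs.get("connection-state")
    if state and "new" not in state.split(","):
        return False                         # established,related: not the SYN
    for key in _MATCH_KEYS:
        want = filter_attrs.get(key)
        have = flow.get(key)
        if want is not None and have is not None and have != want:
            return False
    return True


def audit(rules):
    """Map each enabled dst-nat forward to the forward-chain verdict it gets."""
    nat = [r for r in rules if r.section == "/ip firewall nat"
           and r.attrs.get("action") == "dst-nat"
           and r.attrs.get("disabled", "no") == "no"]
    fwd = [r for r in rules if r.section == "/ip firewall filter"
           and r.attrs.get("chain") == "forward"
           and r.attrs.get("disabled", "no") == "no"]
    report = {}
    for n in nat:
        a = n.attrs
        # The forward chain sees the flow after dst-nat rewrote it.
        flow = {"protocol": a.get("protocol"),
                "dst-address": a.get("to-addresses"),
                "dst-port": a.get("to-ports") or a.get("dst-port"),
                "in-interface": a.get("in-interface")}
        label = f"{flow['protocol']}/{a.get('dst-port')}->{flow['dst-address']}:{flow['dst-port']}"
        hit = next(((i, f) for i, f in enumerate(fwd) if _matches(f.attrs, flow)), None)
        if hit is None:
            status, detail = "accept", "no forward rule matches; chain default (accept) applies"
        else:
            i, f = hit
            status = f.attrs.get("action", "accept")
            detail = f"first match is forward rule #{i} ({status})"
            if status in ("drop", "reject"):
                shadowed = [j for j in range(i + 1, len(fwd))
                            if fwd[j].attrs.get("action") == "accept"
                            and _matches(fwd[j].attrs, flow)]
                if shadowed:
                    detail += f"; accept rule #{shadowed[0]} is below it and never reached"
        if not (a.get("in-interface") or a.get("dst-address")):
            detail += ("; dst-nat rule has no in-interface/dst-address, "
                       "so it also rewrites LAN-originated traffic")
        report[label] = {"status": status, "detail": detail}
    return report


if __name__ == "__main__":
    for label, verdict in audit(parse_export(SAMPLE_EXPORT)).items():
        print(f"{label:28} {verdict['status']:7} {verdict['detail']}")
```

Replace `SAMPLE_EXPORT` with the saved output of `/ip firewall export` to audit a real router. On the constructed sample the VNC forward is accepted by rule #1, while both CMTS forwards hit the WAN drop at rule #2; the 80/tcp accept at rule #3 is reported as shadowed, which is exactly the ordering mistake the last reply warns about.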