Syleri
November 24, 2015, 2:04pm
1
Hello, I am looking to make port forwarding 5900, from a bridged router (PPPoE client), connected at ether12, to my server at ether10, port 22. Take a look at the following picture.
portForward.png
And use the following line:
/ip firewall nat add chain=dstnat in-interface=ether12 protocol=tcp dst-port=5900 action=dst-nat to-addresses=192.168.150.2 to-ports=22
But nothing happens!!! I need your help! If you need more information please tell me!
RouterOS 6.31
Looks like from your diagram the Mikrotik is handling the PPPoE, if so change your in-interface to the PPPoE interface not the physical interface.
Syleri
November 24, 2015, 2:45pm
3
I have tested! Same result!!
Have you tried a different incoming port? 5900 is the standard VNC port and your ISP may be blocking it?
Syleri
November 24, 2015, 2:58pm
5
I have tried 3389 and 65000. But the problem remains!
Not that you can't, but not sure why you are trying to nat 5900, 3389, etc. to dst port of 22. Is your dst host actually listening on 22? Can you test internally and see if there is any response on 22?
Syleri
November 25, 2015, 7:16am
7
The port 22 is just an example! I have tested 3389 internally and it is working fine! The ISP is not blocking this port!
Ape
November 25, 2015, 10:06am
8
Hi,
the port forwarding is just one thing to do.
Probably you must also add a firewall rule in the forward chain to allow the incoming traffic.
Ape
Syleri
November 25, 2015, 10:47am
9
Can you give me an example, please?
Ape
November 25, 2015, 11:31am
10
Hi,
this is an example port forwarding for port 80:
/ip firewall nat add action=dst-nat chain=dstnat disabled=no in-interface=<your wan interface> dst-port=80 protocol=tcp to-addresses=<IP of host> to-ports=80
/ip firewall filter add action=accept chain=forward connection-state=new \
disabled=no dst-address=<IP of host> dst-port=80 protocol=tcp
In the example I assume that you have a working stateful firewall.
Ape
Syleri
November 25, 2015, 11:46am
11
Ape:
Hi,
this is an example port forwarding for port 80:
/ip firewall nat add action=dst-nat chain=dstnat disabled=no in-interface=<your wan interface> dst-port=80 protocol=tcp to-addresses=<IP of host> to-ports=80
/ip firewall filter add action=accept chain=forward connection-state=new \
disabled=no dst-address=<IP of host> dst-port=80 protocol=tcp
In the example I assume that you have a working stateful firewall.
Ape
Thanks for your response! I tried your rules and they're not working.
Ape
November 25, 2015, 12:05pm
12
Hi,
please post the output of the
/export
command.
Thank you.
Ape
Syleri
November 25, 2015, 1:30pm
13
Here is my configuration:
# nov/25/2015 14:12:55 by RouterOS 6.31
#
/interface pppoe-client
add add-default-route=yes interface=ether11 max-mru=1480 max-mtu=1480 mrru=\
1600 name=username password=password user=username
add add-default-route=yes disabled=no interface=ether12 max-mru=1480 max-mtu=\
1480 mrru=1600 name=username2 password=password user=username2
/interface ethernet
set [ find default-name=ether8 ] comment=Server master-port=ether10
set [ find default-name=ether9 ] master-port=ether10
/ip neighbor discovery
set ether8 comment=Server
/ip hotspot profile
add hotspot-address=192.168.150.1 name=hsprof1
/ip pool
add name=hs-pool-10 ranges=192.168.150.3-192.168.151.254
add name=dhcp_pool1 ranges=192.168.100.2-192.168.100.254
add name=dhcp_pool2 ranges=192.168.0.50-192.168.0.150
/ip dhcp-server
add address-pool=hs-pool-10 disabled=no interface=ether10 lease-time=1h name=\
dhcp1
add address-pool=dhcp_pool2 disabled=no interface=ether4 lease-time=1h name=\
dhcp2 relay=192.168.0.254
/ip hotspot
add address-pool=hs-pool-10 disabled=no interface=ether10 name=hotspot1 \
profile=hsprof1
/ip address
add address=192.168.88.1/24 comment="default configuration" interface=ether1 \
network=192.168.88.0
add address=192.168.150.1/23 comment="hotspot network" interface=ether10 \
network=192.168.150.0
add address=192.168.0.254/24 interface=ether4 network=192.168.0.0
/ip dhcp-client
add default-route-distance=0 dhcp-options=hostname,clientid disabled=no \
interface=ether11
/ip dhcp-server network
add address=192.168.0.0/24 gateway=192.168.0.254
add address=192.168.100.0/24 gateway=192.168.100.1
add address=192.168.150.0/23 comment="hotspot network" gateway=192.168.150.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,195.170.2.2
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
add chain=forward comment="added 23/11/2015" disabled=yes \
dst-address=192.168.150.2 dst-port=3389 in-interface=username2 protocol=tcp \
src-port=3389
add chain=forward disabled=yes dst-address=192.168.0.171 dst-port=3389 \
in-interface=username2 protocol=tcp src-port=3389
add chain=forward comment=" 25/11" connection-state=new dst-address=\
192.168.150.2 dst-port=3389 protocol=tcp
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
src-address=192.168.150.0/23
add action=dst-nat chain=dstnat dst-port=3389 in-interface=ether11 protocol=\
tcp to-addresses=192.168.0.171 to-ports=3389
add action=masquerade chain=srcnat out-interface=ether12
add action=dst-nat chain=dstnat dst-port=3389 in-interface=username2 protocol=\
tcp to-addresses=192.168.150.2 to-ports=3389
add action=dst-nat chain=dstnat comment="Port Forward 24/11" disabled=\
yes dst-address-list=ALLOW dst-port=3389 in-interface=ether12 protocol=\
tcp to-addresses=192.168.150.2 to-ports=22
add action=dst-nat chain=dstnat disabled=yes dst-address-type=local dst-port=\
3389 protocol=tcp to-addresses=192.168.150.2 to-ports=3389
add action=masquerade chain=srcnat disabled=yes dst-address=192.168.150.2 \
dst-port=3389 out-interface=ether12 protocol=tcp src-address=\
192.168.150.1
add action=dst-nat chain=dstnat disabled=yes dst-port=65000 in-interface=\
username2 protocol=tcp to-addresses=192.168.150.2 to-ports=22
add action=masquerade chain=srcnat disabled=yes out-interface=ether12
add action=masquerade chain=srcnat dst-address=192.168.150.0/24 dst-port=3389 \
out-interface=ether10 protocol=tcp src-address=192.168.150.0/24
/ip route
add distance=1 dst-address=192.168.0.0/24 gateway=ether12 pref-src=\
192.168.0.254
A. You are doing DAT which means that packet with header SOURCEIP:SOURCEPORT::ROUTERPUBLICIP:5900 is translated to SOURCEIP:SOURCEPORT:192.168.150.2:22.
B. Router sends this packet to LAN
C. Server @ 192.168.150.2 receives packet with some “public” IP in source field. Public in your LAN.
D. Server has to know where its gateway is as it is responding to device at “public” SOURCEIP:SOURCEPORT
E. If server has no access to outside world then the response to the originator “dies” and there is no communication.
F. if your server has no access to WAN side then you need the second rule, the SAT one, which replaces SOURCEIP to router’s IP
G. If (F) is done then server receives ROUTERIP:SOURCEPORT:192.168.150.2:22 and sends the response to router as it thinks that router is the originator.
H. If (G) the router matches “translation tables” and translates source IP in the header ROUTERIP back to the SOURCEIP and sends it to WAN.
I. Remember that DAT is done before SAT so SAT rules should operate on IPs and ports already “DATed to”
This example makes SAT for all packets incoming not from LAN and with 22 destination port so only these with IPs not from LAN pool are translated by router - assuming that router is 192.168.150.1
/ip firewall nat add chain=dstnat in-interface=ether12 protocol=tcp dst-port=5900 action=dst-nat to-addresses=192.168.150.2 to-ports=22
/ip firewall nat add chain=srcnat src-address=!192.168.150.0/24 action=src-nat to-addresses=192.168.150.1 dst-address=192.168.150.2 dst-port=22 protocol=tcp
Syleri
November 26, 2015, 7:46am
15
Thanks for your detailed explanation! I tried your example; it still isn't working!
(H) is not quite correct…it should be:
H. If (G) the router matches “translation tables” and translates source IP in the header ROUTERIP back to the SOURCEIP.
H1. Router matches “translation tables” for taken DAT rule and translates SOURCEIP:SOURCEPORT:192.168.150.2:22 back SOURCEIP:SOURCEPORT::ROUTERPUBLICIP:5900
H2. Router sends packet to WAN.
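The steps A–I above and the H/H1/H2 correction, modelled as an added example (not code from the thread or from RouterOS): a tiny connection-tracking router that applies the thread's dstnat rule (ROUTERPUBLICIP:5900 -> 192.168.150.2:22), optionally the srcnat rule (non-LAN source -> 192.168.150.1), and undoes both on the reply. The public addresses, the client port and the "server has a default gateway" flag are constructed assumptions; the point it shows is that without SNAT a server with no route to the WAN drops the reply (step E), and with SNAT the reply is un-SATed and then un-DATed back to the original tuple (H1/H2).

```python
from dataclasses import dataclass, replace

ROUTER_PUBLIC = "203.0.113.10"   # constructed: router's PPPoE/public IP
ROUTER_LAN = "192.168.150.1"     # router LAN IP used by the src-nat rule
SERVER = "192.168.150.2"         # dst-nat target from the thread
LAN_PREFIX = "192.168.150."      # stands in for 192.168.150.0/24

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class Router:
    def __init__(self, do_snat: bool):
        self.do_snat = do_snat
        self.table = {}  # translated forward 5-tuple -> original packet (conntrack)

    def forward(self, pkt: Packet):
        """dstnat runs first (step I), then srcnat on the already-DATed packet."""
        if pkt.dst == ROUTER_PUBLIC and pkt.dport == 5900:          # step A
            out = replace(pkt, dst=SERVER, dport=22)
            if (self.do_snat and not out.src.startswith(LAN_PREFIX)
                    and out.dst == SERVER and out.dport == 22):     # step F
                out = replace(out, src=ROUTER_LAN)
            self.table[(out.src, out.sport, out.dst, out.dport)] = pkt
            return out
        return pkt

    def reply(self, pkt: Packet):
        """Match the reversed tuple and undo SAT and DAT (steps H, H1, H2)."""
        orig = self.table.get((pkt.dst, pkt.dport, pkt.src, pkt.sport))
        if orig is None:
            return None
        return Packet(orig.dst, orig.dport, orig.src, orig.sport)

class Server:
    def __init__(self, has_gateway: bool):
        self.has_gateway = has_gateway  # assumption: can the server route to WAN?

    def respond(self, pkt: Packet):
        """Step D/E: a non-LAN source needs a gateway, otherwise the reply dies."""
        if not pkt.src.startswith(LAN_PREFIX) and not self.has_gateway:
            return None
        return Packet(pkt.dst, pkt.dport, pkt.src, pkt.sport)

def simulate(do_snat: bool, has_gateway: bool):
    """Returns the packet that reaches the WAN client, or None if it dies."""
    router, server = Router(do_snat), Server(has_gateway)
    client = Packet("198.51.100.7", 40000, ROUTER_PUBLIC, 5900)  # constructed
    reply = server.respond(router.forward(client))
    return None if reply is None else router.reply(reply)
```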
Syleri
November 26, 2015, 8:50am
17
BartoszP, I reviewed my NATs again, I tried your configuration and it works!!! Thanks again!