Port forwarding problem.

Hello,
We have a MikroTik that is the main router with a static IP range 80.78.65.x, and we have a VPN through our network with range 172.16.14.x.
Now I need to forward 80.78.65.x:81 to 192.168.0.19:80, where 192.168.0.19 stands behind 172.168.14.6.
I have made some rules myself:

;;; Mapping for the Fier cameras browser
chain=dstnat action=dst-nat to-addresses=192.168.0.19 to-ports=80 protocol=tcp dst-address=80.78.65.x dst-port=81 log=yes log-prefix="logkamerat"

This doesn’t work.
It sounds easy, but I cannot do this. Can anyone help me?
Kind Regards

What is the source? Are you trying to send all traffic hitting your WAN IP of 80.78.65.x:81 to 192.168.0.19:80? You want this traffic then directed over the VPN to the 172.168.14.x network? Or are you trying to get internal traffic over to the 192.168.0.19 address?

chain=dstnat action=dst-nat to-addresses=192.168.0.19 to-ports=80 protocol=tcp dst-address=80.78.65.x dst-port=81 log=yes log-prefix="logkamerat" 

Can your Mikrotik ping the 192.168.0.19 address?

Are you allowing the source traffic over the VPN? When you torch or run a packet capture where is the last place the traffic is found, i.e. where is it being dropped?

This is what I came up with.
I am not an expert on networking, so this is a scheme of how the situation stands.


Public IP address 80.78.65.85
VPN network 172.16.14.0

Thank you for your help,
Regards

What does 192.168.0.19 use as default gateway? Is it the 172.16.14.6 router, or is there some other router?

Yes, the default router is 172.16.14.6, then behind it is 192.168.0.0/24.

How is the VPN set up in regards to interesting traffic allowed over the VPN? So if router1 can ping and reach the server 192.168.0.19 via port 80, then it has to do with how your VPN is configured.

I assume that your router has a static route with dst=192.168.0.0/24 gateway=172.16.14.6

Yes, this is the static route.
A S ;;; Fier network
192.168.0.0/24 172.16.14.6 1
Regards

What about the default route on the 172.16.14.6 router? Is it 172.16.14.2? If so, both 192.168.0.19 and 172.16.14.6 can’t send reply packets the wrong way. So they must get filtered by the first or second router. Try to inspect how far the packets get in both directions. Use either Tool->Torch or add some logging rules to the prerouting and postrouting chains. On one of those routers, you’ll see a packet coming in on one interface and not coming out on the other. Check the forward chain on this router and make sure that you allow these packets to pass.

Are you accepting the dst-natted connection in the forward chain of the firewall filter? Otherwise it is most probably dropped after the port redirect.
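The dst-nat rule from the first post combined with the forward-chain accept and the prerouting/postrouting logging suggested in the two replies above, as an added example that is not part of the original thread. The rule comments and log prefixes are made up here, and it assumes the rules are entered on the main router holding 80.78.65.85.

```routeros
# Added example, not from the thread. Addresses and ports are the ones quoted
# in the thread; comments and log prefixes are made up for this example.

# 1. The port forward itself: public 80.78.65.85:81 -> 192.168.0.19:80.
/ip firewall nat
add chain=dstnat action=dst-nat protocol=tcp dst-address=80.78.65.85 dst-port=81 \
    to-addresses=192.168.0.19 to-ports=80 comment="camera web UI forward"

# 2. Allow only the translated connection through the forward chain.
#    After dst-nat the destination is already 192.168.0.19:80, so the filter
#    matches the new address and port, not 80.78.65.85:81.
/ip firewall filter
add chain=forward action=accept connection-state=established,related \
    comment="replies for existing connections"
add chain=forward action=accept protocol=tcp dst-address=192.168.0.19 dst-port=80 \
    connection-nat-state=dstnat comment="dst-natted camera traffic only"
# Both rules must sit above any drop rule in chain=forward (see place-before=).

# 3. Temporary logging to see how far packets get in each direction.
/ip firewall mangle
add chain=prerouting action=log protocol=tcp dst-address=80.78.65.85 dst-port=81 \
    log-prefix="cam-in-pre"
add chain=postrouting action=log protocol=tcp dst-address=192.168.0.19 dst-port=80 \
    log-prefix="cam-in-post"
add chain=prerouting action=log protocol=tcp src-address=192.168.0.19 src-port=80 \
    log-prefix="cam-reply-pre"
```

If "cam-in-pre" appears in the log without "cam-in-post", the packet is being lost on this router between NAT and the outgoing interface, which points at the forward chain or the route. If both appear but "cam-reply-pre" never does, the reply is not coming back to this router, so the next place to look is the 172.16.14.6 side.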

I don't understand the VPN part, but it seems very simple to me.
First, do the port forwarding (port NATting) on the router with the public IP address, i.e. 80.78.65.85, and turn it towards 172.16.14.6.
Then do the port forwarding on 172.16.14.6 and turn it towards the DVR, i.e. 192.168.0.19.
My tip:
In the General tab, leave the Src. Address: and Dst. Address: fields blank, and in the Action tab specify your target address (To address:) and (To ports:).
Hope it works.
Regards