Port Forwarding Question

Aokiji · August 31, 2021, 7:31am

Good day ,

not sure if this is the right place

i have a RB3011 Ui as my main switch in my home server rack now if i use my main internet connection the forwarding works 100% ports i normally open works so that part atleast works

bough me a LHGG Cat6 LTE kit to use as a backup and it has unrestricted access as well now it will never be used as a fail over for internet as its a capped service atm but im only using it for remote access purposes if my main link goes down so i can still access my equipment.

LHGG is on 192.168.88.0/24 Range
RB3011Ui is on 192.168.0.0/24 Range

made a route from the lhg to rb3011 so it can see my local devices and natting has been done accordingly

on the logs im getting dstnat: in:lte1 out:(unknown 0)

have a masq rule in place for the LHG.

help will be appreciated

Kind Regards.

sindy · August 31, 2021, 8:06am

Post the actual configuration of the LHG, see my automatic signature below for a mini-howto.

Aokiji · August 31, 2021, 11:35am

current config on LHG

add apn=ws.supersonic.fwa name=Supersonic
add apn=unrestricted name=Vodacom
/interface lte
set [ find ] allow-roaming=yes apn-profiles=Vodacom name=lte1
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=Vodacom ranges=192.168.88.2-192.168.88.254
/ip dhcp-server
add address-pool=Vodacom disabled=no interface=ether1 name=Vodacom
/interface detect-internet
set detect-interface-list=all
/ip address
add address=192.168.88.1/24 interface=ether1 network=192.168.88.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-server network
add address=192.168.88.0/24 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip firewall address-list
add address=xxx.xxx.xxx.xxx list="Allowed IP"
add address=192.168.0.0/24 list="Main Mikrotik Range"
add address=192.168.20.0/24 list="Izwe Uncapped"
add address=xxx.xxx.xxx.xxx list="Allowed IP"
/ip firewall filter
add action=accept chain=forward comment="Allow established and related" \
    connection-state=established,related
add action=accept chain=input connection-state=established,related
add action=drop chain=input comment="Drop ICMP" in-interface=lte1 protocol=\
    icmp
add action=drop chain=input comment="Drop DNS request inputs" dst-port=53 \
    in-interface=lte1 protocol=tcp
add action=drop chain=input comment="Drop invalid" connection-state=invalid \
    in-interface=lte1
add action=accept chain=input comment="Clan Zero Tolerance VPN" in-interface=\
    lte1 protocol=ipsec-esp
add action=accept chain=input dst-port=500,1701,4500 in-interface=lte1 port=\
    "" protocol=udp
add action=drop chain=input comment="Drop Unauthorized " in-interface=lte1 \
    src-address-list="!Allowed IP"
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="Port scanners to list " \
    in-interface=lte1 protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" \
    in-interface=lte1 protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="SYN/FIN scan" in-interface=\
    lte1 protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="SYN/RST scan" in-interface=\
    lte1 protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" \
    in-interface=lte1 protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list=" port scanners" \
    address-list-timeout=2w chain=input comment=" ALL/ALL scan" in-interface=\
    lte1 protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list=" port scanners" \
    address-list-timeout=2w chain=input comment=" NMAP NULL scan" \
    in-interface=lte1 protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment=" dropping port scanners" in-interface=\
    lte1 src-address-list=" port scanners"
add action=drop chain=forward comment=\
    "Drop new connections from internet which are not dst-natted" \
    connection-nat-state=!dstnat connection-state=new in-interface=lte1
/ip firewall nat
add action=masquerade chain=srcnat comment="Vodacom LTE" out-interface=lte1
add action=dst-nat chain=dstnat comment="Teamspeak 3 " dst-port=9987 \
    in-interface=lte1 log=yes protocol=udp src-port="" to-addresses=\
    192.168.0.9 to-ports=9987
add action=dst-nat chain=dstnat dst-port=30033 in-interface=lte1 protocol=tcp \
    to-addresses=192.168.0.9
add action=dst-nat chain=dstnat disabled=yes dst-port=10011 in-interface=lte1 \
    protocol=tcp to-addresses=192.168.0.9
add action=dst-nat chain=dstnat comment="Plex Media Server" dst-port=32400 \
    in-interface=lte1 protocol=tcp to-addresses=192.168.0.5 to-ports=32400
add action=dst-nat chain=dstnat comment="Ark Evolved Dedicated Server" \
    dst-port=7777 in-interface=lte1 protocol=tcp to-addresses=192.168.0.5 \
    to-ports=7777
add action=dst-nat chain=dstnat dst-port=27015 in-interface=lte1 protocol=tcp \
    to-addresses=192.168.0.5 to-ports=27015
add action=dst-nat chain=dstnat dst-port=7778 in-interface=lte1 protocol=tcp \
    to-addresses=192.168.0.5 to-ports=7778
add action=dst-nat chain=dstnat comment="Home Cameras" disabled=yes \
    dst-address=192.168.8.2 dst-port=8081 in-interface=lte1 protocol=tcp \
    to-addresses=192.168.0.5 to-ports=8081
add action=dst-nat chain=dstnat disabled=yes dst-address=192.168.8.2 \
    dst-port=8082 in-interface=lte1 protocol=tcp to-addresses=192.168.0.5 \
    to-ports=8082
add action=dst-nat chain=dstnat comment="Raspberry Pi 4" dst-address=\
    192.168.8.2 dst-port=34 in-interface=lte1 protocol=tcp to-addresses=\
    192.168.0.9 to-ports=22
add action=dst-nat chain=dstnat comment="Clan Zero Tolerance Local Website" \
    dst-port=80 in-interface=lte1 protocol=tcp to-addresses=192.168.0.14 \
    to-ports=80
add action=dst-nat chain=dstnat disabled=yes dst-port=443 in-interface=lte1 \
    protocol=tcp to-addresses=192.168.0.13 to-ports=443
add action=dst-nat chain=dstnat disabled=yes dst-port=8443 in-interface=lte1 \
    protocol=tcp to-addresses=192.168.0.14 to-ports=8443
add action=dst-nat chain=dstnat comment="Webmin Interface" dst-port=10000 \
    in-interface=lte1 protocol=tcp to-addresses=192.168.0.9 to-ports=10000
add action=dst-nat chain=dstnat dst-port=20000 in-interface=lte1 protocol=tcp \
    to-addresses=192.168.0.9 to-ports=20000
add action=dst-nat chain=dstnat comment="Email Server Ports" dst-port=25 \
    in-interface=lte1 protocol=tcp to-addresses=192.168.0.14 to-ports=25
add action=dst-nat chain=dstnat dst-port=587 in-interface=lte1 protocol=tcp \
    to-addresses=192.168.0.14 to-ports=587
add action=dst-nat chain=dstnat dst-port=465 in-interface=lte1 protocol=tcp \
    to-addresses=192.168.0.14 to-ports=465
add action=dst-nat chain=dstnat dst-port=143 in-interface=lte1 protocol=tcp \
    to-addresses=192.168.0.14 to-ports=143
add action=dst-nat chain=dstnat dst-port=993 in-interface=lte1 protocol=tcp \
    to-addresses=192.168.0.14 to-ports=993
add action=dst-nat chain=dstnat dst-port=110 in-interface=lte1 protocol=tcp \
    to-addresses=192.168.0.14 to-ports=110
add action=dst-nat chain=dstnat comment="Dell Poweredge 750 Server" dst-port=\
    9000 in-interface=lte1 log=yes protocol=tcp to-addresses=192.168.0.14 \
    to-ports=3389
add action=dst-nat chain=dstnat comment="Server 2003 Virtual Machine" \
    dst-port=9001 in-interface=lte1 protocol=tcp to-addresses=192.168.0.16 \
    to-ports=5900
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip route
add comment="Local Route To RB3011Ui" distance=1 dst-address=192.168.0.0/24 \
    gateway=192.168.88.254
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/snmp
set enabled=yes trap-version=2
/system clock
set time-zone-name=Africa/Johannesburg
/system identity
set name="Vodacom LTE"
/system leds settings
set all-leds-off=after-1min
/tool sms
set port=lte1 receive-enabled=yes

sindy · August 31, 2021, 12:19pm

Recommended practice of the forum, if you post large pieces of configuration inline, put them between [code] and [/code] tags, try to edit your previous post to see the difference.

To the subject, there are two action=dst-nat rules with log=yes, so I assume your log snippet in the OP comes from hitting one of them. The dstnat chain handles the packets before they get routed, so it is normal that at that moment, the out-interface for the packet is not known yet, so the out:(unknown 0) part of the log row says nothing about what really happened to the packet later on.

Since the rest of the LHG configuration is dead simple, the route is there (but no static DHCP lease for the 3011 so you may get some surprise after a reboot if the 3011 is not the only device to be connected to ether1 of the LHG), and the filter rules in chain forward allow dst-nated connections to get established, I’m sure the initial packet has actually made it to the 3011. To confirm this, you can run /tool sniffer quick port=9987 (or 3389, depending on which of the two dst-nat rules you’ll use to test) on the LHG while testing the remote access, and you should see the initial packet to enter via lte1 and leave via ether1, dstnated.

So either the initial packet itself got blocked by 3011’s firewall, or the 3011 has routed the response to it somewhere else than to the LHG.

Aokiji · August 31, 2021, 12:26pm

have run that sniffer

Ether 10 - Vodacom    28.991      1 <- 08:55:31:5B:4F:FE B8:69:F4:8D:8F:BB
Ether 1 - Switch      28.991      2 -> B8:69:F4:8D:8F:B1 DC:A6:32:DF:EA:3A
Ether 10 - Vodacom    28.991      3 <- 08:55:31:5B:4F:FE B8:69:F4:8D:8F:BB
Ether 1 - Switch      28.991      4 -> B8:69:F4:8D:8F:B1 DC:A6:32:DF:EA:3A
Ether 10 - Vodacom    29.557      5 <- 08:55:31:5B:4F:FE B8:69:F4:8D:8F:BB
Ether 1 - Switch      29.557      6 -> B8:69:F4:8D:8F:B1 DC:A6:32:DF:EA:3A
Ether 10 - Vodacom    29.557      7 <- 08:55:31:5B:4F:FE B8:69:F4:8D:8F:BB
Ether 1 - Switch      29.557      8 -> B8:69:F4:8D:8F:B1 DC:A6:32:DF:EA:3A
Ether 10 - Vodacom    30.257      9 <- 08:55:31:5B:4F:FE B8:69:F4:8D:8F:BB
Ether 1 - Switch      30.257     10 -> B8:69:F4:8D:8F:B1 DC:A6:32:DF:EA:3A
Ether 10 - Vodacom    30.257     11 <- 08:55:31:5B:4F:FE B8:69:F4:8D:8F:BB
Ether 1 - Switch      30.257     12 -> B8:69:F4:8D:8F:B1 DC:A6:32:DF:EA:3A
Ether 10 - Vodacom    31.263     13 <- 08:55:31:5B:4F:FE B8:69:F4:8D:8F:BB
Ether 1 - Switch      31.263     14 -> B8:69:F4:8D:8F:B1 DC:A6:32:DF:EA:3A
Ether 10 - Vodacom    31.263     15 <- 08:55:31:5B:4F:FE B8:69:F4:8D:8F:BB
Ether 1 - Switch      31.263     16 -> B8:69:F4:8D:8F:B1 DC:A6:32:DF:EA:3A
Ether 10 - Vodacom    32.564     17 <- 08:55:31:5B:4F:FE B8:69:F4:8D:8F:BB
Ether 1 - Switch      32.564     18 -> B8:69:F4:8D:8F:B1 DC:A6:32:DF:EA:3A
Ether 10 - Vodacom     32.65     19 <- 08:55:31:5B:4F:FE B8:69:F4:8D:8F:BB
Ether 1 - Switch       32.65     20 -> B8:69:F4:8D:8F:B1 DC:A6:32:DF:EA:3A
-- [Q quit|D dump|C-z pause]

seems to be just jumping backand forward

anav · August 31, 2021, 12:57pm

How do you vpn into your home network from the LTE connection or Main router? Dont see any vpn settings??

sindy · August 31, 2021, 12:57pm

It’s not jumping back and forward, look at the MAC addresses. The packet comes in via ether10 with the source MAC address of the LHG and destination MAC address of the 3011; the 3011 routes it to the destination and sends it via ether1 with its own MAC address as source. But nothing ever comes back from the destination server at DC:A6:32:DF:EA:3A. So either the gateway of the default route of the server at DC:A6:32:DF:EA:3A is not the 3011, or the firewall/application settings on that server block incoming requests from the internet (public IPs).

I’ve got no idea why the packets come in pairs, but that’s a separate question that may not be important at all.

Also, make the terminal window as wide as your screen allows before sniffing; the sniffer adjusts the number of columns displayed to accommodate to the available window width, so the IP addresses are missing.

Aokiji · August 31, 2021, 1:11pm

not using any vpn on my network

Aokiji · August 31, 2021, 1:15pm

It’s not jumping back and forward, look at the MAC addresses. The packet comes in via ether10 with the source MAC address of the LHG and destination MAC address of the 3011; the 3011 routes it to the destination and sends it via ether1 with its own MAC address as source. But nothing ever comes back from the destination server at DC:A6:32:DF:EA:3A. So either the gateway of the default route of the server at DC:A6:32:DF:EA:3A is not the 3011, or the firewall/application settings on that server block incoming requests from the internet (public IPs).

I’ve got no idea why the packets come in pairs, but that’s a separate question that may not be important at all.

Also, make the terminal window as wide as your screen allows before sniffing; the sniffer adjusts the number of columns displayed to accommodate to the available window width, so the IP addresses are missing.

all of the devices connected to the RB3011 has the 3011 as the gateway, mac that ends with 3A happens to be the device i was testing the access to. only works with my main wan link .

the only diff is i do not have a 0.0.0.0/0 route for the LHG as im not using it for my internet only want to be able to use it for remote access.

will the missing 0.0.0.0/0 cause this problem?

anav · August 31, 2021, 1:16pm

Just to be clear then you are:
a. accessing your servers from external internet via normal port forwarding to manage them.
b. not accessing the router directly from the external internet for configuration purposes.

Aokiji · August 31, 2021, 1:26pm

anav · August 31, 2021, 1:29pm

Nice, although I dont know what you mean by cloud access to them??
You log into a cloud website that is connected to the router via VPN?

Aokiji · August 31, 2021, 1:34pm

no the cloud address provided by the mik itself or rather the mik version of DynDNS

sindy · August 31, 2021, 1:41pm

But that’s not what most people understand under the name “cloud access”. The Tik registers its public IP into the DynDNS, and you then access this address directly (or via dst-nat if the xxx.sn.mynetname.net is the one of the 3011, not of the LHG).

Cloud access means that the device, which may not be accessible via any public IP at all, actively connects to a cloud server, and you can access the device via that cloud server, typically identifying it by something else than an IP address.

anav · August 31, 2021, 3:57pm

What sindy was trying to politely say, which I will say directly.

MT CLOUD is your public IP address or more accurately is used to determine your public IP, and is used for various purposes of troubleshooting, identifying public IP if behind a private IP etc…
It is NOT used for the purposes of direct (non encrypted access) configuration of the router from external IP addresses.

CLOUD ACCESS, is typically used because a system behind your router needs to provide information to a website
(such as my solar system, or my septic system) in a one way directional feed that is secure. Folks can read the information on the website but have no access to the device behind the router.

Last question. How do you access your router for configuration purposes, when away from (aka not behind the router)… Winbox from a laptop, from smartphone?
post your firewall rules to see if they are secure!