Port forwarding through 2 Mikrotik's

RouterOS Beginner Basics
1

I am attempting to port forward port 22, Ports 2074-2094 (UDP) and 15245-15427 (TCP) through a couple of RB433’s. The first is the internet connection, and works fine for all internet traffic now. Using NAT, DHCP and a few other rules.
I think the problem comes, where I am trying to send these ports to a box, that is connected to ANOTHER RB433, that is in bridge STATION WDS mode in another area close by.
Do I need to add the port forwarding to that RB as well? Or should that one be transparent?

Here is the output of my /ip firewall nat settings:

0 chain=srcnat action=masquerade out-interface=ether1

1 chain=dstnat action=dst-nat to-addresses=192.168.1.115 to-ports=5900 protocol=tcp dst-address=xx.xx.xx.xx
dst-port=5900

2 chain=dstnat action=dst-nat to-addresses=192.168.1.115 to-ports=5900 protocol=udp dst-address=xx.xx.xx.xx
dst-port=5900

3 chain=dstnat action=dst-nat to-addresses=192.168.1.55 to-ports=22 protocol=tcp dst-address=xx.xx.xx.xx dst-port=22

4 chain=dstnat action=dst-nat to-addresses=192.168.1.55 to-ports=2074-2093 protocol=udp dst-address=xx.xx.xx.xx
dst-port=2074-2093

5 chain=dstnat action=dst-nat to-addresses=192.168.1.55 to-ports=15425-15427 protocol=tcp dst-address=xx.xx.xx.xx
dst-port=15425-15427


Any help is greatly appreciated!!

Issue with ports filter / NAT rules that no longer work.
2

It seems traffic can be routed/bridged to another RB433, so the should not be necessity for extra NAT rules elsewhere.

3

Can anyone confirm if my firewall rules look correct?

4

You can leave out the to-ports. Otherwise - I guess. That will certainly destination NAT traffic to those ports. Can’t speak to the actual firewall filters since you aren’t showing those.

5

Sorry for the long delay.. Summer has almost closed out now, and I can get back to this finally!!

OK, here is the text from the export I did today. I have obviously tried a few different things, and nothing has worked. I have read through the wiki’s, and don’t quite understand what it is that I should be doing, I guess. between Mangle and NAT, I thought I should have had it. Please take a look and correct any errors you may see, and / or tell me what I did wrong so I can learn from my current disaster!!
By the way, what I want is the following:
port 5900 (VNC) to be forwarded to my internal address of 192.168.1.115
Ports 2074-2093 (IRLP-1) to be forwarded to my internal address of 192.168.1.55
Ports 15425-15427 (IRLP-2) to be forwarded to my internal address of 192.168.1.55
Port 22 (SSH) to be forwarded to my internal address of 192.168.1.55
Port 3389 (RDP) to be forwarded to my internal address of 192.168.1.51

Also, I would be happy having to 192.168.1.55 address in the DMZ, rather than the middle 3 rules, if that is an easy task as well!

Thanks in advance for any and all help!!

/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
    tcp-close-wait-timeout=10s tcp-established-timeout=1d \
    tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
    tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
    tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=accept chain=forward disabled=no dst-port=8291 protocol=tcp
add action=accept chain=input disabled=no dst-port=8291 protocol=tcp
add action=accept chain=forward disabled=no dst-address=192.168.1.115 \
    dst-port=5900 in-interface=ether1 protocol=tcp src-port=5900
add action=accept chain=forward disabled=no dst-address=192.168.1.55 \
    dst-port=80 in-interface=ether1 protocol=tcp src-port=81
add action=accept chain=forward disabled=no dst-address=192.168.1.115 port=\
    5900 protocol=udp
/ip firewall mangle
add action=change-mss chain=forward comment="Cable Internet" disabled=no \
    new-mss=clamp-to-pmtu protocol=tcp tcp-flags=syn
/ip firewall nat
add action=masquerade chain=srcnat disabled=no out-interface=ether1
add action=dst-nat chain=dstnat disabled=no dst-address=xxx.xxx.89.153 \
    dst-port=5900 protocol=tcp to-addresses=192.168.1.115 to-ports=5900
add action=dst-nat chain=dstnat disabled=no dst-address=xxx.xxx.89.153 \
    dst-port=5900 protocol=udp to-addresses=192.168.1.115 to-ports=5900
add action=dst-nat chain=dstnat disabled=no dst-address=xxx.xxx.89.153 \
    dst-port=22 protocol=tcp to-addresses=192.168.1.55 to-ports=22
add action=dst-nat chain=dstnat disabled=no dst-address=xxx.xxx.89.153 \
    dst-port=2074-2093 protocol=udp to-addresses=192.168.1.55 to-ports=\
    2074-2093
add action=dst-nat chain=dstnat disabled=no dst-address=xxx.xxx.89.153 \
    dst-port=15425-15427 protocol=tcp to-addresses=192.168.1.55 to-ports=\
    15425-15427
add action=dst-nat chain=dstnat disabled=no dst-address=xxx.xxx.89.153 \
    to-addresses=192.168.1.115
add action=src-nat chain=srcnat disabled=no src-address=192.168.1.115 \
    to-addresses=xxx.xxx.89.153
add action=dst-nat chain=dstnat disabled=no dst-port=5900 protocol=tcp \
    to-addresses=192.168.1.115 to-ports=5900
add action=dst-nat chain=dstnat disabled=no dst-port=3389 protocol=tcp \
    to-addresses=192.168.1.51 to-ports=3389
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no
6

Also, I would be happy having to 192.168.1.55 address in the DMZ, rather than the middle 3 rules, if that is an easy task as well!

What do you mean by that? There are two definitions of DMZ. One is with proper firewalls, where a DMZ is a completely separate network next to WAN and LAN. The LAN can access WAN and DMZ, the DMZ can access the WAN but not the LAN, and the WAN can access select policed services in the DMZ. The second is with consumer grade SoHo routers, where it just refers to unconditional port forwarding. The former is far more secure than the latter: the idea is that if a DMZ host - which has resources exposed to the Internet - gets exploited it can’t be used to then attack LAN targets because it itself doesn’t even have access to the LAN.

In your situation you obviously only have one network, so the former would require adding another network (which is easily possible with RouterOS). I’m not sure if you mean the latter and are asking how to unconditionally forward all IP traffic not already port forwarded to other hosts to 192.168.1.55.

port 5900 (VNC) to be forwarded to my internal address of 192.168.1.115
Ports 2074-2093 (IRLP-1) to be forwarded to my internal address of 192.168.1.55
Ports 15425-15427 (IRLP-2) to be forwarded to my internal address of 192.168.1.55
Port 22 (SSH) to be forwarded to my internal address of 192.168.1.55
Port 3389 (RDP) to be forwarded to my internal address of 192.168.1.51

My suggestion for a NAT and filter rule set to accomplish that - not accounting for your DMZ question - would be:

/ip firewall filter
add chain=input connection-state=established action=accept
add chain=input connection-state=related action=accept
add chain=input connection-state=invalid action=drop
add chain=input in-interface=!ether1 action=accept
add chain=input action=drop
add chain=forward connection-state=established action=accept
add chain=forward connection-state=related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=!ether1 action=accept
add chain=forward dst-address=192.168.1.115 protocol=tcp dst-port=5900 action=accept
add chain=forward dst-address=192.168.1.55 protocol=tcp dst-port=2074-2093 action=accept
add chain=forward dst-address=192.168.1.55 protocol=tcp dst-port=15425-15427 action=accept
add chain=forward dst-address=192.168.1.55 protocol=tcp dst-port=22 action=accept
add chain=forward dst-address=192.168.1.51 protocol=tcp dst-port=3389 action=accept
add chain=forward action=drop

/ip firewall nat
add chain=dstnat protocol=tcp dst-port=5900 in-interface=ether1 action=dst-nat to-addresses=192.168.1.115
add chain=dstnat protocol=tcp dst-port=2074-2093 in-interface=ether1 action=dst-nat to-addresses=192.168.1.55
add chain=dstnat protocol=tcp dst-port=15425-15427 in-interface=ether1 action=dst-nat to-addresses=192.168.1.55
add chain=dstnat protocol=tcp dst-port=22 in-interface=ether1 action=dst-nat to-addresses=192.168.1.55
add chain=dstnat protocol=tcp dst-port=3389 in-interface=ether1 action=dst-nat to-addresses=192.168.1.51
add chain=srcnat out-interface=ether1 action=masquerade

That replaces everything you already have. That said, I’m not familiar with IRLP, and you didn’t indicate a layer 3 protocol. If that is also TCP you can simplify that somewhat to this:

/ip firewall filter
add chain=input connection-state=established action=accept
add chain=input connection-state=related action=accept
add chain=input connection-state=invalid action=drop
add chain=input in-interface=!ether1 action=accept
add chain=input action=drop
add chain=forward connection-state=established action=accept
add chain=forward connection-state=related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=!ether1 action=accept
add chain=forward dst-address=192.168.1.115 protocol=tcp dst-port=5900 action=accept
add chain=forward dst-address=192.168.1.55 protocol=tcp dst-port=22,2074-2093,15425-15427 action=accept
add chain=forward dst-address=192.168.1.51 protocol=tcp dst-port=3389 action=accept
add chain=forward action=drop

/ip firewall nat
add chain=dstnat protocol=tcp dst-port=5900 in-interface=ether1 action=dst-nat to-addresses=192.168.1.115
add chain=dstnat protocol=tcp dst-port=22,2074-2093,15425-15427 in-interface=ether1 action=dst-nat to-addresses=192.168.1.55
add chain=dstnat protocol=tcp dst-port=3389 in-interface=ether1 action=dst-nat to-addresses=192.168.1.51
add chain=srcnat out-interface=ether1 action=masquerade

Or, if you’re going for the second DMZ option emulating a D-Link/Linksys/Netgear/whatever SoHo router DMZ:

/ip firewall filter
add chain=input connection-state=established action=accept
add chain=input connection-state=related action=accept
add chain=input connection-state=invalid action=drop
add chain=input in-interface=!ether1 action=accept
add chain=input action=drop
add chain=forward connection-state=established action=accept
add chain=forward connection-state=related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=!ether1 action=accept
add chain=forward dst-address=192.168.1.115 protocol=tcp dst-port=5900 action=accept
add chain=forward dst-address=192.168.1.51 protocol=tcp dst-port=3389 action=accept
add chain=forward dst-address=192.168.1.51 action=accept
add chain=forward action=drop

/ip firewall nat
add chain=dstnat protocol=tcp dst-port=5900 in-interface=ether1 action=dst-nat to-addresses=192.168.1.115
add chain=dstnat protocol=tcp dst-port=3389 in-interface=ether1 action=dst-nat to-addresses=192.168.1.51
add chain=dstnat in-interface=ether1 action=dst-nat to-addresses=192.168.1.55
add chain=srcnat out-interface=ether1 action=masquerade
7

Fewi.. You’re a life saver! It worked as you suspected it does, and now I understand it a bit better!
As for the DMZ, I was referring to a SOHO DMZ. However, I’m not sure now that I want that, as it’s easier to secure it when they are defined forwards.
IRLP (Internet Radio Linking Project) is a Ham Radio, Radio (Voice) over IP application. Linux, to boot.. It uses both TCP and UDP, so I changed them accordingly.

I have been out of ROS and MT hardware for just about a year now, and I seem to have forgotten so much of it, not using it everyday any longer.

Thanks again for the help!!