Port-forwarding to internal network

Hi,

I have RouterOS installed on a VM in our datacenter, with this configuration:

[admin@MikroTik] > /ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic

[admin@MikroTik] > /ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
 0    chain=dstnat action=dst-nat to-addresses=10.13.37.10 to-ports=80 protocol=tcp in-interface=ether1 dst-port=8011 log=yes log-prefix=""

 1 X  chain=srcnat action=masquerade out-interface=ether1 log=no log-prefix=""

[admin@MikroTik] > /ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         INTERFACE
 0   10.13.37.1/26      10.13.37.0      ether2
 1   81.4.66.166/27     1.1.66.160      ether1

[admin@MikroTik] > /ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          1.1.66.161               1
 1 ADC  10.13.37.0/26      10.13.37.1      bridge1                   0
 2 ADC  81.4.66.160/27     1.1.66.166      ether1                    0

I want to forward Internet traffic for 1.1.66.166:8011 to 10.13.37.10:80.

Did I configure this correctly, or am I missing something, as it's not working?

Yes, the NAT rule is correct.

Could you perhaps help me understand why it's not working?

The intention is to forward public:80 to 10.13.37.10:80.

Full config:

[admin@MikroTik] > /export
# aug/07/2017 12:34:17 by RouterOS 6.40
#
/interface ethernet
set [ find default-name=ether2 ] mac-address=00:0C:29:4D:4F:F4 name=ether1
set [ find default-name=ether1 ] name=ether2
/tool user-manager customer
set admin access=own-routers,own-users,own-profiles,own-limits,config-payment-gw
/interface bridge port
add interface=ether2
/ip settings
set accept-redirects=yes accept-source-route=yes route-cache=no
/ip address
add address=10.13.37.34/26 interface=ether2 network=10.13.37.0
add address=1.1.66.166/27 interface=ether1 network=1.1.66.160
/ip dhcp-client
add dhcp-options=hostname,clientid interface=ether1
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall filter
add action=accept chain=forward
add action=accept chain=output
add action=accept chain=input
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=1.1.66.166 dst-port=80,443 in-interface=ether1 log=yes protocol=tcp to-addresses=10.13.37.10
add action=masquerade chain=srcnat out-interface=ether1
/ip route
add distance=1 gateway=1.1.66.161

You have 'log=yes' - what do you see in the Log when you try to connect?

14:12:20 firewall,info dstnat: in:ether1 out:(none), src-mac 54:75:d0:a7:3c:00, proto TCP (SYN), xx.xx.2.42:12117->1.1.66.166:80, len 52
14:12:20 firewall,info dstnat: in:ether1 out:(none), src-mac 54:75:d0:a7:3c:00, proto TCP (SYN), xx.xx.2.42:12119->1.1.66.166:80, len 52

This appears in the log.

Then the rule actually works.

Check that 10.13.37.10 has access to the Internet via that router and that you don't filter out packets to and from 10.13.37.10 in the Firewall Filter.

It's strange, but it doesn't work.

There are no firewall rules configured on the RouterOS (except for the DST-NAT and the masquerade rule). RouterOS is on a VMware ESXi host, which has to direct the traffic to another VM on the same vSwitch, but the connection always times out.

When I change the to-addresses to the same destination VM, but on its public IP, it does work. Perhaps it doesn't have a route back?

Run a trace (Wireshark) on the VM to see what happens.
It may have a firewall, or, when it has several addresses (as you seem to indicate), it may have an incorrectly defined routing policy.
Okay, so, I wasn't thinking properly. The destination VM did not have the router as its gateway, so the problem is solved now!

Thanks for the assistance.
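The two checks this thread walks through (does the dst-nat rule actually match inbound SYNs, and can the target host's replies get back through the same router) can be scripted. The following is an added example, not code from the thread or from MikroTik: it parses RouterOS "firewall,info" log lines in the format shown above (the sample lines are constructed, with a documentation-range source address standing in for the anonymised one) and then checks the return path for a dst-nat target. The router LAN address 10.13.37.1/26, the target 10.13.37.10 and the gateway values passed to it are assumptions for illustration.

```python
import ipaddress
import re

# Constructed sample, mirroring the RouterOS firewall log format seen in the thread
# (log=yes on a dstnat rule with an empty log-prefix logs the chain name).
SAMPLE_LOG = """\
14:12:20 firewall,info dstnat: in:ether1 out:(none), src-mac 54:75:d0:a7:3c:00, proto TCP (SYN), 203.0.113.42:12117->1.1.66.166:80, len 52
14:12:20 firewall,info dstnat: in:ether1 out:(none), src-mac 54:75:d0:a7:3c:00, proto TCP (SYN), 203.0.113.42:12119->1.1.66.166:80, len 52
14:12:21 system,info,account user admin logged in from 10.13.37.5 via winbox
"""

# One RouterOS firewall log line: time, chain, in/out interface, MAC, proto (+TCP flags), 5-tuple, length.
LOG_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) firewall,info (?P<chain>[^:\s]+): "
    r"in:(?P<in_if>[^\s,]+) out:(?P<out_if>[^\s,]+), src-mac (?P<mac>[0-9a-f:]{17}), "
    r"proto (?P<proto>\w+)(?: \((?P<flags>[^)]*)\))?, "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+), len (?P<len>\d+)$"
)


def parse_firewall_log(text):
    """Return a list of dicts, one per firewall log line; other log topics are skipped."""
    entries = []
    for line in text.splitlines():
        match = LOG_RE.match(line.strip())
        if match:
            entries.append(match.groupdict())
    return entries


def syn_hits_for_rule(entries, dst_ip, dst_port, in_if):
    """Count TCP SYNs logged by the dstnat chain for a given public address, port and ingress interface.

    A non-zero count means the dst-nat rule matched inbound traffic, which is what the
    log lines in the thread prove; a zero count points at the rule, not the return path.
    """
    return sum(
        1
        for e in entries
        if e["chain"] == "dstnat"
        and e["in_if"] == in_if
        and e["dst"] == dst_ip
        and int(e["dport"]) == dst_port
        and e["proto"] == "TCP"
        and "SYN" in (e["flags"] or "")
    )


def diagnose_return_path(router_lan_addr, target_addr, target_gateway, forward_allowed=True):
    """Explain why replies from a dst-nat target might never reach the router.

    router_lan_addr: router address on the LAN side with prefix, e.g. "10.13.37.1/26" (assumed)
    target_addr:     the rule's to-addresses, e.g. "10.13.37.10" (assumed)
    target_gateway:  default gateway configured on the target host, or None
    forward_allowed: whether the forward chain accepts traffic to/from the target
    Returns a list of findings; an empty list means no problem was detected.
    """
    findings = []
    router_if = ipaddress.ip_interface(router_lan_addr)
    target = ipaddress.ip_address(target_addr)

    # dst-nat only rewrites the destination; the router still needs a route to the target.
    if target not in router_if.network:
        findings.append(
            f"target {target} is not in the router's connected subnet {router_if.network}; "
            "the router needs a route to it"
        )

    # Replies to Internet sources are routed by the target host, not by the router,
    # so they must be sent back through the router that holds the NAT state.
    if target_gateway is None:
        findings.append("target host has no default gateway; replies to Internet clients are dropped")
    elif ipaddress.ip_address(target_gateway) != router_if.ip:
        findings.append(
            f"target host's default gateway {target_gateway} is not the router ({router_if.ip}); "
            "replies bypass the NAT state (asymmetric routing) and the client times out"
        )

    if not forward_allowed:
        findings.append("forward chain does not accept traffic to/from the target host")
    return findings


if __name__ == "__main__":
    entries = parse_firewall_log(SAMPLE_LOG)
    print("dst-nat SYN hits:", syn_hits_for_rule(entries, "1.1.66.166", 80, "ether1"))
    for gw in ("10.13.37.1", "192.0.2.1", None):
        print(f"gateway={gw}:", diagnose_return_path("10.13.37.1/26", "10.13.37.10", gw) or "ok")
```

Running it reproduces the thread's diagnosis: the log parser confirms the rule matched two SYNs, and the return-path check reports a finding only when the target host's gateway is missing or is not the router, which is exactly the mistake found in the final post.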