Port forwarding to specific multiple IP's

Hi all,

Subject says exactly what I’m trying to do, though natting it doesn’t seem to be the answer. If I specify a singular IP and test if the port is open, it works no problem. If I create a second rule for the same port(s) to a different IP it doesn’t work, probably because I’ve already natted it to the first IP.

So how would I go about port forwarding 3 specific IP’s?
Namely 10.10.0.221, 10.10.0.253, 10.2.0.2

If someone could just point me in the right direction it would be muchly appreciated.

Thanks.

Are you wanting to access a single IP (dst-address) and forward a single port (dst-port) to multiple internal IPs (to-addresses)? If so, that’s not possible. You could forward multiple dst-addresses to different to-addresses, or different dst-ports to separate to-addresses, i.e.:

Different dst-address

/ip firewall nat
add action=dst-nat chain=dstnat in-interface=ether1 dst-port=22 protocol=tcp dst-address=192.0.2.2 to-addresses=10.10.0.221
add action=dst-nat chain=dstnat in-interface=ether1 dst-port=22 protocol=tcp dst-address=192.0.2.3 to-addresses=10.10.0.253
add action=dst-nat chain=dstnat in-interface=ether1 dst-port=22 protocol=tcp dst-address=192.0.2.4 to-addresses=10.2.0.2

Different dst-port

/ip firewall nat
add action=dst-nat chain=dstnat in-interface=ether1 dst-port=2222 protocol=tcp dst-address=192.0.2.2 to-addresses=10.10.0.221 to-ports=22
add action=dst-nat chain=dstnat in-interface=ether1 dst-port=2223 protocol=tcp dst-address=192.0.2.2 to-addresses=10.10.0.253 to-ports=22
add action=dst-nat chain=dstnat in-interface=ether1 dst-port=2224 protocol=tcp dst-address=192.0.2.2 to-addresses=10.2.0.2 to-ports=22
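To make the first-match behaviour behind this answer concrete, here is a small added model (not RouterOS code, and not part of the original thread) of a dstnat chain with a shadow check: a rule whose match criteria are fully covered by an earlier rule can never fire, which is why the "same port, different to-addresses" attempt only ever hits the first rule, while the "different dst-port" variant keeps every rule reachable. The Rule, Packet and rule lists below are constructed for illustration.

```python
"""Simplified first-match model of a RouterOS dstnat chain (hypothetical helper)."""
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Rule:
    dst_address: Optional[str]   # None means "any"
    dst_port: Optional[int]      # None means "any"
    protocol: Optional[str]      # None means "any"
    to_addresses: str

@dataclass(frozen=True)
class Packet:
    dst_address: str
    dst_port: int
    protocol: str

def _fields(rule: Rule):
    return (rule.dst_address, rule.dst_port, rule.protocol)

def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches when every specified criterion equals the packet field."""
    got = (pkt.dst_address, pkt.dst_port, pkt.protocol)
    return all(want is None or want == g for want, g in zip(_fields(rule), got))

def dstnat(rules: List[Rule], pkt: Packet) -> Optional[str]:
    """First matching rule wins; return its to-addresses, or None if nothing matched."""
    for r in rules:
        if matches(r, pkt):
            return r.to_addresses
    return None

def shadowed(rules: List[Rule]) -> List[int]:
    """Indexes of rules that can never match because an earlier rule is at least as broad."""
    def covers(broad: Rule, narrow: Rule) -> bool:
        # 'broad' covers 'narrow' if each of its criteria is "any" or identical.
        return all(b is None or b == n for b, n in zip(_fields(broad), _fields(narrow)))
    return [i for i, r in enumerate(rules) if any(covers(e, r) for e in rules[:i])]

# Constructed: three rules with identical match criteria (the poster's attempt).
SAME_MATCH = [
    Rule("192.0.2.2", 22, "tcp", "10.10.0.221"),
    Rule("192.0.2.2", 22, "tcp", "10.10.0.253"),
    Rule("192.0.2.2", 22, "tcp", "10.2.0.2"),
]
# Constructed: the "different dst-port" layout from the reply above.
BY_PORT = [
    Rule("192.0.2.2", 2222, "tcp", "10.10.0.221"),
    Rule("192.0.2.2", 2223, "tcp", "10.10.0.253"),
    Rule("192.0.2.2", 2224, "tcp", "10.2.0.2"),
]
```

Running `shadowed()` over an exported rule list is a quick way to spot dst-nat entries that will never be reached before deploying them.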

You need to use nth rules or random rules to allow some connections to fall through to the other rules below the first one. You will find random isn’t all that random, really.

You should also be able to use PCC in prerouting to mark connections to be spread load evenly across several inside servers, and then NAT based on the connection mark. Something along the lines of:

/ip firewall mangle
add chain=prerouting in-interface=ether1 connection-mark=no-mark protocol=tcp dst-port=22 per-connection-classifier=src-address:3/0 action=mark-connection new-connection-mark=to-server1
add chain=prerouting in-interface=ether1 connection-mark=no-mark protocol=tcp dst-port=22 per-connection-classifier=src-address:3/1 action=mark-connection new-connection-mark=to-server2
add chain=prerouting in-interface=ether1 connection-mark=no-mark protocol=tcp dst-port=22 per-connection-classifier=src-address:3/2 action=mark-connection new-connection-mark=to-server3
/ip firewall nat
add chain=dstnat connection-mark=to-server1 action=dst-nat to-addresses=10.10.0.221
add chain=dstnat connection-mark=to-server2 action=dst-nat to-addresses=10.10.0.253
add chain=dstnat connection-mark=to-server3 action=dst-nat to-addresses=10.2.0.2

Never tried it, mind you.

Thanks to all for your input. I tried the simple natting, but like I said, the first rule works and the rest don’t. I then tried the mangle; that didn’t pan out either. But then, instead of creating the mangle with PCC, I created the NAT with PCC and it seems to be working… The only possible issue is the ports I need to open: 1500-28960. Some are TCP and others are UDP, so I created the same rule for both, and testing any port within the range, no matter in which order it is under NAT, shows good :smiley:

So there may be a possible security issue here?

Spoke too soon… But thinking about it again now I’m just being lazy, going to fiddle with the mangle PCC again.

Did you ever get this to work? I’m having the same issue. Simply adding the dst-address of the alternate public-ip doesn’t work. It seems like it should, however I’m not sure what’s happening.

I am trying to replace an Endian firewall box with my Routerboard 750G but until I can get my multiple public IPs to work (I have two 5 IP subnets) I will be unable to use it.

-Rich

Post what you got, and what you’re trying to do, in as much detail as you can. A quick guess is that you did not assign all the IP addresses you are destination NATing to an interface. You either need to do that, or enable proxy ARP - otherwise the router at the other end can’t ARP for your MAC address on that IP, and won’t send traffic your way. Overloading IPs from the same subnet is MUCH cleaner than proxy ARP. But if that doesn’t do it, as said, post lots of details.

I have two /29 subnets. Right now I’m just trying to get two IPs from the first subnet working.

For example sake I’m going to use the subnet 198.2.2.8/29

I have both IPs (198.2.2.9 and 198.2.2.10) assigned to the WAN interface (port 5)
I have a cisco T1 router on 198.2.2.13 which is the MT default gateway

I then have NAT rules set up as follows:

0 chain=srcnat action=masquerade src-address=192.168.5.0/24
out-interface=5-wan

1 chain=srcnat action=masquerade src-address=172.16.7.0/24
out-interface=5-wan

2 chain=dstnat action=dst-nat to-addresses=172.16.7.10 to-ports=3389
protocol=tcp dst-address=198.2.2.9 dst-port=3389

3 chain=dstnat action=dst-nat to-addresses=172.16.7.11 to-ports=3389
protocol=tcp dst-address=198.2.2.10 dst-port=3389

Rule #2 will work but #3 will not.

Let me know if you need more info.

-Rich

That looks OK so far. Please post the output of “/interface print detail”, “/ip address print detail”, “/ip route print detail”, and “/ip firewall export”. Please wrap output in tags to help legibility.

interface print detail:

Flags: D - dynamic, X - disabled, R - running, S - slave 
 0  R  name="1-management" type="ether" mtu=1500 l2mtu=1524 

 1     name="2-unused" type="ether" mtu=1500 l2mtu=1524 

 2     name="3-lan" type="ether" mtu=1500 l2mtu=1524 

 3     name="4-dmz" type="ether" mtu=1500 l2mtu=1524 

 4     name="5-wan" type="ether" mtu=1500 l2mtu=1524

ip address print detail:

Flags: X - disabled, I - invalid, D - dynamic 
 0   address=192.168.88.1/24 network=192.168.88.0 broadcast=192.168.88.255 
     interface=1-management actual-interface=1-management 

 1   address=192.168.5.254/24 network=192.168.5.0 broadcast=192.168.5.255 
     interface=3-lan actual-interface=3-lan 

 2   address=198.2.2.9/29 network=198.2.2.8 broadcast=198.2.2.15 
     interface=5-wan actual-interface=5-wan 

 3   address=198.2.2.10/29 network=198.2.2.8 broadcast=198.2.2.15 
     interface=5-wan actual-interface=5-wan 

 4   address=172.16.7.254/24 network=172.16.7.0 broadcast=172.16.7.255 
     interface=4-dmz actual-interface=4-dmz

ip route print detail:

Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 0   S  dst-address=0.0.0.0/0 gateway=198.2.2.13 
        gateway-status=198.2.2.13 unreachable distance=1 scope=30 
        target-scope=10 

 1 ADC  dst-address=172.16.7.0/24 pref-src=172.16.7.254 gateway=4-dmz 
        gateway-status=4-dmz unreachable distance=0 scope=200 

 2 ADC  dst-address=192.168.5.0/24 pref-src=192.168.5.254 gateway=3-lan 
        gateway-status=3-lan unreachable distance=0 scope=200 

 3 ADC  dst-address=192.168.88.0/24 pref-src=192.168.88.1 gateway=1-management 
        gateway-status=1-management reachable distance=0 scope=10 

 4 ADC  dst-address=198.2.2.8/29 pref-src=198.2.2.9 gateway=5-wan 
        gateway-status=5-wan unreachable distance=0 scope=200

ip firewall export:

# jan/02/1970 04:13:06 by RouterOS 4.11
# software id = NDPF-J2N4
#
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
    tcp-close-wait-timeout=10s tcp-established-timeout=1d \
    tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
    tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
    tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall nat
add action=masquerade chain=srcnat comment="" disabled=no out-interface=5-wan \
    src-address=192.168.5.0/24
add action=masquerade chain=srcnat comment="" disabled=no out-interface=5-wan \
    src-address=172.16.7.0/24
add action=dst-nat chain=dstnat comment="" disabled=no dst-address=\
    198.2.2.9 dst-port=3389 protocol=tcp to-addresses=172.16.7.10 \
    to-ports=3389
add action=dst-nat chain=dstnat comment="" disabled=no dst-address=\
    198.2.2.10 dst-port=3389 protocol=tcp to-addresses=172.16.7.11 \
    to-ports=3389
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no

Everything is listed as unreachable right now because the router is not currently in place. I switched back to my Endian because this wasn’t working.

Thanks for the help!
-Rich

That should work fine. It’s a pretty straightforward configuration - there aren’t many places things can go wrong, and you configured everything correctly.

Are you 100% sure that the hosts are configured right? Correct gateways on them? Host routes would take return traffic back through that router? If it’s Vista, 7, or 2k8 or 2k8r2 the host firewalls have that pesky concept of zones where RDP might work for local or domain traffic but not for public zone traffic so that local tests work but access from the WAN does not. How are you testing, and where from?
I know, stupid questions, but if I had a penny for every time I overlooked something like that I wouldn’t have to get up and go to work tomorrow…

Well, this is an existing setup where an Endian firewall is in place already with the same IPs configured. I’m simply putting the routerboard in its place. In order to test, I am connecting via remote desktop to another network outside and attempting to remote desktop back into 198.2.2.9 and 198.2.2.10. .9 works and .10 doesn’t.

The hosts are XP so none of the vista/7 crap.

The only thing I noticed is that I’m on 4.11 and that seems rather old compared to what is available. I would think it still should work.
-Rich

I am going to upgrade the router to RouterOS 5.3 and try again. If it still doesn’t work I’d almost have to say it is a bug.

A bit of information I forgot to add is that from the outside, I am unable to ping the second IP either where I can ping the first IP.

Come to think of it, could this be an ARP problem where the router (198.2.2.13) has an invalid MAC for 198.2.2.10? I’ll have to test that theory.

-Rich

Absolutely could be. It’s the same fundamental reason you need to assign both IPs to an interface or use proxy ARP to make this work - without the upstream router being able to send traffic to you on layer 2 of course nothing else works further downstream.

It’s more or less bound to be something fundamental like that. Your configuration is correct, and it’s very simple and easy to verify as correct. This is HIGHLY unlikely to be a bug. RouterOS is built on Linux, and MT doesn’t change the kernel. Literally millions of people worldwide are using iptables destination NAT. There are no fundamental bugs like “it just doesn’t work in a completely standard deployment” in that code.

Just tested it again and cleared the ARP cache on the router, and everything works.

Now I am on to creating the endless dst-nat entries for my setup.

Thanks for the help!

-Rich

Glad it’s working.
I guess another option would have been to source a ping to the gateway. The ARP table likely never updated because that secondary IP isn’t the preferred source on the interface, so traffic was never sent out with that source address.

/ping 198.2.2.13 src-address=198.2.2.10