Port forwarding - Why it IS working

neki · October 6, 2023, 8:10pm

Hi,

I have a torrent client on my home server and when I was setting up my new mikrotik router I was expecting to have to enable UPnP or set up port forwarding.

But to my surprise uploads works fine and I’m not sure why. May someone look at my config please?

/ip firewall filter
add action=accept chain=input comment="allow established" connection-state=\
    established,related
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="allow local connections" \
    in-interface-list=local
add action=drop chain=input comment="drop all other connections"
add action=fasttrack-connection chain=forward connection-state=\
    established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward connection-nat-state=!dstnat connection-state=new \
    in-interface-list=wan
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-modem
add action=masquerade chain=srcnat out-interface=VDSL
add action=masquerade chain=srcnat out-interface=LTE
add action=masquerade chain=srcnat comment="Hairpin NAT" disabled=yes \
    dst-address=10.0.0.10 out-interface=bridge-lan src-address=10.0.0.0/24
add action=dst-nat chain=dstnat comment="Redirect DNS to server" disabled=yes \
    dst-port=53 in-interface=bridge-lan protocol=tcp src-address=!10.0.0.10 \
    to-addresses=10.0.0.10
add action=dst-nat chain=dstnat disabled=yes dst-port=53 in-interface=\
    bridge-lan protocol=udp src-address=!10.0.0.10 to-addresses=10.0.0.10
add action=dst-nat chain=dstnat disabled=yes in-interface=VDSL protocol=tcp \
    src-port=37367 to-addresses=10.0.0.10 to-ports=37367
add action=dst-nat chain=dstnat disabled=yes in-interface=VDSL protocol=udp \
    src-port=37367 to-addresses=10.0.0.10 to-ports=37367

tangent · October 6, 2023, 8:24pm

Your question calls for speculation. If it isn’t dstnat doing the work, then showing us that all your dstnat rules are disabled is diagnostic of nothing.

You want an alternate hypothesis to begin chasing? Okay, start with the many forms of NAT traversal.

Is that the answer? Without a packet trace in hand showing it occurring, I wouldn’t bet on it.

neki · October 8, 2023, 5:44pm

Hi tangent,

thank you for reply! Here is packet sniffer log file. The torrent client is running on 10.0.0.10 and port should be 37367

tangent · October 9, 2023, 12:59am

Sorry, but I wasn’t offering to dig through 2114 packets looking for evidence of a complicated protocol like STUN + TURN for you. I was suggesting that if you wanted to know whether this was occurring that learning these protocols and then designing packet sniffing tests to check for evidence of their use is the only way to get from speculation to certainty.

Plan B: Select an open-source Torrent client and see if it does the same thing. If so, then a quick search in its source code for these protocols’ acronyms should settle the question quickly.

neki · October 9, 2023, 7:57pm

Again, thank you for reply!

I think that we got it from the wrong end..

I do not care about torrents at all, I’m not trying to stop uploads or anything like that…

I have my first Mikrotik for only few weeks now and I was just surprised that those uploads work when I didn’t setup it up… (..and on Mikrotik you have to setup everything by yourself)

My only consern is security of my home network, it basicaly freaked me out when I discovered that incoming traffic is comming through without UPnP

That’s why I’m asking for explanation and friendly advice, because I have only basic knowledge about the networks and I have no idea “why it is working”…

tangent · October 9, 2023, 11:36pm

Then I suggest you dive into the NAT traversal article linked above. It’s a deep pool, and it will give you a sense of the many possible answers to your question. By the time your start eyes begin crossing involuntarily to the point that you decide to step away from the Wikipedia lest you do yourself an ocular injury, you should have a good sense for why there isn’t a checkbox in WinBox labeled “make my network secure.”

Or, maybe you wanted a simpler answer: many view NAT as a problem, and a lot of brain-power has gone into clever ways to get around it.

optio · October 11, 2023, 9:43am

@neki are you sure that port is actually open? Do you know that over torrent protocol for download and upload is enough that just one of the peers has open port? If you don’t have open port, your client will connect to open port of other peer which can generate upload traffic, which means other peer is downloading from you.
Having open port for torrent client just means that you will have more peers available for download/upload because other peers that doesn’t have open port can connect to your client and it will get more download/upload speed per torrent since you will be connected to more peers.