Port Forwarding

MikeMikeMike · August 24, 2016, 10:04pm

Hello Everybody

I have done a lot of web search finding information about port forwarding and can’t seen to find the correct answer.

Here is my scenario:

(Provider Public IP) xxxx.xxxx.xxxx.xxxx ----> Non Mikrotik Router 192.168.1.1/30 -----> 192.168.1.2/30 Mikrotik Router 10.0.0.1/30 ------> 10.0.0.2/30 PFSense PC (Router/Firewall)

The Non Mikrotik Router is forwarding all ports to my mikrotik and I’m forwarding all ports received from the Non Mikrotik Router to the PFSense using the below rule:

***** NAT Masquerade*****
chain=srcnat action=masquerade out-interface=Wan log=no
log-prefix=“”

***** Forward All Ports from Mikrotik Router *****
chain=dstnat action=dst-nat to-addresses=10.0.0.2
dst-address=192.168.1.2 log=no log-prefix=“”

I’m not specifying any port in the DST-NAT since I read that by doing this you are forwarding all ports to the device.
Is the above rules correct. How can I know if the ports are being forwarded to the PFSense
Clients connected through the PFSense are browsing fine, no problem at the routing level

Sob · August 24, 2016, 11:10pm

You need to swap addresses in your rule, because dst-address is condition (“if original destination address is xxx”) and to-addresses is part of action (“change destination address to xxx”).

MikeMikeMike · August 24, 2016, 11:16pm

Yes, my bad. When i was writing the scenario here I mistakenly switched addresses.

Sob · August 24, 2016, 11:49pm

So you mean you have the correct rule on router, but it still does not work?

Does the rule counter increase? If so, you may need to allow forwarded ports using this rule:

/ip firewall filter
add action=accept chain=forward connection-nat-state=dstnat

If not, check if some forwarded stuff really comes to 192.168.1.2, e.g. using logging rule in prerouting:

/ip firewall mangle
add action=log chain=prerouting connection-state=new in-interface=<WAN>

Connect from outside to public address (any random port) and assuming everything else is configured correctly, you should see it logged. If not, problem is somewhere else before your router.

MikeMikeMike · August 25, 2016, 12:08am

Sob:

So you mean you have the correct rule on router, but it still does not work?

Does the rule counter increase? If so, you may need to allow forwarded ports using this rule:
/ip firewall filter
add action=accept chain=forward connection-nat-state=dstnat
If not, check if some forwarded stuff really comes to 192.168.1.2, e.g. using logging rule in prerouting:
/ip firewall mangle
add action=log chain=prerouting connection-state=new in-interface=<WAN>
Connect from outside to public address (any random port) and assuming everything else is configured correctly, you should see it logged. If not, problem is somewhere else before your router.

Why is this rule so important?
add action=accept chain=forward connection-nat-state=dstnat

Sob · August 25, 2016, 12:51am

It depends on what other rules you have. If you block forwarding by default and only allow selected stuff (at least traffic originating from LAN), you also need to allow forwarded ports. Because NAT only changes the address and that’s it, all filtering rules still apply to it.

MikeMikeMike · August 25, 2016, 1:46am

Ok so let’s say I apply this changes, still how can I verify if the ports are allowed? Can i do it connected to the Mikrotik, if so correct me if i’m wrong, do i need to make aditional Nat rules to forward the ports to the mikrotik itself or do i need to do the test behind the PFSense ??

I used Nmap to scan my Mikrotik WAN IP and it only shows port 80 & 443 open

Sob · August 25, 2016, 12:42pm

You need to test one part after another. First you need to make sure that something is forwarded to your router, I already gave you example how. Or you can use Tools->Torch instead and look for your outside connections there. With each such connection the counter for dstnat rule will increase and so will counter for the new rule in forward chain. You can again use torch and see if forwarded packets leave the router towards PFSense. And if they do, you’re done with this router and can move to PFSense a verify there that it does what you want it to.

Important part, you need to be testing this from outside first, not from internal LAN, because that can be tricky to configure and you don’t know how the device with public IP handles it. So find some online nmap service, select some non-standard port to test with, something easy to spot and unlikely to be used by anything else (something like 33333) and try it. If it works, verify some others you’re more interested in.

MikeMikeMike · August 25, 2016, 4:58pm

Sob:

You need to test one part after another. First you need to make sure that something is forwarded to your router, I already gave you example how. Or you can use Tools->Torch instead and look for your outside connections there. With each such connection the counter for dstnat rule will increase and so will counter for the new rule in forward chain. You can again use torch and see if forwarded packets leave the router towards PFSense. And if they do, you’re done with this router and can move to PFSense a verify there that it does what you want it to.

Important part, you need to be testing this from outside first, not from internal LAN, because that can be tricky to configure and you don’t know how the device with public IP handles it. So find some online nmap service, select some non-standard port to test with, something easy to spot and unlikely to be used by anything else (something like 33333) and try it. If it works, verify some others you’re more interested in.

Yep, the Dst-NAT NAT counter is incrementing and also the Accept DST rule in the firewall section is also incrementing. Will look at the interface using torch. Thanks, will update the post once I finish doing those test