Port forwarding

Can’t get my port-forwarding working.
I’m doing it as described in many tutorials: added a dst-nat action to the dst-nat chain, but it’s not working.
I guess I have to fix some filtering rules: I have tried to disable all drop actions with no luck…

So if I have a clean RouterOS with a WAN static IP on ether1-gateway, how do I port-forward port 8080 to a static DHCP PC?
Should be easy… but not with MikroTik…

It’s really as simple as you described.
No need to modify filter rules, as NAT happens before the firewall.

It’d be good to see your actual rule from /ip firewall nat export to really help you; often enough to-addresses is confused with dst-address.

-Chris



[admin@MikroTik] > /ip firewall nat export 
# oct/31/2016 18:59:40 by RouterOS 6.37.1
# software id = X4W2-RPHY
#
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway
add action=dst-nat chain=dstnat dst-address=109.251.71.5 dst-port=8080 protocol=tcp to-addresses=192.168.88.2 to-ports=8080

Looks like everything is fine… But it’s not working…

Hi,

Remove both of them and insert the rules mentioned below, making the specific changes if your IP and subnet differ.

add action=masquerade chain=srcnat src-address=192.168.88.0/24
add action=dst-nat chain=dstnat dst-address=109.251.71.5 dst-port=8080 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.88.2 to-ports=8080

We hope this will resolve your issue.

I need help here. My port forwarding is not working. Currently I have two static ISPs and I’m trying to port-forward my IP camera to one of the ISPs, but no luck.

Currently I don’t have any firewall rules because I reset my router with “NO TO DEFAULT CONFIGURATION”. Maybe I’m missing something in the firewall rules.

/ip firewall nat
add action=src-nat chain=srcnat out-interface=ether1 to-addresses=121.96.x.x
add action=src-nat chain=srcnat out-interface=pppoe-out1 to-addresses=119.92.x.x
add action=dst-nat chain=dstnat dst-address=119.92.x.x dst-port=7979 protocol=tcp to-addresses=192.168.0.12 to-ports=7979

Changing to a masquerade rule fixed part of the problem… Now when I try to visit this port from inside, I’m getting port-forwarded. But it’s not working from outside (WAN)!

If you could explain why “Quick Set” generated masquerade like this, and why it’s not working properly with port-forwarding:

add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway

I guess that’s because masquerading was affecting all traffic to ether1-gateway, including port-forwarding… I’ve tried to reorder these rules and put my port-forwarding on top of masquerading with no luck…
I’m seeing a lot of port-forwarding questions on the forum… I guess that’s because of the auto-generated masquerading that does not allow port-forwarding.

You also need to add second rule if you want to get access from outside of your network.

Sorry, I don’t understand you… my current rules:

add action=masquerade chain=srcnat comment="default configuration" src-address=192.168.88.0/24
add action=dst-nat chain=dstnat dst-address=109.251.71.5 dst-port=8080 protocol=tcp to-addresses=192.168.88.2 to-ports=8080

What else should I add?
I guess I have to make srcnat like in iptables prerouting/postrouting dnat/snat…

add action=dst-nat chain=dstnat dst-address=109.251.71.5 dst-port=8080 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.88.2 to-ports=8080

Add interface & try to access from WAN.

Now it’s not working at all… neither from WAN nor from LAN…

Yes, quite a lot. You need to make sure that incoming connections go back to same ISP. Something like this. One more helpful tip, do not post your problems to other people’s topics, even if they are similar. Unless it’s exactly the same problem, opening new topic is better for everyone, including yourself.

No, that was probably because you were testing it from LAN and port forwarding doesn’t work from there by default. By removing out-interface from masquerade rule, you created variant of hairpin NAT. Your last rules should work. If not, it’s either blocked by target machine (make sure it allows connections from any address) or in router’s forward chain. Add this rule to allow all forwarded ports:

/ip firewall filter
add action=accept chain=forward connection-nat-state=dstnat

Agree with sob. :slight_smile:

I was checking from both WAN and LAN… With no luck… The target machine accepts all traffic, the web server listens on 0.0.0.0 …

This rule did not help.

I’ve read about hairpin NAT… I can see that I’m trying to do exactly the same scenario… But with my configuration I’m able to port-forward in LAN, but not from WAN… Which is different from what is described in the article… I will try to dive deeper to better understand what’s happening… Thank you…

You can also try to post whole firewall config, maybe someone will spot something obvious.

I’ve enabled logging on the filtering rule (that allows all port-forwarding) and on the port-forwarding rule itself, with the prefixes web-filter and web-nat respectively. Here are the logs:

Here are my firewall rules:

[admin@MikroTik] > /ip firewall export                                                            
# oct/31/2016 22:17:39 by RouterOS 6.37.1
# software id = X4W2-RPHY
#
/ip firewall filter
add action=accept chain=input comment="default configuration" protocol=icmp
add action=accept chain=input comment="default configuration" connection-state=established,related
add action=drop chain=input comment="default configuration" in-interface=ether1-gateway
add action=fasttrack-connection chain=forward comment="default configuration" connection-state=established,related
add action=accept chain=forward comment="default configuration" connection-nat-state="" connection-state=established,related
add action=accept chain=forward connection-nat-state=dstnat log=yes log-prefix=web-filter
add action=drop chain=forward comment="default configuration" connection-state=invalid
add action=drop chain=forward comment="default configuration" connection-nat-state=!dstnat connection-state=new in-interface=ether1-gateway
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" src-address=192.168.88.0/24
add action=dst-nat chain=dstnat dst-address=109.251.71.5 dst-port=80 log=yes log-prefix=web-nat protocol=tcp to-addresses=192.168.88.2 to-ports=80

I’m concerned about “dstnat out:(none)” … looks like this is my problem…
Thanks.

Packets in dstnat chain don’t yet know where they’ll go, so “dstnat out:(none)” is fine. Looking at your log with all those repeating SYN packets, it looks like port forwarding is ok, but 192.168.88.2 is not accepting the connection.

Ok, you are right. Here is a tcpdump from the host (Ubuntu 14.04)…

# tcpdump -i eth1 tcp port 80 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
20:50:47.556804 IP 167.114.118.4.56608 > 192.168.88.2.80: Flags [S], seq 3724586743, win 29200, options [mss 1460,sackOK,TS val 2990087187 ecr 0,nop,wscale 7]
20:50:48.554298 IP 167.114.118.4.56608 > 192.168.88.2.80: Flags [S], seq 3724586743, win 29200, options [mss 1460,sackOK,TS val 2990087437 ecr 0,nop,wscale 7]
20:50:50.558430 IP 167.114.118.4.56608 > 192.168.88.2.80: Flags [S], seq 3724586743, win 29200, options [mss 1460,sackOK,TS val 2990087938 ecr 0,nop,wscale 7]
20:50:54.566136 IP 167.114.118.4.56608 > 192.168.88.2.80: Flags [S], seq 3724586743, win 29200, options [mss 1460,sackOK,TS val 2990088940 ecr 0,nop,wscale 7]
^C
4 packets captured
4 packets received by filter
0 packets dropped by kernel



# ufw status
Status: inactive

# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT

# netstat -tulpn | grep nginx
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      5211/nginx -g daemo

So I don’t have any firewall, and my web server is listening on all interfaces…
But I have TCP SYN packets without an answer… WTF???
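The diagnosis made from the capture above (repeated SYNs with the same sequence number, no SYN/ACK back, so the router is forwarding correctly and the host is the one not answering) can be automated. The following is an added example and not part of the original thread: it parses the plain text output of `tcpdump -n` for IPv4/TCP, groups packets by flow, and reports client SYNs that were retransmitted without a matching SYN/ACK from the server side. The sample capture is constructed for this example, modelled on the thread's four unanswered SYNs plus one healthy handshake for contrast. The tcpdump line layout assumed is the default one shown in the thread (`ts IP a.b.c.d.port > w.x.y.z.port: Flags [..], seq N, …`).

```python
"""Find TCP flows whose SYNs reached the host but were never answered.

Added example (not from the original thread). Works on the text output of
`tcpdump -n` for IPv4/TCP. A flow reported here has passed the router (the
SYN arrived on the host's interface) and is failing on the host itself:
no listener, a host firewall, or, as in the thread, the SYN/ACK leaving via
an interface the kernel then drops it on.
"""
import re
from collections import defaultdict

# Default tcpdump line layout for IPv4/TCP, e.g.
# 20:50:47.556804 IP 167.114.118.4.56608 > 192.168.88.2.80: Flags [S], seq 3724586743, win 29200, ...
LINE_RE = re.compile(
    r"^(?P<th>\d{2}):(?P<tm>\d{2}):(?P<tsec>\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\](?:, seq (?P<seq>\d+))?"
)


def parse_tcpdump(text):
    """Return a list of packet dicts; banner and summary lines are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        g = m.groupdict()
        pkts.append({
            "t": int(g["th"]) * 3600 + int(g["tm"]) * 60 + float(g["tsec"]),
            "src": g["src"], "sport": int(g["sport"]),
            "dst": g["dst"], "dport": int(g["dport"]),
            "flags": g["flags"],
            "seq": int(g["seq"]) if g["seq"] is not None else None,
        })
    return pkts


def find_unanswered_syns(pkts):
    """Group client SYNs by (client, cport, server, sport) and note whether a SYN/ACK came back."""
    syns = defaultdict(list)   # flow -> list of (time, seq)
    answered = set()           # flows for which a SYN/ACK ("S.") was observed
    for p in pkts:
        flow = (p["src"], p["sport"], p["dst"], p["dport"])
        if p["flags"] == "S":
            syns[flow].append((p["t"], p["seq"]))
        elif p["flags"] == "S.":
            # tcpdump prints SYN/ACK as "S."; reverse the tuple to match the client's flow
            answered.add((p["dst"], p["dport"], p["src"], p["sport"]))
    report = {}
    for flow, attempts in syns.items():
        times = [t for t, _ in attempts]
        report[flow] = {
            "syn_count": len(attempts),
            # same ISN repeated = the client's retransmission timer, not a new connection
            "retransmitted": len({s for _, s in attempts}) < len(attempts),
            # seconds between retries; a 1, 2, 4 ... pattern is the kernel's exponential backoff
            "gaps": [round(b - a, 3) for a, b in zip(times, times[1:])],
            "answered": flow in answered,
        }
    return report


def unanswered(report):
    """Flows that kept retrying and never saw a SYN/ACK, sorted for stable output."""
    return sorted(f for f, r in report.items() if r["retransmitted"] and not r["answered"])


# Constructed sample, modelled on the capture in the thread: four retransmitted
# SYNs from one client that never get a reply, plus one healthy handshake.
SAMPLE = """\
listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
20:50:47.556804 IP 167.114.118.4.56608 > 192.168.88.2.80: Flags [S], seq 3724586743, win 29200, options [mss 1460,sackOK,TS val 2990087187 ecr 0,nop,wscale 7]
20:50:48.554298 IP 167.114.118.4.56608 > 192.168.88.2.80: Flags [S], seq 3724586743, win 29200, options [mss 1460,sackOK,TS val 2990087437 ecr 0,nop,wscale 7]
20:50:49.100000 IP 192.168.88.10.41000 > 192.168.88.2.80: Flags [S], seq 1000, win 29200, options [mss 1460]
20:50:49.100400 IP 192.168.88.2.80 > 192.168.88.10.41000: Flags [S.], seq 5000, ack 1001, win 28960, options [mss 1460]
20:50:49.100800 IP 192.168.88.10.41000 > 192.168.88.2.80: Flags [.], ack 1, win 229
20:50:50.558430 IP 167.114.118.4.56608 > 192.168.88.2.80: Flags [S], seq 3724586743, win 29200, options [mss 1460,sackOK,TS val 2990087938 ecr 0,nop,wscale 7]
20:50:54.566136 IP 167.114.118.4.56608 > 192.168.88.2.80: Flags [S], seq 3724586743, win 29200, options [mss 1460,sackOK,TS val 2990088940 ecr 0,nop,wscale 7]
4 packets captured
"""

if __name__ == "__main__":
    rep = find_unanswered_syns(parse_tcpdump(SAMPLE))
    for flow in unanswered(rep):
        r = rep[flow]
        print(f"{flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]}: {r['syn_count']} SYNs, "
              f"backoff {r['gaps']} s, no SYN/ACK seen")
```

Run it against a real capture with `tcpdump -n -i eth1 tcp port 80 > cap.txt` and feed the file contents to `parse_tcpdump` instead of `SAMPLE`. If a flow appears in the output, stop looking at the router's NAT and filter rules: the SYN was delivered, and the missing SYN/ACK is the host's problem (listener bound to the wrong address, host firewall, or the reply leaving via another interface and being dropped).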

Thanks to all of you!
I think I’ve nailed down the issue: my Ubuntu server is not responding to TCP SYN packets…
Not a MikroTik-related issue… just bad network configuration on my Ubuntu server…
Thank you again!

Can you elaborate, and post what you did to fix it? I have also been troubleshooting intermittent connectivity issues with hairpin enabled… and it’s been to an Ubuntu server thus far (running different servers on unique ports). Was thinking it was hairpin, then a fasttrack issue. Neither has panned out.

Thx

My problem was really simple. I had two Ethernet cards, with the default Ethernet card facing the other network. So my eth1 was facing the MikroTik router, but it wasn’t the default route. That’s why the SYN packets were coming in on eth1 while the SYN/ACK was going out eth0 and getting dropped by the kernel.
Pretty stupid issue… Sorry for taking your time, guys!