Sure, there should be a rule permitting these connections if your firewall is a proper one (drop everything but listed exceptions). But nobody but you can add that rule.
One idea is to add just chain=forward action=accept connection-nat-state=dstnat to the firewall where your permissive forward rules are; see this topic where we’ve discussed the pros and cons of various approaches for details.
The fact that it works without hairpin NAT confuses me as well. But maybe you have some masquerade rule open enough to actually provide hairpin NAT inadvertently? It is really not easy to analyze if you post just the three rules you’ve added last and keep the rest of your firewall configuration a secret.
The rest is a matter of the firewall: if you permit anything from LAN back to LAN, no wonder that it worked also for the dstnat’ed connections. What I’ve just said above applies here as well.
A complete miss here. The actual purpose is the following:
As order of rules in chain is important, I needed to insert the counter rule as high as possible in its chain. The place-before parameter decides where to put the new rule, and the value of this parameter is a reference to an existing rule. The problem is that I did not know whether you have used any mangle prerouting rules at all, but RouterOS inserts some automatically (they call that “dynamic” items), and it does not let you insert anything before dynamic rules in firewall. Plus the actual pointers to the rules are special values. But if you use print to show any list of items, these items get numbered by a monotonous sequence starting from 0, and you can use these numbers to refer to the items when you want to modify or remove them, until any configuration change you’ve done affects the list (so remove and add terminate the validity of the numbers, set doesn’t).
So the whole exercise was to create an ad-hoc list of the static rules in chain prerouting of mangle and place the newly added rule before the first (0th) one of them. dynamic=no was a filtering parameter used to exclude dynamic rules from that list.
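The rules the post describes, written out as a RouterOS terminal session. This is an added example, not the original poster's configuration or anything from the thread: the LAN subnet 192.168.88.0/24, the public address 203.0.113.10 and forwarded port 443, the comment strings, and the assumption that the forward chain ends in an action=drop rule are all constructed for illustration. The counter rule matches the forwarded port by address rather than by connection-nat-state, because in mangle prerouting the first packet of a new connection has not been through dstnat yet.

```routeros
# Added example (not from the original post). Constructed assumptions:
# LAN 192.168.88.0/24, public IP 203.0.113.10, port 443 forwarded to a LAN host,
# and a final action=drop rule in chain=forward.

# 0. Check whether an over-broad masquerade rule is already providing hairpin NAT
#    by accident (the post's suspicion): list every masquerade rule with its matchers.
/ip firewall nat print where action=masquerade

# 1. Accept dstnat'ed (port-forwarded) connections in the forward chain, placed
#    above the final drop so the order-sensitive chain still drops everything else.
#    'find' returns internal ids; ->0 takes the first match for place-before.
/ip firewall filter add chain=forward action=accept connection-nat-state=dstnat \
    comment="allow port-forwarded traffic" \
    place-before=([find chain=forward action=drop]->0)

# 2. Counter rule: action=passthrough changes nothing, it only increments counters.
#    place-before cannot point at a dynamic rule, so build the list of static
#    (dynamic=no) rules in chain=prerouting and place the new rule before element 0.
/ip firewall mangle add chain=prerouting action=passthrough \
    dst-address=203.0.113.10 protocol=tcp dst-port=443 \
    comment="count port-forward hits" \
    place-before=([find chain=prerouting dynamic=no]->0)

# 3. Verify placement. Rows are numbered from 0 and dynamic rules carry the D flag;
#    those numbers stay valid only until the next add or remove (set keeps them).
/ip firewall mangle print where chain=prerouting

# 4. Read the packet/byte counters of the new rule.
/ip firewall mangle print stats where comment="count port-forward hits"
```

If either `find` returns an empty list (no drop rule in forward, or no static prerouting mangle rule yet), the `->0` expression fails and the add is rejected; in that case omit place-before and the rule is appended at the end of its chain, which for the counter rule still works as long as no earlier rule in the chain already diverts the matched packets.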