port forwarding

I’m a newbie with the MikroTik RB750GL. My goal is access from my WAN 192.168.0.25:81 to my local web server 192.168.88.249:81.
I tested this config without success:
[admin@MikroTik] > /ip address print
Flags: X - disabled, I - invalid, D - dynamic

ADDRESS NETWORK INTERFACE

0 ;;; default configuration
192.168.88.1/24 192.168.88.0 ether2-master-local
1 D 192.168.0.25/24 192.168.0.0 ether1-gateway
[admin@MikroTik] > /ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; default configuration
chain=srcnat action=masquerade to-addresses=0.0.0.0 out-interface=ether1-gateway

1 chain=dstnat action=dst-nat to-addresses=192.168.88.249 protocol=tcp dst-address=192.168.0.25 dst-port=81

2 chain=srcnat action=masquerade to-addresses=0.0.0.0 protocol=tcp src-address=192.168.88.0/24 dst-address=192.168.88.249 out-interface=ether2-master-local
dst-port=81
[admin@MikroTik] > /ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; default configuration
chain=input action=accept protocol=icmp

1 ;;; default configuration
chain=input action=accept connection-state=established

2 ;;; default configuration
chain=input action=accept connection-state=related

3 ;;; default configuration
chain=input action=drop in-interface=ether1-gateway

4 chain=input action=accept protocol=tcp dst-port=81

5 chain=forward action=accept protocol=tcp dst-port=81

Can anybody help me with this?

Disable the firewall rules, then test again.

How are you connected to your WAN? Hope you know that your WAN doesn’t have a public IP…

Jarda,

Doesn’t matter whether it’s a “Public IP” or not. That just defines whether the traffic can be possibly routed over the net. I can use a “public IP” and still keep it internal if we wish. So that statement is really null and void.

What he is trying to do is basic NAT. To that point though, that does bring up whether or not there is an upstream gateway that possibly needs a translation also.

It depends. Maybe he does not have access to his WAN at all… that is what I was trying to find out.

With the latest v6.13, similar results:
[admin@mikrotik] > ip address print
Flags: X - disabled, I - invalid, D - dynamic

ADDRESS NETWORK INTERFACE

0 ;;; default configuration
192.168.88.1/24 192.168.88.0 ether2-master-local
1 D 192.168.0.25/24 192.168.0.0 ether1-gateway
[admin@mikrotik] > ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; default configuration
chain=input action=accept protocol=icmp

1 ;;; default configuration
chain=input action=accept connection-state=established

2 ;;; default configuration
chain=input action=accept connection-state=related

3 ;;; default configuration
chain=forward action=accept connection-state=established

4 ;;; default configuration
chain=forward action=accept connection-state=related

5 chain=forward action=accept connection-state=new

6 chain=input action=accept protocol=tcp dst-port=81
[admin@mikrotik] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; default configuration
chain=srcnat action=masquerade to-addresses=0.0.0.0 out-interface=ether1-gateway

1 chain=dstnat action=dst-nat to-addresses=192.168.88.20 to-ports=80 protocol=tcp in-interface=ether1-gateway dst-port=81

From 192.168.0.0/24 (MikroTik WAN subnet) I get these nmap results:

nmap -sT 192.168.0.25

Starting Nmap 6.00 ( http://nmap.org ) at 2014-06-04 09:44 CEST
Nmap scan report for MikroTik (192.168.0.25)
Host is up (0.012s latency).
Not shown: 995 closed ports
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
80/tcp open http
81/tcp filtered hosts2-ns
2000/tcp open cisco-sccp
MAC Address: D4:CA:6D:E2:95:B9 (Routerboard.com)
Nmap done: 1 IP address (1 host up) scanned in 7.81 seconds

Why do I get filtered and not open on 192.168.0.25:81?