I have two MikroTik routers with WAN ports connected to a switch:
router 1 WAN - ether1, x.x.x.164/28
router 2 WAN - ether1, x.x.x.162/28
The ISP gateway x.x.x.161/28 is connected to the same switch.
I receive an RTP stream with destination x.x.x.164:10000 coming over the Internet.
Now I want to redirect this stream to the second router on port 15000 (x.x.x.162:15000).
Yes, I can see the stream coming into router 1.
And I can see the packets with RouterOS’s packet sniffer on router 1, but not in router 2.
I can also forward the stream to an IP in router 1’s LAN segment and it is being forwarded.
And sorry, but due to security concerns I cannot post my firewall filters here.
Yes, I can see the stream coming into router 1.
I can see it with the packet sniffer and can forward it to a LAN IP without a problem.
But I cannot see any packets coming into router 2.
And sorry, but I cannot post the firewall filters because of security.
I don’t know much about RTP, except that it exists, but generally when you forward packets from one public address to another, you need not only a dst-nat rule but also an additional src-nat rule which makes them look like they are coming from the first router. That’s because when there are any reply packets, the second router would send them directly to the source server from its own public address. But the source server does not know about the second router; it expects replies only from the first one. If the second router thinks they came from the first one, it sends the replies there, and the first router knows they are part of the redirected connection and sends them to the proper destination.
In my case the stream is one way only, so the src-nat should not be an issue.
Anyway, I have already tried adding src-nat in router 1. Router 2 still does not get any stream.
So I guess the packet counter for your dst-nat rule does not increase? That would mean either:
a) some other rule catches the packets first and they don’t get to this one
b) the stream does not come at all or is different; this can be easily verified using the Torch tool, you must see incoming UDP to port 10000 and address x.x.x.164.
Or if it does increase, then forwarded packets can be blocked in forward chain.
The stream does not come to router2.
I have verified this using the Torch tool.
So I guess router 1 is the problem, but I can’t understand why.
I have noticed something strange in the packet sniffer:
Router 1 sends some ICMP Destination Unreachable messages back to the stream source.
BUT there is an ARP record for x.x.x.162 (router 2) and there is ping between both routers, so it IS reachable.
Looks like router 1 does not know how to dst-nat to an IP from its WAN !?!
There are no such messages if I forward the stream to LAN.
So the stream is coming to router 1 and your dst-nat rule is redirecting it.
What about the forward chain in /ip firewall filter, does it accept packets from the stream source to x.x.x.162, both coming in and going out through the WAN interface?
If the previous is true, do you see the redirected packets leaving the router? Either in Torch, or add a temporary logging rule to the postrouting chain in /ip firewall mangle, where you’re looking for UDP with destination x.x.x.162:15000.
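As an added example that is not part of the thread, this is how the dst-nat/src-nat pair, the forward-chain accept and the temporary postrouting log rule discussed above would look in RouterOS CLI. The 203.0.113.x addresses are constructed placeholders for the thread’s x.x.x.164 and x.x.x.162; ether1 is the WAN port on both routers as stated in the question.

```routeros
# Added example, not the poster's configuration. 203.0.113.164 / .162 are
# constructed placeholders for the thread's x.x.x.164 / x.x.x.162.

# --- Router 1 (WAN ether1, 203.0.113.164/28) ---
/ip firewall nat
# Redirect the inbound RTP stream (UDP 10000) to router 2 on port 15000.
add chain=dstnat in-interface=ether1 protocol=udp dst-address=203.0.113.164 \
    dst-port=10000 action=dst-nat to-addresses=203.0.113.162 to-ports=15000 \
    comment="RTP 10000 -> router2:15000"
# Hairpin: the redirected packets leave through the same WAN interface they
# arrived on. Rewrite the source so router 2 sees router 1 as the sender and
# any replies return through router 1 (the src-nat rule suggested above).
add chain=srcnat out-interface=ether1 protocol=udp dst-address=203.0.113.162 \
    dst-port=15000 action=src-nat to-addresses=203.0.113.164 \
    comment="src-nat redirected RTP so replies return via router1"

/ip firewall filter
# The forward chain must pass the redirected packets, in and out via ether1.
# Keep this rule above any generic drop rule in the forward chain.
add chain=forward in-interface=ether1 out-interface=ether1 protocol=udp \
    dst-address=203.0.113.162 dst-port=15000 action=accept \
    comment="allow redirected RTP to router2"

/ip firewall mangle
# Temporary diagnostic: log redirected packets as they leave router 1.
# Check /log print for the prefix, then remove the rule.
add chain=postrouting protocol=udp dst-address=203.0.113.162 dst-port=15000 \
    action=log log-prefix="rtp-redirect" \
    comment="temporary: confirm redirected packets leave router1"

# --- Router 2 (WAN ether1, 203.0.113.162/28) ---
/ip firewall filter
# The stream is addressed to router 2 itself, so it is handled by the input
# chain, not forward. An input drop-all above this rule would make the
# packets vanish while Torch on router 1 still shows them being sent.
add chain=input in-interface=ether1 protocol=udp dst-address=203.0.113.162 \
    dst-port=15000 action=accept comment="RTP redirected from router1"
```

Rule order matters in every chain, so verify with `/ip firewall nat print stats`, `/ip firewall filter print stats` that the counters of these rules increase while the stream is running.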