Port Forward NAT Rules

Hello,

We are having issues with port forwarding: we are trying to reach an Apache server in our LAN from the public IP. For example, 123.145.24.133:8080 should redirect us to 10.6.0.56:9432, but we can’t even ping this IP.

The port forward works in a simple structure using only one ISP and one LAN, but when we add other ISPs and create a bonding, it stops working.

Functional config:

# mar/05/2020 17:07:24 by RouterOS 6.46.3
# software id = 7HLW-XGSQ
#
# model = CCR1036-12G-4S
# Single-ISP export quoted from the question: bridge1 carries the LAN (ether4-6),
# ether3 faces the ISP, two dst-nat port forwards, and a permissive filter set.
/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=ether3 ] comment="ISP 3" name=\
    "ether3" speed=100Mbps
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=10.6.0.2-10.6.0.254
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=bridge1 name=dhcp1
/interface bridge port
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
/ip address
# NOTE(review): the interface is called "ether3-Cable Wireless" here but the
# /interface ethernet section above names it plain "ether3"; the export looks
# hand-edited. network= equals the address itself, i.e. a /32 with no prefix given.
add address=123.145.24.133 interface="ether3-Cable Wireless" network=\
    123.145.24.133
add address=10.6.0.1/24 interface=bridge1 network=10.6.0.0
/ip dhcp-server network#$
add address=10.6.0.0/24 gateway=10.6.0.1
/ip dns
# The router lists its own LAN address (10.6.0.1) as one of its upstream resolvers,
# which is presumably unintended; 8.8.8.8 is the only external server here.
set servers=8.8.8.8,10.6.0.1
/ip firewall filter
# NOTE(review): rules are evaluated top-down per chain. As the FIRST forward rule
# this drops every forwarded packet before any of the accept rules below is reached,
# which contradicts this being the "functional" config -- most likely a paste
# artifact; confirm it is not present on the live router.
add action=drop chain=forward
add action=accept chain=input connection-state=established,related
add action=accept chain=input protocol=icmp
# Accepts NEW connections to the router itself arriving on any ethernet port, which
# includes the ISP-facing ether3. Management services are therefore reachable from
# the internet and the drop on the next line never applies to ethernet traffic.
# Limiting this to the LAN side (in-interface=bridge1) is the usual fix.
add action=accept chain=input in-interface=all-ethernet
add action=drop chain=input
add action=fasttrack-connection chain=forward connection-state=\
    established,related
add action=accept chain=forward connection-state=established,related
# Accepts all forwarded traffic leaving on any ethernet port, so LAN -> ISP traffic
# on ether3 is accepted unconditionally. Whether bridge1 (the LAN side) is matched
# by all-ethernet is not visible in this export -- verify with /interface list member print.
add action=accept chain=forward out-interface=all-ethernet
# Only connections that were dst-nat'ed (the port forwards below) are let in from outside.
add action=accept chain=forward connection-nat-state=dstnat
add action=drop chain=forward
/ip firewall nat
# Neither rule sets to-ports, so the destination port is preserved:
# 123.145.24.133:8080/tcp -> 10.6.0.54:8080 and :11194/udp -> 10.6.0.56:11194.
# The question describes 8080 -> 10.6.0.56:9432, which would need
# to-addresses=10.6.0.56 to-ports=9432 instead.
add action=dst-nat chain=dstnat dst-address=123.145.24.133 dst-address-type=\
    local dst-port=8080 protocol=tcp to-addresses=10.6.0.54
add action=dst-nat chain=dstnat dst-address=123.145.24.133 dst-address-type=\
    local dst-port=11194 protocol=udp to-addresses=10.6.0.56
/ip route
# NOTE(review): 123.145.24.133 is the router's own address (see /ip address above), so
# a route using it as gateway cannot resolve; the ISP next hop appears to be
# 123.145.24.132 as in the distance=2 route. No mangle rule in this export assigns the
# routing-mark CableAndWireless-OUT, so the first route is never consulted.
add distance=1 gateway=123.145.24.133 routing-mark=CableAndWireless-OUT
add distance=2 gateway=123.145.24.132
/ip service
# Only telnet and ssh are disabled; www/winbox/api are not shown. Given the input
# chain above, confirm they are disabled or restricted with address= to the LAN.
set telnet disabled=yes
set ssh disabled=yes
/system clock
set time-zone-name=America/Costa_Rica

Below is a slightly more complex structure where we can’t even ping the IP. We suspect we are having some firewall problems.

# software id = 7HLW-XGSQ
#
# model = CCR1036-12G-4S
# Multi-ISP export quoted from the question. Values shown as ### were redacted by
# the poster; the LAN now arrives as VLANs over an active-backup bonding instead of
# a bridge, and ether1-ether5 each carry an uplink address.
/interface ethernet
set [ find default-name=ether1 ] 
set [ find default-name=ether2 ] 
set [ find default-name=ether3 ] 
set [ find default-name=ether4 ] 
set [ find default-name=ether5 ] 
set [ find default-name=ether10 ] 
set [ find default-name=ether11 ]
set [ find default-name=ether12 ]
# NOTE(review): this is a bonding definition but appears under /interface ethernet;
# the /interface bonding header seems to have been lost in the paste. The slave
# names "ether10-test TRUNK"/"ether11-test TRUNK" are not set by the lines above.
add comment="Bonding VLANs" mode=active-backup name=test primary=\
    "ether10-test TRUNK" slaves="ether10-test TRUNK,ether11-test TRUNK"
/interface vlan
add interface=test name=test.111-car vlan-id=111
add interface=test name=test.114-car2 vlan-id=114
add interface=test name=test.115-car3 vlan-id=115
add interface=test name=test.119-car5 vlan-id=119
add interface=test name=test.202-car4 vlan-id=202
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool4 ranges=10.6.0.2-10.6.0.254
add name=dhcp_pool5 ranges=10.9.0.2-10.9.0.254
/ip dhcp-server
add address-pool=dhcp_pool4 disabled=no interface=test.111-car name=dhcp1
add address-pool=dhcp_pool5 disabled=no interface=test.119-car5 name=\
    dhcp2
/interface bridge port
# NOTE(review): no bridge= parameter on any of these (and no /interface bridge
# section) -- presumably lost to redaction; as written these lines would not import.
add interface="ether4-###"
add interface="ether5-###"
add interface=ether6
/ip address
add address=10.6.0.1/24 comment="VLAN car" interface=test.111-car \
    network=10.6.0.0
add address=10.5.0.1/24 comment="VLAN car2" interface=test.114-car2 \
    network=10.5.0.0
add address=10.7.0.1/24 comment="VLAN car3" interface=test.115-car3 \
    network=10.7.0.0
add address=10.8.0.1/24 comment="VLAN car4" interface=test.202-car4 network=\
    10.8.0.0
add address=10.9.0.1/24 comment="VLAN car5" interface=\
    test.119-car5 network=10.9.0.0
# Uplink addresses: one per ether1-ether5 (values redacted except the C&W one).
add address=### interface=ether1-### \
    network=###
add address=### interface=\
    ether2-### network=###
add address=123.145.24.133 interface=ether3-C&W \
    network=123.145.24.132
add address=### interface=\
    "ether4-###" network=###
add address=### interface=\
    "ether5-###" network=###
/ip dhcp-server network
add address=10.6.0.0/24 dns-server=8.8.8.8,10.6.0.1 gateway=10.6.0.1
add address=10.9.0.0/24 dns-server=8.8.8.8,10.9.0.1 gateway=10.9.0.1
/ip dns
# The router's own VLAN addresses are listed as its upstream resolvers -- presumably
# unintended; only 8.8.8.8 is external.
set servers=8.8.8.8,10.5.0.1,10.6.0.1,10.7.0.1,10.8.0.1,10.9.0.1
/ip firewall filter
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established,related
# Accepts NEW connections to the router from every ethernet port. Here ether1-ether5
# all look like ISP uplinks (each has a masquerade rule below), so this exposes the
# router's services on all five internet links and makes the following drop a no-op
# for them. Conversely the LAN now arrives on VLAN interfaces, which are not
# ethernet-type, so new LAN -> router connections other than ICMP (e.g. DNS to
# 10.6.0.1 as handed out by DHCP above) may fall through to the drop -- verify.
# Accepting on the LAN VLANs and dropping on the uplinks is the intended shape.
add action=accept chain=input in-interface=all-ethernet
add action=drop chain=input
# Fasttracked packets bypass the mangle chain below, so only the packets of a
# connection that are not yet fasttracked receive the routing-mark. This is a known
# interaction; fasttrack is normally disabled or narrowed when policy routing is used.
add action=fasttrack-connection chain=forward connection-state=\
    established,related
# Anything leaving on an ethernet port (i.e. towards any uplink) is accepted outright.
add action=accept chain=forward out-interface=all-ethernet
add action=accept chain=forward connection-state=established,related
# Towards the LAN VLANs only dst-nat'ed connections are accepted; an external ping to
# 10.6.0.x is not dst-nat'ed and is dropped here, which is the expected behaviour.
add action=accept chain=forward connection-nat-state=dstnat
add action=drop chain=forward
/ip firewall mangle
# NOTE(review): the only marked route below uses routing-mark=TEST; no route for
# C&W-OUT is visible in this export. Also, replies from the forwarded server
# (src 10.6.0.0/24) get this mark too, so they must leave via the ISP that owns
# 123.145.24.133 or the port forward breaks. The usual multi-WAN pattern is to
# mark-connection on in-interface and then mark-routing from the connection-mark,
# which keeps inbound connections symmetric.
add action=mark-routing chain=prerouting new-routing-mark=C&W-OUT \
    passthrough=yes src-address=10.6.0.0/24
/ip firewall nat
# One masquerade per uplink; check that none of ether1-ether5 is LAN-facing, since a
# masquerade on a LAN interface would hide all LAN sources behind the router.
add action=masquerade chain=srcnat comment="Masquerade ###" out-interface=\
    ether1-###
add action=masquerade chain=srcnat comment="Masquerade ###" \
    out-interface=ether2
add action=masquerade chain=srcnat comment="Masquerade C&W" out-interface=\
    ether3
add action=masquerade chain=srcnat comment="Masquerade ###" \
    out-interface="ether4"
add action=masquerade chain=srcnat comment="Masquerade ###" \
    out-interface="ether5"
# Port forward now targets 10.6.0.53 (the first config used 10.6.0.54 and the
# question says 10.6.0.56); no to-ports, so 8080 is kept on the inside as well.
add action=dst-nat chain=dstnat comment="APACHE TEST NAT " dst-address=\
    123.145.24.133 dst-address-type=local dst-port=8080 protocol=tcp \
    to-addresses=10.6.0.53
/ip route
# NOTE(review): every route here carries a routing-mark and no unmarked default route
# is visible, so the router itself (and any traffic without a mark) has no default
# path. This would match "no route to host" when pinging from the router.
add check-gateway=ping distance=1 gateway=123.145.24.132 routing-mark=TEST
add check-gateway=ping distance=1 gateway=### routing-mark=\
    ###
add check-gateway=ping distance=1 gateway=### routing-mark=\
    ###
add check-gateway=ping distance=1 gateway=### routing-mark=\
    ###
add check-gateway=ping distance=1 gateway=### routing-mark=###
/ip service
# Only telnet and ssh are disabled; www/winbox/api are not shown -- with the input
# chain above they would be reachable from all uplinks unless restricted with address=.
set telnet disabled=yes
set ssh disabled=yes

You should use the code tags to encapsulate the config in your post.
I am only conversant with basic port forwarding and hairpin NAT (which you need) in a straightforward setup. You certainly have some advanced functionality at play.
This snippet is taken from the NAT section of your simple config.

# Quoted from the first (single-ISP) config. Neither rule sets to-ports, so the
# destination port is preserved: 8080/tcp -> 10.6.0.54:8080, 11194/udp -> 10.6.0.56:11194.
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=123.145.24.133 dst-address-type=\
local dst-port=8080 protocol=tcp to-addresses=10.6.0.54
add action=dst-nat chain=dstnat dst-address=123.145.24.133 dst-address-type=\
local dst-port=11194 protocol=udp to-addresses=10.6.0.56

… Not sure why your to-addresses are different, though: 0.54 vs 0.56??

I would state it as such…

# Replier's proposed NAT section for the first config.
# NOTE(review): `chain=masquerade` is not a NAT chain in RouterOS -- source NAT rules
# live in chain=srcnat, with either action=masquerade or action=src-nat plus
# to-addresses. 10.60.0.0/24 also does not match the LAN in the question (10.6.0.0/24).
# The hairpin rule as intended would read:
#   add action=masquerade chain=srcnat src-address=10.6.0.0/24 dst-address=10.6.0.0/24 comment="HairpinNat"
# Dropping dst-address-type=local from the dst-nat rules changes nothing, since
# dst-address already pins the public IP.
/ip firewall nat
add action=src-nat chain=masquerade dst-address=10.60.0.0/24 src-address=10.60.0.0/24 comment="HairpinNat"
add action=dst-nat chain=dstnat dst-address=123.145.24.133 dst-port=8080 protocol=tcp to-addresses=10.6.0.54
add action=dst-nat chain=dstnat dst-address=123.145.24.133 dst-port=11194 protocol=udp to-addresses=10.6.0.56

In your first config, not sure if this was simply a cut-and-paste error?? The static WAN IP is 123.145.24.133 and not 138.122.26.133???

# NOTE(review): the address quoted here (138.122.26.133, network 138.122.26.132) does
# not appear in the config as posted above, which shows 123.145.24.133 with
# network=123.145.24.133 -- the original post was probably edited after this reply.
/ip address
add address=138.122.26.133 interface="ether3-Cable Wireless" network=\
138.122.26.132

Now let's look at the second, more complex config…

# Quoted from the second (multi-ISP) config: one masquerade rule per uplink
# (ether1-ether5, names redacted with ###) and a single port forward. Note the
# forward target is 10.6.0.53 here versus 10.6.0.54 in the first config.
/ip firewall nat
add action=masquerade chain=srcnat comment="Masquerade ###" out-interface=\
ether1-###
add action=masquerade chain=srcnat comment="Masquerade ###" \
out-interface=ether2
add action=masquerade chain=srcnat comment="Masquerade C&W" out-interface=\
ether3
add action=masquerade chain=srcnat comment="Masquerade ###" \
out-interface="ether4"
add action=masquerade chain=srcnat comment="Masquerade ###" \
out-interface="ether5"
# No to-ports, so 8080 is forwarded to 10.6.0.53:8080.
add action=dst-nat chain=dstnat comment="APACHE TEST NAT " dst-address=\
123.145.24.133 dst-address-type=local dst-port=8080 protocol=tcp \
to-addresses=10.6.0.53

I didn't ask this question on the first config, but it really caught my eye here: WHY MASQUERADE ALL YOUR INTERFACES???
Masquerade (srcnat) is typically applied to traffic outbound through external-facing interfaces. Obviously we are including an exception to that for hairpin NAT.
I think it should be (including the amendments from the first config)…

# Replier's proposal for the second config.
# NOTE(review): the parenthetical remarks at the end of the next two lines are
# commentary, not RouterOS syntax -- strip them before pasting. 10.60.0.0/24 should
# read 10.6.0.0/24 to match the LAN in the question. The second config assigns five
# uplink addresses and masquerades all five interfaces, so confirm the other four
# links are really unused before removing their masquerade rules.
/ip firewall nat
add action=masquerade chain=srcnat comment="Masquerade C&W" out-interface=ether3  (you only have one ISP) 
add action=masquerade chain=srcnat comment="Hairpin Nat1" src-address=10.60.0.0/24 dst-address=10.60.0.0/24  (like the previous config access server from LAN)
Since the request to the LAN A server is coming from LAN B, the next rule is not really required after all. I left it in place as it doesn't hurt.
# NOTE(review): comment=Hairpin Nat2" is missing its opening quote and will not
# parse; 10.60.0.0/24 should read 10.6.0.0/24. The trailing parenthetical is
# commentary, not syntax.
add action=masquerade chain=srcnat comment=Hairpin Nat2" src-address=10.9.0.0/24 dst-address=10.60.0.0/24   (If you want to access server from new LAN)
# Port forward without dst-address-type=local (redundant given dst-address);
# no to-ports, so 8080 is forwarded to 10.6.0.53:8080.
add action=dst-nat chain=dstnat comment="APACHE TEST NAT " dst-address=123.145.24.133 \
dst-port=8080 protocol=tcp to-addresses=10.6.0.53

One final note — hopefully someone with more experience can chime in — but if the WAN IP is static, i.e. fixed, I believe the standard source NAT rule could look like…
# Static-address alternative to masquerade: action=src-nat with an explicit
# to-addresses is the form MikroTik documents for a fixed WAN address.
# NOTE(review): the poster's interface is named ether3 (or ether3-C&W), not eth3,
# and "(or WAN)" is commentary, not syntax.
/ip firewall nat
add chain=srcnat action=src-nat to-addresses=123.145.24.133 out-interface=eth3 (or WAN)

Thanks, I was checking and the configuration now works pretty much as I need it to. But I have just one issue with the routing mark: I am wondering why, when I mark the route, it says no route to host when I ping from the MikroTik.




# mar/09/2020 17:09:32 by RouterOS 6.46.3
# software id = 7HLW-XGSQ
#
# model = CCR1036-12G-4S
# serial number = 575005458F2D
# Reworked export after the replies: single ISP on ether3, LAN as a VLAN over the
# VIG bonding, masquerade limited to the uplink. Several lines are truncated in
# the paste (see notes).
# NOTE(review): section header truncated -- should be /interface ethernet.
/interface ethern
set [ find default-name=ether3 ] comment=ISP3 name=ether3 speed=\
    100Mbps
set [ find default-name=ether10 ] comment="TRUNK Master" name=\
    "ether10-VIG TRUNK"
# NOTE(review): the name is truncated here (unterminated quote); the bonding below
# expects "ether11-VIG TRUNK".
set [ find default-name=ether11 ] comment="TRUNK BACKUP" mac-address=\
    E4:8D:8C:1B:58:C3 name="ether11-VIG TRUN
/interface bonding
add comment="VIG Bonding VLANs" mode=active-backup name=VIG primary=\
    "ether10-VIG TRUNK" slaves="ether10-VIG TRUNK,ether11-VIG TRUNK"
/interface vlan
# Only VLAN 1 ("car1") is defined, but /ip address below binds the LAN address to
# VIG.111-Office, which does not appear in this export.
add interface=VIG name=car1 vlan-id=1
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
# Range ends at .25 (earlier exports used .254) -- likely truncated in the paste.
add name=dhcp_pool0 ranges=10.6.0.2-10.6.0.25
/ip dhcp-server
# NOTE(review): the name is cut off and the stray "dhcp2" on the next line is a
# leftover continuation from the previous export.
add address-pool=dhcp_pool0 disabled=no interface=car1 name=dhcp
    dhcp2
/ip address
add address=10.6.0.1/24 comment="VLAN Office" interface=VIG.111-Office \
    network=10.6.0.0
# Interface is referenced as ether3-C&W here but was named plain ether3 above.
add address=123.145.24.133 comment="C&W - 50MB/s" interface=ether3-C&W \
    network=123.145.24.132
/ip dhcp-server network
# No gateway= or dns-server= here, unlike the earlier exports -- clients will not
# be told a default gateway unless this was truncated.
add address=10.6.0.0/24 
/ip dns
# The router again lists its own LAN address as an upstream resolver.
set servers=8.8.8.8,10.6.0.1
/ip firewall address-list
# Neither list is referenced by any filter/NAT rule visible in this export.
add address=10.6.0.0/24 list=VIG
add address=123.145.24.132/31 list="ISP`s"
/ip firewall filter
# The two ICMP rules have identical matchers (protocol=icmp, any interface), so the
# second never matches anything; both also accept ICMP from the uplink.
add action=accept chain=input comment=\
    "Allow ICMP echo (ping) request from LAN to router" protocol=icmp
add action=accept chain=input comment=\
    "Allow ICMP echo (ping) replais toLAN to router" protocol=icmp
add action=accept chain=input connection-state=established,related
# NOTE(review): the all-ethernet accept from the earlier configs is gone, which
# closes the router's services towards the uplink -- but there is now no accept for
# NEW LAN -> router connections either, so DNS queries to 10.6.0.1 or Winbox from
# the LAN would hit this drop unless a rule outside this export allows them. An
# `accept chain=input in-interface=<LAN VLAN>` before the drop is the usual shape.
add action=drop chain=input
add action=accept chain=forward connection-state=established,related
# Anything leaving on an ethernet port (the ether3 uplink) is accepted.
add action=accept chain=forward out-interface=all-ethernet
# Towards the LAN VLAN only dst-nat'ed connections are accepted.
add action=accept chain=forward connection-nat-state=dstnat
add action=drop chain=forward
/ip firewall nat
# Masquerade is now limited to the uplink. No hairpin rule is present, so LAN hosts
# cannot reach the server via 123.145.24.133; if that is needed, add
# masquerade chain=srcnat src-address=10.6.0.0/24 dst-address=10.6.0.0/24 as proposed above.
add action=masquerade chain=srcnat comment="Masquerade ISP BW C&W" \
    out-interface=ether3-C&W
# Forwards 123.145.24.133:9432 -> 10.6.0.56:9432 (no to-ports). The question asked
# for external 8080 -> 10.6.0.56:9432, which would be dst-port=8080 to-ports=9432.
add action=dst-nat chain=dstnat dst-address=123.145.24.133 dst-address-type=\
    local dst-port=9432 protocol=tcp to-addresses=10.6.0.56
add action=dst-nat chain=dstnat dst-address=123.145.24.133 dst-address-type=\
    local dst-port=11194 protocol=udp to-addresses=10.6.0.56
/ip route
# Unmarked default route via the ISP next hop; this is what the second config was
# missing. The routing-mark path from the follow-up question is not shown here.
add check-gateway=ping distance=1 gateway=123.145.24.132