Port fwd issues with firewall

Hi, just set up my new RB2011, fantastic bit of gear.
Have set up the firewall via info from sites, i.e. read the forums and set up one that’s working, so they say.

For the life of me I can't forward to my Synology.
I can see them hit the log but they don't go any further.
5001 web page just times out.
IPsec VPN just says connecting.

Synology 192.168.10.254
Would like to fwd ports:
tcp 5001

and vpn ipsec
1701 udp
500 udp
4500 udp

Could somebody have a quick look and advise on where I have gone wrong or where it can be improved?

Thanks in advance


/ip firewall nat
add action=dst-nat chain=dstnat comment=VPN dst-port=1701 log=yes protocol=udp to-addresses=192.168.10.254 to-ports=1701
add action=dst-nat chain=dstnat dst-port=4500 log=yes protocol=udp to-addresses=192.168.10.254 to-ports=4500
add action=dst-nat chain=dstnat dst-port=500 log=yes protocol=udp to-addresses=192.168.10.254 to-ports=500
add action=masquerade chain=srcnat comment=nat-internet-access out-interface=pppoe-wan
add action=dst-nat chain=dstnat comment=Synology dst-port=5001 protocol=tcp to-addresses=192.168.10.254 to-ports=5001



/ip firewall filter
add chain=forward comment=synology dst-address=192.168.10.254 dst-port=5001 log=yes protocol=tcp
add action=drop chain=input comment="Drop Invalid connections" connection-state=invalid
add chain=input comment="Allow Established connections" connection-state=established
add chain=input comment="Allow ICMP" protocol=icmp
add action=drop chain=forward comment="drop invalid connections" connection-state=invalid protocol=tcp
add chain=forward comment="allow already established connections" connection-state=established
add action=jump chain=forward comment="make jumps to new chains" jump-target=tcp protocol=tcp
add action=jump chain=forward comment="make jumps to new chains" jump-target=udp protocol=udp
add chain=forward comment="allow related connections" connection-state=related
add action=jump chain=forward comment="make jumps to new chains" jump-target=icmp protocol=icmp
add action=drop chain=tcp comment="deny TFTP" dst-port=69 protocol=tcp
add action=drop chain=tcp comment="deny RPC portmapper" dst-port=111 protocol=tcp
add action=drop chain=tcp comment="deny RPC portmapper" dst-port=135 protocol=tcp
add action=drop chain=tcp comment="deny NBT" dst-port=137-139 protocol=tcp
add action=drop chain=tcp comment="deny cifs" dst-port=445 protocol=tcp
add action=drop chain=tcp comment="deny NFS" dst-port=2049 protocol=tcp
add action=drop chain=tcp comment="deny NetBus" dst-port=12345-12346 protocol=tcp
add action=drop chain=tcp comment="deny NetBus" dst-port=20034 protocol=tcp
add action=drop chain=tcp comment="deny BackOriffice" dst-port=3133 protocol=tcp
add action=drop chain=tcp comment="deny DHCP" dst-port=67-68 protocol=tcp
add action=drop chain=udp comment="deny TFTP" dst-port=69 protocol=udp
add action=drop chain=udp comment="deny PRC portmapper" dst-port=111 protocol=udp
add action=drop chain=udp comment="deny PRC portmapper" dst-port=135 protocol=udp
add action=drop chain=udp comment="deny NBT" dst-port=137-139 protocol=udp
add action=drop chain=udp comment="deny NFS" dst-port=2049 protocol=udp
add action=drop chain=udp comment="deny BackOriffice" dst-port=3133 protocol=udp
add chain=icmp comment="echo reply" icmp-options=0:0 protocol=icmp
add chain=icmp comment="net unreachable" icmp-options=3:0 protocol=icmp
add chain=icmp comment="host unreachable" icmp-options=3:1 protocol=icmp
add chain=icmp comment="host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
add chain=icmp comment="allow source quench" icmp-options=4:0 protocol=icmp
add chain=icmp comment="allow echo request" icmp-options=8:0 protocol=icmp
add chain=icmp comment="allow time exceed" icmp-options=11:0 protocol=icmp
add chain=icmp comment="allow parameter bad" icmp-options=12:0 protocol=icmp
add action=drop chain=icmp comment="deny all other types"
add action=drop chain=forward comment="block bogon ip addresses" src-address=0.0.0.0/8
add action=drop chain=forward comment="block bogon ip addresses" dst-address=0.0.0.0/8
add action=drop chain=forward comment="block bogon ip addresses" src-address=127.0.0.0/8
add action=drop chain=forward comment="block bogon ip addresses" dst-address=127.0.0.0/8
add action=drop chain=forward comment="block bogon ip addresses" src-address=224.0.0.0/3
add action=drop chain=forward comment="block bogon ip addresses" dst-address=224.0.0.0/3
add action=jump chain=forward comment="make jumps to new chains" jump-target=tcp protocol=tcp
add action=jump chain=forward comment="make jumps to new chains" jump-target=udp protocol=udp
add action=jump chain=forward comment="make jumps to new chains" jump-target=icmp protocol=icmp

I think you should add the in-interface parameter on your dstnat rules.
At this stage, all the traffic, both from inside and outside is dst-nat’ted to the Synology.
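
The check suggested in the reply above can be automated over an exported rule set. The following is an added example, not code from either poster: it parses `add key=value` lines and reports every dst-nat rule that has no matcher tying it to the outside of the router. The sample input is constructed from the NAT rules in the first post, and treating `pppoe-wan` as the WAN interface is an assumption taken from the masquerade rule.

```python
import shlex

# Constructed sample input: the NAT rules as posted in the thread.
POSTED = """\
add action=dst-nat chain=dstnat comment=VPN dst-port=1701 log=yes protocol=udp to-addresses=192.168.10.254 to-ports=1701
add action=dst-nat chain=dstnat dst-port=4500 log=yes protocol=udp to-addresses=192.168.10.254 to-ports=4500
add action=dst-nat chain=dstnat dst-port=500 log=yes protocol=udp to-addresses=192.168.10.254 to-ports=500
add action=masquerade chain=srcnat comment=nat-internet-access out-interface=pppoe-wan
add action=dst-nat chain=dstnat comment=Synology dst-port=5001 protocol=tcp to-addresses=192.168.10.254 to-ports=5001
"""

# The same rules with the suggested in-interface match added
# (assumption: pppoe-wan is the WAN side, as in the masquerade rule).
SCOPED = POSTED.replace("chain=dstnat", "chain=dstnat in-interface=pppoe-wan")

# Matchers that restrict a dst-nat rule to traffic arriving for the router's outside.
SCOPING_KEYS = ("in-interface", "in-interface-list",
                "dst-address", "dst-address-list", "dst-address-type")


def parse_rule(line):
    """Split one 'add key=value ...' export line into a dict; quoted values stay whole."""
    tokens = shlex.split(line)
    if not tokens or tokens[0] != "add":
        return None
    return dict(tok.split("=", 1) for tok in tokens[1:] if "=" in tok)


def unscoped_dstnat(export_text):
    """Return (protocol, dst-port) for each dst-nat rule that has no scoping matcher."""
    findings = []
    for line in export_text.splitlines():
        rule = parse_rule(line.strip())
        if not rule or rule.get("action") != "dst-nat" or rule.get("chain") != "dstnat":
            continue
        if not any(key in rule for key in SCOPING_KEYS):
            findings.append((rule.get("protocol", "any"), rule.get("dst-port", "any")))
    return findings


if __name__ == "__main__":
    for proto, port in unscoped_dstnat(POSTED):
        print(f"dst-nat {proto}/{port}: matches traffic arriving on every interface")
    print("unscoped rules after adding in-interface:", unscoped_dstnat(SCOPED))
```

A rule flagged here rewrites the destination of any packet to that port, including LAN clients' own outbound connections to port 5001 or UDP 500/4500 on other hosts.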