Port mapping not working

Hi, I have “just” installed a new RB router, upgraded the OS to 6.5 and tried to set up some port mapping with the help of http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/NAT. Unfortunately, the connection to the “outside” port could not be established.

WAN has a public IP address set by an outer DNS. Everything after the router is in a local 192.168.3.x NAT where the local DNS server is running on the router.

I would like [public ip]:4089 to point to 192.168.3.40:3389. The [public ip]:4089 should work from the world as well as from the local NAT. Currently, 192.168.3.40:3389 works but [public ip]:4089 does not (no response). The public IP is reachable (pingable) from the NAT.

Thank you for any tips on how to fix it.

[@MikroTik] /ip> route print detail
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 0 ADS  dst-address=0.0.0.0/0 gateway=[public prefix].1 
        gateway-status=[public prefix].1 reachable via  ether1-gateway distance=1 scope=30 target-scope=10 
        vrf-interface=ether1-gateway 

 1 ADC  dst-address=[public prefix].0/24 pref-src=[public prefix].234 gateway=ether1-gateway 
        gateway-status=ether1-gateway reachable distance=0 scope=10 

 2 ADC  dst-address=192.168.3.0/24 pref-src=192.168.3.1 gateway=bridge-local 
        gateway-status=bridge-local reachable distance=0 scope=10 
[@MikroTik] /ip> address print detail
Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;; default configuration
     address=192.168.3.1/24 network=192.168.3.0 interface=bridge-local actual-interface=bridge-local 

 1 D address=[public prefix].234/24 network=[public prefix].0 interface=ether1-gateway 
     actual-interface=ether1-gateway 
[@MikroTik] /ip> firewall nat print detail
Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;; default configuration
     chain=srcnat action=masquerade to-addresses=0.0.0.0 out-interface=ether1-gateway 

 1   ;;; Port Forwarding from WAN:4089 to 192.168.3.40:3389 (tcp)
     chain=dstnat action=accept protocol=tcp dst-address=192.168.3.40 src-port=4089 
     dst-port=3389 

 2   ;;; Port Forwarding from WAN:4089 to 192.168.3.40:3389 (udp)
     chain=dstnat action=accept protocol=udp dst-address=192.168.3.40 src-port=4089 
     dst-port=3389

This is what I use for port forwarding. Change xx.xx.xx.xx to your public ip.

/ip firewall nat
add chain=dstnat action=dst-nat dst-address=xx.xx.xx.xx dst-port=4089 to-addresses=192.168.3.40 to-ports=3389 protocol=tcp

This won’t work as-is from your localnet, only from the internet. To access it by public ip from your localnet, you need a hairpin nat.

Hi, thank you for a quick reply.

I could not put my public address into the rule as it might change over time without any notice (I have a public IP but not a static IP).
As I have mentioned before, I have tried it with my current configuration even from the outer network and it has not worked either.

If you are using a dhcp ip on your WAN interface, then use this:

/ip firewall nat
add chain=dstnat action=dst-nat in-interface=ether1-gateway dst-port=4089 to-addresses=192.168.3.40 to-ports=3389 protocol=tcp

Thank you, this works, at least from outer networks.

I have tried http://wiki.mikrotik.com/wiki/Hairpin_NAT and have come up with

add chain=srcnat src-address=192.168.3.0/24 dst-address=192.168.3.0/24 protocol=tcp action=masquerade

However, the connection to [public ip]:4089 still does not work when initiated from a device inside the NAT.

You should use the real dst-address, not a full range. Also specify an out-interface (e.g. your local bridge).

Still not working… :confused:

add chain=srcnat src-address=192.168.3.0/24 dst-address=192.168.3.40 out-interface=bridge-local protocol=tcp action=masquerade

PS: Why should I use a specific dst-address instead of a range? Security issue, technical limitation…?

I just read your first post more clearly and I see that your dst-nat rules are not correct.

The correct rules should be
/ip firewall nat
add chain=dstnat action=dst-nat protocol=tcp dst-port=4089 in-interface=ether1 to-addresses=192.168.3.40 to-ports=3389

EDIT: After reading the total thread again I think you already have it like that.
Maybe the order is wrong.

Yes, I have already corrected them and they work when connecting from outside of my network. However, I still have difficulties in connecting through the public ip when the originating device is inside my local network.

How about your firewall filter rules?

Just the built-in/default ones.

[@MikroTik] /ip firewall> filter print detail
Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;; default configuration
     chain=input action=accept protocol=icmp 

 1   ;;; default configuration
     chain=input action=accept connection-state=established 

 2   ;;; default configuration
     chain=input action=accept connection-state=related 

 3   ;;; default configuration
     chain=input action=drop in-interface=ether1-gateway 

 4   ;;; default configuration
     chain=forward action=accept connection-state=established 

 5   ;;; default configuration
     chain=forward action=accept connection-state=related 

 6   ;;; default configuration
     chain=forward action=drop connection-state=invalid

You need to install a hairpin nat rule in “/ip firewall nat” to access that ip from your localnet. I am not proficient at that any more. It has been a while.

I have already done my best…

[@MikroTik] /ip firewall nat> print detail
Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;; default configuration
     chain=srcnat action=masquerade to-addresses=0.0.0.0 out-interface=ether1-gateway 

 3   ;;; Port Forwarding from WAN:4089 to 192.168.3.40:3389 (tcp)
     chain=dstnat action=dst-nat to-addresses=192.168.3.40 to-ports=3389 protocol=tcp in-interface=ether1-gateway dst-port=4089 

 4   ;;; Port Forwarding from WAN:4089 to 192.168.3.40:3389 (udp)
     chain=dstnat action=dst-nat to-addresses=192.168.3.40 to-ports=3389 protocol=udp in-interface=ether1-gateway dst-port=4089 

 9   chain=srcnat action=masquerade protocol=tcp src-address=192.168.3.0/24 dst-address=192.168.3.40 out-interface=bridge-local 

10   chain=srcnat action=masquerade protocol=udp src-address=192.168.3.0/24 dst-address=192.168.3.40 out-interface=bridge-local

From the numbering I see you have more.
So post all rules for the best overview and a possible solution.

Sorry for skipping some of the rules; the other rules are simple copies of the ones shown in the excerpt, just with other pairs of port number and destination IP. Everything else is the same.
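As an added example (not from any post in this thread), here is a small Python model of RouterOS NAT rule matching with the thread's TCP rules 0, 3 and 9 transcribed; it shows why a LAN-originated connection to [public ip]:4089 is never translated while the WAN one is, and what changes when the dstnat rule matches dst-address-type=local (an assumed alternative taken from the general hairpin approach, not from the thread) instead of in-interface. The public IP, the router address set and the two flows are constructed values.

```python
from ipaddress import ip_address, ip_network

PUBLIC_IP = "203.0.113.234"                      # stand-in for the thread's [public prefix].234
ROUTER_ADDRESSES = {"192.168.3.1", PUBLIC_IP}    # from the thread's "/ip address print"
LAN = ip_network("192.168.3.0/24")
# TCP rules as shown in the thread's "/ip firewall nat print detail" (rules 0, 3 and 9).
THREAD_RULES = [
    {"chain": "srcnat", "action": "masquerade", "out-interface": "ether1-gateway"},
    {"chain": "dstnat", "action": "dst-nat", "protocol": "tcp", "in-interface": "ether1-gateway",
     "dst-port": 4089, "to-addresses": "192.168.3.40", "to-ports": 3389},
    {"chain": "srcnat", "action": "masquerade", "protocol": "tcp", "src-address": "192.168.3.0/24",
     "dst-address": "192.168.3.40", "out-interface": "bridge-local"},
]
# Constructed alternative (assumption): match any router-owned address, not the WAN interface.
HAIRPIN_DSTNAT = {"chain": "dstnat", "action": "dst-nat", "protocol": "tcp",
                  "dst-address-type": "local", "dst-port": 4089,
                  "to-addresses": "192.168.3.40", "to-ports": 3389}
NOT_MATCHERS = {"chain", "action", "to-addresses", "to-ports"}

def matches(rule, pkt):
    """True when every matcher present on the rule agrees with the packet."""
    for key, want in rule.items():
        if key in NOT_MATCHERS:
            continue
        if key in ("src-address", "dst-address"):
            if ip_address(pkt[key]) not in ip_network(want, strict=False):
                return False
        elif key == "dst-address-type":
            if (pkt["dst-address"] in ROUTER_ADDRESSES) != (want == "local"):
                return False
        elif pkt.get(key) != want:
            return False
    return True

def nat_path(pkt, rules):
    """Run dstnat, then srcnat, first match wins; return (translated target, srcnat action)."""
    pkt = dict(pkt)
    dnat = next((r for r in rules if r["chain"] == "dstnat" and matches(r, pkt)), None)
    if dnat is None:
        return None, None                        # destination stays public: nothing answers
    pkt["dst-address"], pkt["dst-port"] = dnat["to-addresses"], dnat["to-ports"]
    # Egress interface follows the translated destination: LAN subnet -> bridge-local.
    pkt["out-interface"] = "bridge-local" if ip_address(pkt["dst-address"]) in LAN else "ether1-gateway"
    snat = next((r for r in rules if r["chain"] == "srcnat" and matches(r, pkt)), None)
    return f'{pkt["dst-address"]}:{pkt["dst-port"]}', (snat["action"] if snat else None)

# Constructed flows: one from the internet, one from a LAN host, both to [public ip]:4089.
FROM_WAN = {"in-interface": "ether1-gateway", "protocol": "tcp", "src-address": "198.51.100.7",
            "dst-address": PUBLIC_IP, "dst-port": 4089}
FROM_LAN = dict(FROM_WAN, **{"in-interface": "bridge-local", "src-address": "192.168.3.50"})
```

With the thread's rules the LAN flow falls through dstnat untouched, so the existing srcnat rule 9 never gets a chance to masquerade it; with the alternative dstnat rule both flows reach 192.168.3.40:3389 and only the LAN flow is masqueraded, which is the hairpin.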