Port forwarding to different ports

I have a problem with NAT / port forwarding on an RB700.

I want to forward publicIP:48443 to an internal web server: 192.168.x.x:8443

This configuration doesn't work.

Here is my config:

Filter:

4   ;;; NAT Ports
     chain=forward action=accept protocol=tcp in-interface=pppoe-airlink 
     dst-port=8443

NAT:

2   ;;; ips webfront
     chain=dstnat action=dst-nat to-addresses=192.168.112.212 to-ports=8443 
     protocol=tcp dst-port=8443 

 3   ;;; masquerading
     chain=srcnat action=masquerade out-interface=pppoe-airlink

If I change the dst. port number to 8443 (the same port as internal) it works, but that is not what I want…

Can you help me?

Thanks!

Try specifying in-interface or the public IP address as dst-address for the “;;; ips webfront” rule.

Sorry, no success.

Maybe it helps if I send the complete firewall config:

filter:

0   chain=input action=log log-prefix="inp_" 

 1   chain=forward action=log log-prefix="" 

 2   ;;; allow already established connections
     chain=forward action=accept connection-state=established 

 3   ;;; Accept anything from inside
     chain=forward action=accept in-interface=ether3-lan 

 4   ;;; NAT Ports
     chain=forward action=accept protocol=tcp in-interface=pppoe-airlink 
     dst-port=48443 

 5   ;;; NAT Ports
     chain=forward action=accept protocol=tcp in-interface=pppoe-airlink 
     dst-port=43389 

 6   ;;; NAT Ports
     chain=forward action=accept protocol=tcp in-interface=pppoe-airlink 
     dst-port=4822 

 7   ;;; Drop invalid connections
     chain=forward action=drop connection-state=invalid 

 8   ;;; allow related connections
     chain=forward action=accept connection-state=related 

 9   ;;; Deny anything else
     chain=forward action=drop 

10   ;;; Drop invalid connections
     chain=input action=drop connection-state=invalid src-address-type="" 
     

11   ;;; Accept anything from inside
     chain=input action=accept in-interface=ether3-lan 

12   ;;; Allow established connections
     chain=input action=accept connection-state=established 

13   ;;; Allow ICMP
     chain=input action=accept protocol=icmp 

14   ;;; Deny anything else
     chain=input action=drop

NAT:

0   ;;; naboo ssh
     chain=dstnat action=dst-nat to-addresses=192.168.112.2 to-ports=22 protocol=tcp dst-port=4822 

 1   ;;; ips rdp
     chain=dstnat action=dst-nat to-addresses=192.168.112.212 to-ports=3389 protocol=tcp dst-port=43389 

 2   ;;; ips webfront
     chain=dstnat action=dst-nat to-addresses=192.168.112.212 to-ports=8443 protocol=tcp in-interface=pppoe-airlink dst-port=48443 

 3   ;;; masquerading
     chain=srcnat action=masquerade out-interface=pppoe-airlink

Maybe there are some mistakes here…

Take a look at http://wiki.mikrotik.com/wiki/Packet_Flow. “Destination NAT” is before “Filter Forward”, so you need to accept dst-port=8443 not dst-port=48443 traffic.

This was the solution. Many thanks!

Is there anything else to specify on the forward rule, so that the dst-port is only available via NAT and not directly on the WAN interface…
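The rule set below is an added example for this thread, not a post from the original discussion. It takes the interface and host names from the configuration posted above (pppoe-airlink, 192.168.112.212) and shows the forward filter the way the packet-flow answer implies it must be written: dst-nat runs in prerouting, so the forward chain sees the already translated destination 192.168.112.212:8443, never the public port 48443. It also shows how the accept can be narrowed so that it only ever matches connections that were created by a dst-nat rule, which is the tightening asked about in the follow-up question. The connection-nat-state matcher is assumed to be available on the router (it exists on RouterOS v6 and later); on an older version drop that term and rely on in-interface plus dst-address.

```routeros
# Added example (not from the original thread). Names taken from the posted
# config: pppoe-airlink (WAN), 192.168.112.212 (internal web server).

/ip firewall nat
# Public tcp/48443 on the PPPoE interface is rewritten to 192.168.112.212:8443.
# Matching in-interface instead of dst-address keeps the rule valid when the
# PPPoE address changes.
add chain=dstnat in-interface=pppoe-airlink protocol=tcp dst-port=48443 \
    action=dst-nat to-addresses=192.168.112.212 to-ports=8443 \
    comment="ips webfront"

/ip firewall filter
# Rules from the thread, kept for ordering: the specific accept below must sit
# above the final "Deny anything else" drop.
add chain=forward connection-state=established,related action=accept \
    comment="allow already established and related connections"
add chain=forward connection-state=invalid action=drop \
    comment="Drop invalid connections"
add chain=forward in-interface=ether3-lan action=accept \
    comment="Accept anything from inside"

# WRONG (the original rule 4): dst-nat has already run by the time the forward
# chain is evaluated, so the packet is addressed to 192.168.112.212:8443 and
# dst-port=48443 never matches. The connection falls through to the drop.
# add chain=forward in-interface=pppoe-airlink protocol=tcp dst-port=48443 \
#     action=accept comment="NAT Ports"

# CORRECT: match the translated destination. dst-address pins the rule to the
# one host the NAT rule points at, and connection-nat-state=dstnat (assumed
# available, RouterOS v6+) restricts it to connections that actually passed a
# dst-nat rule, so tcp/8443 traffic reaching the forward chain by any other
# path still hits the drop below.
add chain=forward in-interface=pppoe-airlink protocol=tcp \
    dst-address=192.168.112.212 dst-port=8443 connection-nat-state=dstnat \
    action=accept comment="ips webfront (dst-natted connections only)"

add chain=forward action=drop comment="Deny anything else"
```

Two points worth checking after applying this. First, `/ip firewall filter print stats` should show the counters on the corrected rule increasing when the public port is hit, while a rule written with dst-port=48443 stays at zero: that zero counter is the symptom of the ordering mistake. Second, a connection sent straight to the router's WAN address on tcp/8443 is addressed to the router itself and therefore traverses the input chain, not forward, so the forward accept cannot expose it; it is the input chain's final drop that decides what happens to it.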

Take a look at http://wiki.mikrotik.com/wiki/Packet_Flow. “Destination NAT” is before “Filter Forward”, so you need to accept dst-port=8443 not dst-port=48443 traffic.

and that just solved my problem. Thanks. For some odd reason having the firewall rules as the first tab and NAT as the second one made me assume that it was first “Filter Forward” and then “Destination NAT”.