Portforwarding with pppoe won't work

Hi there,
I am currently a little bit confused, because the port forwarding with the PPPoE connection won't work.

It’s not my first Routerboard where I do this but the first with pppoe.

So what I have already done is to set up the default masquerade rule for the out-interface and place it first.

If I add a second dst-nat rule the connection stops working.

Any idea for that?

Thanks!


It doesn't matter exactly what connection you use. The firewall manipulates the IP packet flows. Paste your "ip firewall nat export" here.

Here is the current export from NAT:

# nov/10/2017 06:29:34 by RouterOS 6.41rc52
# software id = R3IZ-BBCZ
#
# model = 2011UiAS
# serial number = 763107FDC325
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=\
    pppoe-out1
add action=dst-nat chain=dstnat disabled=yes dst-port=443 log=yes protocol=tcp \
    to-addresses=172.20.0.100 to-ports=443

Currently I disabled the second rule.

Here are the filter rules:

# nov/10/2017 06:31:16 by RouterOS 6.41rc52
# software id = R3IZ-BBCZ
#
# model = 2011UiAS
# serial number = 763107FDC325
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" \
    connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=\
    pppoe-out1 protocol=tcp
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface=pppoe-out1

Just for information, the IP address assigned on the PPPoE connection is dynamic.


Just now I made a second try; it looks like the problem only exists with port 443.

In the dstnat chain, try assigning the in-interface and your current IP address. The other settings seem fine.

Yes, adding the in-interface fixed the problem of reaching HTTPS websites from the local subnet. But now I am stuck: I can't reach my local website through the external IP address. Any idea how to fix that?

Hairpin NAT

http://forum.mikrotik.com/t/hairpin-hat-not-working/113597/16

/ip firewall nat
add action=dst-nat chain=dstnat dst-address="your global IP" dst-port=443 in-interface="LAN interface for your web server" \
    protocol=tcp src-address="your LAN" to-addresses=172.20.0.100 to-ports=443
add action=masquerade chain=srcnat dst-address=172.20.0.100 dst-port=443 out-interface="LAN interface for your web server" protocol=tcp src-address="your LAN"
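
The behaviour seen across this thread, modelled as an added example (not part of any post and not RouterOS code): a first-match dstnat chain evaluated against three port-443 flows under the rule without a matcher, the rule with in-interface, and the rule set with the hairpin entry. The WAN address, LAN subnet, client addresses and the `bridge` interface name are constructed assumptions; only 172.20.0.100 and pppoe-out1 come from the thread.

```python
from ipaddress import ip_address, ip_network

# Constructed values: the thread gives only 172.20.0.100 and pppoe-out1.
WAN_IP = "203.0.113.10"             # stand-in for the dynamic PPPoE address
LAN = ip_network("172.20.0.0/24")   # assumed LAN subnet
SERVER = "172.20.0.100"
LAN_IF = "bridge"                   # assumed LAN interface name

FLOWS = {  # constructed sample packets, all TCP to port 443
    "internet->wan": {"src": "198.51.100.7", "dst": WAN_IP, "in_if": "pppoe-out1", "dport": 443},
    "lan->internet": {"src": "172.20.0.50", "dst": "192.0.2.80", "in_if": LAN_IF, "dport": 443},
    "lan->wan-ip": {"src": "172.20.0.50", "dst": WAN_IP, "in_if": LAN_IF, "dport": 443},
}

def dstnat(rules, pkt):
    """Destination after the dstnat chain; the first matching rule wins."""
    for r in rules:
        if r["dst_port"] != pkt["dport"]:
            continue
        if r.get("in_if", pkt["in_if"]) != pkt["in_if"]:
            continue  # an omitted matcher matches every packet
        if r.get("dst", pkt["dst"]) != pkt["dst"]:
            continue
        if "src_net" in r and ip_address(pkt["src"]) not in r["src_net"]:
            continue
        return r["to"]
    return pkt["dst"]

def needs_srcnat(pkt, new_dst):
    """True when client and translated target share the LAN: the server would
    reply to the client directly unless the router masquerades the source."""
    return (new_dst != pkt["dst"] and ip_address(pkt["src"]) in LAN
            and ip_address(new_dst) in LAN)

def evaluate(rules):
    return {name: dstnat(rules, p) for name, p in FLOWS.items()}

NO_MATCHER = [{"dst_port": 443, "to": SERVER}]                      # rule as first posted
WITH_IN_IF = [{"dst_port": 443, "in_if": "pppoe-out1", "to": SERVER}]
HAIRPIN = WITH_IN_IF + [{"dst_port": 443, "in_if": LAN_IF, "dst": WAN_IP,
                         "src_net": LAN, "to": SERVER}]

if __name__ == "__main__":
    for label, rules in [("no matcher", NO_MATCHER), ("in-interface", WITH_IN_IF),
                         ("hairpin", HAIRPIN)]:
        print(label, evaluate(rules))
```

With no matcher, outbound HTTPS from the LAN is rewritten to the server, which is why every HTTPS site broke; `needs_srcnat` marks the flow that the srcnat masquerade rule in the hairpin pair exists for.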