PPPoE dst-nat

I recently changed my internet connection to PPPoE, turning my modem into bridge mode. Since then the port mapping I do does not work; the only successful one I have been able to do is 8291 to the MikroTik. I have src-nat configured correctly, as my inside network can browse the internet, however creating a dst-nat for port 25 just doesn't want to port through. I have the default firewall rules set up on the MikroTik.

Thanks for your time

Post the output of “/ip address print detail”, “/ip route print detail”, “/interface print detail”, “/ip firewall export”, and an accurate network diagram.

Network Map

I have an ADSL modem in bridge mode going into port one of the MikroTik. The MikroTik uses PPPoE to establish the connection to the internet; port two on the MikroTik goes to my network switch to the rest of the network.

IP Addresses

0 ;;; default configuration
address=172.16.0.254/24 network=172.16.0.0 interface=ether2-LAN
actual-interface=ether2-LAN

1 address=10.1.1.1/30 network=10.1.1.0 interface=ether1-WAN
actual-interface=ether1-WAN

2 D address=218.101.6.208/32 network=218.101.61.124 interface=pppoe-out1
actual-interface=pppoe-out1

IP Route info

0 ADS dst-address=0.0.0.0/0 gateway=218.101.61.124
gateway-status=218.101.61.124 reachable pppoe-out1 distance=1 scope=30
target-scope=10

1 ADC dst-address=10.1.1.0/30 pref-src=10.1.1.1 gateway=ether1-WAN
gateway-status=ether1-WAN reachable distance=0 scope=10

2 ADC dst-address=172.16.0.0/24 pref-src=172.16.0.254 gateway=ether2-LAN
gateway-status=ether2-LAN reachable distance=0 scope=10

3 A S dst-address=192.168.1.1/32 gateway=ether1-WAN
gateway-status=ether1-WAN reachable distance=1 scope=30 target-scope=10

4 ADC dst-address=218.101.61.124/32 pref-src=218.101.6.208 gateway=pppoe-out1
gateway-status=pppoe-out1 reachable distance=0 scope=10

Interface info

0 R name="ether1-WAN" type="ether" mtu=1500 l2mtu=1526

1 R name="ether2-LAN" type="ether" mtu=1500 l2mtu=1524 max-l2mtu=1524

2 name="ether3-slave-local" type="ether" mtu=1500 l2mtu=1524 max-l2mtu=1524

3 name="ether4-slave-local" type="ether" mtu=1500 l2mtu=1524 max-l2mtu=1524

4 name="ether5-slave-local" type="ether" mtu=1500 l2mtu=1524 max-l2mtu=1524

5 R name="pppoe-out1" type="pppoe-out" mtu=1492

Firewall info

/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s
tcp-close-wait-timeout=10s tcp-established-timeout=1d tcp-fin-wait-timeout=
10s tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s
tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=10s
udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=accept chain=input comment="default configuration" disabled=no
in-interface=pppoe-out1 protocol=icmp
add action=accept chain=input comment="default configuration" connection-state=
established disabled=no in-interface=pppoe-out1
add action=accept chain=input disabled=no in-interface=pppoe-out1
add action=accept chain=input comment="default configuration" connection-state=
related disabled=no in-interface=pppoe-out1
add action=accept chain=forward disabled=no dst-address=172.16.0.1 protocol=tcp
add action=drop chain=input comment="default configuration" disabled=no
in-interface=pppoe-out1
/ip firewall nat
add action=dst-nat chain=dstnat comment=Winbox disabled=no in-interface=
pppoe-out1 protocol=tcp to-addresses=172.16.0.254 to-ports=8291
add action=dst-nat chain=dstnat disabled=no in-interface=pppoe-out1 protocol=
tcp to-addresses=172.16.0.1 to-ports=25
add action=dst-nat chain=dstnat disabled=no in-interface=pppoe-out1 protocol=
tcp src-port=3389 to-addresses=172.16.0.1 to-ports=3389
add action=masquerade chain=srcnat disabled=no out-interface=pppoe-out1
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061 sip-direct-media=yes
set pptp disabled=no

Thanks for your time.

/ip firewall nat
add action=dst-nat chain=dstnat comment=Winbox disabled=no in-interface=\
pppoe-out1 protocol=tcp to-addresses=172.16.0.254 to-ports=8291
add action=dst-nat chain=dstnat disabled=no in-interface=pppoe-out1 protocol=\
tcp to-addresses=172.16.0.1 to-ports=25
add action=dst-nat chain=dstnat disabled=no in-interface=pppoe-out1 protocol=\
tcp src-port=3389 to-addresses=172.16.0.1 to-ports=3389
add action=masquerade chain=srcnat disabled=no out-interface=pppoe-out1

Change that to:

/ip firewall nat
add action=dst-nat chain=dstnat disabled=no in-interface=pppoe-out1 protocol=tcp dst-port=25 to-addresses=172.16.0.1
add action=dst-nat chain=dstnat disabled=no in-interface=pppoe-out1 protocol=tcp dst-port=3389 to-addresses=172.16.0.1
add action=masquerade chain=srcnat disabled=no out-interface=pppoe-out1

There’s no point applying destination NAT to the Winbox connection going to the IP address of the router on the pppoe-out1 interface to the IP address of the router on the ether2-LAN interface. It’s still a router IP.

The other two rules were a little muddy. Try them as suggested. I think it still should have worked, though - you’re saying you changed your ‘internet connection to ppoe’ - does that mean you’re using a new provider? Most providers block SMTP (tcp/25). Many also block RDP (tcp/3389). It’s all under the same rule: no servers on home connections. Those two are well known ports, Winbox is not. Have you checked with your provider that they’re permitting that kind of traffic? Have you used torch or the packet sniffer to check whether you can actually see the traffic enter the WAN interface, and whether or not NAT is the actual issue at hand? If packets never make it because the ISP is dropping them there’d be nothing to NAT.

Same provider. I had port 25 working before changing my modem to bridge mode. I also had a pptp server working, which now is not, so it is really weird.

I also have a static IP. The reason I changed to PPPoE (ADSL bridge mode) was to skip an extra routing step, and IPsec wasn't working correctly; however, I haven't set it up yet on this new setup.

Thanks for your input. I made the specified changes with no success. Any further ideas?

Have you used torch or the packet sniffer to check whether you can actually see the traffic enter the WAN interface

Also, are the NAT rules counting packets? First establish there is actually any traffic to NAT. You have to see packets destined to tcp/25 on your PPPoE WAN interface for any of this to work. Only once that is established does it make sense to troubleshoot NAT.
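To make the first-match behaviour behind the suggested rule change concrete, here is a small Python model (an added example, not RouterOS code and not from anyone in this thread) that parses the rule syntax used in the exports above and walks constructed inbound SMTP and RDP packets through both the original and the corrected dstnat rules, keeping a hit counter per rule the way the packet counters in the NAT rule list do. The packet fields and the ephemeral source ports are constructed; the addresses and rules are the ones quoted in the thread.

```python
# Model of RouterOS dstnat first-match evaluation (added example, not RouterOS code); rule sets are from the thread.
import shlex

ORIGINAL = [
    "add action=dst-nat chain=dstnat comment=Winbox in-interface=pppoe-out1 protocol=tcp to-addresses=172.16.0.254 to-ports=8291",
    "add action=dst-nat chain=dstnat in-interface=pppoe-out1 protocol=tcp to-addresses=172.16.0.1 to-ports=25",
    "add action=dst-nat chain=dstnat in-interface=pppoe-out1 protocol=tcp src-port=3389 to-addresses=172.16.0.1 to-ports=3389",
]
FIXED = [
    "add action=dst-nat chain=dstnat in-interface=pppoe-out1 protocol=tcp dst-port=25 to-addresses=172.16.0.1",
    "add action=dst-nat chain=dstnat in-interface=pppoe-out1 protocol=tcp dst-port=3389 to-addresses=172.16.0.1",
]
# Matchers this model understands; a rule that omits one matches any value for it.
MATCHERS = ("in-interface", "protocol", "src-port", "dst-port")

def parse_rule(line):
    """Turn 'add key=value ...' into a dict, with port fields as ints."""
    rule = dict(tok.split("=", 1) for tok in shlex.split(line)[1:])
    rule.update({k: int(rule[k]) for k in ("src-port", "dst-port", "to-ports") if k in rule})
    return rule

def matches(rule, pkt):
    """Every matcher the rule specifies must equal the packet's field."""
    return all(rule[k] == pkt[k] for k in MATCHERS if k in rule)

def evaluate(rule_lines, packets):
    """First matching dstnat rule rewrites the packet and ends traversal.
    Returns the resulting (dst-addr, dst-port) per packet plus a hit counter per rule."""
    rules = [parse_rule(line) for line in rule_lines]
    counters = [0] * len(rules)
    results = []
    for pkt in packets:
        hit = next((i for i, r in enumerate(rules)
                    if r["chain"] == "dstnat" and matches(r, pkt)), None)
        if hit is None:  # nothing matched: the packet keeps its destination
            results.append((pkt["dst-addr"], pkt["dst-port"]))
            continue
        counters[hit] += 1
        rule = rules[hit]
        # to-ports is optional: without it dst-nat keeps the original destination port
        results.append((rule["to-addresses"], rule.get("to-ports", pkt["dst-port"])))
    return results, counters

def inbound(dst_port, src_port):
    """Constructed inbound TCP SYN to the router's public address (ephemeral source port)."""
    return {"in-interface": "pppoe-out1", "protocol": "tcp", "src-port": src_port,
            "dst-port": dst_port, "dst-addr": "218.101.6.208"}

SMTP, RDP = inbound(25, 51514), inbound(3389, 51515)
```

Run against the original set, both packets are absorbed by the Winbox rule, which has no dst-port and therefore matches every TCP packet on pppoe-out1 before the port 25 rule is reached, and the RDP rule's src-port=3389 would not match a client's ephemeral source port even if it were reached; with the corrected set each packet lands on its own rule and the counters show it.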

I see a few ISAKMP and SNMP packets over torch on pppoe-out1, and looking at the NAT rules no traffic is being passed, so if it isn't NATing through, where would the problem lie? My last router was a pfSense box, so to me this is a completely different ball game, I'm afraid.