Problem with port forwarding on L009UiGS, double NAT, dynamic WANIP

Hello

Yet another forwarding problem :wink:

I have followed: https://help.mikrotik.com/docs/display/RKB/Port+forwarding
also tried using the: Quick Set > Port mapping

but they both have failed.

I have 2 Unifi APs connected to the router. The whole network is on 192.168.88.x
Let’s say I want to redirect the 8000 port to 192.168.88.253

I have ISP router plugged in ETH1 as WAN and for now I have double NAT (working on that) with DMZ.
The other subnet is 192.168.100.1 (and Mikrotik has .100 static IP)
I think I either get the In. interface wrong or it is some default firewall rule that blocks my forwarding.

It is my first time with Mikrotik so any help would be great!
Thanks!


Strange sidenote.
I am running python webserver to test it:

python3 -m http.server

And at first it works with both: http://192.168.88.253:8000/ or http://localhost:8000/
But when I try to connect later with http://192.168.88.1:8000/ or http://192.168.100.100:8000/ or http://my-public-ip:8000/
the localhost and local IP stop working as well. It all hangs on my Mac and I need to restart the Python webserver.
Even wget/curl hangs. Strange?


# 2024-02-20 16:30:40 by RouterOS 7.12.1
# software id = ABCD-8UDB
#
# model = L009UiGS
# serial number = ABCD
/interface bridge
add admin-mac=78:9A:18:62:43:F8 auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.20-192.168.88.254
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.88.2 client-id=1:10:5b:ad:1:a6:28 mac-address=\
    10:5B:AD:01:A6:28 server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=http8000 dst-address=0.0.0.0 \
    dst-port=8000 in-interface-list=all protocol=tcp to-addresses=\
    192.168.88.253 to-ports=8000
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Bucharest
/system note
set show-at-login=no
/system routerboard settings
set enter-setup-on=delete-key
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

So you are attempting to get fancy by reaching an internal server by using the public IP address as if you were coming in from externally.
Boggles my mind, why not just use the LANIP address LOL.

In any case you are running into hairpin NAT.

  1. Solved partially by adding this sourcenat rule put at the top of the order
    add action=srcnat chain=masquerade src-address=192.168.88.0/24 dst-address=192.168.88.0/24
    EDIT Above is wrong should be
    add chain=srcnat action=masquerade

  2. Modify your forward chain rules to be more inclusive of direction of port forwarding so remove old default rule and replace with three better rules that are clearer and block more traffic (better security). As stated you have connections from both internal and external to wan port… thus we accept all dstnat traffic, and this is good.
    add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

TO:
add action=accept chain=forward comment="internet access" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="portforwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"

  3. Your port forwarding rule is incorrect…
    Typically for port forwarding with a dynamic IP the standard port forwarding rule looks like this…
    add action=dst-nat chain=dstnat in-interface-list=WAN dst-port=8000 protocol=tcp to-addresses=192.168.88.253

Note: To-ports is only really required for port translation and thus is assumed to be same as dst-port otherwise.

However, due to hairpin nat, this rule will not work (since the actual connection is not just from external to the WAN). The easiest fix is to use your IP CLOUD DNS mynetname address.
First put it in as a firewall address list item (will be resolved automatically).

firewall address-list
add 22d877dd.sn.mynetname.net list=MyRouter
Then modify port forwarding rule:
add action=dst-nat chain=dstnat dst-address-list=MyRouter dst-port=8000 protocol=tcp to-addresses=192.168.88.253

Boggles my mind, why not just use the LANIP address LOL.

So, well, that was my usual way of testing that it works… And later I’d test it works outside of my network.
So I scratched my head, took my phone, disconnected from WiFi and… to my surprise - the forwarding from outside works!

And the issue is, as you stated, to reach the internal server by the public IP. I guess my previous routers must have done it for me.


Still… if possible, I’d like to get it fixed, because I tend to reach my services via the domain, hooked to the external IP, that is later redirected by the internal NGiNX server to the correct internal address. I am not sure how to simplify that, that’s the way I know how to do it :wink:

Starting with:
1.

/ip firewall nat
add chain=srcnat action=masquerade src-address=192.168.88.0/24 dst-address=192.168.88.0/24

Works fine

a) I have disabled manually the filter “defconf: drop all from WAN not DSTNATed”
I don’t know what command I can use to disable the rule :slight_smile:

b)

/ip/firewall/filter/
add action=accept chain=forward comment="internet access" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment=portforwarding connection-nat-state=dstnat 
add action=drop chain=forward comment="drop all else"

worked and it seems all is still OK, thanks

  3. Where did you take

22d877dd.sn.mynetname.net

from?

I actually have a dynamic public IP, btw.

Quite correct, most have that built-in, whereas the MT RoS is very configurable if one knows networking. Even when I used consumerPRO Zyxel models,
they had a simple checkbox for this; think it was called loopback.

SHOULD BE:
/ip firewall nat
add chain=srcnat action=masquerade src-address=192.168.88.0/24 dst-address=192.168.88.0/24

With steps 1 & 2 + changed the NAT Rule In. Interface List to: “all”

It works.
I have no idea what I have done, but slowly learning “on the job” :smiley:

The config I am using now is based on the commands on top, and it sums up to:
Screenshot 2024-02-20 at 17.51.25.png
Screenshot 2024-02-20 at 17.51.19.png
Thanks a lot for all the help!

GO to my IP tab upper left on winbox, select IP and near the top select CLOUD.
Enable DDNS, hit apply. Soon a DNS name should show up near the bottom.

This is the tried and true method of setting this up. I cannot recommend in-interface-list=ALL as a solution, mainly because I don't know if there are any security implications.

I see…

Well, I am not sure what is worse, using DDNS for a firewall loopback or ALL in the interface list :smiley:

But,

  1. I have enabled the cloud service
/ip/firewall/address-list/
add address=myaddress.sn.mynetname.net list=MyRouter
  2. Modified the NAT rule to:
    Screenshot 2024-02-20 at 18.23.49.png
    and it does not work at all :frowning:
    neither outside (like it used to) nor inside (fake loopback)

  3. Changing back to “ALL” - everything works fine

That's weird, okay I must have overlooked something…
Post the complete config for me to review… NM, found the issue…
Okay, so the public IP is that of the upstream router and not your own WANIP 192.168.100.100.

That makes a huge difference my apologies, forget the MYNETNAME, you can disable/remove it…
Instead…
Change the dstnat rule to:

add action=dst-nat chain=dstnat dst-address=192.168.100.100/32 dst-port=8000 protocol=tcp to-addresses=192.168.88.253

With that setting:

:open_mouth:

I kind of feel that “ALL” will stick with me for a while :slight_smile:

# 2024-02-20 20:43:15 by RouterOS 7.12.1
# software id = xxx
#
# model = L009UiGS
# serial number = xxx
/interface bridge
add admin-mac=78:9A:18:62:43:F8 auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.20-192.168.88.254
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1h
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.88.2 client-id=1:10:5b:ad:1:a6:28 mac-address=\
    10:5B:AD:01:A6:28 server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=hf309b9swdy.sn.mynetname.net list=MyRouter
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new disabled=yes in-interface-list=WAN
add action=accept chain=forward comment="internet access" in-interface-list=\
    LAN out-interface-list=WAN
add action=accept chain=forward comment=portforwarding connection-nat-state=\
    dstnat
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat dst-address=192.168.88.0/24 src-address=\
    192.168.88.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=http dst-address=192.168.100.100 \
    dst-port=8000 in-interface-list=all protocol=tcp to-addresses=\
    192.168.88.253 to-ports=8000
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Bucharest
/system note
set show-at-login=no
/system routerboard settings
set enter-setup-on=delete-key
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

It does not work because 192.168.88.1 is nonsensical. Nobody uses the interface address of the subnet to reach a server…

Either you connect to the ROUTER WANIP, like you were coming in externally and get port forwarded to the router.
dst-address=actual WANIP for static,
in-interface=WAN for dynamic. ( dst-address-list=some dyndns URL for hairpin)

OR
you connect directly to the LANIP of the server from internally.

There is no such thing or even a good idea to connect using the interface address of the subnet.
It's a hack, and not correct.

Well, 192.168.88.1:8000 i could live without.
I just compared it, as with “ALL” it works even with that.

But unfortunately, specifying 192.168.100.100 it does not work with the external IP (if I am inside the network), so the loopback does not work :frowning:.
Wonder if there is a way to fix it?

Post your complete config please, it should work well?

I did post it in http://forum.mikrotik.com/t/problem-with-port-forwarding-on-l009uigs-double-nat-dynamic-wanip/173817/1

Because your Port Forwarding rule is incorrect. You still have the in-interface part in there, should be removed.

From:
add action=dst-nat chain=dstnat comment=http dst-address=192.168.100.100 dst-port=8000 in-interface-list=all protocol=tcp to-addresses=192.168.88.253


What do you mean by specifying the external IP?
Do you mean LAN users put 192.168.100.100:8000 and it doesn't work ??

Can you confirm external users can put the DYNDNS name of your public IP and it works.
URL:8000 ??

Hi.

Sorry, my bad.
I actually noticed that issue as well, but I must have exported the config before removing “in-interface-list=all”

Anyways, answering your question

What do you mean by specifying the external IP?
Do you mean LAN users put 192.168.100.100:8000 and it doesn't work ??
Can you confirm external users can put the DYNDNS name of your public IP and it works.
URL:8000 ??

I think there is extra confusion because of my double-NAT situation, the problem is that so far “in-interface-list=all” is working exactly like I’d like it to…
Maybe I should contact Mikrotik if they see any issue with that setup? Not sure how to approach it.

I will sum up the whole thing with a table, which will I think explain best my requirements and the situation:
Screenshot 2024-02-21 at 11.54.57.png
green - works
red - does not work

Your last firewall filter is dropping all forwards including LAN to LAN. The previous rule is allowing LAN out WAN so your internet still works, but the loopback is LAN to LAN.

Ok, I understand… But I guess I lack knowledge how to fix that.

All the beginner sources:

Seem to propose what @Mesquite mentioned, but that’s not really what works best in my case.

You can remove the last 2 rules as the default drop/dst-nat rule performs most of the same purpose.

Or narrow the scope of that last drop rule by adding src-address=192.168.88.0/24

I have changed the NAT rule to, like in the tutorials, Dst. Address to 192.168.100.100, removed ALL from In Interface List

And I have applied both your suggestions (separately)

  1. Added src-address=192.168.88.0/24 to the last filter rule

Still the external-ip:8000, requested from the internal network does not provide any response

  2. Disabled the two last rules

No difference. Basically for both cases the above table with colors still applies.

Good day atais.

After some sobering thought and discussion with someone who knows better…

There are TWO methods that users should use to reach the server.

A. Directly is the most foolproof for internal users 192.168.88.253:8000
B. Through the DYNDNS URL you are using, be it from a free or paid provider on the web, or by using your free IP CLOUD DNS name.

  • this is valid for external users
  • this is valid for internal lan users if they are instructed to use the dyndnsname:8000

C. Yes if the External IP is static, on the upstream router, and does not change then you can instead use the staticWAN-IP:8000 for all users

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Where I sent you off wrongly the second time was the format of the dstnat rule…

  1. For a dynamic WANIP on the upstream router
    add chain=dstnat action=dst-nat dst-address-list=MyServer dst-port=8000 protocol=tcp to-addresses=192.168.88.253

Where the firewall address list entry is
add address=dyndns-name ( could be your IP cloud DNS name ) list=MyServer

  2. If the WANIP is static, then simply use that
    add chain=dstnat action=dst-nat dst-address=43.567.57.4 dst-port=8000 protocol=tcp to-addresses=192.168.88.253
    ( sample wanIP only)

Anything else you are doing is non-standard and not recommended.

In terms of rules, you need a basic firewall rule allowing port forwarding
add chain=forward action=accept connection-nat-state=dstnat comment="port forwarding"

You need a hairpin nat source nat rule in case you want internal users to be able to access the server by the WANIP or DNS name.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
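To make the hairpin discussion in this thread concrete, here is a small Python model of how one new TCP connection to the forwarded port travels through the MikroTik's dstnat chain, forward chain and srcnat chain. It is an added example, not code from the thread, from MikroTik or from any poster. The addresses 192.168.88.0/24, 192.168.88.253, 192.168.100.100 and port 8000 are the thread's; the public IP 203.0.113.10, the external client 198.51.100.7 and the LAN client 192.168.88.50 are constructed; the rule dictionaries are a hypothetical mini-format for this model, not RouterOS syntax. It assumes the ISP router's DMZ rewrites the public destination address to 192.168.100.100 before a packet reaches the MikroTik (which is why dst-address=192.168.100.100 matches external traffic but a LAN client dialling the public IP misses), and the address list holding both 192.168.100.100 and the resolved DDNS name is my own variant, going beyond what the thread recommends. The "client hangs" outcome is what a missing hairpin srcnat rule produces: the server answers the LAN client directly, so the reply never passes back through the router's NAT.

```python
"""Model of the RouterOS dstnat -> forward -> srcnat path for one new TCP connection
to a port-forwarded server, covering the hairpin case from this thread.
Addresses from the thread; public IP, external client and LAN client are constructed."""
import ipaddress
from dataclasses import dataclass

LAN_NET = ipaddress.ip_network("192.168.88.0/24")
ROUTER_LAN_IP = "192.168.88.1"
ROUTER_WAN_IP = "192.168.100.100"   # MikroTik's address on the ISP router's subnet
PUBLIC_IP = "203.0.113.10"          # constructed stand-in for the ISP router's public IP
EXTERNAL_CLIENT = "198.51.100.7"    # constructed internet client
SERVER = "192.168.88.253"
PORT = 8000


@dataclass
class Conn:
    src: str
    dst: str
    dport: int
    in_iface: str            # interface list the first packet arrived on: "LAN" or "WAN"
    dstnat: bool = False     # connection-nat-state=dstnat once a dst-nat rule has fired
    out_iface: str = ""      # decided by routing, which runs after the dstnat chain


def iface_of(ip: str) -> str:
    return "LAN" if ipaddress.ip_address(ip) in LAN_NET else "WAN"


def matches(rule: dict, c: Conn) -> bool:
    """The subset of firewall matchers the thread's rules use (hypothetical dict format)."""
    if rule.get("in_iface", "all") not in ("all", c.in_iface):
        return False
    if rule.get("out_iface", "all") not in ("all", c.out_iface):
        return False
    if "dst_set" in rule and c.dst not in rule["dst_set"]:      # dst-address / dst-address-list
        return False
    if "nat_state" in rule and rule["nat_state"] != c.dstnat:   # connection-nat-state=[!]dstnat
        return False
    if "dport" in rule and rule["dport"] != c.dport:
        return False
    return True


# dstnat rule variants that appear in the thread, plus one combined list (my addition).
DSTNAT_IN_WAN = {"in_iface": "WAN", "dport": PORT}                    # in-interface-list=WAN
DSTNAT_WANIP = {"dst_set": {ROUTER_WAN_IP}, "dport": PORT}            # dst-address=192.168.100.100
DSTNAT_DDNS = {"dst_set": {PUBLIC_IP}, "dport": PORT}                 # dst-address-list= DDNS name only
DSTNAT_BOTH = {"dst_set": {ROUTER_WAN_IP, PUBLIC_IP}, "dport": PORT}  # list holding both addresses

# forward-chain variants (new connections only; established/related is accepted earlier).
DEFCONF_FORWARD = [
    {"comment": "defconf: drop all from WAN not DSTNATed", "in_iface": "WAN", "nat_state": False, "action": "drop"},
]
STRICT_FORWARD = [
    {"comment": "internet access", "in_iface": "LAN", "out_iface": "WAN", "action": "accept"},
    {"comment": "portforwarding", "nat_state": True, "action": "accept"},
    {"comment": "drop all else", "action": "drop"},
]


def trace(client: str, dst: str, dstnat_rule: dict, forward_chain: list, hairpin_srcnat: bool) -> str:
    """Outcome of a new TCP connection client -> dst:8000 as seen by the MikroTik."""
    c = Conn(src=client, dst=dst, dport=PORT, in_iface=iface_of(client))
    if c.in_iface == "LAN" and iface_of(dst) == "LAN":
        return "direct: same subnet, router not involved"
    # 1. dstnat (prerouting): a matching rule rewrites the destination to the server.
    if matches(dstnat_rule, c):
        c.dst, c.dstnat = SERVER, True
    c.out_iface = iface_of(c.dst)
    if not c.dstnat and c.dst in (ROUTER_WAN_IP, ROUTER_LAN_IP):
        return "dstnat-miss: packet is for the router itself (input chain), never forwarded"
    # 2. forward chain: first matching rule decides; no match means accept.
    for rule in forward_chain:
        if matches(rule, c):
            if rule["action"] == "drop":
                return "dropped by forward filter: " + rule["comment"]
            break
    if not c.dstnat:
        return "dstnat-miss: sent upstream untouched"
    # 3. srcnat: LAN->LAN after dstnat needs the hairpin masquerade, otherwise the server
    #    answers the client directly from 192.168.88.253 and the client's TCP state does
    #    not recognise the reply, so the connection just hangs.
    if c.in_iface == "LAN" and c.out_iface == "LAN" and not hairpin_srcnat:
        return "reply bypasses router: client hangs"
    return "ok"


if __name__ == "__main__":
    lan_client = "192.168.88.50"    # constructed LAN host
    variants = [("in-interface-list=WAN", DSTNAT_IN_WAN), ("dst-address=WANIP", DSTNAT_WANIP),
                ("dst-address-list=DDNS", DSTNAT_DDNS), ("list with both", DSTNAT_BOTH)]
    for name, rule in variants:
        for client, dst in [(EXTERNAL_CLIENT, ROUTER_WAN_IP), (lan_client, ROUTER_WAN_IP), (lan_client, PUBLIC_IP)]:
            print(f"{name:24} {client:>14} -> {dst:15}: {trace(client, dst, rule, STRICT_FORWARD, True)}")
```

Running it prints one line per combination of dstnat rule and client. The first column shows that in-interface-list=WAN never matches a connection that entered on the LAN, the second that dst-address=192.168.100.100 serves external clients and LAN clients who dial 192.168.100.100 but not LAN clients who dial the public IP, and the third that a list holding only the DDNS name misses external traffic in this double-NAT layout because the ISP router has already rewritten the destination. Toggling the last argument to False reproduces the hang that a missing hairpin srcnat rule causes.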