Quest - Strange port forwarding

beos · April 21, 2016, 6:52pm

I have router with Router OS 6.35, 2 x ISP, IPSec VPN connections.

Strange problem when I connect to SMTP server (TCP 25):

When I connect through mobile internet (lmt.lv) - port 25, 2525 working OK.
When I connect through home WiFi (also Mikrotik) - WORKING ONLY 2525 PORT! 25 not working, can’t connect.
same thing like (2) when I connect from other wifi (TP-LINK)
same thing like (2) when I connect from other mobile internet tele2.lt.

What is this?

/ip firewall filter
add chain=forward src-address=193.203.196.0/24
add chain=forward src-address=193.111.247.0/24
add chain=forward comment="allow ping" protocol=icmp
add chain=input comment="allow VPN" in-interface=ISP1 protocol=ipsec-esp
add chain=input dst-port=500 in-interface=ISP1 protocol=udp
add chain=output out-interface=ISP1
add chain=output out-interface=ISP2
add chain=forward comment="established connections" connection-state=established
add chain=forward comment="related connections" connection-state=related
add chain=input comment="allow router access (www,winbox)" dst-port=81,8291 in-interface=ISP1 protocol=tcp
add chain=input dst-port=81,8291 in-interface=ISP2 protocol=tcp
add action=drop chain=forward comment="invalid connections" connection-state=invalid

/ip firewall nat
add chain=srcnat comment=Kosmolat dst-address=192.168.1.0/24 src-address=192.168.0.0/24
add chain=srcnat dst-address=192.168.0.0/24 src-address=192.168.1.0/24
add chain=srcnat dst-address=192.168.17.0/24 src-address=192.168.0.0/24
add chain=srcnat dst-address=192.168.18.0/24 src-address=192.168.0.0/24
add chain=srcnat dst-address=192.168.0.0/24 src-address=192.168.17.0/24
add chain=srcnat dst-address=192.168.0.0/24 src-address=192.168.18.0/24
add chain=srcnat dst-address=192.168.0.0/24 src-address=192.168.16.0/24
add chain=srcnat dst-address=192.168.2.0/24 src-address=192.168.0.0/24
add chain=srcnat dst-address=192.168.13.0/24 src-address=192.168.0.0/24
add chain=srcnat dst-address=192.168.0.0/24 src-address=192.168.13.0/24
add chain=srcnat dst-address=192.168.0.0/24 src-address=192.168.2.0/24
add chain=srcnat dst-address=192.168.3.0/24 src-address=192.168.0.0/24
add chain=srcnat dst-address=192.168.0.0/24 src-address=192.168.3.0/24
add chain=srcnat dst-address=192.168.20.0/24 src-address=192.168.0.0/24
add chain=srcnat dst-address=192.168.0.0/24 src-address=192.168.20.0/24
add chain=srcnat dst-address=192.168.4.0/24 src-address=192.168.0.0/24
add chain=srcnat dst-address=192.168.0.0/24 src-address=192.168.4.0/24
add chain=srcnat dst-address=192.168.6.0/24 src-address=192.168.0.0/24
add chain=srcnat dst-address=192.168.0.0/24 src-address=192.168.6.0/24
add chain=srcnat dst-address=192.168.7.0/24 src-address=192.168.0.0/24
add chain=srcnat dst-address=192.168.0.0/24 src-address=192.168.7.0/24
add chain=srcnat dst-address=192.168.8.0/24 src-address=192.168.0.0/24
add chain=srcnat dst-address=192.168.0.0/24 src-address=192.168.8.0/24
add chain=srcnat dst-address=192.168.9.0/24 src-address=192.168.0.0/24
add chain=srcnat dst-address=192.168.0.0/24 src-address=192.168.9.0/24
add chain=srcnat dst-address=192.168.16.0/24 src-address=192.168.0.0/24
add chain=srcnat dst-address=192.168.10.0/24 src-address=192.168.0.0/24
add chain=srcnat dst-address=192.168.0.0/24 src-address=192.168.10.0/24
add chain=srcnat dst-address=192.168.11.0/24 src-address=192.168.0.0/24
add chain=srcnat dst-address=192.168.0.0/24 src-address=192.168.11.0/24
add chain=srcnat dst-address=192.168.12.0/24 src-address=192.168.0.0/24
add chain=srcnat dst-address=192.168.0.0/24 src-address=192.168.12.0/24
add chain=srcnat dst-address=192.168.14.0/24 src-address=192.168.0.0/24
add chain=srcnat dst-address=192.168.0.0/24 src-address=192.168.14.0/24
add chain=srcnat dst-address=172.30.209.0/24 src-address=192.168.0.0/24
add action=masquerade chain=srcnat comment=Maskarad out-interface=ISP1
add action=masquerade chain=srcnat out-interface=ISP2
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=192.168.0.0/24 out-interface=bridge1 src-address=192.168.0.0/24
add action=dst-nat chain=dstnat comment="Mail server (SMTP, POP3)" dst-port=25,2525 in-interface=ISP2 protocol=tcp to-addresses=\
    192.168.0.5 to-ports=25
add action=dst-nat chain=dstnat dst-port=25,2525 in-interface=ISP1 protocol=tcp to-addresses=192.168.0.5 to-ports=25
add action=dst-nat chain=dstnat dst-port=110 in-interface=ISP2 protocol=tcp to-addresses=192.168.0.5 to-ports=110
add action=dst-nat chain=dstnat dst-port=110 in-interface=ISP1 protocol=tcp to-addresses=192.168.0.5 to-ports=110
add action=dst-nat chain=dstnat comment=Webmail dst-address=ISP1_IP dst-port=8080 protocol=tcp to-addresses=192.168.0.5 to-ports=80
add action=dst-nat chain=dstnat dst-address=ISP2_IP dst-port=50000 in-interface=ISP1 protocol=tcp to-addresses=192.168.0.55 to-ports=\
    50000
add action=dst-nat chain=dstnat dst-address=ISP1_IP dst-port=21 protocol=tcp to-addresses=192.168.0.200 to-ports=21
add action=dst-nat chain=dstnat dst-address=ISP1_IP dst-port=80 protocol=tcp to-addresses=192.168.0.149 to-ports=80
add action=dst-nat chain=dstnat dst-address=ISP2_IP dst-port=53 protocol=udp to-addresses=192.168.0.5 to-ports=53
add action=dst-nat chain=dstnat dst-address=ISP2_IP dst-port=1614 protocol=udp to-addresses=192.168.0.5 to-ports=1614
add action=dst-nat chain=dstnat dst-address=ISP1_IP dst-port=53 in-interface=ISP2 protocol=udp to-addresses=192.168.0.5 to-ports=53
add action=dst-nat chain=dstnat dst-address=ISP1_IP dst-port=53 in-interface=ISP2 protocol=tcp to-addresses=192.168.0.5 to-ports=53
add action=dst-nat chain=dstnat dst-address=ISP2_IP dst-port=1433 protocol=tcp to-addresses=192.168.0.157 to-ports=1433
add action=dst-nat chain=dstnat dst-address=ISP1_IP dst-port=50000 protocol=tcp to-addresses=192.168.0.55 to-ports=50000
add action=dst-nat chain=dstnat dst-address=ISP2_IP dst-port=1723 protocol=tcp to-addresses=192.168.0.200 to-ports=1723
add action=dst-nat chain=dstnat dst-address=ISP1_IP dst-port=1723 protocol=tcp to-addresses=192.168.0.200 to-ports=1723
add action=dst-nat chain=dstnat dst-address=ISP1_IP dst-port=5901 protocol=tcp to-addresses=192.168.0.200 to-ports=5901
add action=dst-nat chain=dstnat dst-address=ISP2_IP dst-port=2121 protocol=tcp to-addresses=192.168.0.200 to-ports=2121
add action=dst-nat chain=dstnat dst-address=ISP1_IP dst-port=2121 protocol=tcp to-addresses=192.168.0.200 to-ports=2121
add action=dst-nat chain=dstnat dst-address=ISP2_IP dst-port=5910 protocol=tcp to-addresses=192.168.0.108 to-ports=5910
add action=dst-nat chain=dstnat dst-address=ISP1_IP dst-port=5910 protocol=tcp to-addresses=192.168.0.108 to-ports=5910
add action=dst-nat chain=dstnat dst-address=ISP2_IP dst-port=5901 protocol=tcp to-addresses=192.168.0.200 to-ports=5901
add action=dst-nat chain=dstnat dst-address=ISP2_IP dst-port=2222 protocol=tcp to-addresses=192.168.0.5 to-ports=2223
add action=dst-nat chain=dstnat dst-address=ISP1_IP dst-port=2222 protocol=tcp to-addresses=192.168.0.5 to-ports=2223
add action=dst-nat chain=dstnat dst-address=ISP2_IP dst-port=21 protocol=tcp to-addresses=192.168.0.200 to-ports=21
add action=dst-nat chain=dstnat dst-address=ISP2_IP dst-port=10000-10002 protocol=tcp to-addresses=192.168.0.200 to-ports=10000-10002
add action=dst-nat chain=dstnat dst-address=ISP1_IP dst-port=10000-10002 protocol=tcp to-addresses=192.168.0.200 to-ports=10000-10002
add action=dst-nat chain=dstnat dst-address=ISP2_IP dst-port=3389 protocol=tcp to-addresses=192.168.0.200 to-ports=3389
add action=dst-nat chain=dstnat comment="RDP POSTTEST" dst-address=ISP2_IP dst-port=3395 protocol=tcp to-addresses=192.168.0.130 to-ports=\
    3389
add action=dst-nat chain=dstnat dst-address=ISP2_IP dst-port=3390 protocol=tcp to-addresses=192.168.0.157 to-ports=3389
add action=dst-nat chain=dstnat dst-address=ISP2_IP dst-port=3391 protocol=tcp to-addresses=192.168.0.150 to-ports=3391
add action=dst-nat chain=dstnat dst-address=ISP2_IP dst-port=1610 protocol=udp to-addresses=192.168.0.150 to-ports=161
add action=dst-nat chain=dstnat dst-address=ISP2_IP dst-port=1615 protocol=udp to-addresses=192.168.0.159 to-ports=1615
add action=dst-nat chain=dstnat dst-address=ISP2_IP dst-port=1611 protocol=udp to-addresses=192.168.0.200 to-ports=1611
add action=dst-nat chain=dstnat dst-address=ISP1_IP dst-port=123 protocol=udp to-addresses=192.168.0.200 to-ports=123
add action=dst-nat chain=dstnat dst-address=ISP2_IP dst-port=53000 protocol=tcp to-addresses=192.168.0.157 to-ports=53000
add action=dst-nat chain=dstnat dst-address=ISP2_IP dst-port=143 protocol=tcp to-addresses=192.168.0.5 to-ports=143
add action=dst-nat chain=dstnat comment=Vsphere dst-address=ISP2_IP dst-port=443 protocol=tcp to-addresses=192.168.0.101 to-ports=443
add action=dst-nat chain=dstnat dst-address=ISP2_IP dst-port=1616 protocol=udp to-addresses=192.168.0.157 to-ports=161
add action=dst-nat chain=dstnat dst-address=ISP2_IP dst-port=3306 protocol=tcp to-addresses=192.168.0.149 to-ports=3306
add action=dst-nat chain=dstnat dst-address=ISP2_IP dst-port=2223 protocol=tcp to-addresses=192.168.0.149 to-ports=2223

Van9018 · April 25, 2016, 12:19am

Many ISPs block outbound port 25, unless the outbound connection is to one of the ISPs mail servers. They do this to prevent spam from being sent out on their network. To remove this block, you would need to upgrade your internet connection to “business” internet, which likely costs more and gives you static IPs.

Port 2525 is an alternate smtp port, often not blocked by ISPs as mail servers listening on port 2525 would expect an smtp session to be authenticated with username and password.