Routes / Masquerading

Hi!

I’ve been using a pfsense so far, but now I’d like to try MikroTik.
Well, MikroTik has a lot more possibilities, but is also more complicated.

Some problems I have so far:
What I’d like to do is a port forwarding on the MikroTik itself,
i.e. accessing port 2000 UDP forwards to MikroTik port 161 UDP.
This works for Computers in the LAN, but I haven’t been able to do it on the MikroTik itself. How can it be done?

OK, let’s go on:
I have 4 WAN connections. The main connection has a default route with the lowest distance, the other connections use higher distances.

Because the forwarding 2000->161 UDP doesn’t work, I just allowed an IP to connect from the internet to that port.
When I access the router via the main connection to port 161, I get an SNMP response.
When I use another connection, I can see that the response gets to the router and a response is sent, but it never reaches my management computer.
I guess that has either something to do with masquerading or because the response is obviously sent out via the default route, i.e. coming in via WAN2, response going out via WAN1. But I guess that was true for my pfsense as well and it worked like this.
Of course it would be better to have responses sent out via the same gateway as it came in, but can that be done?
If it can’t, how do I get at least a working connection?

Some computers are configured to use secondary connections. I do that by prerouting mangle rules that add routing marks to packets coming from those IPs and having default routes with those routing marks… is this the correct/best way to do it?

I know, a lot of questions (and I have some more to come… :) ) but I’d be grateful if somebody could help me.

Regards
Patrick

There is a lot to work with on these devices. Perhaps you should read the book, “RouterOS by Example”.

Create a NAT rule as usual, specify the router address as the Dst Address, specify a Dst Port, then in Action select dst-nat and only specify To Ports - leave To Addresses blank/default.

Thank you. The router address would be the public ip, wouldn’t it? Tried that and it seems to receive traffic (as seen in nat firewall tab) if I connect to the specified port, but I only get a timeout, no connection… so I guess it’s not dst-nated to the router?

Yes that’s correct, the public IP is the dst address.

An example of port forwarding 49000 would be:

/ip firewall nat
add action=dst-nat chain=dstnat comment="Example SIP" disabled=\
    no dst-address=*publicIP* dst-port=49000 protocol=tcp to-addresses=\
    *localIP*

And if you have a dynamic public IP, you can also specify the in-interface and leave out the dst-address.

Yeah, I know how ‘normal’ port forwarding works; my question was related to forwarding a port to another port on the MikroTik itself,
i.e. make SSH available on port 8000 from the outside. I haven’t got that to work yet.

I did it like this, you can do it without dst-address:

/ip firewall nat
add action=dst-nat chain=dstnat dst-port=2161 in-interface=\
    br-WAN protocol=udp src-address-list=NXXS-mgmt to-ports=\
    161

br-WAN is the gateway interface… I used an address list for source, security-wise.
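As an added example (not from any of the posters above), here is how the two pieces discussed in this thread fit together in RouterOS v6 syntax: the dst-nat to the router's own SNMP port restricted by source address list, the input-chain filter that the translated packet then has to pass, and connection marks so that the router's reply to a request that arrived on WAN2 leaves via WAN2 instead of the main default route. Interface names (ether1-WAN1, ether2-WAN2), the management address and the WAN2 gateway are assumed placeholders.

```routeros
# Added example, RouterOS v6 syntax. Interface names, the address in the
# NXXS-mgmt list and the WAN2 gateway are placeholders, not values from the thread.

/ip firewall address-list
add list=NXXS-mgmt address=203.0.113.10 comment="management host (constructed)"

# 1. Port translation on the router itself: external UDP/2161 -> local UDP/161.
#    No to-addresses, so the packet stays addressed to the router's own WAN IP.
#    One rule per WAN interface; in-interface replaces a fixed dst-address.
/ip firewall nat
add chain=dstnat protocol=udp dst-port=2161 in-interface=ether1-WAN1 \
    src-address-list=NXXS-mgmt action=dst-nat to-ports=161 comment="SNMP via 2161"
add chain=dstnat protocol=udp dst-port=2161 in-interface=ether2-WAN2 \
    src-address-list=NXXS-mgmt action=dst-nat to-ports=161 comment="SNMP via 2161"

# 2. After dst-nat the packet hits the input chain with dst-port=161, so the
#    input filter must accept the translated port (161), not 2161. This rule
#    has to sit above any generic "drop input from WAN" rule, and it stays
#    limited to the management address list so SNMP is never open to everyone.
/ip firewall filter
add chain=input protocol=udp dst-port=161 src-address-list=NXXS-mgmt \
    action=accept comment="SNMP from management hosts only"

# 3. Symmetric return path: remember which WAN a new connection arrived on,
#    then route the router's own replies (output chain) back through that WAN.
#    The connection mark lives on the conntrack entry, so the reply packet in
#    the output chain still carries it. Repeat the pair for WAN3/WAN4 as needed.
/ip firewall mangle
add chain=input in-interface=ether2-WAN2 connection-state=new \
    action=mark-connection new-connection-mark=from-wan2 passthrough=yes
add chain=output connection-mark=from-wan2 \
    action=mark-routing new-routing-mark=via-wan2 passthrough=no

# Default route consulted only by packets carrying the via-wan2 routing mark.
# The main default route (lowest distance) is unchanged for everything else.
/ip route
add dst-address=0.0.0.0/0 gateway=198.51.100.1 routing-mark=via-wan2 \
    comment="WAN2 gateway (placeholder address)"
```

On RouterOS v7 the `routing-mark=` parameter on routes and mangle rules is named `routing-table=` and the table must first be declared with `/routing table add name=via-wan2 fib`.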