"simple" port forwarding not working?

hey guys,

I tried enabling a simple port forward this morning (on a 750G)… but I can’t get it to work.
I tried it with ftp forwarding a few weeks back and it worked great. Now I tried forwarding a remote desktop (port 3389) and it just won’t do what I want it to.

Here is my ip / filter export:

/ip firewall filter
add action=accept chain=input comment="default configuration" disabled=no protocol=icmp
add action=accept chain=input comment="default configuration" connection-state=established disabled=no in-interface=ether1-WAN1-Kabel100
add action=accept chain=input comment="default configuration" connection-state=related disabled=no in-interface=ether1-WAN1-Kabel100                                                                                 
add action=drop chain=input comment="default configuration" disabled=no in-interface=ether1-WAN1-Kabel100                                                                                                            
add action=log chain=forward comment="" disabled=yes log-prefix=connections123

Here is the ip / nat export:

/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" disabled=no out-interface=ether1-WAN1-Kabel100                                                                                                    
add action=dst-nat chain=dstnat comment=SIWA disabled=no dst-address=95.208.108.132 dst-port=3389 in-interface=ether1-WAN1-Kabel100 protocol=tcp src-address=0.0.0.0/0 to-addresses=192.168.1.30 to-ports=3389       
add action=dst-nat chain=dstnat comment=SIWA disabled=no dst-address=95.208.108.132 dst-port=3389 in-interface=ether1-WAN1-Kabel100 protocol=udp src-address=0.0.0.0/0 to-addresses=192.168.1.30 to-ports=3389

I can’t really find out what is wrong. Any help? :slight_smile:

I think this comes into the router as an input chain on the firewall. Then the NAT happens. I could be wrong, but you are about to find out.

/ip firewall filter
add chain=input action=accept dst-port=3389 protocol=tcp
add chain=input action=accept dst-port=3389 protocol=udp

Move these above the “chain=input action=drop” rule. You can add additional parameters, like src-address, if you want to limit it to specific IPs/networks.

Sorry, but that won’t work. Destination NAT happens after pre-routing, then after dest NAT the router looks at the destination IP and puts the packet into input if the IP is on a route interface, and into forward if it is not.

According to the details posted this should work. So the information posted is either edited (stuff that makes it not work is missing from those sections, such as firewall filters in prerouting, forward, or postrouting), the rule is too specific (drop the dst-address qualifier from the NAT rule if you have a dynamic IP and it had changed since), or a firewall is dropping things outside of the router (on the RDP host, or on the way to the router somewhere in an ISP).

Just for completeness post the output of “/ip address print detail”, “/ip route print detail”, “/interface print”, “/ip firewall export”, and an accurate network diagram. Maybe the segment that makes it not work on the router will stand out.

On a side note, RDP is tcp/3389 only.

yes, I did shorten the output a little bit and changed some IP addresses, because the LAN IP is confusing.
Here is the complete output, never mind the LAN addresses, they are fine like that. It wasn’t my idea though :stuck_out_tongue:

/ip route> print detail
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit 
 0 X S  dst-address=0.0.0.0/0 gateway=ether1-WAN1-Kabel100 gateway-status=ether1-WAN1-Kabel100 inactive distance=1 scope=30 target-scope=10 routing-mark=viaWAN1 

 1 X S  dst-address=0.0.0.0/0 gateway=ether2-WAN2-Kabel32 gateway-status=ether2-WAN2-Kabel32 inactive distance=1 scope=30 target-scope=10 routing-mark=viaWAN2 

 2 ADS  dst-address=0.0.0.0/0 gateway=95.208.108.1 gateway-status=95.208.108.1 reachable ether1-WAN1-Kabel100 distance=1 scope=30 target-scope=10 

 3 ADC  dst-address=95.208.108.0/22 pref-src=95.208.108.132 gateway=ether1-WAN1-Kabel100 gateway-status=ether1-WAN1-Kabel100 reachable distance=0 scope=10 

 4 ADC  dst-address=181.123.1.0/24 pref-src=181.123.1.2 gateway=ether3-LAN1-master gateway-status=ether3-LAN1-master reachable distance=0 scope=10



/ip firewall> export
# mar/24/2011 15:37:05 by RouterOS 4.11
# software id = LZ3U-CMR7
#
/ip firewall address-list
add address=181.123.1.30 comment="" disabled=no list=16mbit                                                                                                                                                          
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=10s tcp-established-timeout=1d tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s \     
    tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s                                                                                                         
/ip firewall filter
add action=accept chain=input comment="" disabled=no dst-address=95.208.108.132 dst-address-list="" dst-port=22 in-interface=ether1-WAN1-Kabel100 protocol=tcp src-address=0.0.0.0/0                                 
add action=accept chain=input comment="" disabled=no dst-address=95.208.108.132 dst-port=8291 in-interface=ether1-WAN1-Kabel100 protocol=tcp src-address=0.0.0.0/0
add action=accept chain=input comment="default configuration" disabled=no protocol=icmp
add action=accept chain=input comment="default configuration" connection-state=established disabled=no in-interface=ether1-WAN1-Kabel100
add action=accept chain=input comment="default configuration" connection-state=related disabled=no in-interface=ether1-WAN1-Kabel100                                                                                 
add action=drop chain=input comment="default configuration" disabled=no in-interface=ether1-WAN1-Kabel100                                                                                                            
add action=log chain=forward comment="" disabled=yes log-prefix=connections123                                                                                                                                       
/ip firewall mangle
add action=mark-connection chain=forward comment="16mbit traffic markierung" disabled=no new-connection-mark=16mbit_connections passthrough=yes src-address-list=16mbit
add action=mark-packet chain=forward comment="" connection-mark=16mbit_connections disabled=no new-packet-mark=16mbit_traffic passthrough=no log-prefix=""
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" disabled=no out-interface=ether1-WAN1-Kabel100                                                                                                    
add action=dst-nat chain=dstnat comment=SIWA disabled=no dst-address=95.208.108.132 dst-port=3389 in-interface=ether1-WAN1-Kabel100 protocol=tcp src-address=0.0.0.0/0 to-addresses=181.123.1.30 to-ports=3389       
add action=dst-nat chain=dstnat comment=SIWA disabled=no dst-address=95.208.108.132 dst-port=10433 in-interface=ether1-WAN1-Kabel100 protocol=tcp src-address=0.0.0.0/0 to-addresses=181.123.1.30 to-ports=10443
add action=dst-nat chain=dstnat comment=SIWA disabled=no dst-address=95.208.108.132 dst-port=443 in-interface=ether1-WAN1-Kabel100 protocol=tcp src-address=0.0.0.0/0 to-addresses=181.123.1.30 to-ports=443
add action=dst-nat chain=dstnat comment=SIWA disabled=no dst-address=95.208.108.132 dst-port=44321 in-interface=ether1-WAN1-Kabel100 protocol=tcp src-address=0.0.0.0/0 to-addresses=181.123.1.30 to-ports=44321                                                                                                                                                                                            
add action=dst-nat chain=dstnat comment=SIWA disabled=no dst-address=95.208.108.132 dst-port=10433 in-interface=ether1-WAN1-Kabel100 protocol=udp src-address=0.0.0.0/0 to-addresses=181.123.1.30 to-ports=10443
add action=dst-nat chain=dstnat comment=SIWA disabled=no dst-address=95.208.108.132 dst-port=433 in-interface=ether1-WAN1-Kabel100 protocol=udp src-address=0.0.0.0/0 to-addresses=181.123.1.30 to-ports=443
add action=dst-nat chain=dstnat comment=SIWA disabled=no dst-address=95.208.108.132 dst-port=43321 in-interface=ether1-WAN1-Kabel100 protocol=udp src-address=0.0.0.0/0 to-addresses=181.123.1.30 to-ports=44321
/ip firewall service-port
set ftp disabled=no ports=21                                                                                                                                                                                         
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061                                                                                                                                                                                  
set pptp disabled=no



/interface> print detail
Flags: D - dynamic, X - disabled, R - running, S - slave 
 0  R  name="ether1-WAN1-Kabel100" type="ether" mtu=1500 l2mtu=1524 

 1     name="ether2-WAN2-Kabel32" type="ether" mtu=1500 l2mtu=1524 

 2  R  name="ether3-LAN1-master" type="ether" mtu=1500 l2mtu=1524 

 3     name="ether4-LAN2-slave" type="ether" mtu=1500 l2mtu=1524 

 4  R  name="ether5-LAN3-slave" type="ether" mtu=1500 l2mtu=1524



/ip address> print detail
Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;; default configuration
     address=181.123.1.2/24 network=181.123.1.0 broadcast=181.123.1.255 interface=ether3-LAN1-master actual-interface=ether3-LAN1-master 

 1 D address=95.208.108.132/22 network=95.208.108.0 broadcast=95.208.111.255 interface=ether1-WAN1-Kabel100 actual-interface=ether1-WAN1-Kabel100

That should work. Does the host you’re trying to RDP into have general access TO the Internet, i.e. is network access outbound working fine? If yes, I’m going to bet that something other than the router is blocking traffic - either another router/firewall, or the host firewall.

I just talked to the admin of 181.123.1.30:
He actually routes his traffic through 181.123.1.1 to get to the internet. So it works fine, but through another router.
Is that the cause of the problem?

Yes. If it goes through another router then the Mikrotik router never sees the return traffic, so it can’t forward the return traffic to whatever client is establishing the RDP session.

You can work around that by source NATing that traffic to the router LAN interface, which will make the RDP server think that the traffic was initiated locally, so it won’t use its default route for return traffic. A side effect is that the logs on that server will always show 181.123.1.2 as the source of any RDP connections.

THIS MAY VIOLATE THE SECURITY POLICY OF THE NETWORK. CHECK WITH THE APPROPRIATE ADMINS BEFORE IMPLEMENTING THIS.

/ip firewall nat
add chain=srcnat dst-address=181.123.1.30 protocol=tcp dst-port=3389 out-interface=ether3-LAN1-master action=masquerade
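As an added illustration of the asymmetric return path described above (this is not code from the thread or from RouterOS), the following Python model walks one RDP SYN through the thread's dst-nat rule, the RDP host's own routing decision, and the optional srcnat rule, and shows why only the srcnat variant gets a reply back to the client. The remote client address 203.0.113.7 and the dict-based connection-tracking table are assumptions of the model.

```python
from collections import namedtuple

# Router and RDP host addresses come from the thread; the remote client is a
# constructed RFC 5737 address. Connection tracking is modelled as a plain dict.
ROUTER_WAN, ROUTER_LAN = "95.208.108.132", "181.123.1.2"
RDP_HOST, OTHER_GW = "181.123.1.30", "181.123.1.1"
CLIENT, LAN_PREFIX = "203.0.113.7", "181.123.1."

Pkt = namedtuple("Pkt", "src dst sport dport")

def filter_chain(pkt):
    """After dstnat the routing decision picks the chain: router-owned IP -> input, else forward."""
    return "input" if pkt.dst in (ROUTER_WAN, ROUTER_LAN) else "forward"

def router_inbound(pkt, conntrack, hairpin_srcnat):
    """Apply the thread's dst-nat rule (WAN:3389 -> 181.123.1.30:3389), optionally the
    srcnat/masquerade rule out ether3-LAN1-master, and remember the expected reply tuple."""
    if pkt.dst != ROUTER_WAN or pkt.dport != 3389:
        return None  # not matched by the dst-nat rule
    new_src = ROUTER_LAN if hairpin_srcnat else pkt.src
    out = Pkt(new_src, RDP_HOST, pkt.sport, 3389)
    conntrack[(out.dst, out.dport, out.src, out.sport)] = pkt
    return out

def host_reply(req):
    """RDP host answers and picks a next hop from its own table: on-link LAN goes
    direct, anything else via its default gateway 181.123.1.1 (not the MikroTik)."""
    reply = Pkt(req.dst, req.src, req.dport, req.sport)
    next_hop = reply.dst if reply.dst.startswith(LAN_PREFIX) else OTHER_GW
    return reply, next_hop

def router_reply(reply, conntrack):
    """Reverse both translations if the MikroTik tracked this connection."""
    orig = conntrack.get((reply.src, reply.sport, reply.dst, reply.dport))
    return None if orig is None else Pkt(orig.dst, orig.src, orig.dport, orig.sport)

def simulate(hairpin_srcnat):
    """Return the SYN-ACK the client receives, or None when the session stalls."""
    ct = {}
    syn = Pkt(CLIENT, ROUTER_WAN, 51000, 3389)
    fwd = router_inbound(syn, ct, hairpin_srcnat)
    assert filter_chain(fwd) == "forward"  # so an input-chain accept rule cannot help
    reply, next_hop = host_reply(fwd)
    if next_hop == OTHER_GW:
        # 181.123.1.1 holds no NAT state: the SYN-ACK leaves with src 181.123.1.30,
        # a tuple the client never opened, so it is discarded and RDP hangs.
        return None
    return router_reply(reply, ct)  # reply came back via the MikroTik's LAN address
```

Running `simulate(False)` returns None (the stalled session from the thread), while `simulate(True)` returns the SYN-ACK rewritten back to 95.208.108.132:3389 toward the client, at the cost that the RDP host only ever sees 181.123.1.2 as the source.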

thanks fewi, you just got a greater karma :slight_smile:

Thanks Fewi, I have the same problem for IP Camera and your way solved my problem, so karma is graceful for you.