SNMP dst-nat doesn't work

Hi,

My ISP blocked the SNMP port udp-161. So in order for me to be able to run SNMP remotely I had to add a dst-nat. I also added an "accept" rule on the port so the firewall allows it. But for some reason the NAT rule doesn't get any traffic. I can see the accept rule getting traffic, which means the MikroTik is receiving packets for that port, but it never reaches the dst-nat rule. SNMP works locally, meaning the SNMP service is running correctly on the MikroTik. I would appreciate any kind of help.

Here is my NAT rule:

chain=dst-nat action=dst-nat to-addresses=192.168.20.1 to-ports=161 protocol=udp in-interface=ether6 dst-port=1610 log=yes log-prefix="SNMP"

192.168.20.1 is the MikroTik's local address
1610 is the port I send requests to using snmpwalk: snmpwalk -v3 host:1610
ether6 is the WAN interface

And here are my filter rules (I removed some of the specific rules/ports; none of the removed ones are drop rules):

0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 

 2    ;;; DEFAULT: Accept established, related, and untracked traffic.
      chain=input action=accept connection-state=established,related,untracked log=no log-prefix="" 

 4    ;;; SNMP
      chain=input action=accept connection-state=established,related,new connection-nat-state=dstnat protocol=udp dst-port=1610 log=no log-prefix="" 

 7    ;;; Winbox Access
      chain=input action=accept connection-state=established,related,new protocol=tcp dst-port=8291 log=no log-prefix="" 

18    ;;; DEFAULT: Drop invalid traffic.
      chain=input action=drop connection-state=invalid log=no log-prefix="" 

19    ;;; DEFAULT: Accept ICMP traffic.
      chain=input action=accept protocol=icmp log=no log-prefix="" 

20    ;;; DEFAULT: Drop all other traffic not coming from LAN.
      chain=input action=drop in-interface=ether6 log=no log-prefix="" 

21    ;;; DEFAULT: Accept In IPsec policy.
      chain=forward action=accept log=no log-prefix="" ipsec-policy=in,ipsec 

22    ;;; DEFAULT: Accept Out IPsec policy.
      chain=forward action=accept log=no log-prefix="" ipsec-policy=out,ipsec 

23 X  ;;; ACCEPT BEFORE FAST TRACK FOR QUEUES TO WORK
      chain=forward action=accept connection-state=established,related log=no log-prefix="" 

24    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection connection-state=established,related log=no log-prefix="" 

25    ;;; DEFAULT: Accept established, related, and untracked traffic.
      chain=forward action=accept connection-state=established,related,untracked log=no log-prefix="" 

26    ;;; DEFAULT: Drop invalid traffic.
      chain=forward action=drop connection-state=invalid log=no log-prefix="" 

27    ;;; DEFAULT: Drop all other traffic from WAN that is not DSTNATed.
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=ether6 log=no log-prefix=""

First, chain=dst-nat should be chain=dstnat.
Second, firewall input chain is processed after dstnat, so in your firewall rule you should use dst-port=161 not dst-port=1610.
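
As an added illustration of the two corrections above (this is not config from the thread's author, just an example written for this page), here is the RouterOS configuration the answer implies. It assumes the same names as the post: ether6 is the WAN interface, 192.168.20.1 is the router's LAN address, and the query arrives on udp/1610. The address list `snmp-managers` and the manager address 203.0.113.10 are assumptions added to restrict who can reach the service; substitute your own.

```routeros
# Packet flow for traffic addressed to the router itself is:
#   prerouting (chain=dstnat) -> input (filter)
# so the filter rule must match the port AFTER translation (161), not 1610.

# 1. Translate the externally reachable port to the SNMP agent on the router.
#    chain must be "dstnat"; "dst-nat" is a valid action but not a valid chain.
/ip firewall nat
add chain=dstnat action=dst-nat in-interface=ether6 protocol=udp dst-port=1610 \
    to-addresses=192.168.20.1 to-ports=161 \
    log=yes log-prefix="SNMP" comment="SNMP: udp/1610 -> 161 on the router"

# 2. Allow the translated packet into the input chain. It now carries dst-port=161
#    and connection-nat-state=dstnat, so only "new" needs accepting here;
#    established/related are already handled by the default input rule.
#    (assumption: the manager address list below is not in the original post)
/ip firewall address-list
add list=snmp-managers address=203.0.113.10 comment="monitoring host (example address)"

/ip firewall filter
add chain=input action=accept in-interface=ether6 protocol=udp dst-port=161 \
    connection-state=new connection-nat-state=dstnat \
    src-address-list=snmp-managers comment="SNMP (after dst-nat)" \
    place-before=[find comment~"Drop all other traffic not coming from LAN"]

# 3. Verify: the NAT rule counter should now increase, the log should show the
#    "SNMP" prefixed entries, and the input accept rule should count hits.
/ip firewall nat print stats where comment~"SNMP"
/ip firewall filter print stats where comment~"SNMP"
/log print where message~"SNMP"
```

Two points worth checking after applying this. The NAT rule only sees the first packet of each UDP "connection"; later packets of the same conversation are translated by connection tracking without hitting the rule again, so the counter grows per query session, not per packet. And the SNMP agent itself still answers on udp/161 for anyone the filter lets through, so keep the service limited to v3 and, as above, to known manager addresses rather than relying on the non-standard port.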

Good catch. But it still doesn't explain how the input rule can get any hits when it contains connection-nat-state=dstnat and no dstnat happened for those packets.

Changing both made it work. Thank you so much. I had no idea that the input chain is processed after the NAT rules.

No idea either, but we didn't see the whole config.

You are welcome!

Here is a very useful wiki article that solves half of such questions :)
https://wiki.mikrotik.com/wiki/Manual:Packet_Flow