SNMP - Port DSNAT - not working

Hello guys and ladies,

I hope you are doing well. I would like to ask you for support regarding SNMP DSNAT on my Mikrotik.

Here we go, let's explain the situation:

I want to check my RB via SNMP. It seems that the ISP blocks port 161, so I chose port 8230 as the port from the internet. I created a DSNAT from port 8230 to the internal address of the Mikrotik, 192.168.10.1, port 161.
In Firewall > NAT I can see that bytes are counting in the rules, but only 1 byte per minute, let's say.

What is the problem: I am not able to establish an SNMP connection. At home, with pretty much the same configuration, it's working.

SNMP on the Mikrotik is enabled and reachable via the local network. So I suspect NATing as the problem.

How can I debug it, please?

Please check my configuration if possible:

/ip address
add address=192.168.15.1/16 comment="default configuration" interface=bridge2 \
    network=192.168.0.0
add address=85.205.100.248/28 interface=ether1-gateway network=85.205.100.240
add address=172.100.0.2/30 interface=gre-tunnel1 network=172.100.0.0

/ip firewall filter
add action=accept chain=input comment="default configuration" protocol=icmp
add action=accept chain=input connection-nat-state=dstnat dst-port=161 \
    log-prefix=SNMP protocol=udp src-address=37.31.68.246
add action=accept chain=input dst-port=1723 protocol=tcp
add action=accept chain=input dst-port=500 protocol=udp
add action=accept chain=input dst-port=1701 protocol=udp
add action=accept chain=input dst-port=4500 protocol=udp
add action=accept chain=input comment="default configuration" connection-state=\
    established
add action=accept chain=input comment="default configuration" connection-state=\
    related
add action=drop chain=input comment="default configuration" in-interface=\
    ether1-gateway
add action=accept chain=forward comment="default configuration" \
    connection-state=related
add action=drop chain=forward comment="default configuration" connection-state=\
    invalid
add action=accept chain=forward comment="default configuration" \
    connection-state=established
add action=accept chain=input disabled=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=ether1-gateway to-addresses=0.0.0.0
add action=dst-nat chain=dstnat disabled=yes dst-address=85.205.100.248 \
    dst-port=80 protocol=tcp to-addresses=192.168.10.110 to-ports=80
add action=dst-nat chain=dstnat dst-address=85.205.100.248 dst-port=8230 \
    protocol=udp to-addresses=192.168.15.1 to-ports=161

Delete the real IPs from the previous post…
or, if you used fake ones, do not write other people's addresses…

Yea. These IPs are fake.

Thank you for any answer.

Dominik

Please be polite when using a fake address…
don’t use a real address …
With IPv4 gone, you pretty much always guess…

Instead, use unused / unassigned addresses from 225.x.x.x to 231.x.x.x

SNMP uses ports 161 and 162, but if you change the src port number, not all devices are compatible, because they expect connections only from those ports.

Aha.

Does it mean that I should also do DSNAT for port 162?

Or any other advice on what to try?

Thanks a lot!

The solution could be a VPN…?
I can't advise you further, because it is too hard on a forum…

Is there any way to confirm that the device is not compatible? I would like to debug it.

BTW, in Connections I can see there is a connection established (somehow).
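
One way to approach the debugging question asked in this thread, as an added example that is not code from any of the posters: a minimal SNMPv2c probe to run from the monitoring host against the forwarded UDP port (8230 in the thread), reporting whether anything answers and from which address and port. The function names and the community string passed in are assumptions; IPv4 only, and `host` must be an IP literal for the endpoint comparison to be meaningful.

```python
import random
import socket

SYS_DESCR_OID = bytes([0x2B, 6, 1, 2, 1, 1, 1, 0])  # 1.3.6.1.2.1.1.1.0 (sysDescr.0)

def tlv(tag, body):
    """BER tag-length-value, short-form length only (body under 128 bytes)."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def build_get(community, request_id):
    """SNMPv2c GetRequest (PDU tag 0xA0) for sysDescr.0."""
    varbinds = tlv(0x30, tlv(0x30, tlv(0x06, SYS_DESCR_OID) + tlv(0x05, b"")))
    pdu = tlv(0xA0, tlv(0x02, request_id.to_bytes(4, "big"))
              + tlv(0x02, b"\x00") + tlv(0x02, b"\x00") + varbinds)
    return tlv(0x30, tlv(0x02, b"\x01") + tlv(0x04, community.encode()) + pdu)

def read_tlv(buf, pos):
    """Return (tag, value, next_pos); accepts short and long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def probe(host, port, community, timeout=3.0):
    """Send one GET to host:port and report who answered, if anyone."""
    rid = random.randrange(0x01000000, 0x7FFFFFFF)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_get(community, rid), (host, port))
        try:
            data, reply_from = s.recvfrom(4096)
        except socket.timeout:
            return {"answered": False}  # request or reply lost on the path
    result = {"answered": True, "reply_from": reply_from, "is_response": False,
              "id_match": False, "same_endpoint": reply_from == (host, port)}
    try:
        _, msg, _ = read_tlv(data, 0)        # outer SEQUENCE
        _, _, p = read_tlv(msg, 0)           # version
        _, _, p = read_tlv(msg, p)           # community
        pdu_tag, pdu, _ = read_tlv(msg, p)   # 0xA2 = GetResponse
        _, rid_bytes, _ = read_tlv(pdu, 0)   # request-id echoed by the agent
    except IndexError:
        return result                        # truncated or non-SNMP reply
    result["is_response"] = pdu_tag == 0xA2
    result["id_match"] = int.from_bytes(rid_bytes, "big") == rid
    return result
```

A result with `answered` true but `same_endpoint` false means a reply arrived from a different address or port than the one probed, which an SNMP manager will typically discard. Comparing the output for the LAN address on port 161 with the public address on the forwarded port separates a NAT or filter problem from an SNMP configuration problem.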