DeIM
May 10, 2014, 10:40am
1
Hi,
I have an RB751U-2HnD v5.26, and on my small server there are two Java programs (SIP based).
When I connect from inside the local network it runs flawlessly (new lines in the log file).
When I want to connect from the internet (or outside the local network) it seems one program is unreachable, but the second runs flawlessly.
Interface list is attached.
When I torch 2) it writes:
SRC | DEST
:<program 1 port> | :
:<program 1 port> | :<program 1 port>
Then the program on the PC writes that program 1 on the server seems to be down (no communication).
(in program 1 log is nothing new)
:<program 2 port> | :
Program 2 runs well.
(new lines in log)
My firewall nat options:
6 chain=dstnat action=dst-nat to-addresses= protocol=tcp
in-interface=ether1-gateway dst-port=<program 2 port>,<program 1 port>,
7 chain=dstnat action=dst-nat to-addresses= protocol=udp
in-interface=ether1-gateway dst-port=<program 2 port>,<program 1 port>,
From the internet I’m able to probe ports with Angry IP Scanner - it shows <program 1 port> and <program 2 port> open.
When I connect the PC to the local network I’m unable (or I don’t know how) to torch this communication on any interface.
Thanks for help.
Rudios
May 10, 2014, 12:35pm
2
How are your firewall rules built?
DeIM
May 11, 2014, 11:55am
3
Rudios … good point it could be the problem.
/ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; default configuration
chain=input action=accept protocol=icmp
1 ;;; default configuration
chain=input action=accept connection-state=established
2 ;;; default configuration
chain=input action=accept connection-state=related
3 ;;; default configuration
chain=input action=drop in-interface=ether1-gateway
4 ;;; default configuration
chain=forward action=accept connection-state=established
5 ;;; default configuration
chain=forward action=accept connection-state=related
6 ;;; default configuration
chain=forward action=drop connection-state=invalid
Rudios
May 11, 2014, 12:04pm
4
If these are your only rules I am very surprised that the connection is even starting.
I do not know the applications you are using but keep in mind that UDP is a connectionless protocol so a firewall rule with connection-state=established will not work there!
On the other hand, you do not have a generic drop rule at the end which drops all remaining traffic, so it makes sense.
The rules you now actually have only block invalid traffic.
DeIM
May 11, 2014, 1:10pm
5
It’s strange - I see now. But I can’t figure out how to set firewall rules properly. I’ve made final forward firewall rule:
8 chain=forward action=log log-prefix="drop::"
And the log prints drop for both program 1 and 2 - but program 2 has a larger packet size (>1k).
Log also prints priority changes.
My Mangle rules for packet sizes are these:
3 ;;; low_size_in
chain=postrouting action=set-priority new-priority=3 passthrough=yes
packet-size=0-512
4 ;;; low_size_out
chain=prerouting action=set-priority new-priority=3 passthrough=yes
packet-size=0-512
5 ;;; hi_size_in
chain=postrouting action=set-priority new-priority=7 passthrough=yes
packet-size=513-65535
6 ;;; hi_size_out
chain=prerouting action=set-priority new-priority=7 passthrough=yes
packet-size=513-65535
I figured out now that it shouldn’t work anyway. Could you please guide me or give some good resources?
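A small model, added here and not part of either poster's configuration, of how RouterOS walks the filter chains quoted above: a packet that reaches the end of a chain without hitting a terminating rule is accepted, which is why forward traffic passes with the default rules and why a final drop needs an explicit accept for dst-nat'ed connections ahead of it. The `connection-nat-state=dstnat` matcher and the packet values are my assumptions, not something the thread shows.

```python
from dataclasses import dataclass, field

@dataclass
class Packet:
    chain: str
    protocol: str
    state: str           # connection-state as the matcher reports it
    in_interface: str
    nat_state: str = ""  # "dstnat" once a dst-nat rule rewrote the packet

@dataclass
class Rule:
    chain: str
    action: str
    match: dict = field(default_factory=dict)

    def matches(self, pkt):
        # An empty match dict matches everything in the chain (generic drop).
        return pkt.chain == self.chain and all(
            getattr(pkt, k) == v for k, v in self.match.items())

def walk(rules, pkt, default="accept"):
    """First matching terminating rule wins; 'log' is passthrough."""
    for r in rules:
        if r.matches(pkt) and r.action in ("accept", "drop"):
            return r.action
    return default  # RouterOS: fall-through means accept

# Rules 0-6 as printed in the thread (default configuration).
DEFAULT_RULES = [
    Rule("input", "accept", {"protocol": "icmp"}),
    Rule("input", "accept", {"state": "established"}),
    Rule("input", "accept", {"state": "related"}),
    Rule("input", "drop", {"in_interface": "ether1-gateway"}),
    Rule("forward", "accept", {"state": "established"}),
    Rule("forward", "accept", {"state": "related"}),
    Rule("forward", "drop", {"state": "invalid"}),
]

# Same chain with a generic drop at the end; the dst-nat accept is an
# assumed addition so the port-forwarded SIP ports keep working.
HARDENED_RULES = DEFAULT_RULES + [
    Rule("forward", "accept", {"state": "new", "nat_state": "dstnat"}),
    Rule("forward", "drop"),
]

# Constructed packets: a forwarded SIP packet and an unsolicited one.
SIP_IN = Packet("forward", "udp", "new", "ether1-gateway", "dstnat")
STRAY_IN = Packet("forward", "udp", "new", "ether1-gateway")
```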
DeIM
May 15, 2014, 6:08pm
6
I’ve tried adding <program 1 port> to the SIP service ports and program 1 seems to work. I must do some more tests.
I’ve also recreated the firewall rules.