Struggling with Port Forwarding

I am having trouble with port forwarding after trying many different combinations of settings. I want to forward any traffic for port 3389 to a server on my network. I know the port is open on the server. From within my network I can RDP into the server. All computers in my network can access the internet, but it looks like nothing is getting into my network from the Internet. I am testing the RDP from a remote computer on a different network. I am not sure where the problem is; any help would be greatly appreciated.

Here is my setup:
Dynamic IP from Comcast Business account that I have confirmed is not blocking any ports.
Netgear gateway from Comcast.
MikroTik 951G-2HnD with firmware 3.10 and RouterOS 6.13.

Current WAN IP is 67.xx.xx.xx.
The Netgear gateway LAN IP is 10.1.10.1. DHCP is enabled and using range 10.1.10.10 - 10.1.10.199. The router is assigned 10.1.10.10. If I turn off the DHCP on the gateway I lose my internet connection.

On the Mikrotik I have a DHCP server setup with 192.168.1.0/24.
Port 1 is from the gateway labeled ether1-gateway.
Ports 3-5 are slaved to port 2. Port 2 and WLAN are bridged.

Below are all the prints:

[admin@MikroTikHomeRouter] /ip address> print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         INTERFACE
 0   ;;; LAN IP Subnet
     192.168.1.1/24     192.168.1.0     bridge-local
 1 D 10.1.10.10/24      10.1.10.0       ether1-gateway

[admin@MikroTikHomeRouter] /ip dhcp-server> print
Flags: X - disabled, I - invalid
 #   NAME     INTERFACE        RELAY   ADDRESS-POOL   LEASE-TIME   ADD-ARP
 0   dhcp1    ether1-gateway           dhcp           3d

[admin@MikroTikHomeRouter] /ip dhcp-client> print
Flags: X - disabled, I - invalid
 #   INTERFACE        USE-PEER-DNS   ADD-DEFAULT-ROUTE   STATUS   ADDRESS
 0   ether1-gateway   yes            yes                 bound    10.1.10.10/24

[admin@MikroTikHomeRouter] /ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=input action=accept connection-state=established
 1   chain=input action=accept connection-state=related
 2   chain=input action=drop connection-state=invalid
 3   chain=input action=accept in-interface=bridge-local
 4   chain=input action=drop
 5   chain=forward action=accept connection-state=established
 6   chain=forward action=accept connection-state=related
 7   chain=forward action=drop connection-state=invalid
 8   chain=forward action=accept in-interface=bridge-local
 9   chain=forward action=accept protocol=tcp dst-address=192.168.1.136 dst-port=3389
10   chain=forward action=drop

[admin@MikroTikHomeRouter] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
 0   ;;; RDP
     chain=dstnat action=dst-nat to-addresses=192.168.1.136 to-ports=3389
     protocol=tcp dst-address=67.xx.xx.xx dst-address-type="" dst-port=3389

 1   ;;; RDP
     chain=dstnat action=dst-nat to-addresses=192.168.1.136 to-ports=3389
     protocol=udp dst-address=67.xx.xx.xx dst-address-type="" dst-port=3389

 2   chain=srcnat action=masquerade out-interface=ether1-gateway

[admin@MikroTikHomeRouter] /ip route> print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS        PREF-SRC        GATEWAY          DISTANCE
 0 ADS  0.0.0.0/0                          10.1.10.1        0
 1   S  0.0.0.0/0                          10.1.10.1        1
 2 ADC  10.1.10.0/24       10.1.10.10      ether1-gateway   0
 3 ADC  192.168.1.0/24     192.168.1.1     bridge-local     0

[admin@MikroTikHomeRouter] /ip pool> print
 #   NAME   RANGES
 0   dhcp   192.168.1.2-192.168.1.119

Thanks for your time and assistance.

Chris

Is your gateway router also forwarding the port 3389?

Yes, I have it forwarding to 10.1.10.10 which is assigned to the Mikrotik but it is still not working.

Thanks for your time.

You can’t use your public address in the dst-address field. Your router does not know that address since it’s already NAT’d by your ISP gateway. I normally use the in-interface in my dstnat setups.

add chain=dstnat protocol=tcp dst-port=3389 in-interface=ether1-gateway action=dst-nat to-addresses=192.168.1.136 comment="RDP Forward"

Should be all you need.

This is how I would do it:

First two firewall rules:

ip firewall filter add chain=input protocol=tcp dst-port=3389 action=accept
ip firewall filter add chain=forward protocol=tcp dst-port=3389 action=accept

This allows all traffic on 3389 to be allowed to input and forward chain and then once it reaches the forward chain you can send it to 192.168.1.136 with nat rule:

ip firewall nat add action=dst-nat to-addresses=192.168.1.136 to-ports=3389 chain=dstnat protocol=tcp dst-port=3389 disabled=no

You can add more parameters to these rules for security if you want. First try to connect from the 10.1.10.0 subnet to 10.1.10.10 on port 3389 and see if it works; after that, try from the internet on your public IP. If it works from the 10.1.10.0 subnet and not from the internet, then the router is programmed correctly and the problem is the router with the public IP.
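Added example, not posted by either responder or by the original poster: a complete RouterOS 6 configuration for the double-NAT layout described in this thread, combining the in-interface match from the first reply with the filter rule and the inside-first testing order from the second. The interface names, the target host 192.168.1.136 and the "RDP forward" comments are taken from the thread; the counter and sniffer commands are standard RouterOS commands used here to find which stage the packets reach.

```routeros
# Added example (not from the thread). Double NAT: the upstream gateway holds the
# public address and hands ether1-gateway a private one (10.1.10.10 here), so the
# public address never appears in packets the MikroTik sees. Match the WAN
# interface instead of dst-address.
# Assumed from the thread: ether1-gateway (WAN), bridge-local (LAN), 192.168.1.136.

# 1. dstnat: translate new inbound TCP/3389 connections arriving on the WAN port.
/ip firewall nat
add chain=dstnat in-interface=ether1-gateway protocol=tcp dst-port=3389 \
    action=dst-nat to-addresses=192.168.1.136 to-ports=3389 comment="RDP forward"

# 2. filter: dst-nat runs before the filter, so the forward chain already sees the
#    translated destination. Accept only that flow, and keep the rule above the
#    catch-all "chain=forward action=drop" (rule 10 in the print above).
/ip firewall filter
add chain=forward in-interface=ether1-gateway protocol=tcp \
    dst-address=192.168.1.136 dst-port=3389 connection-state=new \
    action=accept comment="RDP forward"
# If the new rule landed below the catch-all drop, move it above that rule's index:
#   /ip firewall filter print
#   /ip firewall filter move [find comment="RDP forward"] 10

# 3. Test from the 10.1.10.0/24 side first, aiming at 10.1.10.10:3389, then from
#    the Internet against the public address. The counters show how far the
#    packets get:
#      dstnat counter 0  -> nothing reached ether1-gateway (upstream gateway problem)
#      dstnat up, filter 0 -> translation happened but the forward rule is not
#                            matching (check rule order and the target address)
#      both up, no session -> host 192.168.1.136 is refusing or not answering
/ip firewall nat print stats where comment="RDP forward"
/ip firewall filter print stats where comment="RDP forward"

# 4. To confirm whether any 3389 traffic arrives at all, watch the WAN port while
#    a connection is attempted from outside:
/tool sniffer quick interface=ether1-gateway port=3389
```

Exposing RDP to the whole Internet invites password guessing; once forwarding works, narrow both rules with src-address= or src-address-list= to the remote networks that actually need access, or move the service behind a VPN.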

Thanks Lagered and error216216 for the suggestions. I tried them and it is still not working.

I suspect the problem is with the gateway so I am going to work with the cable company to get the gateway in true bridge mode and see if that will solve the problem.

Chris