Hi,
I’ve been trying to port forward OpenVPN AS. When I access my public IP 85.1.2.3:943 from the browser, I want to get to my VPN page, but I only get a connection refused error.
My setup is:
Mikrotik router - 192.168.20.1
Ubuntu Server - 192.168.20.21
public fake ip - 85.1.2.3
Exported firewall settings:
# sep/11/2016 11:34:26 by RouterOS 6.37
# software id = BAHW-653L
#
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" \
connection-state=established,related
add action=drop chain=input comment="defconf: drop all from WAN" \
in-interface=ether1
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" \
connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface=ether1
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
out-interface=ether1
add action=dst-nat chain=dstnat dst-port=943 protocol=tcp to-addresses=\
192.168.20.21 to-ports=943
add action=dst-nat chain=dstnat dst-port=443 protocol=tcp to-addresses=\
192.168.20.21 to-ports=443
add action=dst-nat chain=dstnat dst-port=1194 protocol=udp to-addresses=\
192.168.20.21 to-ports=1194
I appreciate any help, because I’ve spent too much time on this already!
Splash
October 26, 2016, 8:29am
Are you getting a “connection refused” or a “connection timeout” error? The connection refused error means the NAT is working, but the server is not listening on that port.
Try disabling your Mikrotik firewall and just running the NAT rules with logging enabled?
Can you telnet to the server on that port to check that it is listening?
Does the server have a firewall running on it that you need to also open that port on?
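The distinction in the reply above (refused versus timeout) can be checked without telnet. This is an added example, not anything from the thread or from MikroTik: a small Python probe that classifies a single TCP connect the way a browser error does, plus a loopback self-test that reproduces the "open" and "refused" cases (a real timeout needs an actual packet drop, so it is not simulated). The host and port on the command line are assumed; run it from outside the LAN, since from inside the public IP only answers once hairpin NAT is in place.

```python
import socket


def probe_tcp(host, port, timeout=3.0):
    """Attempt one TCP connect and name the outcome the way a browser would.

    'open'        handshake completed: NAT rule and listener both work
    'refused'     RST came back: packets reach a host, but nothing listens on
                  that port there (or the dst-nat sent them to the wrong host)
    'timeout'     no answer at all: dropped by a firewall, or no NAT match
    'unreachable' ICMP error or no route before any TCP answer
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "refused"
        except socket.timeout:
            return "timeout"
        except OSError:
            return "unreachable"


def selftest_loopback():
    """Exercise 'open' and 'refused' against a throwaway loopback listener.

    Returns (result_while_listening, result_after_close); expected
    ("open", "refused").
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free one
    listener.listen(1)
    port = listener.getsockname()[1]
    while_listening = probe_tcp("127.0.0.1", port, timeout=1.0)
    listener.close()
    # nothing listens on that port any more: the kernel answers with RST
    after_close = probe_tcp("127.0.0.1", port, timeout=1.0)
    return while_listening, after_close


if __name__ == "__main__":
    import sys
    # usage: python probe.py 85.1.2.3 943   (host/port are hypothetical here)
    if len(sys.argv) == 3:
        print(probe_tcp(sys.argv[1], int(sys.argv[2])))
    else:
        print(selftest_loopback())
```

"refused" from outside means the packets are being delivered somewhere, so the dst-nat matched; "timeout" means either a filter dropped them or no dst-nat rule matched at all, which is where the router's NAT logging (log=yes on the rule) tells the two apart.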
tenasow
October 26, 2016, 11:52am
I think I messed it up even more, I get connection timed out error now instead.
My server doesn’t have any firewall, and it is indeed listening on port 943.
If you’re trying to test this from inside your network, it won’t work without setting up hairpin NAT. Do a search. Also, you have no IP destination or local dst-address filters on your dst-nats, so ALL traffic passing through the router with those dst ports will be redirected to 20.21, such as outbound HTTPS.
I’m getting a new error now:
ERR_EMPTY_RESPONSE
My NAT firewall setup now:
# sep/12/2016 10:14:44 by RouterOS 6.37
# software id = BAHW-653L
#
/ip firewall filter
add action=accept chain=forward dst-port=943 in-interface=bridge protocol=tcp
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" \
connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface=ether1
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=drop chain=input in-interface=ether1
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
out-interface=ether1
add action=masquerade chain=srcnat out-interface=bridge
add action=dst-nat chain=dstnat dst-address=85.1.2.3 dst-port=943 log=\
yes log-prefix="tcp 943:" protocol=tcp to-addresses=192.168.20.21
add action=dst-nat chain=dstnat dst-address=85.1.2.3 dst-port=1194 \
protocol=udp to-addresses=192.168.20.21
add action=dst-nat chain=dstnat dst-address=85.1.2.3 dst-port=443 \
protocol=tcp to-addresses=192.168.20.21
add action=accept chain=srcnat dst-address=192.168.20.0/24 src-address=\
192.168.21.0/24
Thanks for your help so far.
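The point raised earlier in the thread (dst-nat rules keyed on port alone catch every packet transiting the router, outbound HTTPS included) and the fix visible in the export above (dst-address=85.1.2.3 on each rule) can be checked mechanically. This is an added example, not MikroTik tooling or anything posted in the thread: a Python linter that reads an export the way RouterOS import does (backslash continuations joined, the continuation line's indentation dropped) and flags every dst-nat rule with no dst-address, address-list, address-type or in-interface match. The two embedded exports are constructed samples mirroring the thread's before/after configs, and using shlex for the double-quoted values is an assumption that holds for firewall exports.

```python
import shlex

# Constructed sample mirroring the thread's first export: three dst-nat rules
# keyed on port alone.
EXPORT_BEFORE = """\
# sep/11/2016 11:34:26 by RouterOS 6.37
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related" \\
connection-state=established,related
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \\
out-interface=ether1
add action=dst-nat chain=dstnat dst-port=943 protocol=tcp to-addresses=\\
192.168.20.21 to-ports=943
add action=dst-nat chain=dstnat dst-port=443 protocol=tcp to-addresses=\\
192.168.20.21 to-ports=443
add action=dst-nat chain=dstnat dst-port=1194 protocol=udp to-addresses=\\
192.168.20.21 to-ports=1194
"""

# Constructed sample mirroring the corrected export (85.1.2.3 is the thread's
# placeholder public IP).
EXPORT_AFTER = """\
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \\
out-interface=ether1
add action=masquerade chain=srcnat out-interface=bridge
add action=dst-nat chain=dstnat dst-address=85.1.2.3 dst-port=943 log=\\
yes log-prefix="tcp 943:" protocol=tcp to-addresses=192.168.20.21
add action=dst-nat chain=dstnat dst-address=85.1.2.3 dst-port=1194 \\
protocol=udp to-addresses=192.168.20.21
add action=dst-nat chain=dstnat dst-address=85.1.2.3 dst-port=443 \\
protocol=tcp to-addresses=192.168.20.21
"""

# Any one of these keys narrows a dst-nat rule to traffic actually aimed at
# the router's public side instead of anything merely passing through it.
SCOPE_KEYS = ("dst-address", "dst-address-list", "dst-address-type",
              "in-interface", "in-interface-list")


def join_continuations(text):
    """Join backslash-continued lines as RouterOS import does."""
    lines, buf = [], ""
    for raw in text.splitlines():
        # a continuation line's leading indentation is not part of the value
        line = raw.strip() if buf else raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        lines.append(buf + line)
        buf = ""
    if buf:
        lines.append(buf)
    return lines


def parse_export(text):
    """Return one dict per command: {"path", "verb", "props"}."""
    rules, path = [], None
    for line in join_continuations(text):
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            path = line          # e.g. "/ip firewall nat"
            continue
        words = shlex.split(line)  # shlex unquotes comment="..." values
        props = {}
        for word in words[1:]:
            key, sep, value = word.partition("=")
            props[key] = value if sep else True
        rules.append({"path": path, "verb": words[0], "props": props})
    return rules


def lint_dstnat(rules):
    """Return (index, message) for every dst-nat rule with no scope match."""
    findings = []
    for index, rule in enumerate(rules):
        props = rule["props"]
        if rule["path"] != "/ip firewall nat" or props.get("action") != "dst-nat":
            continue
        if any(key in props for key in SCOPE_KEYS):
            continue
        findings.append((index, "dst-nat {}/{} -> {} matches on port alone; "
                         "LAN traffic leaving for the internet is redirected too"
                         .format(props.get("protocol", "any"),
                                 props.get("dst-port", "any"),
                                 props.get("to-addresses", "?"))))
    return findings


if __name__ == "__main__":
    for name, text in (("before", EXPORT_BEFORE), ("after", EXPORT_AFTER)):
        print(name, lint_dstnat(parse_export(text)))
```

Feed it the output of /export on a live router (via SSH or the terminal, pasted into a file) and it reports the index of each offending rule; on the corrected export above it reports nothing, since every dst-nat rule is pinned to the public address.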
It’s actually working with the configuration I have now, I realised.
I accessed it by https://public-ip:943, which gave me an empty error page.
When I access it from https://public-ip, I get to the right page now!
Thanks for the help, I’m happy to finally be done with this.