Trouble with DNAT rules

Hello,

I have an L009 running v7.12.1 on which I configured DNAT rules to pass about 20 different open ports to a server (on an internal 192.168.88.xx address). The L009 was WAN-uplinked to a NID provided by my fiber ISP, which was initially set in its own DHCP routing mode. This configuration worked fine for about 6 months. I had an issue with my internet that was ultimately fixed by placing my NID into transparent bridging mode. On my L009, this changes how my ether1 detects the internet: it is no longer on the 192.168.0.1 network that the NID had, and is receiving the (public IP) directly. Ports are no longer being forwarded to my server at 192.168.88.xx, and are instead only reaching my router, e.g. using my public IP in a web browser opens the router's homepage instead of my web server, etc. I've tried a few different configuration changes, and also completely reset my router's configuration and did nothing but re-enable my DNAT rules as shown below.

Here are various printouts showing my current configuration:
/ip/firewall/nat print

Flags: X - disabled, I - invalid; D - dynamic
 0    chain=srcnat action=masquerade out-interface-list=WAN

 1    ;;; masq. vpn traffic
      chain=srcnat action=masquerade src-address=192.168.89.0/24

 2    ;;; http
      chain=dstnat action=dst-nat to-addresses=192.168.88.52 to-ports=80 protocol=tcp in-interface-list=WAN dst-port=80

 3    ;;; ssh
      chain=dstnat action=dst-nat to-addresses=192.168.88.52 to-ports=22 protocol=tcp in-interface-list=WAN dst-port=22

 4    ;;; Palworld UDP 8211
      chain=dstnat action=dst-nat to-addresses=192.168.88.52 protocol=udp in-interface=ether1 dst-port=8211

 5    ;;; Palworld TCP 8212
      chain=dstnat action=dst-nat to-addresses=192.168.88.52 protocol=tcp in-interface=ether1 dst-port=8212

 6    ;;; Palworld TCP 25575
      chain=dstnat action=dst-nat to-addresses=192.168.88.52 protocol=tcp in-interface=ether1 dst-port=25575

 7    ;;; Git TCP 3000
      chain=dstnat action=dst-nat to-addresses=192.168.88.52 protocol=tcp in-interface=ether1 dst-port=3000

 8    ;;; DNS TCP 53
      chain=dstnat action=dst-nat to-addresses=192.168.88.52 protocol=tcp in-interface=ether1 dst-port=53

 9    ;;; DNS UDP 53
      chain=dstnat action=dst-nat to-addresses=192.168.88.52 protocol=udp in-interface=ether1 dst-port=53

10    ;;; DNS TCP 853
      chain=dstnat action=dst-nat to-addresses=192.168.88.52 protocol=tcp in-interface=ether1 dst-port=853

11    ;;; DNS UDP 853
      chain=dstnat action=dst-nat to-addresses=192.168.88.52 protocol=udp in-interface=ether1 dst-port=853

12    ;;; SFTP TCP 222
      chain=dstnat action=dst-nat to-addresses=192.168.88.52 protocol=tcp in-interface=ether1 dst-port=222

13    ;;; SSH TCP 22
      chain=dstnat action=dst-nat to-addresses=192.168.88.52 protocol=tcp in-interface=ether1 dst-port=22

14    ;;; HTTP TCP 80
      chain=dstnat action=dst-nat to-addresses=192.168.88.52 protocol=tcp in-interface=ether1 dst-port=80

15    ;;; Alternative HTTP TCP 81
      chain=dstnat action=dst-nat to-addresses=192.168.88.52 protocol=tcp in-interface=ether1 dst-port=81

16    ;;; HTTPS TCP 443
      chain=dstnat action=dst-nat to-addresses=192.168.88.52 protocol=tcp in-interface=ether1 dst-port=443

/ip/firewall/filter print

Flags: X - disabled, I - invalid; D - dynamic
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough

 1    chain=input action=accept protocol=icmp

 2    chain=input action=accept connection-state=established

 3    chain=input action=accept connection-state=related

 4    ;;; allow l2tp
      chain=input action=accept protocol=udp dst-port=1701

 5    chain=input action=drop in-interface-list=!LAN

/ip/route print

Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, d - DHCP
Columns: DST-ADDRESS, GATEWAY, DISTANCE
    DST-ADDRESS      GATEWAY     DISTANCE
DAd 0.0.0.0/0        [PUBLIC IP]        1
DAc [PUBLIC IP]/19    ether1             0
DAc 192.168.88.0/24  bridge             0

/interface/list print

Flags: * - BUILTIN
Columns: NAME
#   NAME
;;; contains all interfaces
0 * all
;;; contains no interfaces
1 * none
;;; contains dynamic interfaces
2 * dynamic
;;; contains static interfaces
3 * static
;;; defconf
4   WAN
;;; defconf
5   LAN

If this is your whole firewall filter, you had better unplug your router from the internet, add all the missing rules for the forward chain, and pray nobody has hacked anything on your network, because in this state you're an open door. After you have done that, you can resume searching for the issue in your dst-nat rules, which frankly I don't see.
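For reference, the forward-chain rules the reply above says are missing, written out as an added example (this is not the poster's configuration and not quoted from the thread; it follows the shape of the RouterOS default firewall). It assumes the interface lists are named WAN and LAN exactly as in the /interface/list printout, and that the existing dst-nat rules are what should be allowed in from the internet:

```routeros
# Added example, not from the thread: forward-chain rules modelled on the
# RouterOS default configuration. Assumes the interface lists WAN and LAN
# shown in the /interface/list print above.
/ip firewall filter
# Fast-path and accept flows that are already established (the OP's input
# chain already accepts established/related, the forward chain has nothing)
add chain=forward action=fasttrack-connection connection-state=established,related \
    comment="fasttrack established/related"
add chain=forward action=accept connection-state=established,related,untracked \
    comment="accept established/related/untracked"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
# The key rule: only new connections that matched a dst-nat rule may enter
# from WAN; every other new connection from the internet is dropped here
# instead of being forwarded into 192.168.88.0/24.
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat \
    in-interface-list=WAN comment="drop new from WAN not DSTNATed"
# Check: with nothing else in the forward chain, the last rule's packet
# counter should climb when the public address is port-scanned from outside.
/ip firewall filter print stats where chain=forward
```

Because the printout shows no forward rules at all, these append in the right order; on a router that already has forward rules, place the "drop new from WAN not DSTNATed" rule before any broad accept.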

It seems that you're testing this from the LAN, and that can't work, because all your dst-nat rules are limited to WAN (in-interface-list=WAN, in-interface=ether1). You need to replace these conditions with either "dst-address=[PUBLIC IP]" (if it's static) or "dst-address-type=local dst-address=!192.168.88.1" (if it's dynamic). Then you'll also need another src-nat rule:

https://help.mikrotik.com/docs/display/ROS/NAT#NAT-HairpinNAT
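The rewrite the reply above describes, applied to the http rule from the printout, as an added example (not the poster's configuration and not a verbatim copy of the linked MikroTik page). It assumes the public address is dynamic (hence dst-address-type=local rather than a fixed dst-address), that the LAN bridge interface is named "bridge" and that the router's own LAN address is 192.168.88.1, both as shown in the /ip/route print:

```routeros
# Added example, not from the thread: one dst-nat rule made hairpin-capable
# plus the matching src-nat rule. Assumes a dynamic public IP, a LAN bridge
# named "bridge" and a router LAN address of 192.168.88.1.
/ip firewall nat
# Match on "this packet is addressed to one of the router's own addresses"
# instead of "it arrived on WAN", so LAN clients hitting the public IP are
# redirected too. Excluding 192.168.88.1 keeps WebFig/SSH to the router's
# LAN address from being redirected to the server.
add chain=dstnat action=dst-nat to-addresses=192.168.88.52 to-ports=80 \
    protocol=tcp dst-port=80 dst-address-type=local dst-address=!192.168.88.1 \
    comment="http (works from WAN and from LAN)"
# Hairpin: for LAN-to-LAN flows that were dst-natted, masquerade the source
# so the server answers via the router. Without this the server replies
# straight to the client from 192.168.88.52, the client expected a reply from
# the public IP, and the connection is dropped.
add chain=srcnat action=masquerade src-address=192.168.88.0/24 \
    dst-address=192.168.88.52 protocol=tcp dst-port=80 out-interface=bridge \
    comment="hairpin NAT for http"
# Check: from a LAN host open http://<public IP>; the dst-nat rule's packet
# counter should increase and the connection should show the translated
# reply address.
/ip firewall nat print stats where chain=dstnat
/ip firewall connection print where reply-src-address~"192.168.88.52:80"
```

The existing srcnat rule 0 (out-interface-list=WAN) never matches bridge-to-bridge traffic, which is why the second rule is needed. Once the new http rule is in place, disable or remove the old WAN-only copies (entries 2 and 14 in the printout) so there are not three rules for the same port; the same rewrite applies to each of the other dst-nat entries.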