Trouble with Port Forwarding rb951ui

Macaronic · September 10, 2016, 9:57pm

I have a trouble setting port forwarding on MicroTIk rb951ui-2hnd firmware 6.36.3

I have Ethernet 1 set up as WAN port (10.x.x.x).
Via wifi i’ve connected PC with ftp service running (192.168.88.2). - IP address is statically asigned on pc. DHCP pool on mikrotik is 192.168.88.10-192.168.88.250
In Mikrotik web interface i’ve disabled in “IP” → “Services” ftp service. As i was getting into routers ftp.

After that i’ve set up Nat rules to forward port 21 to local pc.
Here;s my configuration

[admin@MikroTik] > ip address print 
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE                              
 0   ;;; defconf
     192.168.88.1/24    192.168.88.0    bridge                                 
 1 D 10.x.x.x/24  10.x.x.0    ether1-wan                             
 
[admin@MikroTik] > /ip firewall nat print 
Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface=ether1-wan 

 1    chain=dstnat action=dst-nat to-addresses=192.168.88.2 to-ports=21 
      protocol=tcp dst-address=10.x.x.x in-interface=ether1-wan 
      dst-port=21 log=no 

 2    chain=srcnat action=src-nat to-addresses=10.x.x.x to-ports=21 
      protocol=tcp src-address=192.168.88.2 src-port=21 log=no 

 3  D ;;; upnp 192.168.88.2: Teredo
      chain=dstnat action=dst-nat to-addresses=192.168.88.2 to-ports=55088 
      protocol=udp dst-address=10.x.x.x in-interface=ether1-wan 
      dst-port=55088 

 4  D ;;; upnp 192.168.88.2: Skype UDP at 192.168.88.2:41168 (3540)
      chain=dstnat action=dst-nat to-addresses=192.168.88.2 to-ports=41168 
      protocol=udp dst-address=10.x.x.x in-interface=ether1-wan 
      dst-port=41168 

 5  D ;;; upnp 192.168.88.2: Skype TCP at 192.168.88.2:41168 (3540)
      chain=dstnat action=dst-nat to-addresses=192.168.88.2 to-ports=41168 
      protocol=tcp dst-address=10.x.x.x in-interface=ether1-wan 

[admin@MikroTik] > /ip firewall filter print 
Flags: X - disabled, I - invalid, D - dynamic 
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward 

 1    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp 

 2    ;;; defconf: accept established,related
      chain=input action=accept connection-state=established,related 

 3    ;;; defconf: drop all from WAN
      chain=input action=drop in-interface=ether1-wan 

 4    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection 
      connection-state=established,related 

 5    ;;; defconf: accept established,related
      chain=forward action=accept connection-state=established,related 

 6    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid

I’ve also tried disabling drop-filter rules, but i still can’t rich my local ftp. Any help will be greatly appreciated.
I also tried to create accept-filter rule for input chain with in. interface set as ethernet 1 and dst port as 21 and put it on top of the list. still no luck

2frogs · September 10, 2016, 11:17pm

You need an accept rule in the Forward chain. Input is for traffic going to the the router itself, forward is for traffic passing through it.

/ip firewall filter
    add action=accept chain=forward comment="Accept DST-NATed to Clients" \
    connection-nat-state=dstnat in-interface=ether1-wan

This will accept any dst-nat rule you add instead of adding individual rules.

Also you do not need the src-nat you have from your ftp server as that is handled by you masquerade rule.

Macaronic · September 10, 2016, 11:23pm

Thanks for the reply. I’ve just come across similar advice, but was recommended to choose !ether1-wan (not). Anyway, it doesn’t help. But if i set NOT ether1-wan the counter of packets on that rule runs.
The funny part is that UPnP rules are created, look identical to mine and work =/

2frogs · September 11, 2016, 12:45am

Are you testing this from an external source? Or are you using another device in the same network just trying connect to the external IP? If you are trying the later you will also need a Hairpin NAT.

/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=192.168.88.2 out-interface="bridge" src-address=192.168.88.0/24

Macaronic · September 11, 2016, 1:42am

Your tip + changing “In. Interface” to blank and setting “Dst. Address Type” to “local” helped to solve the iisue! Thanks A lot for fast response! Now i can go to sleep)))
But why could it not work when i set up in. interface as ether1-wan or dest ip as 10.x.x.x? =/