Unstopable DSTNAT

SpongeB0B · August 21, 2019, 2:56pm

Hi everyone,

Few days ago I put in place a /ip firewall nat (dstnat) in order to reach a local hosted WP.

So that dstnat was working. but I encounter problem witrh the WP itself (or might be the router finally)
See: https://wordpress.org/support/topic/no-images-display-from-www/

Here my “dstnat” (numer 3 how is now disabled)

3 X chain=dstnat action=dst-nat to-addresses=192.168.x.y to-ports=xxx protocol=tcp in-interface-list=WAN dst-port=yyyyy log=yes log-prefix="thething"

But what I don’t understand now that this dstnat is disabled, www browser still are redirected to yyyyy port !!!

I have done the following to try to get ride of the problem

tried on several computer
restarted the router and computers
I tried in the browser https://192.168.x.y:xxx (so the correct final destination port) and I’m anyway redirected to YYYYY the income port ! WTF.. did yo think it could be the WP ?

That redirection is still effectif and she defeitenly should not ! She is desactived and it should be only apply from WAN connection .. any ideas ??

ingdaka · August 21, 2019, 3:00pm

Go to terminal type export and paste the result here!

SpongeB0B · August 21, 2019, 3:27pm

# aug/21/2019 17:07:40 by RouterOS 6.40.9

# software id = D4LD-IJ8C

#

# model = RB750Gr3

# serial number = xxxxxxxxxxxxx

/interface ethernet

set [ find default-name=ether2 ] name=ether2-master

set [ find default-name=ether3 ] master-port=ether2-master

set [ find default-name=ether4 ] master-port=ether2-master

set [ find default-name=ether5 ] master-port=ether2-master

/ip neighbor discovery

set ether1 discover=no

set ether2-master discover=no

set ether3 discover=no

set ether4 discover=no

set ether5 discover=no

/interface list

add comment=defconf name=WAN

add comment=defconf name=LAN

/interface wireless security-profiles

set [ find default=yes ] supplicant-identity=MikroTik

/ip dhcp-server option

add code=6 name=loop_DNS1 value="'127.0.0.1'"

/ip hotspot profile

set [ find default=yes ] html-directory=flash/hotspot

/ip pool

add name=dhcp ranges=192.168.XX.xx-192.168.xx.xx

/ip dhcp-server

add address-pool=dhcp disabled=no interface=ether2-master lease-time=23h59m59s name=defconf

/system logging action

add disk-file-count=5 disk-file-name="flash\\xxx" disk-lines-per-file=200 disk-stop-on-full=yes name=xxx target=disk

add disk-file-count=5 disk-file-name="flash\\xxx" disk-lines-per-file=250 disk-stop-on-full=yes name=xxx target=disk

add disk-file-count=5 disk-file-name="flash\\xxx" disk-lines-per-file=250 name=xxx target=disk

/interface list member

add comment=defconf interface=ether2-master list=LAN

add comment=defconf interface=ether1 list=WAN

/ip address

add address=192.168.xx.1/26 comment=defconf interface=ether2-master network=192.168.xx.0

add address=192.168.0.2/24 interface=ether1 network=192.168.0.0

/ip cloud

set update-time=no

/ip dhcp-client

add comment=defconf dhcp-options=hostname,clientid interface=ether1 use-peer-dns=no use-peer-ntp=no

/ip dhcp-server lease

add address=192.168.xx.2 always-broadcast=yes comment=xxx lease-time=12h mac-address=XXXXXXXXXX server=defconf

add address=192.168.xx.3 always-broadcast=yes comment=xxx lease-time=12h mac-address=XXXXXXXXXXX server=defconf

add address=192.168.xx.51 mac-address=XXXXXXXXXXXXXXX server=defconf

add address=192.168.xx.4 lease-time=23h59m59s mac-address=XXXXXXXXXXXXXX server=defconf

add address=192.168.xx.6 lease-time=23h59m59s mac-address=XXXXXXXXXXX server=defconf

add address=192.168.xx.5 mac-address=XXXXXXXXXXXXXXX server=defconf

add address=192.168.xx.30 mac-address=XXXXXXXXXXXXXXX server=defconf

add address=192.168.xx.31 mac-address=XXXXXXXXXXXXXXX server=defconf

add address=192.168.xx.52 dhcp-option=loop_DNS1 mac-address=XXXXXXXXXXXXXXX server=defconf

/ip dhcp-server network

add address=192.168.xx.0/26 comment=defconf dns-server=xxxxxxxxxxxxx gateway=192.168.xx.1 netmask=26

/ip dns

set allow-remote-requests=yes servers=xxxxxxxxxxxxx

/ip dns static

add address=192.168.88.1 name=XXXXXX 

/ip firewall filter

add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related

add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid

add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp

add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN

add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec

add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec

add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related

add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked

add action=accept chain=forward dst-port=xxx in-interface-list=LAN log=yes log-prefix=xxx: protocol=tcp src-address=192.168.xx.52

add action=drop chain=forward in-interface-list=LAN log=yes log-prefix=xxx: src-address=192.168.xx.52

add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid

add action=drop chain=forward connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

add action=accept chain=input dst-port=80 in-interface-list=LAN protocol=tcp

add action=accept chain=input disabled=yes dst-port=53 in-interface-list=LAN protocol=udp

add action=drop chain=input in-interface-list=LAN

/ip firewall nat

add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN

add action=masquerade chain=srcnat out-interface=ether1

add action=dst-nat chain=dstnat dst-port=xxxxxxxxxxxxx in-interface-list=WAN protocol=udp to-addresses=192.168.xx.2 to-ports=xxxxxxxxxxxxx

add action=dst-nat chain=dstnat comment="WP" disabled=yes dst-port=XXXXXXXXXXXXXXX in-interface-list=WAN log=yes log-prefix=WP protocol=tcp to-addresses=192.168.xx.30 to-ports=XXXXXXXXXXXXXXX

add action=dst-nat chain=dstnat disabled=yes dst-port=XXXXXXXXXXXXXXX in-interface-list=WAN log=yes protocol=tcp to-addresses=192.168.xx.31 to-ports=XXXXXXXXXXXXXXX

add action=dst-nat chain=dstnat disabled=yes dst-port=XXXXXXXXXXXXXXX in-interface-list=WAN log=yes log-prefix=xxx: protocol=tcp to-addresses=192.168.xx.xx

add action=dst-nat chain=dstnat disabled=yes dst-port=XXXXXXXXXXXXXXX in-interface-list=WAN log=yes log-prefix=xxxxxxxxxxxxx protocol=tcp to-addresses=XXXXXXXXXXXXXXX

/ip firewall service-port

set ftp disabled=yes

set tftp disabled=yes

set irc disabled=yes

set h323 disabled=yes

set sip disabled=yes

set pptp disabled=yes

set udplite disabled=yes

set dccp disabled=yes

set sctp disabled=yes

/ip route

add distance=1 gateway=192.168.0.1

/ip service

set telnet disabled=yes

set ftp disabled=yes

set ssh disabled=yes

set api disabled=yes

set winbox disabled=yes

set api-ssl disabled=yes

/system clock

set time-zone-name=XXXXXXXXXXXXXXX

/system identity

set name=XXXXXX

/system logging

XXXXXXXXXXXXXXX

/system ntp client

set enabled=yes server-dns-names=xxxxxxxxxxxxx

/tool bandwidth-server

set enabled=no

/tool graphing interface

add allow-address=192.168.xx.0/26

/tool graphing resource

add allow-address=192.168.xx.0/26

/tool mac-server

set [ find default=yes ] disabled=yes

add disabled=yes interface=ether2-master

/tool mac-server mac-winbox

set [ find default=yes ] disabled=yes

add disabled=yes interface=ether2-master

/tool mac-server ping

set enabled=no

SpongeB0B · August 21, 2019, 3:56pm

Damn ! it’s the router !
I just connected directly to the machine who host the WordPress. and it work , no redirection…

Any ideas ? before I trow that piece of #@#*! in the trash ?

msatter · August 21, 2019, 4:17pm

That router is perfectly fine.

In the NAT rule to wich ports do you translate. You need port 80 and 443 and I leave that empty and filter on the incoming side.

SpongeB0B · August 21, 2019, 4:42pm

@msatter,

The router is not ok,

Within the LAN side the router is not set to redirect anything (only if coming from WAN)
furthermore the dstnat rules is disabled →

and more the redirection point me the the outside port ! (dst-port and not the correct one ~“transfer to” ) so no I don’t think the router behave like it should,

Sob · August 21, 2019, 5:22pm

The router is fine, is doesn’t contain any kind of creative module that would do anything not told it to do by config. Disabled rules are not active, period.

Your linked post at WP suggests that it’s something with WP config. Check http requests in browser’s developer console (for example in Firefox it’s Ctrl+Shift+E), try to open your website, examine headers and I’m sure you’ll find some redirection there.

Btw, I understand being a little paranoid, hiding public addresses and other possibly sensitive stuff (that’s probably good idea). But hiding private addresses and ports doesn’t make sense. And don’t be fooled by the name “private”, it just means “non-public”, i.e. that the same 192.168.xx.30 is duplicated in million LANs all over the world.

SpongeB0B · August 21, 2019, 5:49pm

Thank @Sob,

So how can you explain when I plug my self (RJ45) directly to the host computer it’s work (same IP)
but when passing by the router not !

So I don’t think it is WordPress or Browser issue but router,

is doesn’t contain any kind of creative module that would do anything not told it to do by config

, damn that why I bought it, I was thinking it had a sort of A.I inside , beside the joke, what it does it’s related to my input ! because the browser get redirected to the WLAN incoming port , so it’s not random. but what I don’t get it’s that rules is disabled and anyway the redirections still occur event after rebooted everything ! (my self included )

Sob · August 21, 2019, 6:08pm

Http is more complex. If you enter https://192.168.1.77 in browser and then you try https://exemple.com:54321 (taken from your WP post), for web server it’s not the same, those are requests for two distinct virtual hosts. And what happens depends on server or web application. As I wrote, check in browser what exactly happens.

SpongeB0B · August 21, 2019, 9:20pm

Thank sob, but actually I try the opposite.

So first from outside (wan side) this redirection was working (almost as I had the bug with the image not showing) but still trying to figure where is the problem coming with that.

the redirection was outside :54321 to inside :443 so the port for the HTTPS, and for the server this is transparent.

From the inside it's was working also without changing the port, just like this https://192.168.0.X
but now when I disable the redirection, again within the Lan, when I enter https://192.168.0.X i'm redirected to https://192.168.0.X:54321 ! (not even 433 ! wtf)
So I don't think it's the Wordpress server how do that ( I didn't setup nothing for redirection there) nor the browser(s)..

and when I directly physically connect to the WP server (who keep is dhcp IP for while) I'm not redirected and it's working obviously.

So it's not the router the problem ???????

Sob · August 21, 2019, 9:59pm

After you’re redirected, do you actually see https://192.168.0.X:54321 in browser’s address bar, including the port? If you do, it’s definitely not done by router. And again, if you check server requests in browser developer console, you’d see the redirection sent by server on http level there.

SpongeB0B · August 25, 2019, 7:22am

Hi Sob, yes I do see https://192.168.0.X:54321 in browser’s address bar… damn so it’s the server ! damn why is doing this ? and why he is not doing it when connect directly to it.. so weird.

Sob · August 25, 2019, 4:15pm

You need to check and possibly adjust server config. As I wrote, server can see difference between direct connection in LAN and connection from internet, and can behave diferently for them.

If the webserver is some pre-made appliance and you didn’t install and configure it yourself, it’s probably some option where you set the address for website (the one that should be publicly visible), and server redirects other requests there. Try to look for something like that.

SpongeB0B · September 4, 2019, 6:04pm

Hi everyone,

Little update,

I’ve spend few hours to test everything’s, I tried also with different routers (DD-wrt, OpenWRT, Stock D-Link and Stock Asus)

So I don’t experience this Unstoppable DSTNAT anymore, it might be the WP server itself, for what I read and experienced changing the domain or IP of a WordPress server can sometime a pain in the *ss
For example on one of my iteration of this WP server, after successfully changed the IP the wordpress pages content are mix (meaning some element point to the new ip and other keep the old one.. so it’s a mess..)

To good thing is while I was testing different router I clearly notice how good is my little RB750Gr3 compare to the other router.
example who shocked me : D-link : cannot enter a NTP server but instead need to choose between 2 NTP server owned by D-Link, or worst impossible to disable IPv6 WTF.

martinclaro · September 4, 2019, 11:37pm

Good to hear you resolved the issue.

For future reference, the traffic between 2 IP addresses belonging to the same bridge and same subnet does NOT go through the firewall as it is a Layer-3 firewall (unless you have enabled the use-ip-firewall option under /interface bridge settings).

Sob · September 5, 2019, 12:15am

Oh yeah, RouterOS is great. Regular home routers support only few predefined scenarios, and when you need anything else, you’re out of luck. With RouterOS, you can configure almost anything. But it’s also easier to make mistakes. Great freedom, great responsibility. And IPv6 is cool, don’t disable that.

Steveocee · September 6, 2019, 9:15am

@OP ^^^ this. Which is likely why none of your routers were giving the desired outcome as well.

SpongeB0B · December 9, 2019, 12:50pm

Thank you very useful !