Virtual Server (port mapping)

idoubtmyexistence · June 23, 2020, 1:02pm

Hello! This is actually the first time I need help as I was not able to Google this problem up…
On our prev. router (USG40W) there was an internal IP-address: 192.168.1.254 which was not real, it was only used for mapping 192.168.1.254:3389 to 192.168.1.202:43231. In this router that feature was called “Virtual Server”.
Right now I am trying to accomplish the same thing on our new Mikrotik.
Things I tried:
1.
Chain: dstnat
Dst. addr.: 192.168.1.254
Protocol: tcp
Dst. port: 3389
Action: netmap
To addr.: 192.168.1.202
To ports: 43231

Chain: dstnat
Dst. addr.: 192.168.1.202
Protocol: tcp
Dst. port: 3389
Action: netmap
To addr.: 192.168.1.202
Dst. port: 43231
(in second case I am trying to connect to 192.168.1.202:3389 directly)

How can I solve this?..
Sorry for taking your time and thank you very much!

k6ccc · June 23, 2020, 4:24pm

Your action should be DST-NAT - not Netmap.

idoubtmyexistence · June 23, 2020, 4:49pm

k6ccc, thank you for your reply! I’ve changed action to dst-nat but still no success.
My current settings are:

sutrus · June 23, 2020, 6:11pm

action redirect - replaces destination port of an IP packet to one specified by to-ports parameter and destination address to one of the router’s local addresses
that’s what you’re looking for

k6ccc · June 23, 2020, 6:27pm

Originally you were trying to forward to a different address in addition to a different port. DST-NAT would be appropriate for that. However as sutrus said, it’s different if you are only changing ports.

Sob · June 23, 2020, 10:11pm

Where exactly is client device you’re connecting from? Is it perhaps in same 192.168.1.x network or somewhere else?

idoubtmyexistence · June 24, 2020, 9:49am

Yes, it is.
Sorry there was no answer from me in a long time.
sutrus, thank you, I will try it right now and tell you if there’s any difference

idoubtmyexistence · June 24, 2020, 2:01pm

That is really strange… I don’t see any reason why shouldn’t it work.
Perhaps, a little explanation may help to understand this…
I have RRAS connection between my office server and cloud server.
The office server is 192.168.1.201 and the cloud server is 192.168.1.202.
You can connect (RDP) to cloud using it’s public IP, but the port is 43231.
Therefore 192.168.1.202’s port is 43231 too.
The idea was that I add an entry into my DNS server (“serv”, for example) so people don’t have to type in 192.168.1.202:43231 or serv:43231, just the plain “serv” when using mstsc.exe.

Update: just tried to accomplish the same thing on my home Mikrotik, still the same result. It just does not redirect.
Update 2: The weird thing is… I even can’t see my RDP connection in Firewall->Connections when connecting directly to port 43231. I just don’t think I get it anymore, it is so strange…
Update 3: I’ve changed Dst. addr. to 192.168.2.202 for experimenting reasons and now the packet counter increases by one (it didn’t increase before), but still no data is given back from the RDP server to the client, so the client thinks there’s no such server. I also tried disabling all the drop rules from Filter Rules section.

Sob · June 24, 2020, 4:15pm

It’s starting to get a little complicated. Some diagram (how is everything connected) and explanation what you really want (whole thing, not just one step) could help.

If it was simple case with LAN subnet 192.168.1.0/24, then there would be few problems:

First case with 192.168.1.254: I’m not sure how much “not real” you ment the 192.168.1.254 was. But if you’re connecting to it from 192.168.1.X, which is in same subnet, it needs to be real enough to answer ARP queries, otherwise client will see it as unavailable. Simplest way is to add it to router as another address on LAN interface. Additionally, you’d need hairpin NAT.

Second case with 192.168.1.202: Can’t work at all, because if you’re trying to connect from 192.168.1.X to 192.168.1.202, which again is in same subnet, packets will go directly there, not to router.

idoubtmyexistence · June 24, 2020, 5:03pm

Yeah, it seems that I underestimated the complexity of networking stuff. I start to see what I want to accomplish more clearly. The deal is, there was a thing called “Virtual Server” on old router. There’s it’s settings: (had to edit some values because they were shown as text, so-called “Objects” (aliases) of USG40W)

anav · June 24, 2020, 6:35pm

That is just normal port forwarding on a zyxel router.
External IP is the routers WANIP
Internal IP is the IP of the server
External port is where it comes in on
Internal port is what its translated to

The main difference is that on a zyxel router one needs to define a firewall rule for every port forwarding rule.
The bottom jpeg shows the basic view, the top jpeg uses defined objects for some of the entries.

What is cool is that NAT loopback (hairpin nat) is a simple checkbox LOL. Easier yes, but in Mikrotik one gets to know why and how its done.

idoubtmyexistence · June 24, 2020, 7:20pm

I’ve read some docs about Hairpin NAT and it seems that it is actually what I need, Sob & anav, thank you! I will try to make something out of it and post my final configuration for those who will stumble upon the same sort of problem

idoubtmyexistence · June 25, 2020, 12:46pm

My autistic solution which consists of amalgamated answers from StackOverflow:

/ip address add address=11.20.30.40 interface=bridge network=11.20.30.40
/ip firewall nat add action=dst-nat chain=dstnat dst-address=11.20.30.40 dst-port=3389 protocol=tcp to-addresses=192.168.1.202 to-ports=43231
/ip firewall nat add action=masquerade chain=srcnat connection-mark=work-mark
/ip firewall mangle add action=mark-connection chain=prerouting dst-address=11.20.30.40 dst-port=3389 new-connection-mark=work-mark passthrough=no protocol=tcp src-address=192.168.1.0/24

Kinda hard to look at, but it works
I definetely must learn networking someday… This is so much painful not to know what you are doing.
Guys, thank you so much! You told me what to search for, I really appreciate that. Thanks!