What am I doing wrong - Port Forwarding

Trying to set up a port forward and it isn’t working. Hoping someone can tell me what I am doing wrong.

OS version is 2.9.23 on Routerboard 532.

I need to forward two ports on outside wan port (public side) to the “hotspot” port (ether3). Ether2 is the private lan side.

The first rule would be for HTTP traffic on port 8080, and the second is Telnet traffic on port 2332. Both are TCP. Doing this in /ip/firewall/nat.

chain=dstnat in-interface=ether1 dst-address=000.000.000.000 protocol=tcp dst-port=8080 action=dst-nat to-addresses=10.20.40.254 to-ports=8080

chain=dstnat in-interface=ether1 dst-address=000.000.000.000 protocol=tcp dst-port=2332 action=dst-nat to-addresses=10.20.40.254 to-ports=2332

Can anyone clue me in on what I am doing wrong? It looks correct based on what I have seen on the forum but it isn’t working (no traffic is getting to the internal server).

Thank you

Lyle

I think that the dst-address needs to be the address of the router public interface. I think that you are trying to translate :8080 to :8080 and so the destination address of the NAT has to be the address of the router.

Here’s something similar from my configuration..

chain=dstnat dst-address= protocol=tcp dst-port=17416
action=dst-nat to-addresses=192.168.2.16 to-ports=80

which allows an HTTP connection via port 17416 to an internal machine…

Same as what I have. I just put the 000.000.000.000 to mask the public IP.

It is strange because I have no problem getting to the router from the outside, just can’t get it to translate to the inside. Is it possible that the reason it is not working is because I am trying to go to the hotspot interface?

Ether1 = Outside (public)
Ether2 = Private Lan (192.168.1.x)
Ether3 = Hotspot (10.20.40.x)

I think the problem might be deeper though. If I am sitting inside the router, and try to ping the internal IP on the 10.20.40 network, it never returns an answer. Telnet to the 8080 port also returns nothing. So maybe I can not talk to that network from inside the router?

Here is the working configuration I have in place:

/ interface ethernet
set ether1 name="ether1" mtu=1500 mac-address=00:0C:42:06:3D:FE arp=enabled
disable-running-check=yes auto-negotiation=yes full-duplex=yes
cable-settings=default mdix-enable=yes speed=100Mbps comment=""
disabled=no
set ether2 name="ether2" mtu=1500 mac-address=00:0C:42:06:3D:FF arp=enabled
disable-running-check=yes auto-negotiation=yes full-duplex=yes
cable-settings=default speed=100Mbps comment="" disabled=no
set ether3 name="ether3" mtu=1500 mac-address=00:0C:42:06:3E:00 arp=enabled
disable-running-check=yes auto-negotiation=yes full-duplex=yes
cable-settings=default speed=100Mbps comment="" disabled=no
/ interface l2tp-server server
set enabled=no max-mtu=1460 max-mru=1460
authentication=pap,chap,mschap1,mschap2 default-profile=default-encryption
/ interface pptp-server server
set enabled=no max-mtu=1460 max-mru=1460 authentication=mschap1,mschap2
keepalive-timeout=30 default-profile=default-encryption
/ ip pool
add name="dhcp_pool1" ranges=192.168.0.100-192.168.1.240
add name="dhcp_pool2" ranges=10.20.40.50-10.20.40.200
/ ip accounting
set enabled=no account-local-traffic=no threshold=256
/ ip accounting web-access
set accessible-via-web=yes address=0.0.0.0/0
/ ip service
set telnet port=23 address=0.0.0.0/0 disabled=no
set ftp port=21 address=0.0.0.0/0 disabled=no
set www port=80 address=0.0.0.0/0 disabled=no
set ssh port=22 address=0.0.0.0/0 disabled=no
set www-ssl port=443 address=0.0.0.0/0 certificate=none disabled=no
/ ip socks
set enabled=no port=1080 connection-idle-timeout=2m max-connections=200
/ ip arp
/ ip upnp
set enabled=yes allow-disable-external-interface=no show-dummy-rule=yes
/ ip upnp interfaces
add interface=ether1 type=external disabled=no
add interface=ether2 type=internal disabled=no
add interface=ether3 type=internal disabled=no
/ ip traffic-flow
set enabled=no interfaces=all cache-entries=4k active-flow-timeout=30m
inactive-flow-timeout=15s
/ ip dns
set primary-dns=000.000.000.2 secondary-dns=000.000.000.3
allow-remote-requests=no cache-size=2048KiB cache-max-ttl=1w
/ ip address
add address=000.000.000.000/25 network=000.000.000.0 broadcast=000.000.000.127
interface=ether1 comment="Outside" disabled=no
add address=192.168.1.1/24 network=192.168.1.0 broadcast=192.168.1.255
interface=ether2 comment="Inside" disabled=no
add address=10.20.40.1/24 network=10.20.40.0 broadcast=10.20.40.255
interface=ether3 comment="Hotspot" disabled=no
/ ip proxy
set enabled=no src-address=0.0.0.0 port=8080 parent-proxy=0.0.0.0:0
cache-administrator="webmaster" max-disk-cache-size=none
max-ram-cache-size=8000KiB cache-only-on-disk=no
maximal-client-connections=1000 maximal-server-connections=1000
max-object-size=4000KiB max-fresh-time=3d
/ ip neighbor discovery
set ether1 discover=yes
set ether2 discover=yes
set ether3 discover=yes
/ ip route
add dst-address=0.0.0.0/0 gateway=000.000.000.1 distance=1 scope=255
target-scope=10 comment="" disabled=no
/ ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade comment="" disabled=no
add chain=srcnat src-address=10.20.40.0/24 action=masquerade
comment="masquerade hotspot network" disabled=no
add chain=dstnat in-interface=ether1 dst-address=000.000.000.000 protocol=tcp
dst-port=8080 action=dst-nat to-addresses=10.20.40.254 to-ports=8080
comment="" disabled=no
add chain=dstnat in-interface=ether1 dst-address=000.000.000.000 protocol=tcp
dst-port=3223 action=dst-nat to-addresses=10.20.40.254 to-ports=3223
comment="" disabled=no
/ ip firewall connection tracking
set enabled=yes tcp-syn-sent-timeout=5s tcp-syn-received-timeout=5s
tcp-established-timeout=1d tcp-fin-wait-timeout=10s
tcp-close-wait-timeout=10s tcp-last-ack-timeout=10s
tcp-time-wait-timeout=10s tcp-close-timeout=10s udp-timeout=10s
udp-stream-timeout=3m icmp-timeout=10s generic-timeout=10m
tcp-syncookie=no
/ ip firewall filter
add chain=input connection-state=invalid action=drop comment="Drop invalid
connections" disabled=yes
add chain=input connection-state=established action=accept comment="Allow
established connections" disabled=yes
add chain=input connection-state=related action=accept comment="Allow related
connections" disabled=yes
add chain=input protocol=udp action=accept comment="Allow UDP" disabled=yes
add chain=input protocol=icmp action=accept comment="Allow ICMP" disabled=yes
add chain=input in-interface=!ether1 action=accept comment="Allow connection
to router from local network" disabled=yes
add chain=input action=drop comment="Drop everything else" disabled=yes
add chain=forward in-interface=ether1 action=jump jump-target=customer
comment="" disabled=yes
add chain=customer connection-state=invalid action=drop comment="Drop invalid
connection packets" disabled=yes
add chain=customer connection-state=established action=accept comment="Allow
established connections" disabled=yes
add chain=customer connection-state=related action=accept comment="Allow
related connections" disabled=yes
add chain=customer action=log log-prefix="customer_drop" comment="Log dropped
connections" disabled=yes
add chain=customer action=drop comment="Drop and log everything else"
disabled=yes
/ ip firewall service-port
set ftp ports=21 disabled=no
set tftp ports=69 disabled=no
set irc ports=6667 disabled=no
set h323 disabled=no
set quake3 disabled=no
set mms disabled=no
set gre disabled=no
set pptp disabled=no
/ ip hotspot
add name="hotspot1" interface=ether3 address-pool=dhcp_pool2 profile=default
idle-timeout=5m keepalive-timeout=none addresses-per-mac=2 disabled=no
/ ip hotspot service-port
set ftp ports=21 disabled=no
/ ip hotspot ip-binding
add mac-address=00:0A:80:00:07:A6 type=bypassed comment="" disabled=no
/ ip hotspot profile
set default name="default" hotspot-address=0.0.0.0 dns-name=""
html-directory=hotspot rate-limit="" http-proxy=0.0.0.0:0
smtp-server=0.0.0.0 login-by=cookie,http-chap http-cookie-lifetime=3d
split-user-domain=no use-radius=no
add name="hosprof1" hotspot-address=10.20.40.1 dns-name="something.com"
html-directory=hotspot rate-limit="" http-proxy=0.0.0.0:0
smtp-server=216.110.195.7 login-by=cookie,http-chap
http-cookie-lifetime=12h split-user-domain=no use-radius=no
/ ip hotspot user
add name="admin" password="xxxx" profile=default comment="" disabled=no
add server=hotspot1 name="101" password="" profile=default comment=""
disabled=no
/ ip hotspot user profile
set default name="default" address-pool=dhcp_pool2 idle-timeout=none
keepalive-timeout=2m status-autorefresh=1m shared-users=2
transparent-proxy=yes open-status-page=always advertise=no
add name="lobby" address-pool=dhcp_pool2 session-timeout=1h idle-timeout=none
keepalive-timeout=2m status-autorefresh=1m shared-users=1
transparent-proxy=yes open-status-page=always advertise=no
/ ip dhcp-server
add name="dhcp1" interface=ether2 lease-time=3d address-pool=dhcp_pool1
bootp-support=static authoritative=after-2sec-delay disabled=no
add name="dhcp2" interface=ether3 lease-time=12h address-pool=dhcp_pool2
bootp-support=static authoritative=after-2sec-delay disabled=no
/ ip dhcp-server config
set store-leases-disk=5m
/ ip dhcp-server lease
/ ip dhcp-server network
add address=10.20.40.0/24 gateway=10.20.40.1
dns-server=216.110.195.2,216.110.195.3 comment=""
add address=192.168.1.0/24 gateway=192.168.1.1
dns-server=216.110.195.2,216.110.195.3 comment=""
/ ip ipsec proposal
add name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=30m
lifebytes=0 pfs-group=modp1024 disabled=no
/ system logging
add topics=info prefix="" action=memory disabled=no
add topics=error prefix="" action=memory disabled=no
add topics=warning prefix="" action=memory disabled=no
add topics=critical prefix="" action=echo disabled=no
/ system logging action
set memory name="memory" target=memory memory-lines=100 memory-stop-on-full=no
set disk name="disk" target=disk disk-lines=100 disk-stop-on-full=no
set echo name="echo" target=echo remember=yes
set remote name="remote" target=remote remote=192.168.65.175:514
/ system upgrade mirror
set enabled=no primary-server=0.0.0.0 secondary-server=0.0.0.0
check-interval=1d user=""
/ system clock dst
set dst-delta=+00:00 dst-start="jan/01/1970 00:00:00" dst-end="jan/01/1970 00:00:00"
/ system watchdog
set reboot-on-failure=yes watch-address=none watchdog-timer=yes
no-ping-delay=5m automatic-supout=yes auto-send-supout=no
/ system console
add port=serial0 term="" disabled=no
/ system identity
set name="SleepInn"
/ system note
set show-at-login=yes note=""
/ system routerboard settings
set baud-rate=115200 boot-delay=1s boot-device=nand-if-fail-then-ethernet
enter-setup-on=any-key cpu-mode=power-save memory-test=no
cpu-frequency=264MHz boot-protocol=bootp enable-jumper-reset=yes
/ system ntp server
set enabled=no broadcast=no multicast=no manycast=yes
/ system ntp client
set enabled=yes mode=unicast primary-ntp=204.152.184.72 secondary-ntp=0.0.0.0
/ port
set serial0 name="serial0" baud-rate=auto data-bits=8 parity=none stop-bits=1
flow-control=hardware
/ ppp profile
set default name="default" use-compression=default use-vj-compression=default
use-encryption=default only-one=default change-tcp-mss=yes comment=""
set default-encryption name="default-encryption" use-compression=default
use-vj-compression=default use-encryption=yes only-one=default
change-tcp-mss=yes comment=""
/ ppp aaa
set use-radius=no accounting=yes interim-update=0s
/ queue type
set default name="default" kind=pfifo pfifo-limit=50
set ethernet-default name="ethernet-default" kind=pfifo pfifo-limit=50
set wireless-default name="wireless-default" kind=sfq sfq-perturb=5
sfq-allot=1514
set synchronous-default name="synchronous-default" kind=red red-limit=60
red-min-threshold=10 red-max-threshold=50 red-burst=20 red-avg-packet=1000
set hotspot-default name="hotspot-default" kind=sfq sfq-perturb=5
sfq-allot=1514
add name="default-small" kind=pfifo pfifo-limit=10
/ queue simple
/ user
add name="admin" group=full address=0.0.0.0/0 comment="system default user"
disabled=no
/ user group
add name="read" policy=local,telnet,ssh,reboot,read,test,winbox,password,web,!ftp,!write,!policy
add name="write" policy=local,telnet,ssh,reboot,read,write,test,winbox,password,web,!ftp,!policy
add name="full" policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web
/ user aaa
set use-radius=no accounting=yes interim-update=0s default-group=read
/ radius incoming
set accept=no port=1700
/ snmp
set enabled=no contact="" location=""
/ snmp community
set public name="public" address=0.0.0.0/0 read-access=yes
/ tool bandwidth-server
set enabled=yes authenticate=yes allocate-udp-ports-from=2000 max-sessions=10
/ tool mac-server ping
set enabled=yes
/ tool e-mail
set server=0.0.0.0 from="<>"
/ tool sniffer
set interface=ether1 only-headers=no memory-limit=10 file-name=""
file-limit=10 streaming-enabled=no streaming-server=0.0.0.0
filter-stream=yes filter-protocol=ip-only
filter-address1=216.110.199.114/32:8080 filter-address2=0.0.0.0/0:0-65535
/ tool traffic-monitor
add name="tmon1" interface=ether1 traffic=received trigger=above threshold=0
on-event="" comment="" disabled=no
/ tool graphing
set store-every=5min
/ tool graphing interface
add interface=all allow-address=0.0.0.0/0 store-on-disk=yes disabled=no
/ routing ospf
set router-id=0.0.0.0 distribute-default=never redistribute-connected=no
redistribute-static=no redistribute-rip=no redistribute-bgp=no
metric-default=1 metric-connected=20 metric-static=20 metric-rip=20
metric-bgp=20
/ routing ospf area
set backbone area-id=0.0.0.0 type=default translator-role=translate-candidate
authentication=none disabled=no
/ routing bgp instance
set default name="default" as=1 router-id=0.0.0.0 redistribute-static=no
redistribute-connected=no redistribute-rip=no redistribute-ospf=no
redistribute-other-bgp=no out-filter="" client-to-client-reflection=yes
comment="" disabled=no
/ routing rip
set redistribute-static=no redistribute-connected=no redistribute-ospf=no
redistribute-bgp=no metric-static=1 metric-connected=1 metric-ospf=1
metric-bgp=1 update-timer=30s timeout-timer=3m garbage-timer=2m
/ routing rip interface
add interface=all receive=v2 send=v2 authentication=none authentication-key=""
key-chain="" in-filter="" out-filter="" disabled=no

You need to add the IP address of the internal device you are dst-natting to to the walled garden. Not sure if you can define both the IP and port, as I’ve run into problems with specifying a port (although this was on some older versions). The problem is, your traffic is redirecting properly from the outside in, but the response from the internal device isn’t getting back out because of the hotspot. Add the IP to the walled garden (under the IP List) and you should be set. Not sure if the dst-address=0.0.0.0/0 is causing any issues, but if you still have problems, set it to the WAN IP of the router or leave it blank.

Note: In the future, posting this type of problem to the General Networking forum will get you better responses as this doesn't really have anything to do with scripting.

Yeah after I posted it, I realized I was probably in the wrong forum.

I added this to the walled garden on the hotspot:

src-address=10.20.40.254 dst-address=000.000.000.123 action=allow

Do I have that correct or is it backward? Tried it both ways and it didn’t work either way.

Also, is the “dst-address=0.0.0.0/0” that you are talking about the one under the routes? If so, that is what it configured when I set up the interface.

No, the dst-address you are using in your firewall rules. Try both your dst-nat and walled garden rules without a dst-address of all zeros. I believe if you leave the dst-address blank, it implies all zeros (0.0.0.0/0).

Just try the walled garden with only a source address=your internal one and the action=accept, without a dst-address or port or anything else.

I must be really dense today. I set up the walled garden with only the src:

src-address=10.20.40.254 action=allow

Still nothing traverses from the outside to the inside. I can see the packets coming in as the counters go up, but it never completes the action.

Something I am missing. Also I guess I don’t understand where I am needing to change the dst-nat to be the Public IP. I have tried the walled garden to have the src-address and dst-address defined.

Sorry for the hassle

add chain=dstnat in-interface=ether1 dst-address=000.000.000.000 protocol=tcp
dst-port=8080 action=dst-nat to-addresses=10.20.40.254 to-ports=8080
comment="" disabled=no
add chain=dstnat in-interface=ether1 dst-address=000.000.000.000 protocol=tcp
dst-port=3223 action=dst-nat to-addresses=10.20.40.254 to-ports=3223
comment="" disabled=no

The dst-address=000.000.000.000 values in the two rules above are what I'm referring to. You might need to add some log rules in your firewall or just play around with some rules to find out where the connection is getting hung up.
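The configuration the thread converges on, written out as an added example rather than any poster's own config: the two dst-nat rules without the masked all-zeros dst-address, a hotspot exemption for the forwarded server, and the log rule the last reply suggests for finding where the connection stops. It assumes current RouterOS command syntax (the 2.9 export above writes the same paths with a space after the slash) and reuses the thread's interfaces and the 10.20.40.254 server address.

```routeros
# Added example, not taken from the thread. Current RouterOS syntax is assumed.
# ether1 = public side, ether3 = hotspot segment, 10.20.40.254 = the server there.

# 1. Port forwards. No dst-address: the rule then matches whatever public
#    address arrives on ether1, which is what the last reply recommends in
#    place of the masked 000.000.000.000 value. Ports follow the first post.
/ip firewall nat
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=8080 \
    action=dst-nat to-addresses=10.20.40.254 to-ports=8080 \
    comment="HTTP to server on hotspot segment"
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=2332 \
    action=dst-nat to-addresses=10.20.40.254 to-ports=2332 \
    comment="Telnet to server on hotspot segment"

# 2. Let the server's replies leave the hotspot segment without a login.
#    Option A: walled-garden entry keyed only on the server's source address,
#    as suggested in the thread (action is accept in RouterOS, not allow).
/ip hotspot walled-garden ip
add src-address=10.20.40.254 action=accept comment="forwarded server"

#    Option B (assumed alternative, use instead of A): bypass the hotspot for
#    that one host, the same mechanism the export already uses for one MAC.
/ip hotspot ip-binding
add address=10.20.40.254 type=bypassed comment="forwarded server, no hotspot auth"

# 3. Diagnostics: log forwarded packets for the two ports. If entries appear,
#    the translation ran and the packet left toward 10.20.40.254; if only the
#    dst-nat counters move, the packet is being stopped before forwarding.
/ip firewall filter
add chain=forward in-interface=ether1 protocol=tcp dst-port=8080,2332 \
    action=log log-prefix="fwd-hotspot" comment="temporary, disable after testing"

# Inspect while testing from outside, then disable the log rule again.
/log print where message~"fwd-hotspot"
/ip firewall connection print where dst-address~"10.20.40.254"
```

Keep only one of the two hotspot exemptions, and remove the log rule once the path is confirmed so the log buffer (100 lines in the export above) is not filled by ordinary traffic.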