Floydian
just joined
Topic Author
Posts: 14
Joined: Tue Apr 13, 2021 2:18 pm

Port forwarding not working from Public IP ranges

Tue Apr 13, 2021 3:00 pm

Hello,

I'm trying to create a port forwarding setup, which currently is working when accessing from an IP in the 192.168.x.x range, but not working when trying to access from a public IP.
I'm issuing a curl command to fetch a website. This works from the local IP, but not when coming from a public IP.

The setup is:
Apple AirPort -> OldLAN (192.168.x.x) -> RB4011 (192.168.0.102) -> NewLan (10.2.x.x)

When I issue the curl command from a PC on the OldLAN, I can access the NewLAN and fetch data from the server.
When I issue the same curl command from outside, through the Apple AirPort, the connection comes through to the RB4011, however no data is returned from the NewLAN server.
To rule out the AirPort I have also tried connecting the RB4011 directly to the internet, which gives the same result - not possible to connect.

I see the following in the log file:
Access from Private IP in the 192.168.x.x range:
13:22:40 firewall,info [httpnat] dstnat: in:outside out:(unknown 0), src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN), 192.168.0.20:57585->192.168.0.102:80, len 64
13:22:40 firewall,info [http] forward: in:outside out:dmzbridge, src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN), 192.168.0.20:57585->10.2.0.10:80, NAT 192.168.0.20:57585->(192.168.0.102:80->10.2.0.10:80), len 64
Access from a Public IP:
13:26:27 firewall,info [httpnat] dstnat: in:outside out:(unknown 0), src-mac 24:a0:74:73:a7:e8, proto TCP (SYN), 206.189.180.4:34026->192.168.0.102:80, len 60
13:26:27 firewall,info [http] forward: in:outside out:dmzbridge, src-mac 24:a0:74:73:a7:e8, proto TCP (SYN), 206.189.180.4:34026->10.2.0.10:80, NAT 206.189.180.4:34026->(192.168.0.102:80->10.2.0.10:80), len 60
The only apparent difference is the "len 64" when it's working and "len 60" when it's not working (?).

Have tried to enable logging on the different rules, but not been able to get a hit on what the difference is between the two connections.

Below is my current config:
# apr/13/2021 13:45:44 by RouterOS 6.48.1
# software id = IJJI-4YGG
#
# model = RB4011iGS+
# serial number = xxxxxx
/interface bridge
add comment="Admin bridge" name=admbridge
add comment=DMZ name=dmzbridge protocol-mode=none
add comment="IoT Bridge" name=iotbridge
add admin-mac=xx:xx:xx:xx:xx:xx auto-mac=no comment=defconf name=lanbridge
/interface ethernet
set [ find default-name=ether10 ] comment="Admin port" name=admin poe-out=off
set [ find default-name=ether2 ] comment=DMZ name=dmz1
set [ find default-name=ether3 ] comment=DMZ name=dmz2
set [ find default-name=ether4 ] comment="IoT Interface" name=iot1
set [ find default-name=ether1 ] comment="Wan Interface" name=outside
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=DMZ
add name=IOT
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=lan_dhcp_pool ranges=10.1.0.10-10.1.0.254
add name=dmz_dhcp_pool ranges=10.2.0.200-10.2.0.250
add name=iot_dhcp_pool ranges=10.3.0.200-10.3.0.250
/ip dhcp-server
add address-pool=lan_dhcp_pool disabled=no interface=lanbridge name=\
    lan_dhcp_server
add address-pool=lan_dhcp_pool disabled=no interface=admbridge name=\
    admin_dhcp_server
add address-pool=dmz_dhcp_pool disabled=no interface=dmzbridge name=\
    dmz_dhcp_server
add address-pool=iot_dhcp_pool disabled=no interface=iotbridge name=\
    iot_dhcp_server
/interface bridge port
add bridge=dmzbridge comment=dmz interface=dmz1
add bridge=dmzbridge comment=dmz interface=dmz2
add bridge=iotbridge comment=defconf interface=iot1
add bridge=lanbridge comment=defconf interface=ether5
add bridge=lanbridge comment=defconf interface=ether6
add bridge=lanbridge comment=defconf interface=ether7
add bridge=lanbridge comment=defconf interface=ether8
add bridge=lanbridge comment=defconf interface=ether9
add bridge=admbridge comment=defconf interface=admin
add bridge=lanbridge comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=none
/ip settings
set tcp-syncookies=yes
/interface list member
add comment=defconf interface=lanbridge list=LAN
add comment=defconf interface=outside list=WAN
add interface=dmzbridge list=LAN
/ip address
add address=10.1.0.1/24 comment="LAN Bridge" interface=lanbridge network=\
    10.1.0.0
add address=10.2.0.1/24 comment="DMZ Bridge" interface=dmzbridge network=\
    10.2.0.0
add address=10.3.0.1/24 comment="IOT bridge" interface=iotbridge network=\
    10.3.0.0
/ip cloud
set update-time=no
/ip dhcp-client
add comment=defconf disabled=no interface=outside
/ip dhcp-server network
add address=10.1.0.0/24 comment="LAN DHCP" dns-server=\
    192.168.0.y,192.168.0.x domain=example.com gateway=10.1.0.1 netmask=24
add address=10.2.0.0/24 comment="DMZ DHCP" domain=example.com gateway=10.2.0.1 \
    netmask=24
add address=10.3.0.0/24 comment="IOT DHCP" dns-server=\
    192.168.0.x,192.168.0.y domain=example.com gateway=10.3.0.1 netmask=24
/ip dns static
add address=10.4.0.1 comment=defconf name=router.lan
/ip firewall address-list
add address=10.1.0.10-10.1.0.254 list=allowed_to_router
add address=10.4.0.10-10.4.0.254 list=allowed_to_router
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 disabled=yes list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
    not_in_internet
add list=ddos-attackers
add list=ddos-target
/ip firewall filter
add action=accept chain=input comment="Accept Established, Related" \
    connection-state=established,related
add action=drop chain=input comment="Drop all invalid packets from WAN" \
    connection-state=invalid log=yes log-prefix="[drop invalid] "
add action=jump chain=forward comment="DDOS protection" connection-state=new \
    jump-target=detect-ddos log-prefix="[ddos jump] "
add action=fasttrack-connection chain=forward comment=FastTrack \
    connection-state=established,related log-prefix="[fasttrack] "
add action=accept chain=forward comment="Allow Estab & Related" \
    connection-state=established,related
add action=accept chain=forward comment=HTTP dst-port=80 in-interface=outside \
    log=yes log-prefix="[http] " protocol=tcp
add action=accept chain=forward comment=HTTPS dst-port=443 in-interface=\
    outside protocol=tcp
add action=accept chain=input comment="Allow ICMP" protocol=icmp
add action=accept chain=input comment="allow admin access" src-address-list=\
    allowed_to_router
add action=drop chain=input comment="drop all not coming from admbridge"
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=drop chain=forward comment="Drop Invalid Forward" \
    connection-state=invalid log=yes log-prefix="[invalid fwd]"
add action=accept chain=forward comment="Screen sharing from LAN to DMZ" \
    dst-port=5900 in-interface=lanbridge log-prefix=screen_sharing protocol=\
    tcp
add action=accept chain=forward in-interface=dmzbridge out-interface=\
    lanbridge protocol=tcp src-port=5900
add action=accept chain=forward comment="MariaDB Lan to DMZ" \
    connection-state=established,related,new,untracked dst-port=3306 \
    protocol=tcp
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN log=yes log-prefix=\
    "[drop inv wan]"
add action=drop chain=forward comment=\
    "Drop tries to reach not public addresses from LAN" disabled=yes \
    dst-address-list=not_in_internet in-interface=lanbridge log=yes \
    log-prefix="[!public_from_LAN]" out-interface=!lanbridge
add action=drop chain=forward comment=\
    "Drop tries to reach not public addresses from IOT" dst-address-list=\
    not_in_internet in-interface=iotbridge log=yes log-prefix=\
    "[!public_from_IOT] " out-interface=!iotbridge
add action=drop chain=forward comment=\
    "Drop tries to reach not public addresses from DMZ" disabled=yes \
    dst-address-list=not_in_internet in-interface=dmzbridge log=yes \
    log-prefix=!public_from_DMZ out-interface=!dmzbridge
add action=drop chain=forward comment=\
    "Drop tries to reach not public addresses from ADM" disabled=yes \
    dst-address-list=not_in_internet in-interface=admbridge log=yes \
    log-prefix=!public_from_ADM out-interface=!admbridge
add action=drop chain=forward comment=\
    "Drop incoming packets that are not NATed" connection-nat-state=!dstnat \
    connection-state=new in-interface=outside log=yes log-prefix="[!NAT] "
add action=drop chain=forward comment=\
    "Drop incoming from internet which is not public IP" in-interface=outside \
    log=yes log-prefix="[!public]" src-address-list=not_in_internet
add action=drop chain=forward comment=\
    "Drop packets from LAN that do not have LAN IP" in-interface=lanbridge \
    log=yes log-prefix="[LAN_!LAN]" src-address=!10.1.0.0/24
add action=drop chain=forward comment=\
    "Drop packets from DMZ which does not have DMZ IP" in-interface=dmzbridge \
    log=yes log-prefix="[DMZ_!DMZ]" src-address=!10.2.0.0/24
add action=drop chain=forward comment=\
    "Drop packets from IOT which does not have IOT IP" in-interface=iotbridge \
    log=yes log-prefix="[IOT_!IOT]" src-address=!10.3.0.0/24
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddos-target \
    address-list-timeout=10m chain=detect-ddos
add action=add-src-to-address-list address-list=ddos-attackers \
    address-list-timeout=10m chain=detect-ddos
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s \
    protocol=tcp tcp-flags=syn,ack
/ip firewall mangle
add action=log chain=prerouting connection-state=new disabled=yes dst-port=80 \
    log=yes log-prefix="[port80] " protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none log-prefix="[masq]" out-interface-list=WAN
add action=masquerade chain=srcnat disabled=yes dst-address=10.2.0.10 \
    out-interface=lanbridge protocol=tcp src-address=10.1.0.0/24
add action=dst-nat chain=dstnat dst-port=80 in-interface-list=WAN log=yes \
    log-prefix="[httpnat] " protocol=tcp to-addresses=10.2.0.10
add action=dst-nat chain=dstnat dst-port=443 in-interface=outside protocol=\
    tcp to-addresses=10.2.0.10 to-ports=443
add action=src-nat chain=srcnat out-interface=outside src-address=10.1.0.0/24 \
    to-addresses=84.x.y.z
add action=src-nat chain=srcnat log=yes log-prefix="[srcnat]" out-interface=\
    outside src-address=10.2.0.0/24 to-addresses=84.x.y.z
add action=src-nat chain=srcnat out-interface=outside src-address=10.3.0.0/24 \
    to-addresses=84.x.y.z
/ip firewall raw
add action=drop chain=prerouting dst-address-list=ddos-target log=yes \
    log-prefix="[ddos attacker] " src-address-list=ddos-attackers
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=10.1.0.0/24 port=8080
set ssh port=22
set api disabled=yes
set winbox disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Copenhagen
/system identity
set name=RB4011
/system ntp client
set enabled=yes server-dns-names=0.dk.pool.ntp.org
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
Thank you in advance for any assistance/pointers that can help me solve this.
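Added example (not code from the post or from MikroTik): a small Python parser for the firewall log lines quoted above. It pairs each connection's dstnat and forward hits, checks that the DST-NAT translation they report is consistent, classifies the source as private or public, and lists the fields that actually differ between the working and the failing flow, so the two captures can be diffed mechanically rather than by eye. The sample lines are the four from this post.

```python
"""Parse RouterOS firewall log lines, pair the dstnat/forward hits of each
connection, verify the DST-NAT translation and diff two flows field by field."""
import ipaddress
import re
from dataclasses import dataclass, fields
from typing import Dict, List, Optional, Set, Tuple

# Log lines copied from the first post of the thread (src-mac of the private-source
# lines is masked there as xx:xx:xx:xx:xx:xx).
SAMPLE_LOG = """\
13:22:40 firewall,info [httpnat] dstnat: in:outside out:(unknown 0), src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN), 192.168.0.20:57585->192.168.0.102:80, len 64
13:22:40 firewall,info [http] forward: in:outside out:dmzbridge, src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN), 192.168.0.20:57585->10.2.0.10:80, NAT 192.168.0.20:57585->(192.168.0.102:80->10.2.0.10:80), len 64
13:26:27 firewall,info [httpnat] dstnat: in:outside out:(unknown 0), src-mac 24:a0:74:73:a7:e8, proto TCP (SYN), 206.189.180.4:34026->192.168.0.102:80, len 60
13:26:27 firewall,info [http] forward: in:outside out:dmzbridge, src-mac 24:a0:74:73:a7:e8, proto TCP (SYN), 206.189.180.4:34026->10.2.0.10:80, NAT 206.189.180.4:34026->(192.168.0.102:80->10.2.0.10:80), len 60
"""

# "len" is the IP datagram length: an 802.1Q tag lives in the Ethernet header
# and therefore can never account for a difference in this field.
LOG_RE = re.compile(
    r"\[(?P<prefix>[^\]]+)\]\s*(?P<chain>\w+): in:(?P<in_if>\S+?) "
    r"out:(?P<out_if>\(unknown 0\)|\S+?), src-mac (?P<mac>[0-9a-fx:]+), "
    r"proto (?P<proto>\w+)(?: \((?P<flags>[^)]*)\))?, "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+), "
    r"(?:NAT [\d.]+:\d+->\((?P<nat_dst>[\d.]+):(?P<nat_dport>\d+)->"
    r"(?P<nat_to>[\d.]+):(?P<nat_to_port>\d+)\), )?len (?P<length>\d+)"
)


@dataclass
class FwEntry:
    prefix: str
    chain: str
    in_if: str
    out_if: str
    mac: str
    proto: str
    flags: str
    src: str
    sport: int
    dst: str
    dport: int
    length: int
    nat_dst: Optional[str] = None     # pre-NAT destination, forward lines only
    nat_dport: Optional[int] = None
    nat_to: Optional[str] = None      # DST-NAT target, forward lines only
    nat_to_port: Optional[int] = None


def is_private(addr: str) -> bool:
    """True for RFC 1918 and other non-routable sources (ipaddress's definition)."""
    return ipaddress.ip_address(addr).is_private


def parse_line(line: str) -> Optional[FwEntry]:
    """Parsed entry for a firewall hit, None for any other log line."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    g = m.groupdict()
    return FwEntry(
        prefix=g["prefix"], chain=g["chain"], in_if=g["in_if"], out_if=g["out_if"],
        mac=g["mac"], proto=g["proto"], flags=g["flags"] or "", src=g["src"],
        sport=int(g["sport"]), dst=g["dst"], dport=int(g["dport"]),
        length=int(g["length"]), nat_dst=g["nat_dst"], nat_to=g["nat_to"],
        nat_dport=int(g["nat_dport"]) if g["nat_dport"] else None,
        nat_to_port=int(g["nat_to_port"]) if g["nat_to_port"] else None,
    )


def group_flows(lines: List[str]) -> Dict[Tuple[str, int], List[FwEntry]]:
    """Group hits by (source address, source port), i.e. per connection attempt."""
    flows: Dict[Tuple[str, int], List[FwEntry]] = {}
    for line in lines:
        entry = parse_line(line)
        if entry is not None:
            flows.setdefault((entry.src, entry.sport), []).append(entry)
    return flows


def nat_consistent(flow: List[FwEntry]) -> bool:
    """The dstnat hit's destination must be what the forward hit reports as the
    pre-NAT destination, and the forward hit's destination must be the NAT target."""
    by_chain = {e.chain: e for e in flow}
    d, f = by_chain.get("dstnat"), by_chain.get("forward")
    if d is None or f is None or f.nat_to is None:
        return False
    return ((d.dst, d.dport) == (f.nat_dst, f.nat_dport)
            and (f.dst, f.dport) == (f.nat_to, f.nat_to_port))


def diff_flows(a: List[FwEntry], b: List[FwEntry]) -> Set[str]:
    """Names of the fields whose values differ between the forward hits of two flows."""
    fa = next(e for e in a if e.chain == "forward")
    fb = next(e for e in b if e.chain == "forward")
    diff = {f.name for f in fields(FwEntry) if getattr(fa, f.name) != getattr(fb, f.name)}
    if is_private(fa.src) != is_private(fb.src):
        diff.add("src_is_private")
    return diff


if __name__ == "__main__":
    flows = group_flows(SAMPLE_LOG.splitlines())
    for (src, sport), flow in flows.items():
        print(f"{src}:{sport} private={is_private(src)} nat_ok={nat_consistent(flow)}")
    # A 60- vs 64-byte SYN normally reflects the sender's TCP options, nothing more.
    print("differing fields:", sorted(diff_flows(*flows.values())))
```

If the only differing fields are the source, its port, its MAC and the SYN length, the firewall log has told you everything it can and the next step is a packet capture on the DMZ side to see whether the server's reply ever comes back through the router.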
 
Floydian
just joined
Topic Author
Posts: 14
Joined: Tue Apr 13, 2021 2:18 pm

Re: Port forwarding not working from Public IP ranges

Fri Apr 16, 2021 12:53 am

Now, this is driving me nuts.

Had a MT hEX (RB750Gr3) lying around, and tried to use this for testing.

After reading up on stuff, decided to use VLANs instead of Bridges to segment the network.

Followed the guide discussed here: viewtopic.php?p=706999, more specifically the Router-Switch-AP (all in one) part.

Now I got this working on the RB750Gr3 - I can access the server behind it both from the intermediate lan (IP: 192.168.0.x), as well as from outside through the Apple AirPort.
So far so good.
Dumped my config, and followed the guide + config on the RB4011iGS+ thinking that switching to VLANs actually solved the issue, however, once done configuring, I'm at the exact same point as I was with the Bridges. I can access the server from the Intermediate network, but not when accessing through the Apple AirPort.

Below the config from the RB4011 which is not working. Attached is the config from the RB750Gr3, which is working.

Am I missing something with regards to the differences in hardware that I should be aware of on the RB4011 (Having two switches compared to the 750's one)?
# apr/15/2021 23:08:14 by RouterOS 6.48
# software id = IJJI-4YGG
#
# model = RB4011iGS+
# serial number = 
/interface bridge
add admin-mac=xx:xx:xx:xx:xx:xx auto-mac=no comment="Main Bridge" name=MainBridge \
    protocol-mode=none vlan-filtering=yes
/interface ethernet
set [ find default-name=ether2 ] name=admin
set [ find default-name=ether3 ] name=dmz1
set [ find default-name=ether4 ] name=dmz2
set [ find default-name=ether5 ] name=iot1
set [ find default-name=ether6 ] name=lan1
set [ find default-name=ether7 ] name=lan2
set [ find default-name=ether8 ] name=lan3
set [ find default-name=ether9 ] name=lan4
set [ find default-name=ether10 ] name=lan5
set [ find default-name=ether1 ] name=outside
/interface vlan
add interface=MainBridge name=ADM_VLAN vlan-id=99
add interface=MainBridge name=DMZ_VLAN vlan-id=20
add interface=MainBridge name=IOT_VLAN vlan-id=30
add interface=MainBridge name=LAN_VLAN vlan-id=10
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=VLAN
add name=ADMIN
add name=IOT
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name="Bridge Pool" ranges=10.1.0.10-10.1.0.250
add name=LAN_POOL ranges=10.1.0.100-10.1.0.250
add name=DMZ_POOL ranges=10.2.0.100-10.2.0.250
add name=IOT_POOL ranges=10.3.0.100-10.3.0.250
add name=ADM_POOL ranges=10.4.0.100-10.4.0.250
/ip dhcp-server
add address-pool="Bridge Pool" disabled=no interface=MainBridge name=MB_DHCP
add address-pool=LAN_POOL disabled=no interface=LAN_VLAN name=LAN_DHCP
add address-pool=DMZ_POOL disabled=no interface=DMZ_VLAN name=DMZ_DHCP
add address-pool=IOT_POOL disabled=no interface=IOT_VLAN name=IOT_DHCP
add address-pool=ADM_POOL disabled=no interface=ADM_VLAN name=ADM_DHCP
/interface bridge port
add bridge=MainBridge comment=ADM frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    admin pvid=99
add bridge=MainBridge comment="DMZ 1" frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    dmz1 pvid=20
add bridge=MainBridge comment="DMZ 2" frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    dmz2 pvid=20
add bridge=MainBridge comment="IOT 1" frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    iot1 pvid=30
add bridge=MainBridge comment="LAN 1" frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    lan1 pvid=10
add bridge=MainBridge comment="LAN 2" frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    lan2 pvid=10
add bridge=MainBridge comment="LAN 3" frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    lan3 pvid=10
add bridge=MainBridge comment="LAN 4" frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    lan4 pvid=10
add bridge=MainBridge comment="LAN 5" frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    lan5 pvid=10
add bridge=MainBridge comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=ADMIN
/interface bridge vlan
add bridge=MainBridge tagged=MainBridge untagged=lan1,lan2,lan3,lan4,lan5 \
    vlan-ids=10
add bridge=MainBridge tagged=MainBridge untagged=dmz1,dmz2 vlan-ids=20
add bridge=MainBridge tagged=MainBridge untagged=iot1 vlan-ids=30
add bridge=MainBridge tagged=MainBridge untagged=admin vlan-ids=99
/interface list member
add comment=defconf interface=MainBridge list=LAN
add comment=defconf interface=outside list=WAN
add interface=ADM_VLAN list=ADMIN
add interface=DMZ_VLAN list=VLAN
add interface=IOT_VLAN list=VLAN
add interface=LAN_VLAN list=VLAN
add interface=ADM_VLAN list=VLAN
/ip address
add address=10.1.0.1/24 comment="Main bridge" interface=MainBridge network=\
    10.1.0.0
add address=10.4.0.1/24 interface=ADM_VLAN network=10.4.0.0
add address=10.1.0.1/24 interface=LAN_VLAN network=10.1.0.0
add address=10.2.0.1/24 interface=DMZ_VLAN network=10.2.0.0
add address=10.3.0.1/24 interface=IOT_VLAN network=10.3.0.0
/ip dhcp-client
add comment=defconf disabled=no interface=outside
/ip dhcp-server network
add address=10.2.0.0/24 comment="DMZ Network" dns-server=192.168.0.x \
    gateway=10.2.0.1
add address=10.3.0.0/24 comment="IOT Network" dns-server=192.168.0.x \
    gateway=10.3.0.1
add address=10.4.0.0/24 comment="ADM Network" dns-server=192.168.0.x \
    gateway=10.4.0.1
add address=10.1.0.0/24 comment="LAN Network" dns-server=192.168.0.x \
    gateway=10.1.0.1
/ip dns
set allow-remote-requests=yes servers=192.168.0.x,192.168.0.y
/ip dns static
add address=10.1.0.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "Accept established,related & untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="Drop invalid" connection-state=invalid
add action=accept chain=input comment="Allow VLAN to router services" \
    in-interface-list=VLAN
add action=accept chain=input comment="Allow Admin_VLAN Full Access" \
    in-interface=ADM_VLAN
add action=accept chain=input comment="Accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "Accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="Drop everything else"
add action=accept chain=forward comment="HTTP 8081" dst-address=192.168.0.z \
    dst-port=8081 in-interface=outside log=yes log-prefix="[fw8081]" \
    protocol=tcp
add action=accept chain=forward comment="Accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="Accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="Fasttrack Forward" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "Accept established, related & untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment="VLAN Internet Access only" \
    connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment="Allow Port Forwarding" \
    connection-nat-state=dstnat connection-state=new in-interface-list=WAN \
    log=yes log-prefix="[fw dstnat]"
add action=drop chain=forward comment="Drop invalid forward"
add action=drop chain=forward comment="Drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="Default masquerade" \
    out-interface-list=WAN
add action=dst-nat chain=dstnat comment="NAT test" dst-address=192.168.0.z \
    dst-port=8081 log=yes log-prefix="[NAT8081]" protocol=tcp to-addresses=\
    10.2.0.x to-ports=80
/system clock
set time-zone-name=Europe/Copenhagen
/system identity
set name=fldMTRB4011
/tool mac-server
set allowed-interface-list=ADMIN
/tool mac-server mac-winbox
set allowed-interface-list=ADMIN
 
anav
Forum Guru
Posts: 19105
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port forwarding not working from Public IP ranges

Fri Apr 16, 2021 1:36 am

Not sure why you think port forwarding is going to work through an ISP modem/router, followed by an apple device, then some other router, and then the MT device.
Draw a network diagram to show what is really going on!

Port forwarding works just fine if the ISP modem is feeding the MT, or even an ISP router modem is providing a private IP, as long as one has access to the ISP modem router to make any necessary changes on the router side of the device.
 
Floydian
just joined
Topic Author
Posts: 14
Joined: Tue Apr 13, 2021 2:18 pm

Re: Port forwarding not working from Public IP ranges

Fri Apr 16, 2021 10:24 pm

Attached a sketch of the current setup - green dotted lines indicate what is working, red dotted what is not.

There's no Modem in the mix. I get a direct public IP connection from my provider.

This is fed into the Apple AirPort, and from there I have my current LAN.
Intention is to replace the AirPort with the MT RB4011.

As mentioned in the original post, I have already tried to have the RB4011 connected to my ISP after having tested that I could get through from the 192.168.0.x LAN, but as soon as it got the public IP nothing was working - same as what is happening with the current double-NAT'ing.
If the double-NAT'ing was an issue, I would expect that I would see the same behaviour with the RB750Gr3, but that is behaving as expected, even with double NAT'ing (?).

Hope this helps clarify the issue I'm having.

Again, thank you for any help.
Attachment: Network - Test Setup.png
 
anav
Forum Guru
Posts: 19105
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port forwarding not working from Public IP ranges

Fri Apr 16, 2021 10:35 pm

Is the switch a managed switch or unmanaged (dumb)?
I would put the 4011 in place of the apple..........
It's like towing a 2020 land rover with a 2002 vw beetle.....
 
Floydian
just joined
Topic Author
Posts: 14
Joined: Tue Apr 13, 2021 2:18 pm

Re: Port forwarding not working from Public IP ranges

Fri Apr 16, 2021 11:53 pm

anav wrote:
Is the switch a managed switch or unmanaged (dumb)?
It's a managed switch, but currently used in "unmanaged" mode - no filtering implemented (yet).
anav wrote:
I would put the 4011 in place of the apple..........
It's like towing a 2020 land rover with a 2002 vw beetle.....
That is also the plan - just need to sort out this issue.
 
Floydian
just joined
Topic Author
Posts: 14
Joined: Tue Apr 13, 2021 2:18 pm

Re: Port forwarding not working from Public IP ranges

Sat Apr 17, 2021 12:11 pm

Did another test, removing both the Apple AirPort and switch out of the equation with the RB4011 connected directly to the Internet, with a public IP on the WAN, and same result.
Can see packets reach the NAT and Firewall rules, but there's no data being returned.

Found a few quirks in my configuration, which started causing issues as soon as there was no connection on the WAN port.
Noticed I had assigned same IP range to the MainBridge and the LAN_VLAN (10.1.0.x).
/ip address
add address=10.1.0.1/24 comment="Main bridge" interface=MainBridge network=10.1.0.0
add address=10.1.0.1/24 interface=LAN_VLAN network=10.1.0.0

/ip pool
add name=dhcp ranges=10.1.0.10-10.1.0.250
add name=LAN_POOL ranges=10.1.0.100-10.1.0.250

/ip dhcp-server network
add address=10.1.0.0/24 comment="LAN Network" dns-server=192.168.0.18 gateway=10.1.0.1
Thinking that could be the culprit I changed the VLAN range to 10.5.0.x which resolved some routing issues between the VLANs when having a public IP (or with no connection on the WAN port).
/ip address
add address=10.1.0.1/24 comment="Main bridge" interface=MainBridge network=10.1.0.0
add address=10.5.0.1/24 interface=LAN_VLAN network=10.5.0.0

/ip pool
add name=LAN_POOL ranges=10.5.0.100-10.5.0.250

/ip dhcp-server network
add address=10.5.0.0/24 comment="LAN Network" dns-server=192.168.0.18 gateway=10.5.0.1
However even with this change, I still can't get through RB4011 when coming from a public IP.
It still works when coming from an IP in the 192.168.0.x range.

The above discovery made me think that I'm missing some understanding on what happens between the Bridge and VLANs.
 
mkx
Forum Guru
Posts: 11439
Joined: Thu Mar 03, 2016 10:23 pm

Re: Port forwarding not working from Public IP ranges

Sat Apr 17, 2021 12:22 pm

When vlan-filtering=yes on bridge, it's a bit debatable whether untagged frames are actually passing bridge (the switch-like entity). Which means you have to follow one of the following:
  1. set pvid on bridge interface and use bridge interface as untagged (or hybrid) interface. If you don't set pvid explicitly, it'll use VID=1 (implicit default in ROS)
  2. better option IMO is to use bridge interface explicitly as trunk (all tagged) interface. In this case you have to use appropriate vlan interfaces for all uses. Also set bridge interface as tagged member of all vlans
Your latest configuration export (post from 2021-04-15) shows you're using bridge as hybrid interface but most member ports are using explicitly set pvids ...
 
Floydian
just joined
Topic Author
Posts: 14
Joined: Tue Apr 13, 2021 2:18 pm

Re: Port forwarding not working from Public IP ranges

Sat Apr 17, 2021 6:07 pm

@mkx Thank you for taking the time to look at this.

Think I'm getting closer to figuring out the culprit of my issues.
Watched the Mikrotik presentation on VLAN processing in New bridge implementation, and noticed their mention of the 4 bytes added to the IP Frame (https://youtu.be/ZMMpza-O7_w?t=684).

Those 4 bytes correspond to what I've noticed in the log file.
When my setup works (that is when I'm using the intermediate lan 192.168.0.x) I get the following entry in my logs.
[NAT8081] dstnat: in:outside out:(unknown 0), src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN), 192.168.0.20:59304->192.168.0.102:8081, len 64
[fw8081] forward: in:outside out:DMZ_VLAN, src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN), 192.168.0.20:59304->10.2.0.10:8081, NAT 192.168.0.20:59304->(192.168.0.102:8081->10.2.0.10:8081), len 64
When it's not working I see this (When connection comes directly from the Internet):
[NAT8081] dstnat: in:outside out:(unknown 0), src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN), 139.59.147.204:39312->192.168.0.102:8081, len 60
[fw8081] forward: in:outside out:DMZ_VLAN, src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN), 139.59.147.204:39312->10.2.0.10:8081, NAT 139.59.147.204:39312->(192.168.0.102:8081->10.2.0.10:8081), len 60
Am aware that the packages that come from the Internet connection will not contain a VLAN tag.

Then the question is how do I make it work when there's no VLAN tag.
Would your suggestions address this? Or am I staring myself blind looking at the wrong stuff?

I'm trying to wrap my mind around your suggestion b.
Could you provide some example of how to implement the "trunk (all tagged) interface" part.

As for the bridge being a tagged member of all VLANS, below is what I have in my current config.
/interface bridge vlan
add bridge=MainBridge tagged=MainBridge untagged=lan1,lan2,lan3,lan4,lan5 vlan-ids=10
add bridge=MainBridge tagged=MainBridge untagged=dmz1,dmz2 vlan-ids=20
add bridge=MainBridge tagged=MainBridge untagged=iot1 vlan-ids=30
add bridge=MainBridge tagged=MainBridge untagged=admin vlan-ids=99
Do I need to do something else to fulfil the "set bridge interface as tagged member of all vlans"?

Once again, thank you for taking your time to look at this.
 
mkx
Forum Guru
Posts: 11439
Joined: Thu Mar 03, 2016 10:23 pm

Re: Port forwarding not working from Public IP ranges

Sat Apr 17, 2021 6:47 pm

Make sure this line is gone:
/ip address
add address=10.1.0.1/24 comment="Main bridge" interface=MainBridge network=10.1.0.0

Then
/interface list member
add comment=defconf interface=MainBridge list=LAN
Interface LAN_VLAN should be member of LAN interface list rather than MainBridge.


BTW,
/ip firewall filter
add action=accept chain=input comment="Allow VLAN to router services" in-interface-list=VLAN
add action=accept chain=input comment="Allow Admin_VLAN Full Access" in-interface=ADM_VLAN
I don't see how these two treat different VLANs differently. You'll have to work on rules allowing access to router from VLANs (other than ADM_VLAN) only for certain services, not for all of them.
 
mkx
Forum Guru
Posts: 11439
Joined: Thu Mar 03, 2016 10:23 pm

Re: Port forwarding not working from Public IP ranges

Sat Apr 17, 2021 6:56 pm

Floydian wrote:
Those 4 bytes correspond to what I've noticed in the log file.
...
Am aware that the packages that come from the Internet connection will not contain a VLAN tag.
For your router, packets coming from 192.168.0.20 or from random internet host are just the same. They enter router through interface outside which expects untagged frames. So either your PC (192.168.0.20) is using VLAN tags (but how would it then access the internet if your current internet gateway works without VLAN tags) or the 4 bytes of difference are something else. And it's impossible to tell what it is without seeing traffic dump with full analysis of packets and headers.
 
Floydian
just joined
Topic Author
Posts: 14
Joined: Tue Apr 13, 2021 2:18 pm

Re: Port forwarding not working from Public IP ranges

Sat Apr 17, 2021 7:41 pm

mkx wrote:
Those 4 bytes correspond to what I've noticed in the log file.
...
Am aware that the packages that come from the Internet connection will not contain a VLAN tag.
For your router, packets coming from 192.168.0.20 or from random internet host are just the same. They enter router through interface outside which expects untagged frames. So either your PC (192.168.0.20) is using VLAN tags (but how would it then access the internet if your current internet gateway works without VLAN tags) or the 4 bytes of difference are something else. And it's impossible to tell what it is without seeing traffic dump with full analysis of packets and headers.
It was just a guess as to what could be causing the problem.
I tried to create a "fake" internet with the following setup, which also appears to rule out that the 4 bytes difference should be the issue.
Attachment: Network - Test Setup v2.png
Giving the network on the "outside" interface of my RB4011 a public IP, gave the same result as when connected to the real internet - not possible to get through to the the server behind the RB4011.
However giving the network a "private" IP, this case in the 192.168.10.x range, allowed data through.
In both scenarios I can see data hit both the firewall and nat rules on the RB4011.

So there's clearly some internal routing on the RB4011 being messed up as soon as the connection is not coming from a private IP range.

Have also just tried to follow your suggestions for "/IP address" and "/interface list member", though that still hasn't made a change.
Removing the "MainBridge" from the "/IP address" gave me a new entry in the config:
/interface detect-internet
set detect-interface-list=static
Now when I look at the "Quick Set" page in the webadmin "IP address" for Local Network is shown in red with the ip 0.0.0.0.

Below is the config as it looks at the moment. (Am aware of the double "firewall filters" you mentioned.)
# apr/17/2021 17:16:10 by RouterOS 6.48
# software id = IJJI-4YGG
#
# model = RB4011iGS+
# serial number =
/interface bridge
add admin-mac=xx:xx:xx:xx:xx:xx auto-mac=no comment="Main Bridge" name=\
    MainBridge protocol-mode=none vlan-filtering=yes
/interface ethernet
set [ find default-name=ether2 ] name=admin
set [ find default-name=ether3 ] name=dmz1
set [ find default-name=ether4 ] name=dmz2
set [ find default-name=ether5 ] name=iot1
set [ find default-name=ether6 ] name=lan1
set [ find default-name=ether7 ] name=lan2
set [ find default-name=ether8 ] name=lan3
set [ find default-name=ether9 ] name=lan4
set [ find default-name=ether10 ] name=lan5 poe-out=off
set [ find default-name=ether1 ] name=outside
/interface vlan
add interface=MainBridge name=ADM_VLAN vlan-id=99
add interface=MainBridge name=DMZ_VLAN vlan-id=20
add interface=MainBridge name=IOT_VLAN vlan-id=30
add interface=MainBridge name=LAN_VLAN vlan-id=10
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=VLAN
add name=ADMIN
add name=IOT
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=10.1.0.10-10.1.0.250
add name=LAN_POOL ranges=10.5.0.100-10.5.0.250
add name=DMZ_POOL ranges=10.2.0.100-10.2.0.250
add name=IOT_POOL ranges=10.3.0.100-10.3.0.250
add name=ADM_POOL ranges=10.4.0.100-10.4.0.250
/ip dhcp-server
add address-pool=dhcp disabled=no interface=MainBridge name=MB_DHCP
add address-pool=LAN_POOL disabled=no interface=LAN_VLAN name=LAN_DHCP
add address-pool=DMZ_POOL disabled=no interface=DMZ_VLAN name=DMZ_DHCP
add address-pool=IOT_POOL disabled=no interface=IOT_VLAN name=IOT_DHCP
add address-pool=ADM_POOL disabled=no interface=ADM_VLAN name=ADM_DHCP
/interface bridge port
add bridge=MainBridge comment=ADM frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    admin pvid=99
add bridge=MainBridge comment="DMZ 1" frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    dmz1 pvid=20
add bridge=MainBridge comment="DMZ 2" frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    dmz2 pvid=20
add bridge=MainBridge comment="IOT 1" frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    iot1 pvid=30
add bridge=MainBridge comment="LAN 1" frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    lan1 pvid=10
add bridge=MainBridge comment="LAN 2" frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    lan2 pvid=10
add bridge=MainBridge comment="LAN 3" frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    lan3 pvid=10
add bridge=MainBridge comment="LAN 4" frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    lan4 pvid=10
add bridge=MainBridge comment="LAN 5" frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    lan5 pvid=10
add bridge=MainBridge comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=ADMIN
/interface bridge vlan
add bridge=MainBridge tagged=MainBridge untagged=lan1,lan2,lan3,lan4,lan5 \
    vlan-ids=10
add bridge=MainBridge tagged=MainBridge untagged=dmz1,dmz2 vlan-ids=20
add bridge=MainBridge tagged=MainBridge untagged=iot1 vlan-ids=30
add bridge=MainBridge tagged=MainBridge untagged=admin vlan-ids=99
/interface detect-internet
set detect-interface-list=static
/interface list member
add comment=defconf interface=outside list=WAN
add interface=ADM_VLAN list=ADMIN
add interface=DMZ_VLAN list=VLAN
add interface=IOT_VLAN list=VLAN
add interface=LAN_VLAN list=VLAN
add interface=ADM_VLAN list=VLAN
add interface=LAN_VLAN list=LAN
add interface=DMZ_VLAN list=LAN
/ip address
add address=10.4.0.1/24 interface=ADM_VLAN network=10.4.0.0
add address=10.5.0.1/24 interface=LAN_VLAN network=10.5.0.0
add address=10.2.0.1/24 interface=DMZ_VLAN network=10.2.0.0
add address=10.3.0.1/24 interface=IOT_VLAN network=10.3.0.0
/ip dhcp-client
add comment=defconf disabled=no interface=outside
/ip dhcp-server network
add address=10.2.0.0/24 comment="DMZ Network" dns-server=192.168.0.18 \
    gateway=10.2.0.1
add address=10.3.0.0/24 comment="IOT Network" dns-server=192.168.0.18 \
    gateway=10.3.0.1
add address=10.4.0.0/24 comment="ADM Network" dns-server=192.168.0.18 \
    gateway=10.4.0.1
add address=10.5.0.0/24 comment="LAN Network" dns-server=192.168.0.18 \
    gateway=10.5.0.1
/ip dns
set allow-remote-requests=yes servers=192.168.0.18,192.168.0.20
/ip dns static
add address=10.1.0.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "Accept established,related & untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="Drop invalid" connection-state=invalid
add action=accept chain=input comment="Allow VLAN to router services" \
    in-interface-list=VLAN
add action=accept chain=input comment="Allow Admin_VLAN Full Access" \
    in-interface=ADM_VLAN
add action=accept chain=input comment="Accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "Accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="Drop everything else"
add action=accept chain=forward comment="HTTP 8081" dst-address=10.2.0.10 \
    dst-port=8081 in-interface-list=WAN log=yes log-prefix="[fw8081]" \
    protocol=tcp
add action=accept chain=forward dst-port=8081 in-interface-list=VLAN \
    protocol=tcp
add action=accept chain=forward comment="Accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="Accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="Fasttrack Forward" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "Accept established, related & untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment="VLAN Internet Access only" \
    connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment="Allow Port Forwarding" \
    connection-nat-state=dstnat connection-state=new in-interface-list=WAN \
    log=yes log-prefix="[fw dstnat]"
add action=drop chain=forward comment="Drop invalid forward" log-prefix=\
    "[invfwd]"
add action=drop chain=forward comment="Drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="Default masquerade" \
    out-interface-list=WAN
add action=dst-nat chain=dstnat comment="NAT test" dst-address=192.168.0.102 \
    dst-port=8081 log=yes log-prefix="[NAT8081]" protocol=tcp to-addresses=\
    10.2.0.10 to-ports=8081
add action=dst-nat chain=dstnat dst-address=84.x.x.x dst-port=8081 \
    protocol=tcp to-addresses=10.2.0.10
/system clock
set time-zone-name=Europe/Copenhagen
/system identity
set name=fldMTRB4011
/tool mac-server
set allowed-interface-list=ADMIN
/tool mac-server mac-winbox
set allowed-interface-list=ADMIN
 
mkx
Forum Guru
Posts: 11439
Joined: Thu Mar 03, 2016 10:23 pm

Re: Port forwarding not working from Public IP ranges

Sat Apr 17, 2021 8:29 pm

Now when I look at the "Quick Set" page in the webadmin "IP address" for Local Network is shown in red with the ip 0.0.0.0.

After you start configuring things outside Quickset, never ever use it again. At best it'll display misleading information, at worst it'll mess with configuration in some random ways.
 
Floydian
just joined
Topic Author
Posts: 14
Joined: Tue Apr 13, 2021 2:18 pm

Re: Port forwarding not working from Public IP ranges

Sat Apr 17, 2021 8:49 pm

Now when I look at the "Quick Set" page in the webadmin "IP address" for Local Network is shown in red with the ip 0.0.0.0.

After you start configuring things outside Quickset, never ever use it again. At best it'll display misleading information, at worst it'll mess with configuration in some random ways.
Didn't intend to use the quick set, just observed this behaviour.
 
mkx
Forum Guru
Posts: 11439
Joined: Thu Mar 03, 2016 10:23 pm

Re: Port forwarding not working from Public IP ranges

Sun Apr 18, 2021 11:05 am

I'm out of ideas as to what prevents your setup from performing correctly. There were cases where a seemingly correct config did not work right and the solution was a factory reset, followed by application of the very same config. It seems that sometimes there's some configuration buried somewhere and not shown in the UI.
If I were in your place, I'd export current config (the text version), reset RB4011 with no config, use winbox MAC connection and set things up again, step by step. And verify proper operation as soon as possible without too much config in place just in case some settings actually break things.
 
Floydian
just joined
Topic Author
Posts: 14
Joined: Tue Apr 13, 2021 2:18 pm

Re: Port forwarding not working from Public IP ranges

Sun Apr 18, 2021 3:22 pm

I'm out of ideas as to what prevents your setup from performing correctly. There were cases where a seemingly correct config did not work right and the solution was a factory reset, followed by application of the very same config. It seems that sometimes there's some configuration buried somewhere and not shown in the UI.
If I were in your place, I'd export current config (the text version), reset RB4011 with no config, use winbox MAC connection and set things up again, step by step. And verify proper operation as soon as possible without too much config in place just in case some settings actually break things.
On one hand I had hoped that I had missed something obvious in my config, on the other hand I'm happy that what I've made so far hasn't made a complete fool of me.

Since my similar setup on the RB750 is working, I also have a feeling that something is stuck somewhere in the software, so I'll take your suggestion to start from scratch and maybe try with a much simpler setup, just to see that I can get data through from a public IP.

Once again, thank you very much for taking your time to have a look at this. It's highly appreciated.
 
anav
Forum Guru
Posts: 19105
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Port forwarding not working from Public IP ranges

Sun Apr 18, 2021 9:00 pm

Yup time to reload the firmware!
 
Floydian
just joined
Topic Author
Posts: 14
Joined: Tue Apr 13, 2021 2:18 pm

Re: Port forwarding not working from Public IP ranges

Tue Apr 20, 2021 8:45 pm

Just a short update from here.

A reset and a step-by-step implementation of my configuration via WinBox/terminal so far appears to be working.
Will need to do some more testing, but so far I can get through from the Internet to my server behind the RB4011, so NAT and routing are currently working as intended.

Once again, thank you @mkx & @anav for your assistance.
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Port forwarding not working from Public IP ranges

Tue Apr 20, 2021 9:47 pm

It seems that sometimes there's some configuration buried somewhere and not shown in the UI.
Not shown in the configuration export as well?
How is that actually possible?
 
mkx
Forum Guru
Posts: 11439
Joined: Thu Mar 03, 2016 10:23 pm

Re: Port forwarding not working from Public IP ranges

Tue Apr 20, 2021 11:19 pm

It seems that sometimes there's some configuration buried somewhere and not shown in the UI.
Not shown in the configuration export as well?
How is that actually possible?
I've never experienced such a case myself and I've no idea how the configuration shown in the UI (any of them) correlates to the actual configuration. But there were cases (MT confirmed) where there were some exploits which couldn't be eradicated simply by clearing the (apparent) configuration.

Think like this: it's known that firewall filter rules in ROS are a sort of UI for linux kernel iptables. Who knows what UI does when printing or exporting rules, could be that some rules actually configured in device's iptables are not shown (because de-compiler skips them for some reason)? Or that rules shown are not actual rules running but rather some list stored in device's file system which ideally would be in sync with running setup but could get out of sync for some reason? With ROS closed in a black-box it's impossible to tell ...
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Port forwarding not working from Public IP ranges

Tue Apr 20, 2021 11:35 pm

Ok @mkx.. I see...
 
Floydian
just joined
Topic Author
Posts: 14
Joined: Tue Apr 13, 2021 2:18 pm

Re: Port forwarding not working from Public IP ranges

Thu Apr 22, 2021 7:10 pm

Well, I celebrated too soon.

Got everything working (or so I thought), but as soon as I connected directly to the Internet, everything started messing up again, and data simply won't get through.

Have been scratching my head, trying to figure out what is actually going on.
Have reverted to the test setup below, where I'm creating a "public IP" on the outside of the RB4011, which causes my configuration to fail.
Network - Test Setup v2.png
As soon as the IP on the outside of the RB4011 is changed to an IP in the private range, everything works.

Have tried to read up on documentation, but not been able to find something which addresses what I'm trying to do.

The basic purpose of my setup is to create a DMZ for my mail & web servers, by placing them in a separate network (VLAN), and then direct traffic from the outside, through nat & firewall to the servers.
Again this works when the outside IP is a "private" IP, but not when it's public, which simply doesn't make sense to me, since all my IPs on the inside are in the 10.x.x.x ranges, while the IPs I use on the outside are in the 192.168.x.x (private) or 84.x.x.x (public) ranges, with the latter not working.

Have tried to reset several times, downgraded firmware, upgraded firmware and recreated the setup using WinBox and using SSH, in various combinations.

My latest attempt was to add ether10 to the WAN to try another physical port, but same result.

Still see both my nat rule and firewall rule being hit, but data is simply not returned to the client, when I use a public IP on the outside.
Is there a way to track the data going through the router, to see where it's getting stuck when it's not working?
Have enabled logging on all the "drop" rules in the firewall, but they are not being hit when I test the connection.

Could this be a hardware fault?
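There is, and the pieces are already in the config posted in this thread. The following is an added example, not Floydian's or anyone else's commands from the thread: it traces one forwarded connection through the RB4011 stage by stage. The interface names (outside, DMZ_VLAN) and the server 10.2.0.10:80 are taken from the posted config; the client address in the last step is a placeholder.

```routeros
# Added example (not from the thread). Run these on the RB4011 while the
# outside client repeats its curl request.

# 1. Connection tracking: after a successful dst-nat the entry's
#    reply-src-address is the internal server, not the router's WAN
#    address. A matching entry proves the NAT happened; its packet and
#    byte counters in the reply direction show whether the server answered.
/ip firewall connection print detail where reply-src-address~"10.2.0.10"

# 2. Per-rule packet counters. Together with the drop rules logging
#    nothing (as reported above), hits on the accept rules but no data
#    at the client point at the return path, not at the filter.
/ip firewall nat print stats
/ip firewall filter print stats where chain=forward

# 3. Watch both sides of the router at once (two terminal sessions):
#    the SYN must show up on outside and again on DMZ_VLAN, and the
#    server's SYN/ACK must come back on DMZ_VLAN and leave on outside.
#    Where the SYN/ACK stops is where the fault is.
/tool sniffer quick interface=outside port=80
/tool sniffer quick interface=DMZ_VLAN port=80

# 4. The reply has to be routable back to the client. A public client
#    address is only reachable via the default route learned by the
#    dhcp-client on outside, so confirm that route is present and active.
/ip route print where dst-address=0.0.0.0/0
```

Two caveats for reading the output: with the fasttrack rule in place only the first packets of a connection pass the filter, so low counters on the established/related rules are expected and say nothing about the fault; and the sniffer sees every frame on the interface regardless of firewall rules, which is what makes step 3 the decisive one. The posted config already has the file-based sniffer configured (/tool sniffer with a .pcap file name and filter-port=http), so /tool sniffer start and /tool sniffer stop give the same view as a capture that can be opened on a PC.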
 
anav
Forum Guru
Posts: 19105
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Port forwarding not working from Public IP ranges

Thu Apr 22, 2021 10:17 pm

Please post your latest config on router and on RB4011.
 
Floydian
just joined
Topic Author
Posts: 14
Joined: Tue Apr 13, 2021 2:18 pm

Re: Port forwarding not working from Public IP ranges

Fri Apr 23, 2021 12:47 am

Here are the latest config files from the RB4011 and the RB750.

Currently RB4011 is configured with ether1 and ether10 being part of the "WAN" group, which was done just for testing if another physical port would solve the issue.

Doing the testing of "private" vs. "public" IPs, the setup is as follows.
ether3 ("dmz2") on the RB750 is connected to ether1 ("outside") (or ether10) on the RB4011.
ether2 ("dmz1") on the RB750 is connected to the PC I use for testing access, doing a "curl http://[ip of RB4011]:80" to fetch a simple HTML page on the PC with the private IP 10.2.0.10 in the DMZ_VLAN on the RB4011.

To make the switch between "public" and "private" IPs on the RB750 I have created the following.
Two DHCP pools:
/ip pool
add name=DMZ_POOL ranges=84.238.109.10-84.238.109.250
add name=DMZ1_pool ranges=192.168.10.10-192.168.10.250
two IP addresses:
/ip address
add address=84.238.109.1/24 disabled=no interface=DMZ_VLAN network=84.238.109.0
add address=192.168.10.1/24 disabled=yes interface=DMZ_VLAN network=192.168.10.0
and two DHCP networks:
/ip dhcp-server network
add address=84.238.109.0/24 comment="DMZ Network" dns-server=8.8.8.8 gateway=84.238.109.1
add address=192.168.10.0/24 comment="DMZ Network1" dns-server=8.8.8.8 gateway=192.168.10.1
So I simply switch between the two setups on the DHCP server on the RB750, and renew IP addresses on the RB4011 and the PC, to get either the public IP or private IP, before running the curl command to try to fetch the data.

Below is the current RB4011 config (also attached):
# apr/22/2021 17:54:01 by RouterOS 6.48.2
# software id = IJJI-4YGG
#
# model = RB4011iGS+
# serial number = 
/interface bridge
add name=MainBridge protocol-mode=none vlan-filtering=yes
/interface ethernet
set [ find default-name=ether2 ] name=admin
set [ find default-name=ether3 ] name=dmz1
set [ find default-name=ether4 ] name=dmz2
set [ find default-name=ether5 ] name=iot1
set [ find default-name=ether6 ] name=lan1
set [ find default-name=ether7 ] name=lan2
set [ find default-name=ether8 ] name=lan3
set [ find default-name=ether9 ] name=lan4
set [ find default-name=ether1 ] mac-address=xx:xx:xx:xx:xx:xx name=outside
set [ find default-name=ether10 ] name=wan2 poe-out=off
/interface vlan
add interface=MainBridge name=ADM_VLAN vlan-id=99
add interface=MainBridge name=DMZ_VLAN vlan-id=20
add interface=MainBridge name=IOT_VLAN vlan-id=30
add interface=MainBridge name=LAN_VLAN vlan-id=50
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add name=WAN
add name=LAN
add name=VLAN
add name=ADMIN
add name=IOT
add name=DMZ
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=LAN_POOL ranges=10.5.0.100-10.5.0.250
add name=DMZ_POOL ranges=10.2.0.100-10.2.0.250
add name=IOT_POOL ranges=10.3.0.100-10.3.0.250
add name=ADM_POOL ranges=10.4.0.100-10.4.0.250
/ip dhcp-server
add address-pool=LAN_POOL disabled=no interface=LAN_VLAN name=LAN_DHCP
add address-pool=DMZ_POOL disabled=no interface=DMZ_VLAN name=DMZ_DHCP
add address-pool=IOT_POOL disabled=no interface=IOT_VLAN name=IOT_DHCP
add address-pool=ADM_POOL disabled=no interface=admin name=ADM_DHCP
/interface bridge port
add bridge=MainBridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=dmz1 pvid=20
add bridge=MainBridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=dmz2 pvid=20
add bridge=MainBridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=iot1 pvid=30
add bridge=MainBridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=lan1 pvid=50
add bridge=MainBridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=lan2 pvid=50
add bridge=MainBridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=lan3 pvid=50
add bridge=MainBridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=lan4 pvid=50
/ip neighbor discovery-settings
set discover-interface-list=ADMIN
/interface bridge vlan
add bridge=MainBridge tagged=MainBridge untagged=dmz1,dmz2 vlan-ids=20
add bridge=MainBridge tagged=MainBridge untagged=iot1 vlan-ids=30
add bridge=MainBridge tagged=MainBridge untagged=lan1,lan2,lan3,lan4 \
    vlan-ids=50
/interface detect-internet
set internet-interface-list=WAN lan-interface-list=LAN wan-interface-list=WAN
/interface list member
add interface=outside list=WAN
add interface=ADM_VLAN list=ADMIN
add interface=DMZ_VLAN list=VLAN
add interface=IOT_VLAN list=VLAN
add interface=LAN_VLAN list=VLAN
add interface=LAN_VLAN list=LAN
add interface=DMZ_VLAN list=LAN
add interface=IOT_VLAN list=LAN
add interface=ADM_VLAN list=LAN
add interface=wan2 list=WAN
/ip address
add address=10.5.0.1/24 interface=LAN_VLAN network=10.5.0.0
add address=10.4.0.1/24 interface=ADM_VLAN network=10.4.0.0
add address=10.3.0.1/24 interface=IOT_VLAN network=10.3.0.0
add address=10.2.0.1/24 interface=DMZ_VLAN network=10.2.0.0
/ip dhcp-client
add disabled=no interface=outside
add disabled=no interface=wan2
/ip dhcp-server network
add address=10.2.0.0/24 comment="DMZ Network" dns-server=192.168.0.18 \
    gateway=10.2.0.1
add address=10.3.0.0/24 comment="IOT Network" dns-server=192.168.0.18 \
    gateway=10.3.0.1
add address=10.4.0.0/24 comment="ADM Network" dns-server=192.168.0.18 \
    gateway=10.4.0.1
add address=10.5.0.0/24 comment="LAN Network" dns-server=192.168.0.18 \
    gateway=10.5.0.1
/ip firewall filter
add action=accept chain=input comment=\
    "Accept established, related & untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="Drop invalid input" connection-state=\
    invalid
add action=accept chain=input comment="Allow Admin_VLAN full access" \
    in-interface=ADM_VLAN
add action=accept chain=input comment="Allow access on admin port" \
    in-interface=admin
add action=accept chain=input comment="Accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "Accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="Drop everything else"
add action=fasttrack-connection chain=forward comment="Fasttrack Forward" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "Accept established, related & untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="Drop invalid forward" \
    connection-state=invalid
add action=accept chain=forward comment="DNS to DMZ (udp)" dst-port=53 \
    in-interface-list=VLAN out-interface=DMZ_VLAN protocol=udp
add action=accept chain=forward comment="DNS to DMZ (tcp)" dst-port=53 \
    in-interface-list=VLAN out-interface=DMZ_VLAN protocol=tcp
add action=accept chain=forward comment="HTTP 80" dst-address=10.2.0.10 \
    dst-port=80 in-interface-list=WAN log=yes log-prefix="(fw80)" protocol=\
    tcp
add action=accept chain=forward comment="HTTPS 443" dst-address=10.2.0.10 \
    dst-port=443 in-interface-list=WAN protocol=tcp
add action=accept chain=forward comment="Accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="Accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=drop chain=forward comment="Drop invalid forward" log-prefix=\
    "(invfwd)"
/ip firewall nat
add action=masquerade chain=srcnat comment="Default masquerade" \
    out-interface-list=WAN
add action=dst-nat chain=dstnat comment="HTTP 80" dst-port=80 \
    in-interface-list=WAN log=yes log-prefix="(nat80)" protocol=tcp \
    to-addresses=10.2.0.10
add action=dst-nat chain=dstnat comment="HTTPS 443" dst-port=443 \
    in-interface-list=WAN protocol=tcp to-addresses=10.2.0.10
/system clock
set time-zone-autodetect=no time-zone-name=UTC
/system identity
set name=fldMTRB4011
/tool bandwidth-server
set enabled=no
/tool sniffer
set file-name=20210422_port80_3.pcap filter-port=http
 
anav
Forum Guru
Posts: 19105
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Port forwarding not working from Public IP ranges

Fri Apr 23, 2021 1:05 am

Well, that's your problem: you have to decide which router is doing the routing.
Why not just dump the RB750 and run everything from the RB4011?

If for some reason you need a switch at any spot in the setup then setup the RB750 as a Switch using ROS.
Basically just run a bridge on the switch, identify the VLANs and set up the bridge ports and bridge VLANs, and that's basically it.
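What that looks like in practice, as an added example that is not anav's or Floydian's configuration: the RB750 as a VLAN-aware switch only, with no IP routing and no NAT. ether1 is assumed to be the trunk toward the RB4011 and ether2/ether3 the access ports; VLAN IDs 20 (DMZ) and 50 (LAN) follow the RB4011 config posted in this thread, and VLAN 99 with the 10.4.0.x address reuses the posted ADM_VLAN numbering as an assumed management VLAN so the switch stays reachable by IP and not only by MAC.

```routeros
# Added example (not from the thread): RB750 as a plain VLAN switch.
# Port roles and the management VLAN are assumptions; VLAN IDs 20, 50
# and 99 match the RB4011 config posted in this thread.
/interface bridge
add name=bridge1 protocol-mode=none
/interface bridge port
add bridge=bridge1 comment="trunk to RB4011" frame-types=\
    admit-only-vlan-tagged ingress-filtering=yes interface=ether1
add bridge=bridge1 comment="DMZ access" frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes \
    interface=ether2 pvid=20
add bridge=bridge1 comment="LAN access" frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes \
    interface=ether3 pvid=50
/interface bridge vlan
add bridge=bridge1 tagged=ether1 untagged=ether2 vlan-ids=20
add bridge=bridge1 tagged=ether1 untagged=ether3 vlan-ids=50
add bridge=bridge1 tagged=ether1,bridge1 vlan-ids=99
# Management address lives on the tagged management VLAN only.
/interface vlan
add interface=bridge1 name=MGMT_VLAN vlan-id=99
/ip address
add address=10.4.0.2/24 interface=MGMT_VLAN network=10.4.0.0
# Switch VLAN filtering on last, once ports and the VLAN table are in
# place, so the management path is never cut mid-configuration.
/interface bridge
set bridge1 vlan-filtering=yes
```

Note that the RB4011 config posted in this thread has only access ports on its bridge (each with a pvid and admit-only-untagged frame-types); for this trunk to work, the RB4011 port it connects to must carry VLANs 20, 50 and 99 tagged, i.e. appear in the tagged= list of the corresponding /interface bridge vlan entries there.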
 
Floydian
just joined
Topic Author
Posts: 14
Joined: Tue Apr 13, 2021 2:18 pm

Re: Port forwarding not working from Public IP ranges

Fri Apr 23, 2021 1:17 am

Well, that's your problem: you have to decide which router is doing the routing.
Why not just dump the RB750 and run everything from the RB4011?

If for some reason you need a switch at any spot in the setup then setup the RB750 as a Switch using ROS.
Basically just run a bridge on the switch, identify the VLANs and set up the bridge ports and bridge VLANs, and that's basically it.
This is only to test the setup.
The RB750 will be nowhere near the setup once I've confirmed everything is working, but as long as everything fails on the RB4011 as soon as it sees a public IP on the outside, I need a way to test and confirm, before replacing my existing setup.
This setup recreates the issue I see when connecting the RB4011 directly to my Internet provider.
 
2frogs
Forum Veteran
Posts: 713
Joined: Fri Dec 03, 2010 1:38 am

Re: Port forwarding not working from Public IP ranges  [SOLVED]

Fri Apr 23, 2021 1:28 am

You should do a netinstall instead of just a reset. There sometimes is weirdness that can't be fixed with a reset or upgrade/downgrade.
 
Floydian
just joined
Topic Author
Posts: 14
Joined: Tue Apr 13, 2021 2:18 pm

Re: Port forwarding not working from Public IP ranges

Fri Apr 23, 2021 10:47 pm

You should do a netinstall instead of just a reset. There sometimes is weirdness that can't be fixed with a reset or upgrade/downgrade.
Have done a netinstall as suggested, and for now all appears to be working as intended.

Once again thanks for all your inputs on this.
