Community discussions

MikroTik App
 
netgus
just joined
Topic Author
Posts: 7
Joined: Fri Jan 27, 2012 2:01 pm

DSTNAT doesn't opening port

Thu Apr 22, 2021 11:49 pm

Hello to all

Newbie in Mikrotik, to make me a little bit the hand, I setup a quick lab where I want to make a LAN base conf (no problem),
a source nat (masquerade) to go out on Internet, and publish a service from Internet to internal.
And now, I'm stuck on destination NAT, probably for a problem of understanding on my part. I made a simple NAT rule:
chain = dstnat
In.Interface.list = WAN (DHCP/ether1)
protocol = 6
Dst.port = 443
action = dstnat
to address = x.x.x.x (IP in the same subnet as the Mikrotik router)
to port = 443

Where I'm a bit confused, and mostly because it doesn't work, is if you should make a FW (forward) rule or not.
# apr/22/2021 16:40:38 by RouterOS 6.47.8
# software id = S171-9SQD
#
# model = 2011UAS-2HnD
# serial number = 3F0702E51D4B
/interface wireless
set [ find default-name=wlan1 ] disabled=no mode=ap-bridge ssid=Margotte wireless-protocol=802.11
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
/ip address
add address=192.168.60.2/30 interface=ether2 network=192.168.60.0
/ip dhcp-client
add disabled=no interface=ether1
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=443 in-interface-list=WAN log=yes protocol=tcp to-addresses=192.168.60.1 \
    to-ports=443
I guess this point has already been discussed in this forum, but my research gave me a lot of feedback and I didn't find anything clear for me.

Thanks for your help.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 6927
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: DSTNAT doesn't opening port

Fri Apr 23, 2021 1:01 am

If you had the default set of firewall rules, A MUST for any internet facing device, one of the forward chain rules contains the means to allow port forwarding traffic.
A clearer rule to use in the lab environment would be

/ip firewall filter
add chain=forward action=accept comment="allow port forwarding" in-interface-list=WAN \
connection-state=new connection-nat-state=dstnat
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
netgus
just joined
Topic Author
Posts: 7
Joined: Fri Jan 27, 2012 2:01 pm

Re: DSTNAT doesn't opening port

Fri Apr 23, 2021 2:16 am

Thank you for your feedback

I followed your instructions, but unfortunately it still doesn't work. I have tried several scenarios. Without success.
# apr/22/2021 19:01:35 by RouterOS 6.47.8
# software id = S171-9SQD
#
# model = 2011UAS-2HnD
# serial number = 3F0702E51D4B
/interface wireless
set [ find default-name=wlan1 ] disabled=no mode=ap-bridge ssid=Margotte wireless-protocol=802.11
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
/ip address
add address=192.168.60.2/30 interface=ether2 network=192.168.60.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add disabled=no interface=ether1
/ip firewall filter
add action=accept chain=input comment="Allow ICMP" protocol=icmp
add action=accept chain=forward comment="Allow port forwarding" connection-nat-state=dstnat connection-state=new \
    in-interface-list=WAN
add action=drop chain=input comment="Drop everything that is not LAN" in-interface-list=!LAN
/ip firewall nat
add action=dst-nat chain=dstnat comment="Allow DSTNAT for 192.168.60.1 on the port 443" dst-port=443 \
    in-interface-list=WAN log=yes protocol=tcp to-addresses=192.168.60.1 to-ports=443
add action=dst-nat chain=dstnat comment="Allow DSTNAT for 192.168.100.70 on the port 80" dst-port=80 \
    in-interface-list=WAN protocol=tcp to-addresses=192.168.100.70 to-ports=80
add action=masquerade chain=srcnat comment="Allow SRCNAT traffic to Internet" out-interface-list=WAN
/ip route
add disabled=yes distance=1 gateway=192.168.111.1
add distance=1 dst-address=192.168.100.0/24 gateway=192.168.60.1
/lcd interface pages
set 0 interfaces=sfp1,ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10
I'm able to ping the interfaces.
I use the Curl to validate that the port openings are functional. The result is the same with port 443.

I have rebooted the router. I did a "/system reset-configuration".
Everything seems to work except the DSTNAT.
curl -vk http://192.168.111.114
* Rebuilt URL to: http://192.168.111.114/
*   Trying 192.168.111.114...
* TCP_NODELAY set
* Connection failed
* connect to 192.168.111.114 port 80 failed: Operation timed out
* Failed to connect to 192.168.111.114 port 80: Operation timed out
* Closing connection 0
curl: (7) Failed to connect to 192.168.111.114 port 80: Operation timed out
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 6927
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: DSTNAT doesn't opening port

Fri Apr 23, 2021 3:41 am

(1) This seems non-standard
/ip address
add address=192.168.60.2/30 interface=ether2 network=192.168.60.0

TO
/ip address
add address=192.168.60.1/24 interface=ether2 network=192.168.60.0

(2) where is dhcp server, ip pool, dhcp-server-network ???
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
netgus
just joined
Topic Author
Posts: 7
Joined: Fri Jan 27, 2012 2:01 pm

Re: DSTNAT doesn't opening port

Fri Apr 23, 2021 5:16 am

The interface is just in /30 (subnetting). I put it in /24, but it doesn't change anything.

In my lab, I don't need a DHCP server.
I put the RouterOS v6.48.2 (stable) version too
/ip address
add address=192.168.60.2/24 interface=ether2 network=192.168.60.0
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 6927
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: DSTNAT doesn't opening port

Fri Apr 23, 2021 3:42 pm

lab network diagram??
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
2frogs
Long time Member
Long time Member
Posts: 652
Joined: Fri Dec 03, 2010 1:38 am

Re: DSTNAT doesn't opening port

Fri Apr 23, 2021 4:22 pm

When testing for the ports to be open, are you testing from a device on the WAN side or the server on LAN? Your NAT rule only allows from the WAN. I see no error with your NAT rules. As far Filter rules, the default state (without rules) is to accept. Your original configuration was not block the NAT.

If you was testing from WAN, I would suggest the issue is with the configuration of the server. A firewall on the server or an IP configuration error. You should move that ether to a bridge and add a second port to connect a device to test to it's LAN IP.
 
netgus
just joined
Topic Author
Posts: 7
Joined: Fri Jan 27, 2012 2:01 pm

Re: DSTNAT doesn't opening port

Fri Apr 23, 2021 4:29 pm

Here it is, I hope it will be clearer
test (1).png
You do not have the required permissions to view the files attached to this post.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 6927
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: DSTNAT doesn't opening port

Fri Apr 23, 2021 4:39 pm

Well you have the cisco router in between so does that forward the port to the WANIP of the MIkrotik ROuter (the LANIP on the cisco private subnet).
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
User avatar
karlisi
Member
Member
Posts: 360
Joined: Mon May 31, 2004 8:09 am
Location: Latvia

Re: DSTNAT doesn't opening port

Mon Apr 26, 2021 11:28 am

curl test from 192.168.60.0/24 or /30 network works?
---
Karlis

Who is online

Users browsing this forum: Bing [Bot], jvzg545cr and 42 guests