Pilgrim
Member Candidate
Topic Author
Posts: 265
Joined: Sun Mar 30, 2008 1:04 pm

Port mapping issue (Solved)

Sat Jan 30, 2016 5:18 pm

Hi

Please could someone point me in the right direction. I have a normal home router setup on a RB750. Everything is working fine, but I can't get the port mapping to work. Normal port forward works fine using dstnat, but if I want to forward e.g. port 8080 (WAN side) to port 80 (LAN side), this I can't get to work. I can see on the firewall that the initial contact from the WAN side translates fine to port 80 on the LAN side, but then communication stops. I figure that the return traffic gets lost and I don't know what rule to apply for the return traffic.

Do I need to mangle the connection / packet? Is this the right way to make the port forward with port translation work?

Thanks in advance.
Last edited by Pilgrim on Sat Jan 30, 2016 8:54 pm, edited 1 time in total.
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: Port mapping issue

Sat Jan 30, 2016 5:46 pm

There's no need to map the return path because the NAT engine creates a state table as packets flow through the router. This table is checked before any of your rules, and it will show the router how to un-map the reply packets automatically.

Probably the problem is in the filter rules. If you have a default deny policy in the forward chain, you have to allow the traffic of the port-map through. It can trick newbies because the forward rule is checked AFTER the dst-nat happens - so your test would need to match the internal IP of the web server and would need to match dst-port=80 (not 8080)

A slick way to do this, though, would be to use this rule:
/ip firewall filter add chain=forward connection-nat-state=dstnat

This rule allows any packet that has been the subject of a dstnat rule, regardless of the IP addresses and ports being used. It's convenient because now you can simply create any port maps you like and never have to remember to go add rules to allow them in the filter table. Plus - your firewall stays lean and mean and only has 1 rule to check against all of your port maps, and not some growing list of things it should allow.
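
The ordering described in the reply above, written out as a RouterOS configuration (an added example, not part of the original posts). The interface name ether1, the server address 192.168.88.10 and the default-deny rule are constructed assumptions.

```routeros
# Constructed values: ether1 = WAN interface, 192.168.88.10 = LAN web server.
/ip firewall nat
add chain=dstnat action=dst-nat in-interface=ether1 protocol=tcp dst-port=8080 \
    to-addresses=192.168.88.10 to-ports=80 comment="WAN:8080 -> web server:80"

/ip firewall filter
# Replies and follow-up packets of connections already tracked.
add chain=forward action=accept connection-state=established,related

# Never matches the port map: dstnat runs before the forward chain, so the
# packet already carries the server's address and dst-port=80 when it gets here.
# add chain=forward action=accept in-interface=ether1 protocol=tcp dst-port=8080

# Option A: one explicit rule per port map, written with the post-NAT values.
add chain=forward action=accept in-interface=ether1 protocol=tcp \
    dst-address=192.168.88.10 dst-port=80 comment="allow port map to web server"

# Option B: the single rule from the post. It accepts every dst-natted
# connection, so the dstnat rules alone decide what is reachable from the WAN.
# add chain=forward action=accept connection-nat-state=dstnat

# Default deny; the accept rules must sit above this one.
add chain=forward action=drop comment="default deny"
```

With option B, every dstnat rule is effectively also a firewall allow rule, so scope each one with in-interface (and a source address restriction where the service permits it).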
 
Pilgrim
Member Candidate
Topic Author
Posts: 265
Joined: Sun Mar 30, 2008 1:04 pm

Re: Port mapping issue

Sat Jan 30, 2016 8:51 pm

@ZeroByte

Thanks a million, you saved my day. I have been beating around with this issue for days.

The filter rule you recommended (/ip firewall filter add chain=forward connection-nat-state=dstnat) works like a charm.

I thought I opened everything from LAN side, as I have added a rule to allow all new connections from LAN. Also all related and established connections are accepted, so I couldn't figure out why the return traffic didn't pass.

I just added the rule suggested and problem solved :-)
