tenasow
just joined
Topic Author
Posts: 4
Joined: Wed Oct 26, 2016 10:22 am

trouble forwarding ports to server

Wed Oct 26, 2016 10:45 am

Hi,

I've been trying to port forward OpenVPN AS. When I try to access my public ip 85.1.2.3:943 from the browser I want to go to my VPN page. But I only get refused connection error.

my setup is:
Mikrotik router - 192.168.20.1
Ubuntu Server - 192.168.20.21
public fake ip - 85.1.2.3


exported firewall settings
# sep/11/2016 11:34:26 by RouterOS 6.37
# software id = BAHW-653L
#
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=input comment="defconf: drop all from WAN" \
    in-interface=ether1
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface=ether1
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    out-interface=ether1
add action=dst-nat chain=dstnat dst-port=943 protocol=tcp to-addresses=\
    192.168.20.21 to-ports=943
add action=dst-nat chain=dstnat dst-port=443 protocol=tcp to-addresses=\
    192.168.20.21 to-ports=443
add action=dst-nat chain=dstnat dst-port=1194 protocol=udp to-addresses=\
    192.168.20.21 to-ports=1194
I appreciate any help, cause I've spent too much time on this already!
 
Splash
Member Candidate
Posts: 151
Joined: Fri Oct 16, 2015 10:09 am
Location: Johannesburg, South Africa

Re: trouble forwarding ports to server

Wed Oct 26, 2016 11:29 am

Are you getting a "connection refused" or a "connection timeout" error? The connection refused error means the NAT is working, but the server is not listening on that port.

Try disabling your Mikrotik Firewall and just run the NAT rules with logging enabled?

Can you telnet to the server on that port to check that it is listening?

Does the server have a firewall running on it that you need to also open that port on?
MTCNA, MTCRE, MTCINE, MTCTCE, MTCIPv6E, MTCUME
 
tenasow
just joined
Topic Author
Posts: 4
Joined: Wed Oct 26, 2016 10:22 am

Re: trouble forwarding ports to server

Wed Oct 26, 2016 2:52 pm

I think I messed it up even more, I get connection timed out error now instead.

my server doesn't have any firewall and it is indeed listening on port 943.
 
skuykend
Member Candidate
Posts: 270
Joined: Tue Oct 06, 2015 7:28 am

Re: trouble forwarding ports to server

Thu Oct 27, 2016 12:20 am

If you're trying to test this from inside your network it won't work without setting up a hairpin NAT. Do a search. Also you have no IP destination or local dst-address filters on your dst-nats, so ALL traffic passing through the router with those dst ports will be redirected to 20.21, such as outbound HTTPS.
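
The unscoped dst-nat problem described in this reply can be checked mechanically. This is an added example, not part of the original thread: a small Python model that parses `/ip firewall nat` export lines and reports where a packet would be redirected. The packet dicts, the address 203.0.113.10 and the exact-equality matching (no ranges, lists or negation) are assumptions of the sketch.

```python
import shlex

# Constructed samples: the port-443 dst-nat rule as exported before and after the change.
BEFORE = r'''/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    out-interface=ether1
add action=dst-nat chain=dstnat dst-port=443 protocol=tcp to-addresses=\
    192.168.20.21 to-ports=443
'''
AFTER = r'''/ip firewall nat
add action=dst-nat chain=dstnat dst-address=85.1.2.3 dst-port=443 \
    protocol=tcp to-addresses=192.168.20.21
'''
MATCHERS = ("protocol", "dst-port", "dst-address", "in-interface")
SCOPE = ("dst-address", "dst-address-type", "dst-address-list",
         "in-interface", "in-interface-list")

def parse_nat(export):
    """Return the /ip firewall nat rules of a RouterOS export as dicts."""
    rules, menu, pending = [], None, ""
    for raw in export.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):      # export wraps long lines with a trailing backslash
            pending = line[:-1]
            continue
        pending = ""
        if line.startswith("/"):
            menu = line              # remember which menu the following "add" lines belong to
        elif line.startswith("add ") and menu == "/ip firewall nat":
            tokens = shlex.split(line)[1:]   # shlex keeps quoted comments in one token
            rules.append(dict(t.split("=", 1) for t in tokens if "=" in t))
    return rules

def dstnat_target(rules, pkt):
    """First matching dst-nat rule wins; None means the packet is not redirected."""
    for r in rules:
        if r.get("action") == "dst-nat" and r.get("chain") == "dstnat":
            # A matcher the rule does not set matches every packet.
            if all(r.get(k, pkt[k]) == pkt[k] for k in MATCHERS):
                return r["to-addresses"]
    return None

def unscoped_dstnat(rules):
    """dst-nat rules with no destination-address or inbound-interface restriction."""
    return [r for r in rules
            if r.get("action") == "dst-nat" and not any(k in r for k in SCOPE)]

# Hypothetical packets: a LAN client browsing an outside HTTPS site, and an inbound WAN hit.
LAN_OUT = {"protocol": "tcp", "dst-port": "443", "dst-address": "203.0.113.10", "in-interface": "bridge"}
WAN_IN = {"protocol": "tcp", "dst-port": "443", "dst-address": "85.1.2.3", "in-interface": "ether1"}
```

With the first export, the LAN client's outbound HTTPS connection is rewritten to 192.168.20.21; with `dst-address=85.1.2.3` on the rule, only traffic addressed to the public IP is.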
 
tenasow
just joined
Topic Author
Posts: 4
Joined: Wed Oct 26, 2016 10:22 am

Re: trouble forwarding ports to server

Thu Oct 27, 2016 9:27 am

I'm getting a new error now:

ERR_EMPTY_RESPONSE

my NAT firewall setup now:
# sep/12/2016 10:14:44 by RouterOS 6.37
# software id = BAHW-653L
#
/ip firewall filter
add action=accept chain=forward dst-port=943 in-interface=bridge protocol=tcp
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface=ether1
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=drop chain=input in-interface=ether1
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    out-interface=ether1
add action=masquerade chain=srcnat out-interface=bridge
add action=dst-nat chain=dstnat dst-address=85.1.2.3 dst-port=943 log=\
    yes log-prefix="tcp 943:" protocol=tcp to-addresses=192.168.20.21
add action=dst-nat chain=dstnat dst-address=85.1.2.3 dst-port=1194 \
    protocol=udp to-addresses=192.168.20.21
add action=dst-nat chain=dstnat dst-address=85.1.2.3 dst-port=443 \
    protocol=tcp to-addresses=192.168.20.21
add action=accept chain=srcnat dst-address=192.168.20.0/24 src-address=\
    192.168.21.0/24
Thanks for your help so far.
 
tenasow
just joined
Topic Author
Posts: 4
Joined: Wed Oct 26, 2016 10:22 am

Re: trouble forwarding ports to server

Thu Oct 27, 2016 9:46 am

It's actually working with the configuration I have now I realised.

I accessed it by https://public-ip:943 which gave me empty error page.

when I access it from https://public-ip I get to the right page now!

Thanks for the help I'm happy to finally be over with this :D
