pggarland
just joined
Topic Author
Posts: 1
Joined: Tue Nov 08, 2016 2:57 pm

new NAT does nothing

Wed Nov 09, 2016 5:41 pm

Hi,
I am new to the MikroTik, having inherited it. We have a few machines behind the firewall that are accessed through remote desktop. I see the NAT records for those machines, using ports 3395 - 3399. I have been tasked with adding another machine, so I created another NAT record for the new machine using the documentation. However, no matter what I do, I can't connect to the machine from outside the firewall.

Also, if I edit one of the existing NAT records to point to the IP address of the new machine, I can't connect then either.

I have read many comments that say that you have to reboot the router if you change a NAT that has already had a connection, but what about newly added ones? Or is there a way to save the change other than just creating the NAT?

Also, how do you reboot the router from WinBox or the Webfig?

Thanks for any help.

Paul
 
andriys
Forum Guru
Posts: 1193
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: new NAT does nothing

Wed Nov 09, 2016 6:48 pm

> I have been tasked with adding another machine, so I created another NAT record for the new machine using the documentation. However, no matter what I do, I can't connect to the machine from outside the firewall.

Please check that you also allowed external access to this machine in the /ip firewall filter.

> Also, how do you reboot the router from WinBox or the Webfig?

System -> Reboot
 
busla
just joined
Posts: 17
Joined: Tue Nov 08, 2016 12:35 pm
Location: Russia, Saint Petersburg

Re: new NAT does nothing

Wed Nov 09, 2016 7:02 pm

Documentation is wrong. You must add an allow rule to the input chain of ip->firewall->filter.
 
janus20
Member Candidate
Posts: 111
Joined: Thu Nov 03, 2016 10:31 am
Location: Pitesti, Romania

Re: new NAT does nothing

Wed Nov 09, 2016 10:47 pm

Hi,

I think you need 2 rules: first, a dst-nat in the nat chain, and second, a forwarding rule in the filter chain. Let's say that for the new machine you wish to allocate port 4000 on the MikroTik router, forwarding the remote desktop to your new machine 192.168.0.10, on which remote desktop is listening on 3389:

1. dst-nat rule for your destination machine inside your LAN (in our example 192.168.0.10/24)

    /ip firewall nat
    add action=dst-nat chain=dstnat comment="access remote desktop to machine XXXX" dst-port=4000 in-interface={your_wan_interface} log=yes protocol=tcp to-addresses=192.168.0.10 to-ports=3389

2. accept forward rule in filter chain

    # dst-nat is applied before the forward chain, so this rule has to match the
    # translated destination (192.168.0.10:3389), not the external port 4000
    /ip firewall filter
    add action=accept chain=forward comment="accept remote desktop for machine XXXX" dst-address=192.168.0.10 dst-port=3389 in-interface={your_wan_interface} log=yes protocol=tcp

Do not forget to replace {your_wan_interface} with your real WAN interface (ether1, pppoe-out1, etc.) as well as the new machine's real IP (not 192.168.0.10), and move rule 2 above any "drop" rule in the filter chain, if any.

This should be enough. Hope it helps.

kind regards,
 
Chupaka
Forum Guru
Posts: 8346
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: new NAT does nothing

Thu Nov 10, 2016 2:15 am

> However, no matter what I do, I can't connect to the machine from outside the firewall.

make sure that machine has Internet access via that router

> Documentation is wrong. You must add an allow rule to the input chain of ip->firewall->filter.

you are wrong. this is only needed for accessing router's services (like WinBox, Web Proxy, DNS Server, etc.). all traffic through the router (from the Internet to LAN machines and back) goes via 'forward' chain

Russian-speaking forum: https://forum.mikrotik.by/. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

MikroTik. Your life. Your routing.
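
Added example, not part of any post in this thread and not MikroTik code: a small Python model of the packet path debated above, showing which filter chain a port-forwarded connection reaches and which destination port a rule in that chain sees. The WAN address 203.0.113.1, the `ether1` WAN interface and the drop-all rule at the end of each chain are assumptions.

```python
# Constructed model of the RouterOS packet path for a port-forwarded connection.
from dataclasses import dataclass, replace

ROUTER_WAN_IP = "203.0.113.1"  # assumed public address (documentation range)

@dataclass(frozen=True)
class Packet:
    in_iface: str
    dst_addr: str
    dst_port: int
    proto: str = "tcp"

# The dst-nat rule from the thread: WAN tcp/4000 -> 192.168.0.10:3389
NAT_RULES = [{"match": {"in_iface": "ether1", "proto": "tcp", "dst_port": 4000},
              "to_addr": "192.168.0.10", "to_port": 3389}]

def matches(pkt, match):
    return all(getattr(pkt, field) == value for field, value in match.items())

def dstnat(pkt):
    """Rewrite the destination; this happens before any filter chain is chosen."""
    for rule in NAT_RULES:
        if matches(pkt, rule["match"]):
            return replace(pkt, dst_addr=rule["to_addr"], dst_port=rule["to_port"])
    return pkt

def evaluate(pkt, filter_rules):
    """Return (chain, verdict). Assumes each chain ends with a drop-all rule."""
    pkt = dstnat(pkt)
    # Routing decision: traffic for the router itself -> input, otherwise forward.
    chain = "input" if pkt.dst_addr == ROUTER_WAN_IP else "forward"
    for rule in filter_rules:
        if rule["chain"] == chain and matches(pkt, rule["match"]):
            return chain, rule["action"]
    return chain, "drop"

# Constructed sample traffic arriving on the WAN interface.
RDP_FROM_INTERNET = Packet("ether1", ROUTER_WAN_IP, 4000)
WINBOX_FROM_INTERNET = Packet("ether1", ROUTER_WAN_IP, 8291)

# Three candidate filter rules for the forwarded RDP port.
INPUT_ACCEPT = [{"chain": "input", "match": {"dst_port": 4000}, "action": "accept"}]
FORWARD_PRE_NAT_PORT = [{"chain": "forward", "match": {"dst_port": 4000}, "action": "accept"}]
FORWARD_POST_NAT = [{"chain": "forward", "action": "accept",
                     "match": {"dst_addr": "192.168.0.10", "dst_port": 3389}}]

if __name__ == "__main__":
    for name, rules in [("input accept", INPUT_ACCEPT),
                        ("forward, port 4000", FORWARD_PRE_NAT_PORT),
                        ("forward, 192.168.0.10:3389", FORWARD_POST_NAT)]:
        print(name, "->", evaluate(RDP_FROM_INTERNET, rules))
```

Only the rule that matches the translated destination in the forward chain accepts the connection; the input-chain rule is never consulted for it.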
 
jarda
Forum Guru
Posts: 7602
Joined: Mon Oct 22, 2012 4:46 pm

Re: new NAT does nothing

Thu Nov 10, 2016 8:03 am

... And be sure the machine is accepting incoming connections from the outer world.
 
busla
just joined
Posts: 17
Joined: Tue Nov 08, 2016 12:35 pm
Location: Russia, Saint Petersburg

Re: new NAT does nothing

Fri Nov 11, 2016 6:50 pm

> you are wrong. this is only needed for accessing router's services

It works in hundreds of installations. Just check the howtos from Google search and the comments on them.
 
Chupaka
Forum Guru
Posts: 8346
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: new NAT does nothing

Sat Nov 12, 2016 3:05 am

Sure it works. Accepting nothing does not break anything :) I won't google for you