dg3feh
Frequent Visitor
Topic Author
Posts: 63
Joined: Mon Jan 30, 2017 10:52 am

Port-forwarding does not work, but why?

Tue Jan 31, 2017 11:09 pm

Hello!

I run my LAN on 192.168.1.0/24 and an xDSL connection via a modem (192.168.0.2) which is connected to ether23-MODEM. The internet connection works fine. The firewall is like this:
Flags: X - disabled, I - invalid, D - dynamic

0 ;;; Kaputte Pakete DROP
chain=input action=drop connection-state=invalid log=no
1 ;;; Bestehende und initierte Verbindungen OK
chain=input action=accept connection-state=established,related log=no
2 ;;; Von 192.168.1.0/24 nach draussen
chain=input action=accept src-address=192.168.1.0/24
in-interface=ether23-MODEM log=no
3 ;;; von 192.168.1.0 -> 192.168.0.0 OK
chain=input action=accept src-address=192.168.1.0/24
dst-address=192.168.0.0/24 log=no
4 ;;; von 192.168.0.0 -> 192.168.1.0 OK
chain=input action=accept src-address=192.168.0.0/24
dst-address=192.168.1.0/24 log=no log-prefix=""
5 ;;; von 192.168.1.0 -> 192.168.1.0 OK
chain=input action=accept src-address=192.168.1.0/24
dst-address=192.168.1.0/24 log=no log-prefix=""
6 ;;; Der Rest geht in den Orkus....
chain=input action=drop log=no log-prefix="FW"


I run a small server on 192.168.1.252 and want to reach the WWW service from the Internet. For masquerading and port-forwarding I use the following NAT parameters:

Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Maskierung LAN
chain=srcnat action=masquerade src-address=192.168.1.0/24 log=no
1 ;;; Port-forwarding HTTP zum Server
chain=dstnat action=dst-nat to-addresses=192.168.1.252 to-ports=80
protocol=tcp in-interface=ether23-MODEM dst-port=80 log=yes
log-prefix="FW80"
2 ;;; Port-forwarding HTTPS zum Server
chain=dstnat action=dst-nat to-addresses=192.168.1.252 to-ports=443
protocol=tcp in-interface=ether23-MODEM dst-port=443 log=yes
log-prefix="FW443"

The mikrotik-webinterface uses port 81 and 444:

# NAME PORT ADDRESS CERTIFICATE
0 telnet 23 192.168.1.0/24
1 XI ftp 21
2 www 81 192.168.1.0/24
3 ssh 22
4 www-ssl 444 mikrotik-https
5 api 8728
6 winbox 8291
7 api-ssl 8729 *FFFFFFFF

I can't connect from the outside to the WWW server and I can't see any log entries from the NAT rules (marked by FW80 and FW443). Any hints on what is wrong?

BR Holger
 
lbachero
newbie
Posts: 38
Joined: Wed Oct 08, 2014 4:39 pm
Location: Dublin

Re: Port-forwarding does not work, but why?

Tue Jan 31, 2017 11:42 pm

Who has the Public IP?
You need to redirect on this device too.

 
pe1chl
Forum Guru
Posts: 10223
Joined: Mon Jun 08, 2015 12:09 pm

Re: Port-forwarding does not work, but why?

Tue Jan 31, 2017 11:43 pm

Do you have any forward rules in your firewall? That is what is important, not the input rules.
 
dg3feh
Frequent Visitor
Topic Author
Posts: 63
Joined: Mon Jan 30, 2017 10:52 am

Re: Port-forwarding does not work, but why?

Wed Feb 01, 2017 12:26 am

The public IP is held by the PPP Interface on ether23-MODEM.

What kind of forward rule? You can see all my rules in the post.
 
effndc
newbie
Posts: 44
Joined: Wed Jan 11, 2017 1:25 am

Re: Port-forwarding does not work, but why?

Wed Feb 01, 2017 12:56 am

So the public IP address is assigned to a PPPoE connection on the Mikrotik?

Do you have firewall forward rules to accept the incoming connection? dst-nat only tells the system what you want the packets re-written to, it doesn't give it permission to actually forward the traffic. You likely need to add something like:
/ip firewall filter
add action=accept chain=forward comment=weathercat dst-address=192.168.1.252 dst-port=80,443 protocol=tcp
Just be sure to put that above your forward drop rule.
 
dg3feh
Frequent Visitor
Topic Author
Posts: 63
Joined: Mon Jan 30, 2017 10:52 am

Re: Port-forwarding does not work, but why?

Wed Feb 01, 2017 1:12 am

So the public IP address is assigned to a PPPoE connection on the Mikrotik?

Do you have firewall forward rules to accept the incoming connection? dst-nat only tells the system what you want the packets re-written to, it doesn't give it permission to actually forward the traffic. You likely need to add something like:
/ip firewall filter
add action=accept chain=forward comment=weathercat dst-address=192.168.1.252 dst-port=80,443 protocol=tcp
Just be sure to put that above your forward drop rule.
I added this one, but it is still not working.

Are these ones correct:

2 ;;; Portforwarding HTTP zum Server
chain=dstnat action=dst-nat to-addresses=192.168.1.252 to-ports=80 protocol=tcp
in-interface=ether23-MODEM dst-port=80 log=yes log-prefix="FW80"

3 chain=dstnat action=dst-nat to-addresses=192.168.1.252 to-ports=443 protocol=tcp
in-interface=ether23-MODEM dst-port=443 log=no
 
dg3feh
Frequent Visitor
Topic Author
Posts: 63
Joined: Mon Jan 30, 2017 10:52 am

Re: Port-forwarding does not work, but why?

Wed Feb 01, 2017 1:54 am

Mistake found. I have to use the PPPoE Interface and not the port!

Next problem is the Hairpin NAT http://wiki.mikrotik.com/wiki/Hairpin_NAT

/ip firewall nat
add chain=srcnat src-address=192.168.1.0/24 \
dst-address=192.168.1.2 protocol=tcp dst-port=80 \
out-interface=LAN action=masquerade

what does LAN mean here?
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Port-forwarding does not work, but why?

Wed Feb 01, 2017 2:32 am

LAN means LAN, the internal network where both server and client are connected.
 
dg3feh
Frequent Visitor
Topic Author
Posts: 63
Joined: Mon Jan 30, 2017 10:52 am

Re: Port-forwarding does not work, but why?

Wed Feb 01, 2017 8:53 am

LAN means LAN, the internal network where both server and client are connected.
How do I define that? These are all ports except 23 (where the modem is connected to).
 
pe1chl
Forum Guru
Posts: 10223
Joined: Mon Jun 08, 2015 12:09 pm

Re: Port-forwarding does not work, but why?

Wed Feb 01, 2017 11:04 am

Please show a complete /export of your config so it can be debugged.
 
dg3feh
Frequent Visitor
Topic Author
Posts: 63
Joined: Mon Jan 30, 2017 10:52 am

Re: Port-forwarding does not work, but why?

Wed Feb 01, 2017 11:47 am

Please show a complete /export of your config so it can be debugged.
[admin@Router-HH] > /export
# feb/01/2017 10:45:22 by RouterOS 6.38.1
# software id = D5X7-MT4X
#
/interface ethernet
set [ find default-name=ether2 ] master-port=ether1
set [ find default-name=ether3 ] master-port=ether1
set [ find default-name=ether4 ] master-port=ether1
set [ find default-name=ether5 ] master-port=ether1
set [ find default-name=ether6 ] master-port=ether1
set [ find default-name=ether7 ] master-port=ether1
set [ find default-name=ether8 ] master-port=ether1
set [ find default-name=ether9 ] master-port=ether1
set [ find default-name=ether10 ] master-port=ether1
set [ find default-name=ether11 ] master-port=ether1
set [ find default-name=ether12 ] master-port=ether1
set [ find default-name=ether13 ] master-port=ether1
set [ find default-name=ether14 ] master-port=ether1
set [ find default-name=ether15 ] master-port=ether1
set [ find default-name=ether16 ] master-port=ether1
set [ find default-name=ether17 ] master-port=ether1
set [ find default-name=ether18 ] master-port=ether1
set [ find default-name=ether19 ] master-port=ether1
set [ find default-name=ether20 ] master-port=ether1
set [ find default-name=ether21 ] master-port=ether1
set [ find default-name=ether22 ] master-port=ether1
set [ find default-name=ether23 ] name=ether23-MODEM
set [ find default-name=ether24 ] master-port=ether1
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether23-MODEM keepalive-timeout=disabled name=PPPoE-ALICE use-peer-dns=yes user=04102981391
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool1 ranges=192.168.1.1-192.168.1.100
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=ether1 lease-time=2h name=dhcp1
/ip settings
set accept-source-route=yes
/ip address
add address=192.168.1.254/24 interface=ether1 network=192.168.1.0
add address=192.168.0.1/24 interface=ether23-MODEM network=192.168.0.0
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.254 gateway=192.168.1.254
/ip dns
set allow-remote-requests=yes servers=4.4.4.4
/ip firewall address-list
add address=192.168.1.1-192.168.1.200 list=LAN
/ip firewall filter
add action=drop chain=input comment="Kaputte Pakete DROP" connection-state=invalid
add action=drop chain=forward comment="Kaputte Pakete Drop\
\n" connection-state=invalid
add action=accept chain=input comment="Bestehende und initierte Verbindungen OK" connection-state=established,related
add action=accept chain=forward comment="Bestehende und initierte Verbindungen OK" connection-state=established,related protocol=tcp
add action=accept chain=forward comment="Forward auf Server" connection-state=established,related,new dst-address=192.168.1.252 dst-port=22,80,443 protocol=tcp
add action=accept chain=forward comment="Forward auf Router" connection-state=established,related,new dst-address=192.168.1.254 dst-port=444 protocol=tcp
add action=accept chain=input comment="von 192.168.1.0 -> 192.168.0.0 OK" dst-address=192.168.0.0/24 src-address=192.168.1.0/24
add action=accept chain=input comment="von 192.168.0.0 -> 192.168.1.0 OK" dst-address=192.168.1.0/24 src-address=192.168.0.0/24
add action=accept chain=input comment="von 192.168.1.0 -> 192.168.1.0 OK" dst-address=192.168.1.0/24 src-address=192.168.1.0/24
add action=drop chain=input comment="Der Rest geht in den Orkus...." log-prefix=FW
/ip firewall nat
add action=masquerade chain=srcnat comment="Maskierung LAN" out-interface=PPPoE-ALICE src-address=192.168.1.0/24
add action=masquerade chain=srcnat comment=Hairpin dst-address=192.168.1.252 dst-port=22,80,443 out-interface-list=all protocol=tcp src-address=192.168.1.0/24
add action=src-nat chain=srcnat comment=NTP protocol=udp src-port=123 to-addresses=192.168.1.254
add action=dst-nat chain=dstnat comment="Portforwarding HTTP zum Server" dst-port=80 in-interface=PPPoE-ALICE log-prefix=FW80 protocol=tcp to-addresses=192.168.1.252 to-ports=80
add action=dst-nat chain=dstnat comment="Portforwarding HTTPS zum Server" dst-port=443 in-interface=PPPoE-ALICE protocol=tcp to-addresses=192.168.1.252 to-ports=443
add action=dst-nat chain=dstnat comment="Port forwarding SSH auf Server" dst-port=22 in-interface=PPPoE-ALICE protocol=tcp to-addresses=192.168.1.252 to-ports=22
add action=dst-nat chain=dstnat comment="Forward HTTPS Router" dst-port=444 in-interface=PPPoE-ALICE protocol=tcp to-addresses=192.168.1.254 to-ports=444
/ip route
add distance=1 dst-address=192.168.0.0/24 gateway=ether23-MODEM pref-src=192.168.0.1
add distance=1 dst-address=192.168.1.0/24 gateway=ether1 pref-src=192.168.1.254
/ip service
set telnet address=192.168.1.0/24
set ftp disabled=yes
set www address=192.168.1.0/24 port=81
set www-ssl certificate=mikrotik-https disabled=no port=444
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=Router-HH
/system ntp client
set enabled=yes primary-ntp=192.53.103.104 secondary-ntp=192.53.103.103
/system ntp server
set enabled=yes multicast=yes
/system scheduler
add interval=1m name=DynDNS-Strato on-event=dynDNS policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=jan/30/2017 start-time=20:31:46
/system script
add name=dynDNS owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":global ddnsuser \"lange-online.net\"\
\n:global ddnspass \"blablabla\"\
\n:global theinterface \"PPPoE-ALICE\"\
\n:global ddnshost blablabla\
\n:global ddnsserver dyndns.strato.com\
\n:global protocol https\
\n:global ipddns [:resolve \$ddnshost];\
\n:global ipfresh [ /ip address get [/ip address find interface=\$theinterface ] address ]\
\n:if ([ :typeof \$ipfresh ] = nil ) do={\
\n :log info (\"DynDNS: No ip address on \$theinterface .\")\
\n} else={\
\n :for i from=( [:len \$ipfresh] - 1) to=0 do={ \
\n :if ( [:pick \$ipfresh \$i] = \"/\") do={ \
\n :set ipfresh [:pick \$ipfresh 0 \$i];\
\n } \
\n}\
\n \
\n:if (\$ipddns != \$ipfresh) do={\
\n :log info (\"DynDNS: IP-DynDNS = \$ipddns\")\
\n :log info (\"DynDNS: IP-Fresh = \$ipfresh\")\
\n :log info \"DynDNS: Update IP needed, Sending UPDATE...!\"\
\n :global str \"/nic/update\\\?hostname=\$ddnshost&myip=\$ipfresh&wildcard=NOCHG&mx=NOCHG&backmx=NOCHG\"\
\n /tool fetch address=\$ddnsserver src-path=\$str mode=\$protocol user=\$ddnsuser \\\
\n password=\$ddnspass dst-path=(\"/DynDNS.\".\$ddnshost)\
\n :delay 1\
\n :global str [/file find name=\"DynDNS.\$ddnshost\"];\
\n /file remove \$str\
\n :global ipddns \$ipfresh\
\n :log info \"DynDNS: IP updated to \$ipfresh!\"\
\n } else={\
\n# :log info \"DynDNS: dont need changes\";\
\n }\
\n} "
/tool graphing interface
add interface=PPPoE-ALICE
 
pe1chl
Forum Guru
Posts: 10223
Joined: Mon Jun 08, 2015 12:09 pm

Re: Port-forwarding does not work, but why?

Wed Feb 01, 2017 7:06 pm

Ok in your case your LAN is "ether1", as all ethernet ports except your modem have master-port=ether1.
This means that they are hardware-switched together and the port ether1 is the one that the router sees.

Under /ip route, this entry should not be required:
add distance=1 dst-address=192.168.1.0/24 gateway=ether1 pref-src=192.168.1.254

This is already covered by:
/ip address
add address=192.168.1.254/24 interface=ether1 network=192.168.1.0

Looking at this, I think the port forwarding should work from the outside. For your hairpin NAT you required the LAN name which is ether1.
Normally you would have some more forward firewall rules as well but it appears you deleted them.
Then it at least should work. And with single external IP address and no NAT it does not make that much of a difference.
 
dg3feh
Frequent Visitor
Topic Author
Posts: 63
Joined: Mon Jan 30, 2017 10:52 am

Re: Port-forwarding does not work, but why?

Thu Feb 02, 2017 9:55 am

Hello!

Thank you for your answer. The routing from the outside works fine for HTTP, HTTPS and SSH. For the Hairpin rule you mean:
/ip firewall nat add action=masquerade chain=srcnat comment=Hairpin dst-address=192.168.1.252 dst-port=22,80,443 out-interface-list=ether1 protocol=tcp src-address=192.168.1.0/24

...but that one does not work, but why!?

Besides that, I changed the port for the MikroTik HTTPS access to 444 (see config above) and tried to route that one to the outside:

/ip firewall nat add action=dst-nat chain=dstnat comment="Portforwarding HTTPS zum Router" dst-port=444 in-interface=PPPoE-ALICE protocol=tcp to-addresses=192.168.1.254 to-ports=444

That doesn't work either :(


...and what kind of forward rules do you miss? I like the firewall very strict and only open ports if it is necessary.

Some hints for me?

Thanx, Holger
 
pe1chl
Forum Guru
Posts: 10223
Joined: Mon Jun 08, 2015 12:09 pm

Re: Port-forwarding does not work, but why?

Thu Feb 02, 2017 11:26 am

I overlooked some forward entries. However, it is not required to explicitly forward your dstnatted ports.
The default forward rules, which should be OK for you, are like this:

/ip firewall
filter add chain=forward action=fasttrack-connection connection-state=established,related
filter add chain=forward action=accept connection-state=established,related
filter add chain=forward action=drop connection-state=invalid
filter add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=PPPoE-ALICE

(delete all forward rules and then paste this in a terminal window)
 
dg3feh
Frequent Visitor
Topic Author
Posts: 63
Joined: Mon Jan 30, 2017 10:52 am

Re: Port-forwarding does not work, but why?

Thu Feb 02, 2017 11:41 am

And what about the Hairpin? I need to get that working to get access to the address books and calendars from smartphones while they are connected to the LAN via WLAN.
 
pe1chl
Forum Guru
Posts: 10223
Joined: Mon Jun 08, 2015 12:09 pm

Re: Port-forwarding does not work, but why?

Thu Feb 02, 2017 12:32 pm

Does it not work after you apply the above forward rules and you insert the hairpin rule with ether1 instead of LAN?
 
dg3feh
Frequent Visitor
Topic Author
Posts: 63
Joined: Mon Jan 30, 2017 10:52 am

Re: Port-forwarding does not work, but why?

Thu Feb 02, 2017 1:09 pm

I implemented your hints, and the Hairpin still doesn't work :(

Also the redirect of the router HTTPS interface doesn't work.
 
pe1chl
Forum Guru
Posts: 10223
Joined: Mon Jun 08, 2015 12:09 pm

Re: Port-forwarding does not work, but why?

Thu Feb 02, 2017 7:24 pm

I have no experience with hairpin nat, but I think it should work. Maybe check again at the wiki.
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Port-forwarding does not work, but why?

Thu Feb 02, 2017 10:15 pm

If you want your forwarded ports to work also from LAN, you can't have dstnat rules with in-interface=PPPoE-ALICE. If you connect from LAN, in-interface will be ether1. So remove in-interface=PPPoE-ALICE and instead add dst-address-type=local. Then your hairpin NAT rule, I don't see any interface list defined in your config, so you probably meant out-interface=ether1 and not out-interface-list=ether1.
 
dg3feh
Frequent Visitor
Topic Author
Posts: 63
Joined: Mon Jan 30, 2017 10:52 am

Re: Port-forwarding does not work, but why?

Fri Feb 03, 2017 1:46 am

Hello!

The Hairpin and the forwarding for the router still do not work. Here is the actual export:

[admin@Router-HH] > /export
# feb/03/2017 00:42:43 by RouterOS 6.38.1
# software id = D5X7-MT4X
#
/interface ethernet
set [ find default-name=ether2 ] master-port=ether1
set [ find default-name=ether3 ] master-port=ether1
set [ find default-name=ether4 ] master-port=ether1
set [ find default-name=ether5 ] master-port=ether1
set [ find default-name=ether6 ] master-port=ether1
set [ find default-name=ether7 ] master-port=ether1
set [ find default-name=ether8 ] master-port=ether1
set [ find default-name=ether9 ] master-port=ether1
set [ find default-name=ether10 ] master-port=ether1
set [ find default-name=ether11 ] master-port=ether1
set [ find default-name=ether12 ] master-port=ether1
set [ find default-name=ether13 ] master-port=ether1
set [ find default-name=ether14 ] master-port=ether1
set [ find default-name=ether15 ] master-port=ether1
set [ find default-name=ether16 ] master-port=ether1
set [ find default-name=ether17 ] master-port=ether1
set [ find default-name=ether18 ] master-port=ether1
set [ find default-name=ether19 ] master-port=ether1
set [ find default-name=ether20 ] master-port=ether1
set [ find default-name=ether21 ] master-port=ether1
set [ find default-name=ether22 ] master-port=ether1
set [ find default-name=ether23 ] name=ether23-MODEM
set [ find default-name=ether24 ] master-port=ether1
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether23-MODEM \
keepalive-timeout=disabled name=PPPoE-ALICE use-peer-dns=yes user=\
04102981391
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool1 ranges=192.168.1.1-192.168.1.100
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=ether1 lease-time=2h name=\
dhcp1
/ip settings
set accept-source-route=yes
/ip address
add address=192.168.1.254/24 interface=ether1 network=192.168.1.0
add address=192.168.0.1/24 interface=ether23-MODEM network=192.168.0.0
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.254 gateway=192.168.1.254
/ip dns
set allow-remote-requests=yes servers=4.4.4.4
/ip firewall address-list
add address=192.168.1.1-192.168.1.200 list=LAN
/ip firewall filter
add action=drop chain=input comment="Kaputte Pakete DROP" connection-state=\
invalid
add action=drop chain=forward comment="Kaputte Pakete Drop\
\n" connection-state=invalid
add action=fasttrack-connection chain=forward connection-state=\
established,related
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward connection-nat-state=!dstnat connection-state=\
new in-interface=PPPoE-ALICE
add action=accept chain=input comment=\
"Bestehende und initierte Verbindungen OK" connection-state=\
established,related
add action=accept chain=forward comment=\
"Bestehende und initierte Verbindungen OK" connection-state=\
established,related protocol=tcp
add action=accept chain=forward comment="Forward auf Server" \
connection-state=established,related,new dst-address=192.168.1.252 \
dst-port=22,80,443 protocol=tcp
add action=accept chain=forward comment="Forward auf Router" \
connection-state=established,related,new dst-address=192.168.1.254 \
dst-port=444 protocol=tcp
add action=accept chain=input comment="von 192.168.1.0 -> 192.168.0.0 OK" \
dst-address=192.168.0.0/24 src-address=192.168.1.0/24
add action=accept chain=input comment="von 192.168.0.0 -> 192.168.1.0 OK" \
dst-address=192.168.1.0/24 src-address=192.168.0.0/24
add action=accept chain=input comment="von 192.168.1.0 -> 192.168.1.0 OK" \
dst-address=192.168.1.0/24 src-address=192.168.1.0/24
add action=drop chain=input comment="Der Rest geht in den Orkus...." \
log-prefix=FW
/ip firewall nat
add action=masquerade chain=srcnat comment="Maskierung LAN" out-interface=\
PPPoE-ALICE src-address=192.168.1.0/24
add action=masquerade chain=srcnat comment=Hairpin dst-address=192.168.1.252 \
dst-port=22,80,443 out-interface=ether1 out-interface-list=all protocol=\
tcp src-address=192.168.1.0/24
add action=src-nat chain=srcnat comment=NTP protocol=udp src-port=123 \
to-addresses=192.168.1.254
add action=dst-nat chain=dstnat comment="Portforwarding HTTP zum Server" \
dst-port=80 in-interface=PPPoE-ALICE log-prefix=FW80 protocol=tcp \
to-addresses=192.168.1.252 to-ports=80
add action=dst-nat chain=dstnat comment="Portforwarding HTTPS zum Server" \
dst-port=443 in-interface=PPPoE-ALICE protocol=tcp to-addresses=\
192.168.1.252 to-ports=443
add action=dst-nat chain=dstnat comment="Port forwarding SSH auf Server" \
dst-port=22 in-interface=PPPoE-ALICE protocol=tcp to-addresses=\
192.168.1.252 to-ports=22
add action=dst-nat chain=dstnat comment="Forward HTTPS Router" dst-port=444 \
in-interface=PPPoE-ALICE port="" protocol=tcp to-addresses=192.168.1.254 \
to-ports=444
/ip route
add distance=1 dst-address=192.168.0.0/24 gateway=ether23-MODEM pref-src=\
192.168.0.1
add distance=1 dst-address=192.168.1.0/24 gateway=ether1 pref-src=\
192.168.1.254
/ip service
set telnet address=192.168.1.0/24
set ftp disabled=yes
set www address=192.168.1.0/24 port=81
set www-ssl certificate=mikrotik-https disabled=no port=444
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=Router-HH
/system ntp client
set enabled=yes primary-ntp=192.53.103.104 secondary-ntp=192.53.103.103
/system ntp server
set enabled=yes multicast=yes
/system scheduler
add interval=1m name=DynDNS-Strato on-event=dynDNS policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=jan/30/2017 start-time=20:31:46
/system script
add name=dynDNS owner=admin policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
global ddnsuser \"blablabla\"\
\n:global ddnspass \"blablabla"\
\n:global theinterface \"PPPoE-ALICE\"\
\n:global ddnshost hh.lange-online.net\
\n:global ddnsserver dyndns.strato.com\
\n:global protocol https\
\n:global ipddns [:resolve \$ddnshost];\
\n:global ipfresh [ /ip address get [/ip address find interface=\$theinter\
face ] address ]\
\n:if ([ :typeof \$ipfresh ] = nil ) do={\
\n :log info (\"DynDNS: No ip address on \$theinterface .\")\
\n} else={\
\n :for i from=( [:len \$ipfresh] - 1) to=0 do={ \
\n :if ( [:pick \$ipfresh \$i] = \"/\") do={ \
\n :set ipfresh [:pick \$ipfresh 0 \$i];\
\n } \
\n}\
\n \
\n:if (\$ipddns != \$ipfresh) do={\
\n :log info (\"DynDNS: IP-DynDNS = \$ipddns\")\
\n :log info (\"DynDNS: IP-Fresh = \$ipfresh\")\
\n :log info \"DynDNS: Update IP needed, Sending UPDATE...!\"\
\n :global str \"/nic/update\\\?hostname=\$ddnshost&myip=\$ipfresh&wildc\
ard=NOCHG&mx=NOCHG&backmx=NOCHG\"\
\n /tool fetch address=\$ddnsserver src-path=\$str mode=\$protocol user=\
\$ddnsuser \\\
\n password=\$ddnspass dst-path=(\"/DynDNS.\".\$ddnshost)\
\n :delay 1\
\n :global str [/file find name=\"DynDNS.\$ddnshost\"];\
\n /file remove \$str\
\n :global ipddns \$ipfresh\
\n :log info \"DynDNS: IP updated to \$ipfresh!\"\
\n } else={\
\n# :log info \"DynDNS: dont need changes\";\
\n }\
\n} "
/tool graphing interface
add interface=PPPoE-ALICE
[admin@Router-HH] >

Some hints?

/BR

Holger
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Port-forwarding does not work, but why?

Fri Feb 03, 2017 2:13 am

Yep, two hints:

1)
 tag is very useful thing.
2) Read my previous post again and this time pay a little more attention (extra subhint: you did not touch your dstnat rules).
 
dg3feh
Frequent Visitor
Topic Author
Posts: 63
Joined: Mon Jan 30, 2017 10:52 am

Re: Port-forwarding does not work, but why?

Fri Feb 03, 2017 2:29 am

Yep, two hints:

1)
 tag is very useful thing.

What do you mean by that?

2) Read my previous post again and this time pay a little more attention (extra subhint: you did not touch your dstnat rules).

As far as I understood, the Hairpin works by masquerading. The internal call from LAN to the external address is redirected to the LAN address of the server by

/ip firewall nat
add action=masquerade chain=srcnat comment=Hairpin dst-address=192.168.1.252 \
dst-port=22,80,443 out-interface=ether1 out-interface-list=all protocol=\
tcp src-address=192.168.1.0/24
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Port-forwarding does not work, but why?

Fri Feb 03, 2017 2:32 am

That's just a half of it. You still need proper dstnat rules. And your current ones only work for connections coming from internet (via PPPoE-ALICE interface).
 
dg3feh
Frequent Visitor
Topic Author
Posts: 63
Joined: Mon Jan 30, 2017 10:52 am

Re: Port-forwarding does not work, but why?

Fri Feb 03, 2017 9:07 am

That's just a half of it. You still need proper dstnat rules. And your current ones only work for connections coming from internet (via PPPoE-ALICE interface).
Hm. As far as I understood: We are coming from the inside (e.g. 192.168.1.100) and want to connect to the WAN address. Therefore we catch all traffic on port 22,80,443 going to the server (192.168.1.252) from the LAN (192.168.1.0/24), masquerade it and send it to the internal interface (ether1).

I followed that tutorial: http://wiki.mikrotik.com/wiki/Hairpin_NAT
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Port-forwarding does not work, but why?

Fri Feb 03, 2017 6:56 pm

But there will be no traffic going to server, because dstnat is what redirects it there. Take this rule:
/ip firewall nat
add action=dst-nat chain=dstnat comment="Portforwarding HTTP zum Server" \
dst-port=80 in-interface=PPPoE-ALICE log-prefix=FW80 protocol=tcp \
to-addresses=192.168.1.252 to-ports=80
It tells router to catch tcp/80 packets coming via PPPoE-ALICE interface. When you connect to your public address from LAN, in-interface will be your LAN interface and this rule will not catch (and redirect) anything. Instead, the connection attempt will go to router itself and will fail (because you don't have anything running on port 80 on router; if you didn't move web administration to port 81, you'd get that).
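The three points made across the thread can be checked with a small model of the RouterOS packet path: effndc's point that dst-nat only rewrites the destination and the forward chain still has to accept the packet, pe1chl's default forward rules (drop new connections from PPPoE-ALICE unless they were dst-natted), and Sob's point that a dstnat rule with in-interface=PPPoE-ALICE can never match a LAN client talking to the public address, so the hairpin masquerade rule never sees a packet. The Python below is an added example written for this edit, not code from the thread, from MikroTik or from RouterOS; it assumes a placeholder public address 203.0.113.10 and constructed client addresses, and it reduces RouterOS matching to the handful of matchers that appear in the posted rules (no real connection tracking, first packet of a new connection only).

```python
"""Toy model of the RouterOS packet path the thread is about: dstnat -> (input | forward) -> srcnat.
Constructed illustration, not RouterOS code: rules are plain dicts reusing the thread's own keys,
matching is simplified, and only the first packet of a new connection is traced."""
from ipaddress import ip_address, ip_network

# Addresses the router owns. 203.0.113.10 is a constructed placeholder (TEST-NET-3) for the
# PPPoE public address, which the thread never shows.
ROUTER_ADDRS = {"ether1": "192.168.1.254", "PPPoE-ALICE": "203.0.113.10"}
LOCAL_ADDRS = set(ROUTER_ADDRS.values())
PUBLIC = ROUTER_ADDRS["PPPoE-ALICE"]

def route(dst):
    """Hypothetical routing lookup mirroring the thread's /ip address entry and default route."""
    return "ether1" if ip_address(dst) in ip_network("192.168.1.0/24") else "PPPoE-ALICE"

def matches(rule, pkt):
    """Evaluate the matchers used in the thread; any mismatch means the rule does not fire."""
    for key, want in rule.items():
        if key in ("chain", "action", "comment", "to-addresses", "to-ports", "log-prefix"):
            continue
        if key == "protocol":
            ok = pkt["protocol"] == want
        elif key == "in-interface":
            ok = pkt["in_iface"] == want
        elif key == "out-interface":
            ok = route(pkt["dst"]) == want
        elif key == "dst-port":
            ok = pkt["dport"] in {int(p) for p in want.split(",")}
        elif key in ("src-address", "dst-address"):
            ok = ip_address(pkt[key[:3]]) in ip_network(want, strict=False)
        elif key == "dst-address-type":            # "local" = an address the router itself owns
            ok = (pkt["dst"] in LOCAL_ADDRS) == (want == "local")
        elif key == "connection-state":
            ok = pkt["conn_state"] in want.split(",")
        elif key == "connection-nat-state":        # "!dstnat" = connection was NOT dst-natted
            ok = (want.lstrip("!") in pkt["nat_state"]) != want.startswith("!")
        else:
            raise ValueError(f"unsupported matcher {key}")
        if not ok:
            return False
    return True

def trace(pkt, dstnat, forward, srcnat):
    """Walk a new connection's first packet through the three stages; return path and final addresses."""
    pkt = dict(pkt, conn_state="new", nat_state=set())
    for rule in dstnat:                          # first matching dstnat rule rewrites the destination
        if matches(rule, pkt):
            pkt["dst"], pkt["dport"] = rule["to-addresses"], int(rule["to-ports"])
            pkt["nat_state"].add("dstnat")
            break
    if pkt["dst"] in LOCAL_ADDRS:                # not redirected: goes to the router's own input chain
        return dict(pkt, path="input")
    for rule in forward:                         # first matching filter rule decides; default is accept
        if matches(rule, pkt):
            if rule["action"] == "drop":
                return dict(pkt, path="forward-drop")
            break
    out = route(pkt["dst"])
    for rule in srcnat:                          # first matching srcnat rule rewrites the source
        if matches(rule, pkt):
            pkt["src"] = ROUTER_ADDRS[out] if rule["action"] == "masquerade" else rule["to-addresses"]
            pkt["nat_state"].add("srcnat")
            break
    # Hairpin failure mode: client and server behind the same interface with the source unchanged
    # means the server answers the client directly and the client discards the unexpected reply.
    hairpin_broken = out == pkt["in_iface"] and "srcnat" not in pkt["nat_state"]
    return dict(pkt, path="forward", out_iface=out, reply_via_router=not hairpin_broken)

# dstnat rule as posted in the thread (in-interface=PPPoE-ALICE) and as Sob suggested fixing it
DSTNAT_THREAD = [{"chain": "dstnat", "action": "dst-nat", "protocol": "tcp", "dst-port": "80",
                  "in-interface": "PPPoE-ALICE", "to-addresses": "192.168.1.252", "to-ports": "80"}]
DSTNAT_FIXED = [{"chain": "dstnat", "action": "dst-nat", "protocol": "tcp", "dst-port": "80",
                 "dst-address-type": "local", "to-addresses": "192.168.1.252", "to-ports": "80"}]
FORWARD = [  # pe1chl's default forward chain
    {"chain": "forward", "action": "fasttrack-connection", "connection-state": "established,related"},
    {"chain": "forward", "action": "accept", "connection-state": "established,related"},
    {"chain": "forward", "action": "drop", "connection-state": "invalid"},
    {"chain": "forward", "action": "drop", "connection-state": "new",
     "connection-nat-state": "!dstnat", "in-interface": "PPPoE-ALICE"},
]
MASQ_WAN = {"chain": "srcnat", "action": "masquerade", "out-interface": "PPPoE-ALICE",
            "src-address": "192.168.1.0/24"}
HAIRPIN = {"chain": "srcnat", "action": "masquerade", "src-address": "192.168.1.0/24",
           "dst-address": "192.168.1.252", "dst-port": "22,80,443", "protocol": "tcp",
           "out-interface": "ether1"}

def packet(src, in_iface, dst, dport):
    return {"src": src, "in_iface": in_iface, "dst": dst, "dport": dport, "protocol": "tcp"}

# Client addresses are constructed: 198.51.100.7 (TEST-NET-2) outside, 192.168.1.100 in the LAN.
INTERNET_CLIENT = ("198.51.100.7", "PPPoE-ALICE")
LAN_CLIENT = ("192.168.1.100", "ether1")

SCENARIOS = {  # name: (packet, dstnat rules, srcnat rules); FORWARD is shared by all
    "internet_to_server": (packet(*INTERNET_CLIENT, PUBLIC, 80), DSTNAT_THREAD, [MASQ_WAN, HAIRPIN]),
    "internet_to_lan_host": (packet(*INTERNET_CLIENT, "192.168.1.50", 80), DSTNAT_FIXED, [MASQ_WAN, HAIRPIN]),
    "lan_thread_rules": (packet(*LAN_CLIENT, PUBLIC, 80), DSTNAT_THREAD, [MASQ_WAN, HAIRPIN]),
    "lan_fixed_dstnat_no_hairpin": (packet(*LAN_CLIENT, PUBLIC, 80), DSTNAT_FIXED, [MASQ_WAN]),
    "lan_fixed_dstnat_with_hairpin": (packet(*LAN_CLIENT, PUBLIC, 80), DSTNAT_FIXED, [MASQ_WAN, HAIRPIN]),
}

def run(name):
    """Trace one named scenario and return the resulting packet state."""
    pkt, dstnat, srcnat = SCENARIOS[name]
    return trace(pkt, dstnat, FORWARD, srcnat)
```

Calling run() for each scenario shows the thread's history in miniature: the internet client reaches 192.168.1.252 through the forward chain, an unsolicited packet to a LAN host is dropped by pe1chl's last forward rule, the LAN client under the posted dstnat rule ends up in the input chain (the router itself, where nothing listens on port 80, exactly as Sob describes), the corrected dstnat rule alone forwards it but the server's reply bypasses the router, and only the corrected dstnat rule together with the hairpin masquerade gives a connection whose both directions pass the router.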
