Hello All,
I have just bought MikroTik RB962UiGS-5HacT2HnT and trying to set it up.
I have done all basic configuration and router works well.
Now I am on fine settings.
I nee to setup port forwarding as I have webserver behind router and I want it be accessible from Internet.
Let say external router ip 32.32.32.32 and local webserver ip : 192.168.0.10 and port is 1111 (just an example)
I went to IP->Firewall->NAT and created new NAT Rule:
General:
Chain: dstnat
Protocol: 6 (tcp)
Dst. Port: 1111
In. Interface: ether1-WAN - input internet port
Action:
Action: netmap
To Address: 192.168.0.10
To Ports: 1111
Once the rule was created I am able to access my webserver from Internet : 32.32.32.32:1111
But I got another problem I can not access that webserver from my LAN, I can not access 32.32.32.32:1111 from local host 192.168.0.11.
192.168.0.10:1111 works well but external IP doesn't work.
Anyone able to help how to resolve the issue? I will be very grateful.
Thanks in advance.
Sergey
Re: Port forwarding - please help !
Hi, thats because you Are going Out with that External IP and coming backagain to It .Hello All,
I have just bought MikroTik RB962UiGS-5HacT2HnT and trying to set it up.
I have done all basic configuration and router works well.
Now I am on fine settings.
I nee to setup port forwarding as I have webserver behind router and I want it be accessible from Internet.
Let say external router ip 32.32.32.32 and local webserver ip : 192.168.0.10 and port is 1111 (just an example)
I went to IP->Firewall->NAT and created new NAT Rule:
General:
Chain: dstnat
Protocol: 6 (tcp)
Dst. Port: 1111
In. Interface: ether1-WAN - input internet port
Action:
Action: netmap
To Address: 192.168.0.10
To Ports: 1111
Once the rule was created I am able to access my webserver from Internet : 32.32.32.32:1111
But I got another problem I can not access that webserver from my LAN, I can not access 32.32.32.32:1111 from local host 192.168.0.11.
192.168.0.10:1111 works well but external IP doesn't work.
Anyone able to help how to resolve the issue? I will be very grateful.
Thanks in advance.
Sergey
Most ISP wont allow that .
Gesendet von iPhone mit Tapatalk
Re: Port forwarding - please help !
@Discmandj ... it is not problem of ISP's configuration or allow/disalow will. Look at above links.
Re: Port forwarding - please help !
as BartoszP suggested, your solution is srcnat. A little Googling goes long way.
viewtopic.php?t=102493
and
viewtopic.php?t=45602
viewtopic.php?t=102493
and
viewtopic.php?t=45602
-
-
sergeymikrotikov
just joined
- Posts: 13
- Joined:
Re: Port forwarding - please help !
Hello again!
Thanks everyone who replied. I went through lots of links and finally found this one usefull:
https://wiki.mikrotik.com/wiki/Hairpin_NAT
I have applied following 2 scripts:
/ip firewall nat
add chain=dstnat dst-address=32.32.32.32 protocol=tcp dst-port=1111 \
action=dst-nat to-address=192.168.0.10
add chain=srcnat out-interface=WAN action=masquerade
/ip firewall nat
add chain=srcnat src-address=192.168.0.0/24 \
dst-address=192.168.0.10 protocol=tcp dst-port=1111 \
out-interface=LAN action=masquerade
and now I manage to access webserver from outside and insude LAN.
But, as you can see I have to use fixed external router ip 32.32.32.32
But I have dynamic external ip , so the solution will not really work for me.
Anyone can advise how can I modify these 2 scripts for dynamic IP.
Thanks in advance
Sergey
Thanks everyone who replied. I went through lots of links and finally found this one usefull:
https://wiki.mikrotik.com/wiki/Hairpin_NAT
I have applied following 2 scripts:
/ip firewall nat
add chain=dstnat dst-address=32.32.32.32 protocol=tcp dst-port=1111 \
action=dst-nat to-address=192.168.0.10
add chain=srcnat out-interface=WAN action=masquerade
/ip firewall nat
add chain=srcnat src-address=192.168.0.0/24 \
dst-address=192.168.0.10 protocol=tcp dst-port=1111 \
out-interface=LAN action=masquerade
and now I manage to access webserver from outside and insude LAN.
But, as you can see I have to use fixed external router ip 32.32.32.32
But I have dynamic external ip , so the solution will not really work for me.
Anyone can advise how can I modify these 2 scripts for dynamic IP.
Thanks in advance
Sergey
Re: Port forwarding - please help !
In dstnat rule, you can use dst-address-type=local instead of dst-address=32.32.32.32. It does exactly what it says, it will match any address assigned to router.
In case you'd want to use the same port also to access some service on router (e.g. WebFig on 192.168.0.x:80, where x s what router has on LAN interface), add another condition to create exception, i.e. dst-address=!192.168.0.x.
In case you'd want to use the same port also to access some service on router (e.g. WebFig on 192.168.0.x:80, where x s what router has on LAN interface), add another condition to create exception, i.e. dst-address=!192.168.0.x.
Re: Port forwarding - please help !
or just specify WAN interface as the in interface in the dst nat rule?
Re: Port forwarding - please help !
Not if you want it to work from LAN. Even though you're connecting to address on WAN, in-interface will still be LAN and such rule wouldn't match.
-
-
sergeymikrotikov
just joined
- Posts: 13
- Joined:
Re: Port forwarding - please help !
Sob!
Thanks a lot, your suggestion worked for me.
Thanks to everyone replied as well.
Sergey
Thanks a lot, your suggestion worked for me.
Thanks to everyone replied as well.
Sergey
Re: Port forwarding - please help !
good tip Sob, thanks!
I assume that this works for dynamic public IP as it's assigned to the router's WAN interface?
I assume that this works for dynamic public IP as it's assigned to the router's WAN interface?
Re: Port forwarding - please help !
Yes. It works for any IP address assigned to any interface. Which is sometimes too much and exception is needed.
-
-
sergeymikrotikov
just joined
- Posts: 13
- Joined:
Re: Port forwarding - please help !
Hello everyone again!
I have to come back to forum as I am facing another small (I hope) problem.
I have finished my port forwarding/hairping NAT setup.
Now I have my FTP server runnig on port 21 on LAN.
The next step is to make Mikrotik internal FTP working.
As port 21 is already taken I am moving it to port 8021.
IP -> Services -> IP Service List -> ftp : 8021
IP -> Firewall -> Service Poerts ->ftp : 8021
Netxt step is to setup NAT forwarding/hairpin:
/ip firewall nat
add chain=dstnat comment="Mikrotik FTP forward" dst-address-type=local protocol=tcp dst-port=8021 \
action=dst-nat to-address=192.168.0.1
/ip firewall nat
add chain=srcnat comment="Mikrotik FTP hairpin" src-address=192.168.0.0/24 \
dst-address=192.168.0.1 protocol=tcp dst-port=8021 \
out-interface-list=LAN action=masquerade
where 192.168.0.1 - Mikrotik internal IP.
So what I got now:
I can reach FTP from LAN using both internal/external IP:
ftp://192.168.0.1:8021/
ftp://32.32.32.32:8021/
where 32.32.32.32 - Mikrotik external IP.
BUT ! I can not reach FTP server from Internet. I can not figure out what is missing.
Please help.
Thanks in advance.
Sergey.
I have to come back to forum as I am facing another small (I hope) problem.
I have finished my port forwarding/hairping NAT setup.
Now I have my FTP server runnig on port 21 on LAN.
The next step is to make Mikrotik internal FTP working.
As port 21 is already taken I am moving it to port 8021.
IP -> Services -> IP Service List -> ftp : 8021
IP -> Firewall -> Service Poerts ->ftp : 8021
Netxt step is to setup NAT forwarding/hairpin:
/ip firewall nat
add chain=dstnat comment="Mikrotik FTP forward" dst-address-type=local protocol=tcp dst-port=8021 \
action=dst-nat to-address=192.168.0.1
/ip firewall nat
add chain=srcnat comment="Mikrotik FTP hairpin" src-address=192.168.0.0/24 \
dst-address=192.168.0.1 protocol=tcp dst-port=8021 \
out-interface-list=LAN action=masquerade
where 192.168.0.1 - Mikrotik internal IP.
So what I got now:
I can reach FTP from LAN using both internal/external IP:
ftp://192.168.0.1:8021/
ftp://32.32.32.32:8021/
where 32.32.32.32 - Mikrotik external IP.
BUT ! I can not reach FTP server from Internet. I can not figure out what is missing.
Please help.
Thanks in advance.
Sergey.
Re: Port forwarding - please help !
Important question first, do you need FTP server on router for anything? Because it's not very useful service. It's not required for normal operation at all. And if you'd want to use it for file sharing with USB disk, it works, but it's very simple, there's no good access control, encryptions or anything. And if you already have another FTP server (if I understand it correctly), I don't see a reason why to deal with this one.
If you really want it, then:
1) Changing port in IP->Services was correct.
2) In IP->Firewall->Service Ports->ftp, it's not clear if you changed the port, of if you added 8021 to existing 21. If you changed it, it's wrong, because it can affect all FTP connections. This tells router which ports it should inspect for FTP control connections and find related data connections, so that you can allow them in firewall.
3) If the service is on router itself, it doesn't need NAT at all, neither dstnat not hairpin. Just allow dst-port=8021 in /ip firewall filter, chain=input and that's it (assuming you also have standard rule to allow related connections).
If you really want it, then:
1) Changing port in IP->Services was correct.
2) In IP->Firewall->Service Ports->ftp, it's not clear if you changed the port, of if you added 8021 to existing 21. If you changed it, it's wrong, because it can affect all FTP connections. This tells router which ports it should inspect for FTP control connections and find related data connections, so that you can allow them in firewall.
3) If the service is on router itself, it doesn't need NAT at all, neither dstnat not hairpin. Just allow dst-port=8021 in /ip firewall filter, chain=input and that's it (assuming you also have standard rule to allow related connections).
-
-
sergeymikrotikov
just joined
- Posts: 13
- Joined:
Re: Port forwarding - please help !
Hi Sob.
I need Mikrotik FTP server as light-weight service to backup main server which is not online 24/7.
I have resolved the problem by removing forwarding and hairpin nat rules as you recommended and disabled firewall rule which was blocking all request from non-LAN.
It all works now.
Thanks for help.
Sergey
I need Mikrotik FTP server as light-weight service to backup main server which is not online 24/7.
I have resolved the problem by removing forwarding and hairpin nat rules as you recommended and disabled firewall rule which was blocking all request from non-LAN.
It all works now.
Thanks for help.
Sergey
Re: Port forwarding - please help !
I would recommend adding an accept for input from address list before the default drop rule you disabled and re-enable it.
Re: Port forwarding - please help !
That's right, default drop rule is good thing. If you disable it, you open everything on router to whole world. Don't do that.
-
-
sergeymikrotikov
just joined
- Posts: 13
- Joined:
Re: Port forwarding - please help !
You are right, it is not good idea to disable default rule.
I have tried:
/ip firewall filter add chain=input protocol=tcp dst-port=8021 action=accept
but it did not work. Any idea what is the problem with that command ?
Sergey
I have tried:
/ip firewall filter add chain=input protocol=tcp dst-port=8021 action=accept
but it did not work. Any idea what is the problem with that command ?
Sergey
Re: Port forwarding - please help !
It depends on your other rules:
1) Order is important, this new accept rule must be before the last drop rule.
2) If clients use passive move (should be probably default for most of them), you also need rule to accept connections with connection-state=related. Default firewall has such rule (combined with established state).
3) You need to have your non-standard port in IP->Firewall->Service Ports->ftp (in addition to default 21), otherwise there would be no related connections.
1) Order is important, this new accept rule must be before the last drop rule.
2) If clients use passive move (should be probably default for most of them), you also need rule to accept connections with connection-state=related. Default firewall has such rule (combined with established state).
3) You need to have your non-standard port in IP->Firewall->Service Ports->ftp (in addition to default 21), otherwise there would be no related connections.
Re: Port forwarding - please help !
What I find weird is only creating the one rule.
On my current router one made a port forward rule (from incoming interface (specific WAN interface) for specific port(s)/service(s) to a specific LANIP.
Then a separate FW rule to allow same traffic but delineating the Source IP(s) allowed and destination IP for the services coming from the port forwarding rule.
On the Port Forward Rule one could flip ports (incoming on non-standard port for example and flip to standard port).
FW rule would be made for standard port to the specific LANIP.
In microtik its a one shot deal. Just an FYI for those coming from other devices.
PS Order always seems to count!!
On my current router one made a port forward rule (from incoming interface (specific WAN interface) for specific port(s)/service(s) to a specific LANIP.
Then a separate FW rule to allow same traffic but delineating the Source IP(s) allowed and destination IP for the services coming from the port forwarding rule.
On the Port Forward Rule one could flip ports (incoming on non-standard port for example and flip to standard port).
FW rule would be made for standard port to the specific LANIP.
In microtik its a one shot deal. Just an FYI for those coming from other devices.
PS Order always seems to count!!
Re: Port forwarding - please help !
If one rule is enough, why add more.
This last part is about making FTP server on router accessible from anywhere. So you need exactly one rule to allow connections to main control port. Connections to data ports can be allowed automatically using conntrack and related state.
For ports forwarded inside, you don't need too many rules either. Dstnat rule(s) are required, but everything in firewall filter can be simply solved with one universal rule allowing connections with connection-nat-state=dstnat. If you need filtering based on source IP, you can do it in dstnat, i.e. not forward the port(s) for given source at all.
This last part is about making FTP server on router accessible from anywhere. So you need exactly one rule to allow connections to main control port. Connections to data ports can be allowed automatically using conntrack and related state.
For ports forwarded inside, you don't need too many rules either. Dstnat rule(s) are required, but everything in firewall filter can be simply solved with one universal rule allowing connections with connection-nat-state=dstnat. If you need filtering based on source IP, you can do it in dstnat, i.e. not forward the port(s) for given source at all.
-
-
sergeymikrotikov
just joined
- Posts: 13
- Joined:
Re: Port forwarding - please help !
Yes, that was it!
I have moved my rule above the one I have disabled and it works now.
I have also re-enabled default rule.
Another good tip. Thanks, Sob!
I have moved my rule above the one I have disabled and it works now.
I have also re-enabled default rule.
Another good tip. Thanks, Sob!
Re: Port forwarding - please help !
Just to be clear then, (my current setup has two rules), I only need to do my Firewalling on the IP NAT menu.If one rule is enough, why add more.
This last part is about making FTP server on router accessible from anywhere. So you need exactly one rule to allow connections to main control port. Connections to data ports can be allowed automatically using conntrack and related state.
For ports forwarded inside, you don't need too many rules either. Dstnat rule(s) are required, but everything in firewall filter can be simply solved with one universal rule allowing connections with connection-nat-state=dstnat. If you need filtering based on source IP, you can do it in dstnat, i.e. not forward the port(s) for given source at all.
The difference being not only do I use DSTNAT chain and configure destination address (on my LAN) and ports used, I also delineate any specific IP or IPs (by address list) as sources to narrow down allowed unsolicited inbound traffic???
Re: Port forwarding - please help !
ip firewall nat add chain=dstnat dst-address=32.32.32.32 protocol=tcp dst-port=1111 action=dst-nat to-addresses=192.168.0.
10 to-ports=1111
Just Apply And All is OK
10 to-ports=1111
Just Apply And All is OK
Re: Port forwarding - please help !
@anavds: I'm not completely sure what you're asking about, so lets try it like this:
1) Allowing forwarded ports through router.
First option, you can add dstnat rule(s) for given port(s) and then add matching rule(s) in forward filter to allow them to pass. It works, but imagine doing it for multiple ports. Each dstnat rule means another filter rule and you have to keep them in sync. It's annoying.
Second option, add dstnat rules as before, but use one common accept rule in filter (with connection-nat-state=dstnat) for all. Less work and lower chances for errors. And no problem for security, because connection doesn't just become dstnatted by itself, you have to do it.
2) Filtering in dstnat or filter.
Both will work, but why let packets even go to filter (just to be rejected/dropped), when you can exclude them from dstnat completely? But as always, it also depends on exact circumstances, e.g. when I have router that accepts incoming connections from both internet and sort-of-local network on WAN interface, doing common filtering in forward chain is better for me, because it's all in one place.
1) Allowing forwarded ports through router.
First option, you can add dstnat rule(s) for given port(s) and then add matching rule(s) in forward filter to allow them to pass. It works, but imagine doing it for multiple ports. Each dstnat rule means another filter rule and you have to keep them in sync. It's annoying.
Second option, add dstnat rules as before, but use one common accept rule in filter (with connection-nat-state=dstnat) for all. Less work and lower chances for errors. And no problem for security, because connection doesn't just become dstnatted by itself, you have to do it.
2) Filtering in dstnat or filter.
Both will work, but why let packets even go to filter (just to be rejected/dropped), when you can exclude them from dstnat completely? But as always, it also depends on exact circumstances, e.g. when I have router that accepts incoming connections from both internet and sort-of-local network on WAN interface, doing common filtering in forward chain is better for me, because it's all in one place.
Re: Port forwarding - please help !
Hi Sob, thanks for your patience on this one.
Multiple ports is only an issue due to not being able to place them on an address list like IP addresses.
A. I should be able to easily port forward to a single, or any combination of groups of services.
B. I should be able to filter external access by one or more external WANIPs to one or more port forwarded services.
In other words, I am not finding it clear how you will do the following?
FTP server, port 21 - restricted to external Address LIST - Group A, to LAN IP AA
Media server port 30000 restricted to external WANIP 1234, to LAN IP BB
Server Z, on port YYYY restricted to external WANIP 5678, to LAN IP CC
Server Database on ports 4500-4505, restricted to address LIST - Group B, to LAN IP DD
1. I can do this easily on my current router......
Port forward rules for stating coming in on WAN interface - heading for destination IP address for specific port(s)
Further in the port forward rules I can map external to internal ports, in other words I could do this if ISP blocked port 21
FTP server original port 8888, mapped to port 21 to specific LAN IP address
2. Then I apply FW rules which allow me to state which external WANIPs are allowed for those services and destination IP.
3. All objects are identified such that individual objects (IPs) can be changed without mucking with rules and all Groups objects, users/services can be subtracted or added to group objects such that rules do not have to be mucked with!
It is not clear to me how you are going to solve the above scenario in your approach?
How am I going to make one filter rule when the incoming allowed WANIPs are different for every case?
I hope my question demonstrates my thorough lack of understanding!!!
Don't get me wrong, I want to achieve what is simple and efficient and reducing Filter Rules is important in that regard.
If what you are saying is simply solving by adding a source address or source address list as part of each dstnat rule, then YES, okay we cover that off.
But it seems you are intimating we still need one Forward Filter rule to cover off one or more dstnat rules??
Multiple ports is only an issue due to not being able to place them on an address list like IP addresses.
A. I should be able to easily port forward to a single, or any combination of groups of services.
B. I should be able to filter external access by one or more external WANIPs to one or more port forwarded services.
In other words, I am not finding it clear how you will do the following?
FTP server, port 21 - restricted to external Address LIST - Group A, to LAN IP AA
Media server port 30000 restricted to external WANIP 1234, to LAN IP BB
Server Z, on port YYYY restricted to external WANIP 5678, to LAN IP CC
Server Database on ports 4500-4505, restricted to address LIST - Group B, to LAN IP DD
1. I can do this easily on my current router......
Port forward rules for stating coming in on WAN interface - heading for destination IP address for specific port(s)
Further in the port forward rules I can map external to internal ports, in other words I could do this if ISP blocked port 21
FTP server original port 8888, mapped to port 21 to specific LAN IP address
2. Then I apply FW rules which allow me to state which external WANIPs are allowed for those services and destination IP.
3. All objects are identified such that individual objects (IPs) can be changed without mucking with rules and all Groups objects, users/services can be subtracted or added to group objects such that rules do not have to be mucked with!
It is not clear to me how you are going to solve the above scenario in your approach?
How am I going to make one filter rule when the incoming allowed WANIPs are different for every case?
I hope my question demonstrates my thorough lack of understanding!!!
Don't get me wrong, I want to achieve what is simple and efficient and reducing Filter Rules is important in that regard.
If what you are saying is simply solving by adding a source address or source address list as part of each dstnat rule, then YES, okay we cover that off.
But it seems you are intimating we still need one Forward Filter rule to cover off one or more dstnat rules??
Re: Port forwarding - please help !
It's possible that I confused you and it's my fault, because I'm thinking about non-default firewall. Default one, if I'm not mistaken, has standard allow established & related, drop invalid, drop anything from WAN not dstnatted, and implicitly allow everything else (there's no rule for that, because accept is chain's default action). At least it was like this not long ago. In this case, you don't need to worry about anything in forward filter. Any dstnatted connection will have dstnat state, so the drop rule will not match, packets won't be dropped and will be allowed by default.
I was thinking about default-deny type of firewall, where everything not specifically allowed is rejected/dropped by unconditional reject/drop rule at the end of chain. In older RouterOS, if you had this type of firewall and forwarded some ports using dstnat, you had to add extra accept rule for each dstnat rule (assuming you didn't have universal accept rule for connections from WAN, but that wouldn't be very safe firewall), to let the connection pass through router. Newer RouterOS versions made this much simpler by adding connection-nat-state matcher, so it's now possible to use that and one rule is enough to allow all forwarded ports.
For your example, I'd probably use something like this:
And filter rules can be according to previous paragraphs, i.e. no extra rule for default firewall, or just one rule to allow all forwarded ports for the other one. Whether the connection will be allowed is decided by dstnat rule.
If you want the rule to work with multiple WANs, use in-interface-list=<WANs> instead.
If you need to have different internal and external port, just change dstnat rule to use dst-port=<external> to-ports=<internal>. For same internal and external port, you don't need to add to-ports at all.
Edit: You can also optimize some things with jumps and other chain(s), e.g.:
It doesn't look like much, but imagine you have hundered rules instead of just two. Instead of checking in-interface=<WAN> hundered times, it's done only once.
I was thinking about default-deny type of firewall, where everything not specifically allowed is rejected/dropped by unconditional reject/drop rule at the end of chain. In older RouterOS, if you had this type of firewall and forwarded some ports using dstnat, you had to add extra accept rule for each dstnat rule (assuming you didn't have universal accept rule for connections from WAN, but that wouldn't be very safe firewall), to let the connection pass through router. Newer RouterOS versions made this much simpler by adding connection-nat-state matcher, so it's now possible to use that and one rule is enough to allow all forwarded ports.
For your example, I'd probably use something like this:
Code: Select all
/ip firewall nat
add action=dst-nat chain=dstnat in-interface=<WAN> dst-port=21 protocol=tcp src-address-list="LIST - Group A" to-addresses=AA
add action=dst-nat chain=dstnat dst-address=1234 dst-port=30000 protocol=tcp to-addresses=BB
add action=dst-nat chain=dstnat dst-address=5678 dst-port=YYYY protocol=tcp to-addresses=CC
add action=dst-nat chain=dstnat in-interface=<WAN> dst-port=4500-4505 protocol=tcp src-address-list="LIST - Group B" to-addresses=DDIf you want the rule to work with multiple WANs, use in-interface-list=<WANs> instead.
If you need to have different internal and external port, just change dstnat rule to use dst-port=<external> to-ports=<internal>. For same internal and external port, you don't need to add to-ports at all.
Edit: You can also optimize some things with jumps and other chain(s), e.g.:
Code: Select all
/ip firewall nat
add action=jump chain=dstnat in-interface=<WAN> jump-target=portforward
add action=dst-nat chain=portforward dst-port=21 protocol=tcp src-address-list="LIST - Group A" to-addresses=AA
add action=dst-nat chain=portforward dst-port=4500-4505 protocol=tcp src-address-list="LIST - Group B" to-addresses=DDRe: Port forwarding - please help !
Yes, I am easily confused but only due to my lack of knowledge.
Okay, what I dont get is why for the external group allowed WANIPs to access server, you identified them as source and also used in-interface WAN.
BUT you dropped the in-interface WAN for the two cases where the rule is to allow only ONE external WANIP user to access server ?????????????
The only difference is the number of allowed IPs to access the server.
Here is what I think it should be!!!
/ip firewall nat
1-add action=dst-nat chain=dstnat in-interface=<WAN> dst-port=21 protocol=tcp src-address-list="LIST - Group A" to-addresses=AA
2-add action=dst-nat chain=dstnat in-interface=<WAN> dst-port=30000 protocol=tcp src-address=1234 to-addresses=BB
3-add action=dst-nat chain=dstnat in-interface=<WAN> dst-port=YYYY protocol=tcp src-address=5678 to-addresses=CC
4-add action=dst-nat chain=dstnat in-interface=<WAN> dst-port=4500-4505 protocol=tcp src-address-list="LIST - Group B" to-addresses=DD
I understand the comments about multiple WANs and mapping ports external/internal.
So lets get to the Jumping Fun!! Where I am really lost!!
It doesn't look like much, but imagine you have hundred rules instead of just two. Instead of checking in-interface=<WAN> hundred times, it's done only once.
What is effectively accomplished?
If we have one firewall rule for allowing proper dstnat connections, when does this filter rule get applied?
If its before the NAT rule then there is no savings, so I will assume the NAT rule is a prerouting function prior to filtering process.
Somehow then, the Router Has the ability to check the traffic against the NAT rules to see if it matches a DST NAT RULE and if so says JUMP or GO TO PORT FORWARD process.
So regardless of how many dsntnat rules in place, once recognized they will all go to a specific location and process.
Hmmm, all this does is then go to a set of the same rules we had previously.
I am not seeing any advantage or savings but instead see creating more rules and processes than is required??????
I am missing something here........
Okay, what I dont get is why for the external group allowed WANIPs to access server, you identified them as source and also used in-interface WAN.
BUT you dropped the in-interface WAN for the two cases where the rule is to allow only ONE external WANIP user to access server ?????????????
The only difference is the number of allowed IPs to access the server.
Here is what I think it should be!!!
/ip firewall nat
1-add action=dst-nat chain=dstnat in-interface=<WAN> dst-port=21 protocol=tcp src-address-list="LIST - Group A" to-addresses=AA
2-add action=dst-nat chain=dstnat in-interface=<WAN> dst-port=30000 protocol=tcp src-address=1234 to-addresses=BB
3-add action=dst-nat chain=dstnat in-interface=<WAN> dst-port=YYYY protocol=tcp src-address=5678 to-addresses=CC
4-add action=dst-nat chain=dstnat in-interface=<WAN> dst-port=4500-4505 protocol=tcp src-address-list="LIST - Group B" to-addresses=DD
I understand the comments about multiple WANs and mapping ports external/internal.
So lets get to the Jumping Fun!! Where I am really lost!!
Code: Select all
Code: Select all
/ip firewall nat
add action=jump chain=dstnat in-interface=<WAN> jump-target=portforward
add action=dst-nat chain=portforward dst-port=21 protocol=tcp src-address-list="LIST - Group A" to-addresses=AA
add action=dst-nat chain=portforward dst-port=4500-4505 protocol=tcp src-address-list="LIST - Group B" to-addresses=DDWhat is effectively accomplished?
If we have one firewall rule for allowing proper dstnat connections, when does this filter rule get applied?
If its before the NAT rule then there is no savings, so I will assume the NAT rule is a prerouting function prior to filtering process.
Somehow then, the Router Has the ability to check the traffic against the NAT rules to see if it matches a DST NAT RULE and if so says JUMP or GO TO PORT FORWARD process.
So regardless of how many dsntnat rules in place, once recognized they will all go to a specific location and process.
Hmmm, all this does is then go to a set of the same rules we had previously.
I am not seeing any advantage or savings but instead see creating more rules and processes than is required??????
I am missing something here........
Re: Port forwarding - please help !
One little problem, we didn't define exact setup for the example, so there are multiple ways how to handle it. What I posted could be for one ISP connection with two public addresses. That's how I understood your "WANIP 1234/5678", as two public addresses assigned to router, and that rule #2 should work with one and rule #3 with the other. And in-interface=<WAN> (or in-interface-list=<WANs> if there would be more than one internet connection) in rules #1 and #4 is the basic port forwarding config, where you don't care about destination (and which is in many cases wrong; sorry, I took a shortcut)...
See, that's the thing, there are too many ways how to handle things. Even with clearly defined setup, there's usually more than one way how to reach target goal. And they are often not 100% right or wrong, you can use shortcuts that are perfectly fine for one situation and better solution would be just waste of resources, but they would not work well for seemingly similar setups, only because there's one tiny little difference that changes everything. And now when we don't have exact setup to work with, I can imagine all missing details any way I want and number of possible solutions is endless. And it can also be confusing, when you expect something else.
So, lets try it like this:
Port forwarding uses NAT (dstnat), and it's nothing special, it's just a very simple action that changes destination address and/or ports. It's just one processing step. Packets come to router, dstnat changes destination, router finds out where to send it based on destination address (in this case the changed one), then it goes through forward filter and if it's not stopped there, router will send it out, but there's still srcnat which could change source. And that's it. When I have conditional dstnat rule, then when the condition is not met, dstnat does not happen, packets keeps original destination address (public IP of router), which will send them to input chain and there they will be dropped by default firewall.
About dstnat rules and possible ways to match packets, probably the most correct is to use dst-address. When you're connecting to e.g. http://yourserverbehindnat.domain.tld, the hostname resolves to one specific address, so you should be looking for that. But the address is often not static, so you can't do that, without updating the rule all the time. That's why people often use in-interface, with reasoning (if they have any) that it must be for the right address, when it came to router from internet. Which is not exactly correct, it might be also fake packet from evil hacker or something (and it's whole different story). It's also bad habit, because even though it's mostly fine when you have only one address, people get used to it and then they wonder why it makes problems when they get more addresses.
Another possible problem is that sometimes you want to be able to access same hostname also from LAN (the same one where's the target server). For that, you need another thing called hairpin NAT, but it can't work when your dstnat rules don't work for connections from LAN. And with in-interface=WAN they won't.
Yet another approach it to use dst-address-type=local, and it will match when destination address is assigned to router. No matter how often your WAN address changes, it will still work. But it will match any of them. So when you do this for e.g port 80, it will work great for connections from outside and inside (if you add hairpin NAT rule), but you'll block yourself from accessing WebFig on <router's LAN IP>:80, because it also matches dst-address-type=local and dstnat will redirect the request to webserver machine. So you'll have to add extra dst-address=!<router's LAN IP> and it will finally work. At least for most simple cases, I can still imagine some more complex ones, where it could be wrong.
About jumps example, imagine you have several WANs, you want different sets of dstnat rules for each, and you have a lot of them:
If you do it like this and a new incoming connection comes to WAN4, router will have to check all 3000 rules, before realizing that none is applicable. But if you do:
Then for the same connection, only three rules will be checked.
Ok, there is some "magic" involved, a connection tracking, which understands the traffic flow, recognizes packets that belong to same connection, etc. It's the thing that makes stuff like connection-nat-state work. But don't worry about that, just know it's there and it "just works".
See, that's the thing, there are too many ways how to handle things. Even with clearly defined setup, there's usually more than one way how to reach target goal. And they are often not 100% right or wrong, you can use shortcuts that are perfectly fine for one situation and better solution would be just waste of resources, but they would not work well for seemingly similar setups, only because there's one tiny little difference that changes everything. And now when we don't have exact setup to work with, I can imagine all missing details any way I want and number of possible solutions is endless. And it can also be confusing, when you expect something else.
So, lets try it like this:
Port forwarding uses NAT (dstnat), and it's nothing special, it's just a very simple action that changes destination address and/or ports. It's just one processing step. Packets come to router, dstnat changes destination, router finds out where to send it based on destination address (in this case the changed one), then it goes through forward filter and if it's not stopped there, router will send it out, but there's still srcnat which could change source. And that's it. When I have conditional dstnat rule, then when the condition is not met, dstnat does not happen, packets keeps original destination address (public IP of router), which will send them to input chain and there they will be dropped by default firewall.
About dstnat rules and possible ways to match packets, probably the most correct is to use dst-address. When you're connecting to e.g. http://yourserverbehindnat.domain.tld, the hostname resolves to one specific address, so you should be looking for that. But the address is often not static, so you can't do that, without updating the rule all the time. That's why people often use in-interface, with reasoning (if they have any) that it must be for the right address, when it came to router from internet. Which is not exactly correct, it might be also fake packet from evil hacker or something (and it's whole different story). It's also bad habit, because even though it's mostly fine when you have only one address, people get used to it and then they wonder why it makes problems when they get more addresses.
Another possible problem is that sometimes you want to be able to access same hostname also from LAN (the same one where's the target server). For that, you need another thing called hairpin NAT, but it can't work when your dstnat rules don't work for connections from LAN. And with in-interface=WAN they won't.
Yet another approach it to use dst-address-type=local, and it will match when destination address is assigned to router. No matter how often your WAN address changes, it will still work. But it will match any of them. So when you do this for e.g port 80, it will work great for connections from outside and inside (if you add hairpin NAT rule), but you'll block yourself from accessing WebFig on <router's LAN IP>:80, because it also matches dst-address-type=local and dstnat will redirect the request to webserver machine. So you'll have to add extra dst-address=!<router's LAN IP> and it will finally work. At least for most simple cases, I can still imagine some more complex ones, where it could be wrong.
About jumps example, imagine you have several WANs, you want different sets of dstnat rules for each, and you have a lot of them:
Code: Select all
/ip firewall nat
add action=dst-nat chain=dstnat in-interface=WAN1 <other conditions>
<other 998 rules for WAN1>
add action=dst-nat chain=dstnat in-interface=WAN1 <other conditions>
add action=dst-nat chain=dstnat in-interface=WAN2 <other conditions>
<other 998 rules for WAN2>
add action=dst-nat chain=dstnat in-interface=WAN2 <other conditions>
add action=dst-nat chain=dstnat in-interface=WAN3 <other conditions>
<other 998 rules for WAN3>
add action=dst-nat chain=dstnat in-interface=WAN3 <other conditions>Code: Select all
/ip firewall nat
add action=jump chain=dstnat in-interface=WAN1 jump-target=<dedicated chain for WAN1>
add action=jump chain=dstnat in-interface=WAN2 jump-target=<dedicated chain for WAN2>
add action=jump chain=dstnat in-interface=WAN3 jump-target=<dedicated chain for WAN3>
add action=dst-nat chain=<dedicated chain for WAN1> <other conditions>
...There's really no "port forward process", it's just a simple change of destination address, as described above. And similar to this, all conditions you can use for any rule are just simple checks, if current packet has given property or not. Don't look for anything complicated, it's not there.Somehow then, the Router Has the ability to check the traffic against the NAT rules to see if it matches a DST NAT RULE and if so says JUMP or GO TO PORT FORWARD process.
Ok, there is some "magic" involved, a connection tracking, which understands the traffic flow, recognizes packets that belong to same connection, etc. It's the thing that makes stuff like connection-nat-state work. But don't worry about that, just know it's there and it "just works".
Again, it doesn't do much, when you have only few rules and it might not be worth it to do something like this. Some things only start to make sense when you're dealing with large amount of stuff.I am not seeing any advantage or savings but instead see creating more rules and processes than is required??????
Re: Port forwarding - please help !
Okay I think I am grasping the Chain rule logic. I will try to see if it makes sense to use any on my configuration down the line.One little problem, we didn't define exact setup for the example, so there are multiple ways how to handle it. What I posted could be for one ISP connection with two public addresses. That's how I understood your "WANIP 1234/5678", as two public addresses assigned to router, and that rule #2 should work with one and rule #3 with the other. And in-interface=<WAN> (or in-interface-list=<WANs> if there would be more than one internet connection) in rules #1 and #4 is the basic port forwarding config, where you don't care about destination (and which is in many cases wrong; sorry, I took a shortcut)...
EDIT: Yes, I meant them to be outside users public WANIPS and the miscommunication created issues in of itself.
So, lets try it like this:
When I have conditional dstnat rule, then when the condition is not met, dstnat does not happen, packets keeps original destination address (public IP of router), which will send them to input chain and there they will be dropped by default firewall.
EDIT: Okay so I can identify a source address or source address list in my dstnat rule, it makes it conditional and if its not matched then gets dropped on the input chain and hence already covered in Filter rules(and making another is not required.
Another possible problem is that sometimes you want to be able to access same hostname also from LAN (the same one where's the target server). For that, you need another thing called hairpin NAT, but it can't work when your dstnat rules don't work for connections from LAN. And with in-interface=WAN they won't.
EDIT: Yes I see where using in-interface WAN would stop hairpin NAT from working.
About jumps example, imagine you have several WANs, you want different sets of dstnat rules for each, and you have a lot of them:If you do it like this and a new incoming connection comes to WAN4, router will have to check all 3000 rules, before realizing that none is applicable. But if you do:Code: Select all/ip firewall nat add action=dst-nat chain=dstnat in-interface=WAN1 <other conditions> <other 998 rules for WAN1> add action=dst-nat chain=dstnat in-interface=WAN1 <other conditions> add action=dst-nat chain=dstnat in-interface=WAN2 <other conditions> <other 998 rules for WAN2> add action=dst-nat chain=dstnat in-interface=WAN2 <other conditions> add action=dst-nat chain=dstnat in-interface=WAN3 <other conditions> <other 998 rules for WAN3> add action=dst-nat chain=dstnat in-interface=WAN3 <other conditions>Then for the same connection, only three rules will be checked.Code: Select all/ip firewall nat add action=jump chain=dstnat in-interface=WAN1 jump-target=<dedicated chain for WAN1> add action=jump chain=dstnat in-interface=WAN2 jump-target=<dedicated chain for WAN2> add action=jump chain=dstnat in-interface=WAN3 jump-target=<dedicated chain for WAN3> add action=dst-nat chain=<dedicated chain for WAN1> <other conditions> ...
There's really no "port forward process", it's just a simple change of destination address, as described above. And similar to this, all conditions you can use for any rule are just simple checks, if current packet has given property or not. Don't look for anything complicated, it's not there.Somehow then, the Router Has the ability to check the traffic against the NAT rules to see if it matches a DST NAT RULE and if so says JUMP or GO TO PORT FORWARD process.
Ok, there is some "magic" involved, a connection tracking, which understands the traffic flow, recognizes packets that belong to same connection, etc. It's the thing that makes stuff like connection-nat-state work. But don't worry about that, just know it's there and it "just works".
Again, it doesn't do much, when you have only few rules and it might not be worth it to do something like this. Some things only start to make sense when you're dealing with large amount of stuff.I am not seeing any advantage or savings but instead see creating more rules and processes than is required??????
See Edits above.
Also I can now delete my FW filter rules as I added sources addresses to IPNAT dsntnat rules.
YOu will laugh I had made the rules as INPUT rules, they should have been forward rules anyway!!
(Also, unrelated - how does one identify which LAN, the VLAN will piggyback on? It has to have a host LAN/Base Host/Port, where/how is this identified?)
Who is online
Users browsing this forum: netmas, und3rd06012 and 116 guests