RizONE
just joined
Topic Author
Posts: 2
Joined: Tue Nov 20, 2018 3:43 pm

need help to deal with simple port forwarding

Tue Nov 20, 2018 4:16 pm

Hi
the rule is configured on a target mikrotik
/ip firewall nat
add action=netmap chain=dstnat comment=RDP dst-port=4556 in-interface=WAN log=yes protocol=tcp to-addresses=192.168.0.50 to-ports=3389
and it works, but
When connecting through one provider in the log I see
08:52:35 firewall,info dstnat: in:WAN out:(none), src-mac 00:04:96:52:4c:e2, proto TCP (SYN), 91.205.*.*:1077->10.82.*.*:4556, len 60
- no connection
and through another one
08:53:40 firewall,info dstnat: in:WAN out:(none), src-mac 00:04:96:52:4c:e2, proto TCP (SYN), 91.226.*.*:50225->10.82.*.*:4556, len 52
- there is a connection
The only difference is in the len part, what is the len and how to fix it?
 
anav
Forum Guru
Posts: 3106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: need help to deal with simple port forwarding

Tue Nov 20, 2018 6:55 pm

I am not familiar with netmap but your rule looks reasonable.
Any user coming in on the wan with traffic destined for port 4556 gets their request forwarded to IP .0.50, on port 3389.

(I am not sure this is the most secure use of RDP, I would rather vpn in to a server or router)
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
sebastia
Forum Guru
Posts: 1790
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: need help to deal with simple port forwarding

Tue Nov 20, 2018 9:10 pm

Do you have a filter rule that allows dnat-ed or that specific traffic through?

You need both: one to remap and another to allow, as these are located in different IP tables.
 
anav
Forum Guru
Posts: 3106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: need help to deal with simple port forwarding

Tue Nov 20, 2018 9:36 pm

Correct, you need to have a firewall rule to allow your DST-NAT traffic.
I would assume he does, as dstnat works in one case but not the other.
It may be that his allow dstnat rule is not generic but specific to a particular WAN IP?

The usual rule looks like this:
/ip firewall filter
add chain=forward action=accept in-interface=wan_interface connection-nat-state=dstnat connection-state=established,related

If one has multiple ISP interfaces then
/ip firewall filter
add chain=forward action=accept in-interface-list=wan connection-nat-state=dstnat connection-state=established,related
 
2frogs
Long time Member
Posts: 540
Joined: Fri Dec 03, 2010 1:38 am

Re: need help to deal with simple port forwarding

Tue Nov 20, 2018 11:41 pm

Use action=dst-nat; netmap is intended to do a 1:1 NAT between an IP or between sets of multiple IPs. Between 2 IPs it acts more like a DMZ where it would be port for port.
Dst-nat is for forwarding either a single port or multiple ports to a device and can be used to forward different ports to different devices.

Len=length and in this case it refers to the size of the packet. The fact they are different has no real meaning.
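
The single-port forward from this thread written with action=dst-nat, together with the forward-chain filter rules it depends on, as an added example that is not part of any post above. The interface name WAN, the ports and 192.168.0.50 come from the thread; the address list name rdp-allowed and the source address 203.0.113.10 are constructed placeholders, added because the forwarded service is RDP.

```routeros
# Added example, not from the thread.
# rdp-allowed and 203.0.113.10 are placeholders: list the remote sources
# that are expected to reach the RDP host.
/ip firewall address-list
add list=rdp-allowed address=203.0.113.10 comment="constructed example source"

/ip firewall nat
# dst-nat (not netmap) for one forwarded port:
# WAN tcp/4556 -> 192.168.0.50:3389, only for sources in rdp-allowed
add chain=dstnat action=dst-nat protocol=tcp dst-port=4556 in-interface=WAN \
    src-address-list=rdp-allowed to-addresses=192.168.0.50 to-ports=3389 \
    log=yes comment=RDP

/ip firewall filter
# Packets that belong to connections already being tracked
add chain=forward action=accept connection-state=established,related \
    comment="accept tracked connections"
# Connections from WAN pass only if a dstnat rule translated them
add chain=forward action=accept in-interface=WAN connection-nat-state=dstnat \
    comment="accept port-forwarded traffic"
# Anything else arriving from WAN is not forwarded
add chain=forward action=drop in-interface=WAN \
    comment="drop other WAN traffic"
```

Filter rules are evaluated top to bottom, so on a router that already has forward-chain rules the two accept rules must sit above any existing drop rule.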
 
anav
Forum Guru
Posts: 3106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: need help to deal with simple port forwarding

Wed Nov 21, 2018 3:04 am

So two frogs, netmap is akin to 1:1 mappings between public IPs and private IPs? Like dedicated to a server?
 
2frogs
Long time Member
Posts: 540
Joined: Fri Dec 03, 2010 1:38 am

Re: need help to deal with simple port forwarding

Wed Nov 21, 2018 3:13 am

That’s correct!
* netmap - creates a static 1:1 mapping of one set of IP addresses to another one. Often used to distribute public IP addresses to hosts on private networks
https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/NAT
 
RizONE
just joined
Topic Author
Posts: 2
Joined: Tue Nov 20, 2018 3:43 pm

Re: need help to deal with simple port forwarding

Wed Nov 21, 2018 9:58 am

Thanks a lot to all.
This helps me:
/ip firewall filter
add chain=forward action=accept in-interface=wan_interface connection-nat-state=dstnat connection-state=established,related
But anyway, I do not understand why port forwarding (without this rule) works for one provider and does not for the other one.
 
anav
Forum Guru
Posts: 3106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: need help to deal with simple port forwarding

Wed Nov 21, 2018 9:38 pm

If you have two providers the rule should look like this
/ip firewall filter
add chain=forward action=accept in-interface-list=wan connection-nat-state=dstnat connection-state=established,related