
need help to deal with simple port forwarding

Posted: Tue Nov 20, 2018 4:16 pm
by RizONE
Hi,
the rule is configured on a target MikroTik:
/ip firewall nat
add action=netmap chain=dstnat comment=RDP dst-port=4556 in-interface=WAN log=yes protocol=tcp to-addresses=192.168.0.50 to-ports=3389
and it works, but
when connecting through one provider, in the log I see
08:52:35 firewall,info dstnat: in:WAN out:(none), src-mac 00:04:96:52:4c:e2, proto TCP (SYN), 91.205.*.*:1077->10.82.*.*:4556, len 60
- no connection
and through another one
08:53:40 firewall,info dstnat: in:WAN out:(none), src-mac 00:04:96:52:4c:e2, proto TCP (SYN), 91.226.*.*:50225->10.82.*.*:4556, len 52
- there is a connection.
The only difference is in the len part. What is len, and how do I fix it?

Re: need help to deal with simple port forwarding

Posted: Tue Nov 20, 2018 6:55 pm
by anav
I am not familiar with netmap but your rule looks reasonable.
Any user coming in on the wan with traffic destined for port 4556 gets their request forwarded to IP .0.50, on port 3389.

(I am not sure this is the most secure use of RDP, I would rather vpn in to a server or router)

Re: need help to deal with simple port forwarding

Posted: Tue Nov 20, 2018 9:10 pm
by sebastia
Do you have a filter rule that allows dnat-ed or that specific traffic through?

You need both: one to remap and the other to allow, as these are located in different IP tables.

Re: need help to deal with simple port forwarding

Posted: Tue Nov 20, 2018 9:36 pm
by anav
Correct, you need to have a firewall rule to allow your DST-NAT traffic.
I would assume he does as dstnat works in one case but not the other.
It may be that his allow dstnat rule is not generic but specific to a particular WANIP?

The usual rule looks like this:
/ip firewall filter
add chain=forward action=accept in-interface=wan_interface connection-nat-state=dstnat connection-state=established,related

If one has multiple ISP interfaces, then:
/ip firewall filter
add chain=forward action=accept in-interface-list=wan connection-nat-state=dstnat connection-state=established,related

Re: need help to deal with simple port forwarding

Posted: Tue Nov 20, 2018 11:41 pm
by 2frogs
Use action=dst-nat; netmap is intended to do a 1:1 NAT between two IPs or between sets of multiple IPs. Between 2 IPs it acts more like a DMZ, where it would be port for port.
DST-NAT is for forwarding either a single port or multiple ports to a device, and can be used to forward different ports to different devices.

Len=length and in this case it refers to the size of the packet. The fact they are different has no real meaning.

Re: need help to deal with simple port forwarding

Posted: Wed Nov 21, 2018 3:04 am
by anav
So 2frogs, netmap is akin to 1:1 mappings between public IPs and private IPs? Like dedicated to a server?

Re: need help to deal with simple port forwarding

Posted: Wed Nov 21, 2018 3:13 am
by 2frogs
That’s correct!
* netmap - creates a static 1:1 mapping of one set of IP addresses to another one. Often used to distribute public IP addresses to hosts on private networks
https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/NAT

Re: need help to deal with simple port forwarding

Posted: Wed Nov 21, 2018 9:58 am
by RizONE
Thanx a lot to all.
This helps me:
/ip firewall filter
add chain=forward action=accept in-interface=wan_interface connection-nat-state=dstnat connection-state=established,related
But anyway, I do not understand why port forwarding (without this rule) works for one provider and not for the other one.

Re: need help to deal with simple port forwarding

Posted: Wed Nov 21, 2018 9:38 pm
by anav
> Thanx a lot to all.
> This helps me:
> /ip firewall filter
> add chain=forward action=accept in-interface=wan_interface connection-nat-state=dstnat connection-state=established,related
> But anyway, I do not understand why port forwarding (without this rule) works for one provider and not for the other one.

If you have two providers, the rule should look like this:
/ip firewall filter
add chain=forward action=accept in-interface-list=wan connection-nat-state=dstnat connection-state=established,related
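An added example in RouterOS syntax (not from any post in this thread) that puts the pieces together: the dst-nat rule 2frogs recommends in place of netmap, the WAN interface list anav uses for two providers, and the forward-chain rules that let only the forwarded connection through. The interface names ether1/ether2, the list name WAN, and the rdp-admins address list with its prefix are assumptions for illustration.

```routeros
# Added example, not from the thread. Assumed: ether1 and ether2 are the two
# provider uplinks; the rest follows the RouterOS default-config layout.
/interface list
add name=WAN
/interface list member
add list=WAN interface=ether1
add list=WAN interface=ether2

# Optional defensive restriction: only these public sources may reach the
# forwarded RDP port (constructed example prefix, replace with your admin ranges).
/ip firewall address-list
add list=rdp-admins address=203.0.113.0/24

# dst-nat (not netmap): forward one TCP port to one host/port, on whichever
# provider the packet arrives from.
/ip firewall nat
add chain=dstnat action=dst-nat protocol=tcp dst-port=4556 in-interface-list=WAN src-address-list=rdp-admins to-addresses=192.168.0.50 to-ports=3389 log=yes comment=RDP

# Filter chain (rule order matters). The NAT table only rewrites the packet;
# the forward chain still has to accept it.
/ip firewall filter
add chain=forward action=accept connection-state=established,related comment="replies and later packets of known connections"
add chain=forward action=drop connection-state=invalid
# The initial SYN that the dstnat log line shows is connection-state=new, so the
# accept for forwarded traffic has to match new, not only established,related.
add chain=forward action=accept connection-state=new connection-nat-state=dstnat in-interface-list=WAN comment="allow connections that were dst-nat'ed"
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="drop everything else coming in from WAN"
```

With log=yes kept on the NAT rule, each forwarded SYN still appears in the log as in the thread, which makes it easy to confirm the accept rule is the one letting it through (check the counters with /ip firewall filter print stats).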