XenoMorpHx
just joined
Topic Author
Posts: 7
Joined: Tue Mar 19, 2019 9:59 am

Port forwarding not working correctly

Tue Mar 19, 2019 10:51 am

I recently received my MikroTik RB4011iGS+5HacQ2HnD-IN and have it setup with fiber.
I got routed IPTV and internet going with VLANs and the next thing was my NAS.

I have setup a NAT rule in my firewall:
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=80 in-interface=pppoe-client \
    protocol=tcp to-addresses=192.168.10.13
Problem is that when I visit my domain.com (which points towards my NAS on my IP at home) from my home IP address, I am directed towards my MikroTik router's login page.
But when I use a different IP outside of my network and home IP address I am routed towards my NAS as it should be....
I surely am no network guru; I was glad I got the router to work at all (it took me quite some time though) :lol: But I have no idea how to fix this, maybe someone else knows?
 
mkx
Forum Guru
Posts: 11628
Joined: Thu Mar 03, 2016 10:23 pm

Re: Port forwarding not working correctly

Tue Mar 19, 2019 12:45 pm

You have to read about hair-pin NAT. You'll have to change your current dst-nat rule and add a src-nat to make it work.

Currently it doesn't work because when you try to connect to your WAN IP address while being in the LAN, your connection doesn't come through interface pppoe-client, hence the dst-nat rule doesn't pick it up. The next choice is the router's web interface, which works because the connection came in through one of the LAN interfaces.
 
XenoMorpHx
just joined
Topic Author
Posts: 7
Joined: Tue Mar 19, 2019 9:59 am

Re: Port forwarding not working correctly

Tue Mar 19, 2019 1:49 pm

Yeah, I have read about the hairpin on the MikroTik wiki a couple of times. I am trying to get it working, but it's a no-go so far.
This is my config, maybe someone could have a look?

My NAS is on IP: 192.168.10.13
# mar/19/2019 09:38:09 by RouterOS 6.44.1
# software id = HCL6-9J1X
#
# model = RB4011iGS+5HacQ2HnD
# serial number = 96890AC2EC81
/interface bridge
add admin-mac=74:4D:28:11:64:F0 auto-mac=no comment=defconf igmp-snooping=yes \
    name=bridge-local
/interface ethernet
set [ find default-name=ether1 ] arp=proxy-arp l2mtu=1598 loop-protect=off
set [ find default-name=ether2 ] l2mtu=1598
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=3 band=5ghz-a/n/ac \
    channel-width=20/40/80mhz-XXXX country=netherlands disabled=no distance=\
    indoors frequency=auto frequency-mode=regulatory-domain mode=ap-bridge \
    secondary-channel=auto ssid=MikroTik5 wireless-protocol=802.11
set [ find default-name=wlan2 ] antenna-gain=3 band=2ghz-b/g/n channel-width=\
    20/40mhz-XX country=netherlands disabled=no distance=indoors frequency=\
    auto frequency-mode=regulatory-domain mode=ap-bridge ssid=MikroTik2 \
    wireless-protocol=802.11
/interface vlan
add interface=ether1 name=vlan1.4 vlan-id=4
add interface=ether1 loop-protect=off name=vlan1.6 vlan-id=6
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan1.6 keepalive-timeout=20 \
    max-mru=1500 max-mtu=1500 name=pppoe-client password=1234 service-name=\
    XS4ALL use-peer-dns=yes user=1234@provider
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
    dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=xxxxxxxx \
    wpa2-pre-shared-key=xxxxxxxxxx
/ip dhcp-client option
add code=60 name=option60-vendorclass value="'IPTV_RG'"
/ip dhcp-server option
add code=60 name=option60-vendorclass value="'IPTV_RG'"
add code=28 name=option28-broadcast value="'192.168.10.255'"
/ip dhcp-server option sets
add name=IPTV options=option60-vendorclass,option28-broadcast
/ip pool
add name=dhcp ranges=192.168.10.10-192.168.10.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge-local lease-time=1h30m \
    name=dhcp-thuis
/ppp profile
set *0 only-one=yes use-compression=yes use-ipv6=no use-upnp=no
add name=default-ipv6 only-one=yes use-compression=yes use-upnp=no
/routing bgp instance
set default disabled=yes
/tool user-manager customer
set admin access=\
    own-routers,own-users,own-profiles,own-limits,config-payment-gw
/interface bridge port
add bridge=bridge-local comment=defconf interface=ether2
add bridge=bridge-local comment=defconf interface=ether3
add bridge=bridge-local comment=defconf interface=ether4
add bridge=bridge-local comment=defconf interface=ether5
add bridge=bridge-local comment=defconf interface=ether6
add bridge=bridge-local comment=defconf interface=ether7
add bridge=bridge-local comment=defconf interface=ether8
add bridge=bridge-local comment=defconf interface=ether9
add bridge=bridge-local comment=defconf interface=ether10
add bridge=bridge-local comment=defconf interface=sfp-sfpplus1
add bridge=bridge-local comment=defconf interface=wlan1
add bridge=bridge-local comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge-local list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-client list=WAN
/ip address
add address=192.168.10.1/24 comment=defconf interface=ether2 network=\
    192.168.10.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
    ether1
add default-route-distance=210 dhcp-options=\
    option60-vendorclass,hostname,clientid disabled=no interface=vlan1.4 \
    use-peer-dns=no use-peer-ntp=no
/ip dhcp-server config
set store-leases-disk=15m
/ip dhcp-server lease
add address=192.168.10.13 client-id=1:68:5:ca:2d:99:90 mac-address=\
    68:05:CA:2D:99:90 server=dhcp-thuis
/ip dhcp-server network
add address=192.168.10.0/24 comment=defconf dns-server=192.168.10.1 domain=\
    thuis.local gateway=192.168.10.1 netmask=24
/ip dns
set allow-remote-requests=yes cache-max-ttl=1d servers=1.1.1.1,1.0.0.1
/ip dns static
add address=192.168.10.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=accept chain=input in-interface=pppoe-client protocol=icmp
add action=accept chain=input connection-state=related
add action=accept chain=input connection-state=established
add action=reject chain=input in-interface=pppoe-client protocol=tcp \
    reject-with=icmp-port-unreachable
add action=reject chain=input in-interface=pppoe-client protocol=udp \
    reject-with=icmp-port-unreachable
add action=accept chain=forward comment="IPTV multicast" dst-address=\
    224.0.0.0/8 in-interface=vlan1.4 protocol=udp
add action=accept chain=input comment="IPTV multicast" dst-address=\
    224.0.0.0/8 in-interface=vlan1.4 protocol=igmp
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="Needed for internet" \
    out-interface=pppoe-client src-address=192.168.10.0/24
add action=dst-nat chain=dstnat dst-port=80 in-interface=pppoe-client \
    protocol=tcp to-addresses=192.168.10.13
add action=dst-nat chain=dstnat disabled=yes dst-port=80 in-interface=ether1 \
    protocol=tcp to-addresses=192.168.10.13
add action=masquerade chain=srcnat comment="Needed for IPTV" out-interface=\
    vlan1.4
add action=masquerade chain=srcnat disabled=yes dst-address=192.168.10.13 \
    dst-port=80 out-interface=ether1 protocol=tcp src-address=192.168.10.0/24
add action=dst-nat chain=dstnat dst-port=32400 protocol=tcp to-addresses=\
    192.168.10.13 to-ports=32400
add action=dst-nat chain=dstnat dst-port=13210 protocol=tcp to-addresses=\
    192.168.10.13 to-ports=13210
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/routing igmp-proxy
set quick-leave=yes
/routing igmp-proxy interface
add alternative-subnets=0.0.0.0/0 interface=vlan1.4 upstream=yes
add interface=bridge-local
/system clock
set time-zone-name=Europe/Amsterdam
/system leds
add interface=wlan2 leds="wlan2_signal1-led,wlan2_signal2-led,wlan2_signal3-le\
    d,wlan2_signal4-led,wlan2_signal5-led" type=wireless-signal-strength
add interface=wlan2 leds=wlan2_tx-led type=interface-transmit
add interface=wlan2 leds=wlan2_rx-led type=interface-receive
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool user-manager database
set db-path=user-manager

Added a new NAT rule:
/ip firewall nat
add chain=srcnat src-address=192.168.10.0/24 \
  dst-address=192.168.10.13 protocol=tcp dst-port=80 \
  out-interface=pppoe-client action=masquerade
I tried all options on "out-interface" without any luck...
Last edited by XenoMorpHx on Tue Mar 19, 2019 8:41 pm, edited 1 time in total.
 
anav
Forum Guru
Posts: 19372
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port forwarding not working correctly

Tue Mar 19, 2019 2:03 pm

There may be an easier solution, courtesy of sob..... (removes complexity of hairpin nat)
If you simply want to check that your server is working etc. etc.,
just don't try to access the server (via the WAN IP) from the same subnet on the router.

For example if the server is in 192.168.10.0 network then go to a different subnet 192.168.2.0 for example and then attempt to reach your server by the following setup (remove previous rule and replace with this rule).

/ip firewall nat
add chain=dstnat dst-address=<public IP> protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.10.13
 
mkx
Forum Guru
Posts: 11628
Joined: Thu Mar 03, 2016 10:23 pm

Re: Port forwarding not working correctly

Tue Mar 19, 2019 2:22 pm

Your additional src-nat rule is all wrong ... again, read posts about hair-pin NAT.

Keys to understanding:
  • src-address is the address of the client that initiates the connection ... in your case it's an address from the 192.168.10.x subnet
  • dst-address is the address where the client initiated the connection originally ... which in your case is the public (WAN) IP address of the router. If it's changing, you'll have to get around it by using in-interface(-list)
  • to-addresses ... you set the new target IP address, which in this case is the NAS' IP address

You'll have to use both dst-nat and src-nat rules:
  1. purpose of dst-nat rule is to forward traffic from LAN client (originally destined at router's public IP address) towards NAS .. just the same way as done for accesses from internet
  2. purpose of src-nat rule is to replace client's address (LAN device) with router's LAN IP address.

Rule #1 doesn't work without rule #2 ... if there's no rule #2, then the NAS sees the client's LAN address and sends replies directly ... which disturbs the client as it sent the original connection requests towards a different IP address. Rule #2 makes the NAS return traffic to the router, and the router can undo both NAT operations.
Rule #2 is not necessary for internet2LAN forwarding because NAS can only send return traffic towards router (it doesn't know any better route back to client).
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Port forwarding not working correctly  [SOLVED]

Tue Mar 19, 2019 2:48 pm

(removes complexity of hairpin nat)
Why? Tell me, why do you say these things? :D What's complex about:
/ip firewall nat
add chain=srcnat src-address=192.168.10.0/24 dst-address=192.168.10.0/24 action=masquerade
This is your whole complexity in all its glory.

Ok, if you want, you can play with it more. You can add out-interface=<LAN> if you want, even though packets to the LAN subnet won't go elsewhere anyway. But maybe the rule could look clearer to you with it. Or if your heart can't take that you'll be trying to masquerade even the router's own connections to LAN (if there are any), you can add src-address-type=!local. If you hate that in the server's log you'll see source address 192.168.10.1 for all connections from LAN, which is wrong, because it's the router and the router is not connecting to your server, it can be solved too. Ditch masquerade and use "action=src-nat to-addresses=<your public address>" and you'll see all LAN clients in the log as if they are coming from <your public address>. You won't be able to tell one from another, but if they are connecting to any other remote server, they are hidden behind the common <your public address> too, so that's kind of normal. If you don't have a static address and still want this, just put any other address in to-addresses. Completely random, anything you like, and it will work too. But remember, all this is completely optional, even the rule shown above is enough.

The only other thing you need is correct dstnat rules. So no in-interface, but:
/ip firewall nat
add chain=dstnat dst-address=<static public address> protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.10.13
or if you have only dynamic address:
/ip firewall nat
add chain=dstnat dst-address-type=local dst-address=!192.168.10.1 protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.10.13
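As an added illustration of the two points made in the last two replies (the dst-nat rule must also match LAN-originated packets, and the src-nat rule is what forces the NAS to reply via the router), here is a small Python model of both chains. It is not from the thread or from RouterOS; the public IP 203.0.113.5 and the client addresses are constructed placeholders, the NAS and router LAN addresses are the thread's.

```python
from dataclasses import dataclass, replace

# Constructed addresses for the walk-through. The NAS (192.168.10.13) and the
# router LAN IP (192.168.10.1) come from the thread; the rest are placeholders.
PUBLIC_IP = "203.0.113.5"      # stands in for <public IP>
ROUTER_LAN = "192.168.10.1"
NAS = "192.168.10.13"
LAN_PREFIX = "192.168.10."


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


def in_lan(ip: str) -> bool:
    return ip.startswith(LAN_PREFIX)


def dstnat(pkt: Packet, match_in_interface_wan: bool) -> Packet:
    """dstnat chain. With match_in_interface_wan=True this models the OP's
    rule (in-interface=pppoe-client): it only fires for packets that arrived
    from the internet. With False it models Sob's rule
    (dst-address-type=local dst-address=!192.168.10.1), which matches any
    packet aimed at a router-owned address other than the LAN gateway."""
    came_from_wan = not in_lan(pkt.src)
    if match_in_interface_wan and not came_from_wan:
        return pkt
    if pkt.dst == PUBLIC_IP and pkt.dport == 80:
        return replace(pkt, dst=NAS)
    return pkt


def srcnat(pkt: Packet, hairpin_masquerade: bool) -> Packet:
    """srcnat chain: Sob's one-liner, LAN-to-LAN masquerade to the router LAN IP."""
    if hairpin_masquerade and in_lan(pkt.src) and in_lan(pkt.dst):
        return replace(pkt, src=ROUTER_LAN)
    return pkt


def outcome(client: str, match_in_interface_wan: bool, hairpin_masquerade: bool) -> str:
    """Trace one SYN from `client` to PUBLIC_IP:80 through both chains and
    report what the client experiences."""
    orig = Packet(client, PUBLIC_IP, 80)
    pkt = srcnat(dstnat(orig, match_in_interface_wan), hairpin_masquerade)
    if pkt.dst != NAS:
        # dst-nat did not fire: a router-owned address stays local, so the
        # router's own web UI answers on port 80 (the OP's symptom).
        return "router login page"
    if in_lan(client) and pkt.src == client:
        # NAS sees the client's real LAN address and answers it directly,
        # bypassing the router; the client expected a reply from PUBLIC_IP,
        # so the SYN-ACK from 192.168.10.13 is discarded (mkx's rule #2 point).
        return "reply bypasses router, connection hangs"
    # Reply returns to the router (default gateway for internet clients, the
    # rewritten source for LAN clients), which undoes both translations.
    return "NAS reached"
```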
 
XenoMorpHx
just joined
Topic Author
Posts: 7
Joined: Tue Mar 19, 2019 9:59 am

Re: Port forwarding not working correctly

Wed Mar 20, 2019 10:10 am

Thanks, that did the trick!

The next 2 NAT rules did it; I added 2 additional ports to them:
/ip firewall nat
add chain=dstnat dst-address-type=local dst-address=!192.168.10.1 protocol=tcp dst-port=80,32400,13210 action=dst-nat to-addresses=192.168.10.13 comment="NAS"
add chain=srcnat src-address=192.168.10.0/24 \
  dst-address=192.168.10.13 protocol=tcp dst-port=80,32400,13210 \
  out-interface=bridge-local action=masquerade comment="NAS"
Thanks for the help all, learning more and more every day :).
 
XenoMorpHx
just joined
Topic Author
Posts: 7
Joined: Tue Mar 19, 2019 9:59 am

Re: Port forwarding not working correctly

Sat Sep 21, 2019 2:51 pm

EDIT 17-02-2020; to post my solution:
I've read Sob's post a couple of times and watched Steveocee's tutorial: https://www.youtube.com/watch?v=_kw_bQyX-3U

So I added:
/ip firewall nat
add action=src-nat chain=srcnat comment=\
    "Hairpin NAT, internal ip's are now WAN ip's" dst-address=192.168.10.0/24 \
    src-address=192.168.10.0/24 to-addresses=<public IP>
And:
add action=dst-nat chain=dstnat comment="NAS 80" dst-address=\
    <public IP> dst-port=80,32400,13210 protocol=tcp to-addresses=\
    192.168.10.13
When I go to my webserver now, my WAN IP address shows up and not my router IP.
