teeemo
just joined
Topic Author
Posts: 2
Joined: Sat Dec 22, 2018 10:01 pm

Port forwarding: in-interface (not working) vs in-interface-list/dst-address (working)?

Sat May 04, 2019 4:01 pm

Hello,

I am trying to port forward port 80 towards an internal PC of mine (192.168.50.50). I am using a MikroTik hAP ac2, running RouterOS 6.43.14.

Now, I tried the nat way of doing it (not sure if others exist), however, only 2 out of 3 options I tried work (see last part of rule):
  • In-interface-list=wan:
    action=dst-nat chain=dstnat dst-port=80 log=yes protocol=tcp to-addresses=192.168.50.50 to-ports=80 in-interface-list=WAN
  • dst-address=mypublicip:
    action=dst-nat chain=dstnat dst-port=80 log=yes protocol=tcp to-addresses=192.168.50.50 to-ports=80 dst-address=mypublicip
  • in-interface=ether1
    action=dst-nat chain=dstnat dst-port=80 log=yes protocol=tcp to-addresses=192.168.50.50 to-ports=80 in-interface=ether1

Out of those, the last one doesn't work, but I've checked the list of services and WAN=ether1:
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN

This is my current (working) configuration:
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=80 in-interface-list=WAN log=yes protocol=tcp to-addresses=192.168.50.50 to-ports=80

What am I missing that the in-interface variant doesn't work, but the other one(s) do?
 
anav
Forum Guru
Posts: 3130
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port forwarding: in-interface (not working) vs in-interface-list/dst-address (working)?

Mon May 06, 2019 7:57 pm

Hard to say since you didn't post your entire config and thus are missing relevant bits.
What interface is ppp0e-1 defined as???? Try that instead of eth1
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
Exiver
Member Candidate
Posts: 114
Joined: Sat Jan 10, 2015 6:45 pm

Re: Port forwarding: in-interface (not working) vs in-interface-list/dst-address (working)?

Tue May 07, 2019 9:19 pm

It looks like you are using a pppoe-connection. That means the active pppoe-connection is an additional "interface" on your router. ether1 is only the physical link but not the interface where your router receives the traffic coming from the internet. That's why your interface-list works (ether1 AND pppoe-out1). Rule two works because the firewall isn't matching the packet based on the incoming interface but on your IP. If your IP address changes you would need to reconfigure rule 2, since obviously the IP address isn't matching anymore. Rule 1 (or rule 3 with pppoe-out1 as in-interface) would not require you to reconfigure anything if your IP changes.
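
An added example, not part of the original thread or any poster's code: a small Python lint for a RouterOS export that flags dstnat rules matching on the physical carrier of a PPPoE client, the mismatch explained in the reply above, and also interface lists that contain the carrier but not the PPPoE interface. The `/interface pppoe-client` line in the sample is an assumption (the thread never shows it), and the parser assumes one `add` per line with no backslash continuations.

```python
import shlex

# Constructed sample export. The pppoe-client line is an assumption: the thread
# never shows it, but pppoe-out1 running over ether1 is what the answer infers.
SAMPLE_EXPORT = """\
/interface pppoe-client
add disabled=no interface=ether1 name=pppoe-out1
/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=80 in-interface-list=WAN protocol=tcp to-addresses=192.168.50.50
add action=dst-nat chain=dstnat dst-port=80 in-interface=ether1 protocol=tcp to-addresses=192.168.50.50
add action=dst-nat chain=dstnat dst-port=80 in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.50.50
"""

def parse_export(text):
    """Return {section: [{key: value}, ...]} for the 'add' lines of an export."""
    sections, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            current = sections.setdefault(line, [])
        elif line.startswith("add ") and current is not None:
            tokens = shlex.split(line[4:])  # keeps quoted comments in one token
            current.append(dict(t.split("=", 1) for t in tokens if "=" in t))
    return sections

def audit_dstnat(text):
    """Flag dstnat rules that match on a PPPoE carrier instead of the PPPoE interface."""
    cfg = parse_export(text)
    clients = cfg.get("/interface pppoe-client", [])
    carriers = {c["interface"]: c["name"] for c in clients if c.get("disabled") != "yes"}
    lists = {}
    for m in cfg.get("/interface list member", []):
        lists.setdefault(m["list"], set()).add(m["interface"])
    findings = []
    for idx, rule in enumerate(cfg.get("/ip firewall nat", [])):
        if rule.get("chain") != "dstnat":
            continue
        iface = rule.get("in-interface")
        members = lists.get(rule.get("in-interface-list"), set())
        missing = sorted(p for c, p in carriers.items() if c in members and p not in members)
        if iface in carriers:
            findings.append((idx, f"in-interface={iface} is the PPPoE carrier; match {carriers[iface]}"))
        elif missing:
            findings.append((idx, f"interface list lacks {', '.join(missing)}"))
    return findings

if __name__ == "__main__":
    print("\n".join(f"nat rule {i}: {msg}" for i, msg in audit_dstnat(SAMPLE_EXPORT)))
```

On the sample, only the `in-interface=ether1` rule is reported; the list-based and `pppoe-out1` rules pass.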
 
teeemo
just joined
Topic Author
Posts: 2
Joined: Sat Dec 22, 2018 10:01 pm

Re: Port forwarding: in-interface (not working) vs in-interface-list/dst-address (working)?

Sat May 11, 2019 9:10 pm

Oh, I found it out later, but couldn't update my post. It seems indeed that pppoe-out1 is doing/having the traffic instead of eth1; that's why the list works, since it includes pppoe-out1.

Thanks!
