Inigma
just joined
Topic Author
Posts: 1
Joined: Mon May 13, 2019 1:44 am

Port still closed after forwarding

Mon May 13, 2019 2:01 am

Hi all

Yet another post about failed port forwarding :)
I've read a bunch of the other posts and none have helped so far.

Here is what I'm trying to do:
Open ports 9000-9002 for vlan 300 network 192.168.100.0/24 on our firewall.

Here is the rule I have in the web gui at the moment:
Filter Rules
ENABLED

Chain: forward
Dst. address: 192.168.100.0/24
protocol: 6(TCP)
dst. port: 9000-9002
Connection state: new
Action: accept

NAT:
ENABLED

Chain: DSTNAT
DST. Address: [Public IP]
Protocol: 6 (tcp)
Dst. Port: 9000-9002

Action: dst-nat
to addresses: 192.168.100.0/24
to ports: 9000-9002

When I check on www.canyouseeme.org it shows the port is still closed, reason: no route to host.
Though I see Bytes and packets increasing on the firewall, so I know it's coming in.
I've tried pointing this directly to a machine i.e. 192.168.100.111 and tried disabling firewall on the machine, but still no luck.

Any ideas what's causing this?
 
mkx
Forum Guru
Posts: 2134
Joined: Thu Mar 03, 2016 10:23 pm

Re: Port still closed after forwarding

Mon May 13, 2019 3:15 pm

In NAT section, to-addresses should definitely be set to IP address of a single host (/32). I guess the only way of forwarding some port to whole subnet (/24 as you have it) would be that RB would send it to broadcast address and let somebody to pick it up ... and according to my experience that's not going to happen with vast majority of server software.

When forwarding ports to the DMZ host but not changing port number you can omit to-ports part of config. That's only needed, when you change port number on the fly (e.g. if forwarding port tcp/8080 on ext IP to tcp/80 on DMZ IP).


For the firewall filter rule ... if you don't have any special requirements for a particular forwarded port, it is best to have single filter rule which takes care of all dst-nat rules:
/ip firewall filter
add action=accept chain=forward comment="allow dst-nat connections from WAN" \
    connection-nat-state=dstnat connection-state=new in-interface-list=WAN
which should be placed after the fast-track rule but before any general rule which blocks random traffic from WAN. If you have some very specific accept rules which affect the dst-nat traffic, place this rule below those. And you should adjust the in-interface-list criterion (perhaps to src-address or to in-interface or whatever you generally use in your firewall filter rules).
You can then most probably remove all other (non-specific) accept rules which allow dst-nated traffic.

Instead of having specific firewall filter rules for individual dst-nated connections you can specify criteria at the firewall nat rules (i.e. use src-address or src-address-list to limit forwarded service to some particular WAN hosts) so you don't have to use firewall filters for that.
BR,
Metod
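Added example (not mkx's or MikroTik's own config, written here to illustrate the advice above): the dst-nat rule as the original poster described it, beside the corrected single-host form, followed by the one generic forward-chain accept rule for dst-nat'd traffic. It assumes the WAN interface list is named "WAN", the internal host is 192.168.100.111 (mentioned in the first post), the public IP is a placeholder you must fill in, and the address list "trusted-remotes" and its address are constructed names, not anything from the thread.

```routeros
# Added example, not from the thread or MikroTik documentation.
# Assumptions: interface list "WAN" exists, the app host is 192.168.100.111,
# PUBLIC_IP_HERE is a placeholder for the router's public address, and the
# "trusted-remotes" list with its 203.0.113.10 entry is a constructed example.

# --- Weak / broken form (as in the first post): to-addresses is a whole /24 ---
# A dst-nat target has to be one host; a subnet here leads to "no route to host".
# /ip firewall nat
# add chain=dstnat dst-address=PUBLIC_IP_HERE protocol=tcp dst-port=9000-9002 \
#     action=dst-nat to-addresses=192.168.100.0/24 to-ports=9000-9002

# --- Corrected: single /32 target; to-ports omitted because the port is unchanged ---
/ip firewall nat
add chain=dstnat dst-address=PUBLIC_IP_HERE protocol=tcp dst-port=9000-9002 \
    action=dst-nat to-addresses=192.168.100.111 \
    comment="forward tcp/9000-9002 to app host"

# --- Optional tightening: only forward for listed remote hosts ---
# Limiting src-address-list on the NAT rule itself (as mkx describes) means no
# extra filter rule is needed; the list name and address are made up for this example.
/ip firewall address-list
add list=trusted-remotes address=203.0.113.10 comment="constructed example remote"
/ip firewall nat
set [find comment="forward tcp/9000-9002 to app host"] src-address-list=trusted-remotes

# --- One generic filter rule that covers every dst-nat rule ---
# Order matters: put it after the fasttrack/established rule and before the
# general rule that drops unsolicited traffic from WAN.
/ip firewall filter
add chain=forward action=accept connection-nat-state=dstnat \
    connection-state=new in-interface-list=WAN \
    comment="allow dst-nat connections from WAN"

# --- Check: counters on both rules should rise while an external test runs ---
/ip firewall nat print stats where comment~"9000-9002"
/ip firewall filter print stats where comment~"dst-nat"
```

If the NAT counters rise but the filter counters stay at zero, the dst-nat is translating but a forward-chain rule above the accept is dropping the packets; if neither rises, the traffic is not reaching the router on that public address and port.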
 
anav
Forum Guru
Posts: 2633
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port still closed after forwarding

Mon May 13, 2019 11:26 pm

My experience as to normal behaviour.
No ports forwarded: no port visible on scan
Port forwarded: port visible on scan but shown as closed
Port forwarded with an allowed firewall access list of wan ips on the dst nat rule: no port visible on scan.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
Sob
Forum Guru
Posts: 4073
Joined: Mon Apr 20, 2009 9:11 pm

Re: Port still closed after forwarding

Mon May 13, 2019 11:38 pm

@anav: If port is not forwarded, result depends on router's firewall config. If you drop incoming connections, it will show as filtered (not visible). If you reject connections, it will show as closed. If you don't have any firewall, it will show as either closed or open, depending if any service is listening on it. If you forward port to internal device, it's exactly the same, except router is now transparent and result depends on that other device.
 
anav
Forum Guru
Posts: 2633
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port still closed after forwarding

Tue May 14, 2019 5:30 pm

You are probably tentatively, said hesitantly, right. ;-P
My firewall rules have drop all at end of input and forward chains.
So I should caveat my response with those conditions.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)