
 
cgraham91
just joined
Topic Author
Posts: 3
Joined: Thu Aug 01, 2019 5:56 pm

Port Forward/Passthrough

Thu Aug 01, 2019 6:17 pm

Hey looking for help with an issue.

Looking for the best way to forward port 1433 TCP. An outside network is hosting a server, and I want to make sure anyone from my side can talk through that port to that server. Is there a simple way to just open that port to all traffic to a series of IPs?

Got my static IP 173.219.x.x from the ISP. Addresses are set to 173.219.x.x/25 and the private network is 10.0.10.1/24. How do I set it up to make sure anyone from my private network can talk through port 1433 to the outside company? I've tried port forwarding in every way I can think of, but every time I use a port checker it says it's still closed. Does it being masqueraded make a difference when forwarding?

Tried like this:
Chain Dstnat - Dst. Address 173.219.x.x - protocol 6 tcp - action dst-nat - to Ports 1433.

Note: I'm not hosting the server. People will just be talking to it from here to outside server through port 1433.

Thanks!
 
ros44
newbie
Posts: 37
Joined: Sun Feb 25, 2018 2:05 am
Location: Sofia, Bulgaria

Re: Port Forward/Passthrough

Sat Aug 03, 2019 9:49 am

I am relatively new to the forum, but I have dealt with networking for a long time. Port forwarding should be very simple, but your post has a lot of things that are not clear, at least to me. Try to be more specific and post part of your config, especially the lines from /ip firewall filter, /ip firewall nat and /ip address.
Every moment something magical is happening!
 
mkx
Forum Guru
Posts: 2583
Joined: Thu Mar 03, 2016 10:23 pm

Re: Port Forward/Passthrough

Sat Aug 03, 2019 10:16 am

By default, connections from LAN to WAN are not restricted in any way. The only requirement is a working SRC-NAT configuration (which is there by default on SOHO models as well, unless the WAN connectivity type is a non-common one). You're mentioning a /25 WAN subnet, which indicates a non-common setup (for the SOHO world). The "corporate" line of routers doesn't come with a default setup, and it's up to the administrator to do things right (or hire a consultant).
So follow the advice by @ros44 and post the current config (output of the command /export hide-sensitive).
BR,
Metod
 
cgraham91
just joined
Topic Author
Posts: 3
Joined: Thu Aug 01, 2019 5:56 pm

Re: Port Forward/Passthrough

Mon Aug 05, 2019 7:42 pm

Thanks for the replies. Here is the export from the terminal to help give a better idea of the network.

# aug/05/2019 11:33:46 by RouterOS 6.40.4
# software id = UMKR-
#
# model = 1100Hx2
# serial number =
/interface ethernet
set [ find default-name=ether1 ] comment="Business Cable Modem" name=eth1-WAN speed=1Gbps
set [ find default-name=ether2 ] arp=proxy-arp comment="Trusted LAN" name=eth2-Trusted speed=1Gbps
set [ find default-name=ether3 ] comment=US-16-XG master-port=eth2-Trusted name=eth3-XG speed=1Gbps
set [ find default-name=ether4 ] comment="C Site Link - Trusted LAN/route" name=eth4-CaliberSiteLink speed=1Gbps
set [ find default-name=ether13 ] comment="DHCP Client - Backup interface" name=eth13-backup speed=1Gbps
set [ find default-name=ether5 ] name="ether5 - PublicWiFi"
set [ find default-name=ether10 ] advertise=100M-full,1000M-full
/ip neighbor discovery
set eth1-WAN discover=no
/interface vlan
add comment="VLAN 2 Tagged data from Trusted LAN, used only for GPublic WiFi from UBNT gear" interface=eth2-Trusted name=vlan2-publicwifi vlan-id=2
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=rb1100
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
/ip pool
add name=pool1 ranges=10.0.10.51-10.0.10.250
add name=pool2 ranges=10.128.10.10-10.128.10.254
add name=vpn-pool ranges=10.0.110.191-10.0.110.200
add name=public-wifi ranges=192.168.1.10-192.168.1.200
/ip dhcp-server
add add-arp=yes address-pool=pool1 authoritative=after-2sec-delay disabled=no interface=eth2-Trusted lease-time=1d name=trusted-DHCP
add add-arp=yes address-pool=pool2 authoritative=after-2sec-delay interface=eth3-XG lease-time=3d name=VoIP-DHCP
add address-pool=public-wifi authoritative=after-2sec-delay disabled=no interface=vlan2-publicwifi lease-time=1d10h10m name=publicwifi
/ppp profile
add dns-server=10.0.10.2,10.0.10.25 idle-timeout=2h local-address=10.0.110.1 name=pptp-profile remote-address=vpn-pool session-timeout=2h
set *FFFFFFFE idle-timeout=20h local-address=vpn-pool remote-address=vpn-pool session-timeout=20h
/system logging action
set 0 memory-lines=100
set 1 disk-lines-per-file=100
/tool user-manager customer
set admin access=own-routers,own-users,own-profiles,own-limits,config-payment-gw
/interface l2tp-server server
set authentication=mschap1,mschap2
/interface pptp-server server
set default-profile=default mrru=1600
/ip address
add address=10.0.10.1/24 interface=eth2-Trusted network=10.0.10.0
add address=10.128.10.1/24 disabled=yes interface=eth3-XG network=10.128.10.0
add address=10.254.0.4/29 interface=eth4-CSiteLink network=10.254.0.0
add address=173.219.73.221/25 interface=eth1-WAN network=173.219.73.128
add address=192.168.1.1/24 interface=vlan2-publicwifi network=192.168.1.0
/ip dhcp-client
add default-route-distance=0 dhcp-options=hostname,clientid disabled=no interface=eth13-backup
/ip dhcp-relay
add delay-threshold=1m dhcp-server=10.220.10.2 interface=eth3-XG name=voip-dhcp-relay
/ip dhcp-server lease
add address=10.0.10.191 lease-time=1d mac-address=00:08:5D:24:51:52 server=trusted-DHCP
add address=10.0.10.92 client-id=1:98:e0:d9:c3:bd:0 mac-address=98:E0:D9:C3:BD:00 server=trusted-DHCP
add address=10.0.10.163 always-broadcast=yes client-id=1:9c:b6:d0:12:bc:25 mac-address=9C:B6:D0:12:BC:25 server=trusted-DHCP
add address=10.0.10.132 always-broadcast=yes client-id=1:58:7f:57:ea:2d:b4 mac-address=58:7F:57:EA:2D:B4 server=trusted-DHCP
/ip dhcp-server network
add address=10.0.10.0/24 dns-server=10.0.10.2,10.0.10.25 domain=G.com gateway=10.0.10.1 netmask=24
add address=10.128.10.0/24 dhcp-option=*1 dns-server=10.220.10.2,10.220.10.25 domain=G.com gateway=10.128.10.1 netmask=24
add address=192.168.1.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.1.1
/ip dns
set allow-remote-requests=yes servers=10.0.10.25,10.0.10.2
/ip dns static
add address=10.220.10.2 name=CDNS-DC1
add address=10.220.10.25 name=CDNS-DC2
add address=8.8.8.8 name=GoogleDNS
add address=10.0.10.2 name=GDNS1
add address=10.0.10.25 name=GDNS2
/ip firewall address-list
add address=10.220.0.0/19 list=CIPs
add address=10.254.0.0/29 list=CSiteLink
/ip firewall filter
add action=drop chain=forward content=chess.com in-interface=eth2-Trusted out-interface=eth2-Trusted
add action=accept chain=input disabled=yes log=yes protocol=gre
add action=accept chain=input disabled=yes dst-port=1723 log=yes protocol=tcp
add action=accept chain=input connection-state=established in-interface=eth1-WAN
add action=accept chain=input connection-state=related in-interface=eth1-WAN
add action=accept chain=input protocol=icmp
add action=accept chain=forward in-interface=eth4-CSiteLink out-interface=eth2-Trusted
add action=accept chain=forward in-interface=eth2-Trusted out-interface=eth4-CSiteLink
add action=accept chain=forward disabled=yes in-interface=eth4-CSiteLink out-interface=eth3-XG
add action=accept chain=forward disabled=yes in-interface=eth3-XG out-interface=eth4-CSiteLink
add action=accept chain=input disabled=yes in-interface=eth4-CSiteLink protocol=udp src-port=67
add action=drop chain=input in-interface=eth1-WAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface=eth1-WAN
add action=masquerade chain=srcnat disabled=yes out-interface="ether5 - PublicWiFi"
add action=masquerade chain=srcnat disabled=yes out-interface=eth3-XG
add action=dst-nat chain=dstnat dst-address=173.219.73.221 dst-port=1194 protocol=udp to-addresses=10.0.10.31 to-ports=1194
add action=accept chain=dstnat disabled=yes in-interface=eth4-CSiteLink
add action=masquerade chain=srcnat disabled=yes
add action=dst-nat chain=dstnat dst-address=173.219.73.221 dst-port=21 protocol=tcp to-addresses=10.0.10.27 to-ports=21
add action=dst-nat chain=dstnat dst-address=173.219.73.221 dst-port=21 protocol=udp to-addresses=10.0.10.27 to-ports=21
add action=dst-nat chain=dstnat dst-address=172.219.73.221 dst-port=1194 protocol=tcp to-addresses=10.0.10.31 to-ports=1194
add action=dst-nat chain=dstnat dst-address=173.219.73.211 dst-port=50000-51000 protocol=tcp to-addresses=173.219.73.211 to-ports=50000-51000
add action=dst-nat chain=dstnat dst-address=173.219.73.211 dst-port=50000-51000 protocol=udp src-port="" to-addresses=173.219.73.211 to-ports=50000-51000
add action=dst-nat chain=dstnat dst-address=173.219.73.221 dst-port=990 protocol=tcp to-addresses=10.0.10.27 to-ports=990
add action=dst-nat chain=dstnat dst-address=173.219.73.221 dst-port=990 protocol=udp to-addresses=10.0.10.27 to-ports=990
add action=dst-nat chain=dstnat comment="Unifi Server Inform Port" dst-port=8080 protocol=tcp to-addresses=10.0.10.28 to-ports=8080
add action=dst-nat chain=dstnat comment="Project tcp" dst-address=173.219.73.221 dst-port=5800 protocol=tcp to-ports=5800
add action=dst-nat chain=dstnat comment="Project UDP" dst-address=173.219.73.221 dst-port=5800 protocol=udp to-ports=5800
add action=dst-nat chain=dstnat comment="Studio" dst-address=173.219.73.128/25 dst-port=1433 protocol=tcp to-ports=1433
add action=dst-nat chain=dstnat dst-address=10.0.10.0/24 dst-port=1433 protocol=tcp to-ports=1433
/ip firewall service-port
set sip disabled=yes
/ip proxy
set cache-path=web-proxy1
/ip route
add distance=1 gateway=173.219.73.129
add disabled=yes distance=1 dst-address=10.220.0.0/19 gateway=10.254.0.1
/ip service
set api disabled=yes
/ppp secret
add name=white profile=pptp-profile
/system clock
set time-zone-autodetect=no time-zone-name=America/Chicago
/system identity
set name=rb1100
/system ntp client
set enabled=yes primary-ntp=71.19.145.222 secondary-ntp=24.56.178.140
/tool user-manager database
set db-path=web-proxy1

Let me know if there is anything else needs explanation. You can see some of the other port forwards I've tried in the past. All help is appreciated!
 
Sob
Forum Guru
Posts: 4385
Joined: Mon Apr 20, 2009 9:11 pm

Re: Port Forward/Passthrough

Mon Aug 05, 2019 9:43 pm

So the server is somewhere else, on a completely different network on the other end of the internet. And you want your local 10.0.10.x devices to be able to connect to <remote address>:1433? If so, you don't need any special config for that on your side; it's just like any other outgoing connection to the internet.

But since port 1433 is the default port for MS SQL Server and not something commonly used over the internet (except by bots trying to break in), it's possible that it is blocked by either your or the remote ISP. It would be a good idea to think about setting up a VPN between your site and the remote site.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
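Sob's point (outbound LAN-to-remote:1433 traffic never touches a dstnat rule) can be checked against the NAT export posted above. The script below is an added example, not part of the thread or of RouterOS: it parses a constructed subset of the posted /ip firewall nat lines, shows which dstnat rules would match a given packet, and lints the dst-nat rules for the three defects visible in the export (a missing to-addresses, a missing dst-address, and a dst-address that is a typo or a whole subnet rather than the router's WAN address). The remote address 203.0.113.10 is a constructed placeholder.

```python
import ipaddress
import shlex
# Constructed sample: a subset of the /ip firewall nat lines from the export above.
NAT_EXPORT = """\
add action=masquerade chain=srcnat out-interface=eth1-WAN
add action=dst-nat chain=dstnat dst-address=173.219.73.221 dst-port=1194 protocol=udp to-addresses=10.0.10.31 to-ports=1194
add action=dst-nat chain=dstnat dst-address=172.219.73.221 dst-port=1194 protocol=tcp to-addresses=10.0.10.31 to-ports=1194
add action=dst-nat chain=dstnat comment="Unifi Server Inform Port" dst-port=8080 protocol=tcp to-addresses=10.0.10.28 to-ports=8080
add action=dst-nat chain=dstnat comment="Studio" dst-address=173.219.73.128/25 dst-port=1433 protocol=tcp to-ports=1433
add action=dst-nat chain=dstnat dst-address=10.0.10.0/24 dst-port=1433 protocol=tcp to-ports=1433
"""
WAN_ADDRESS = ipaddress.ip_address("173.219.73.221")  # from the /ip address section of the export

def parse_rules(export):
    """Parse 'add key=value ...' export lines into dicts; shlex keeps quoted values whole."""
    return [dict(tok.partition("=")[::2] for tok in shlex.split(line[4:]))
            for line in export.splitlines() if line.startswith("add ")]

def matching_dstnat(rules, dst_ip, dst_port, proto):
    """Indices of dstnat-chain rules that would touch a packet headed to dst_ip:dst_port."""
    hits = []
    for i, r in enumerate(rules):
        if r.get("chain") != "dstnat" or r.get("protocol", proto) != proto:
            continue
        if "dst-address" in r and ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(r["dst-address"], strict=False):
            continue
        lo, _, hi = r.get("dst-port", "0-65535").partition("-")  # single port or low-high range
        if int(lo) <= dst_port <= int(hi or lo):
            hits.append(i)
    return hits

def lint_dstnat(rules, wan):
    """Flag dst-nat rules that cannot act as the inbound 'port forward' they were meant to be."""
    findings = []
    for i, r in enumerate(rules):
        if r.get("chain") != "dstnat" or r.get("action") != "dst-nat":
            continue
        tag = f"rule {i} ({r.get('comment', 'no comment')})"
        if "to-addresses" not in r:
            findings.append(f"{tag}: no to-addresses, so only the port is rewritten and nothing is forwarded")
        if "dst-address" not in r:
            findings.append(f"{tag}: no dst-address, matches any destination (LAN-to-LAN included)")
        else:
            net = ipaddress.ip_network(r["dst-address"], strict=False)
            if wan not in net:
                findings.append(f"{tag}: dst-address {net} does not cover the WAN address (typo?)")
            elif net.num_addresses > 1:
                findings.append(f"{tag}: dst-address {net} is a whole subnet, not this router's own address")
    return findings
```

Running `matching_dstnat(parse_rules(NAT_EXPORT), "203.0.113.10", 1433, "tcp")` returns an empty list, which is the whole point: the outbound SQL connection is handled by the masquerade rule alone, and the two 1433 dst-nat rules only rewrite port 1433 to 1433 on packets that were never going to the remote server.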
 
cgraham91
just joined
Topic Author
Posts: 3
Joined: Thu Aug 01, 2019 5:56 pm

Re: Port Forward/Passthrough

Mon Aug 05, 2019 10:19 pm

So the server is somewhere else, on a completely different network on the other end of the internet. And you want your local 10.0.10.x devices to be able to connect to <remote address>:1433? If so, you don't need any special config for that on your side; it's just like any other outgoing connection to the internet.

But since port 1433 is the default port for MS SQL Server and not something commonly used over the internet (except by bots trying to break in), it's possible that it is blocked by either your or the remote ISP. It would be a good idea to think about setting up a VPN between your site and the remote site.
Yes, exactly! Another company is hosting the MS SQL server. The other company recommends I forward my ports, which I thought was weird, but I'm not great with networking, so I figured I'd humor it and just forward my side in case. I just couldn't figure out how to open it to all traffic instead of acting like we're the host and going to a static IP. I don't have any specific blocks that I am aware of, and we've never had issues connecting to anything in the past.

I will check with my ISP to be sure. But thank you for the help!
