Stormwatch

Port forwarding

Fri Nov 29, 2019 9:15 pm

RouterOS 6.45.7
Trying to port forward to a basic web page for testing port forwarding.
ISP modem (192.168.2.1) connected to Router
Port 81 is forwarded to Router (192.168.2.15)
Internal network is 192.168.88.X with Mikrotik as 192.168.88.1

I am trying to connect to a web page on 192.168.88.50:81

IP Addresses
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK INTERFACE
0 ;;; default configuration
192.168.88.1/24 192.168.88.0 ether2
1 D 192.168.2.15/24 192.168.2.0 ether1-gateway


Basic NAT Rule in place
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; default configuration
chain=srcnat action=masquerade out-interface=sfp1-gateway log-prefix=""

1 ;;; default configuration
chain=srcnat action=masquerade to-addresses=0.0.0.0 out-interface=ether1-gateway log-prefix=""

2 chain=dstnat action=dst-nat to-addresses=192.168.88.50 to-ports=81 protocol=tcp dst-port=81 log=no log-prefix=""

Added a filter rule
Flags: X - disabled, I - invalid, D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough

1 chain=forward action=fasttrack-connection connection-state=established,related log=no

2 chain=forward action=accept connection-state=established,related log=no

3 ;;; default configuration
chain=input action=accept protocol=icmp log-prefix=""

4 ;;; default configuration
chain=input action=accept connection-state=established log-prefix=""

5 ;;; default configuration
chain=input action=accept connection-state=related log-prefix=""

6 ;;; default configuration
chain=input action=drop in-interface=sfp1-gateway log-prefix=""

7 ;;; default configuration
chain=input action=drop in-interface=ether1-gateway log=no log-prefix=""

8 ;;; default configuration
chain=forward action=accept connection-state=established log-prefix=""

9 ;;; default configuration
chain=forward action=accept connection-state=related log-prefix=""

10 ;;; default configuration
chain=forward action=drop connection-state=invalid log=no log-prefix=""

11 chain=forward action=accept protocol=tcp dst-port=81 log=no log-prefix=""

When using
(Router Lan IP) 192.168.2.1:81
(Mikrotik Router IP) 192.168.2.15:81
(Mikrotik Lan IP) 192.168.88.1:81
(External IP) 69.X.X.X:81

I see the counters increase on NAT and filter, so it is using those rules in all cases, but the page cannot be reached.

I can browse to 192.168.88.50:81, so I know it's working.

Appreciate any assistance.
 
Stormwatch

Re: Port forwarding

Sat Nov 30, 2019 2:10 am

I changed to port 7878 to see if something was restricting 81.

Some logging:
Test dstnat: in:ether1-gateway out:(unknown 0), src-mac ac:84:c9:f9:80:60, proto TCP (SYN), 24.114.62.198:57701->192.168.2.15:7878, len 60
Filter forward: in:ether1-gateway out:bridge-local, src-mac ac:84:c9:f9:80:60, proto TCP (SYN), 24.114.62.198:57677->192.168.88.50:7878, NAT 24.114.62.198:57677->(192.168.2.15:7878->192.168.88.50:7878), len 60


Export of config:
# nov/29/2019 18:59:05 by RouterOS 6.45.7
# software id = I0Y9-ZE69
#
# model = 2011UiAS-2HnD
# serial number = 467404E11DAA
/interface bridge
add admin-mac=4C:5E:0C:32:B4:9E auto-mac=no fast-forward=no mtu=1500 name=bridge-local
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=ether6-master-local
set [ find default-name=ether7 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=ether7-slave-local
set [ find default-name=ether8 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=ether8-slave-local
set [ find default-name=ether9 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=ether9-slave-local
set [ find default-name=ether10 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=ether10-slave-local
set [ find default-name=sfp1 ] name=sfp1-gateway
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce distance=indoors mode=ap-bridge ssid=NSHome wireless-protocol=802.11
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk group-ciphers=tkip,aes-ccm mode=dynamic-keys supplicant-identity=MikroTik unicast-ciphers=tkip,aes-ccm wpa-pre-shared-key=Stormwatch342 wpa2-pre-shared-key=Stormwatch342
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc
/ip pool
add name=dhcp ranges=192.168.88.30-192.168.88.254
/ip dhcp-server
add address-pool=dhcp authoritative=after-2sec-delay disabled=no interface=bridge-local name=default
/user group
add name=sniffer policy=ssh,read,!local,!telnet,!ftp,!reboot,!write,!policy,!test,!winbox,!password,!web,!sniff,!sensitive,!api,!romon,!dude,!tikapp
/interface bridge port
add bridge=bridge-local interface=ether2
add bridge=bridge-local interface=ether6-master-local
add bridge=bridge-local interface=wlan1
add bridge=bridge-local interface=ether3
add bridge=bridge-local interface=ether4
add bridge=bridge-local interface=ether5
add bridge=bridge-local interface=ether7-slave-local
add bridge=bridge-local interface=ether8-slave-local
add bridge=bridge-local interface=ether9-slave-local
add bridge=bridge-local interface=ether10-slave-local
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface list member
add interface=ether2 list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=ether6-master-local list=discover
add interface=ether7-slave-local list=discover
add interface=ether8-slave-local list=discover
add interface=ether9-slave-local list=discover
add interface=ether10-slave-local list=discover
add interface=wlan1 list=discover
add interface=bridge-local list=discover
add interface=ether2 list=mactel
add interface=ether3 list=mactel
add interface=ether2 list=mac-winbox
add interface=ether4 list=mactel
add interface=ether3 list=mac-winbox
add interface=ether5 list=mactel
add interface=ether4 list=mac-winbox
add interface=ether6-master-local list=mactel
add interface=ether5 list=mac-winbox
add interface=ether7-slave-local list=mactel
add interface=ether6-master-local list=mac-winbox
add interface=ether8-slave-local list=mactel
add interface=ether7-slave-local list=mac-winbox
add interface=ether9-slave-local list=mactel
add interface=ether8-slave-local list=mac-winbox
add interface=ether10-slave-local list=mactel
add interface=ether9-slave-local list=mac-winbox
add interface=wlan1 list=mactel
add interface=ether10-slave-local list=mac-winbox
add interface=bridge-local list=mactel
add interface=wlan1 list=mac-winbox
add interface=bridge-local list=mac-winbox
/interface pptp-server server
set default-profile=default
/ip accounting
set enabled=yes threshold=2560
/ip accounting web-access
set accessible-via-web=yes address=192.168.88.34/32
/ip address
add address=192.168.88.1/24 comment="default configuration" interface=ether2 network=192.168.88.0
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid disabled=no interface=sfp1-gateway
add comment="default configuration" dhcp-options=hostname,clientid disabled=no interface=ether1-gateway
/ip dhcp-server lease
add address=192.168.88.23 client-id=1:0:f:ff:50:41:d9 mac-address=00:0F:FF:50:41:D9 server=default
add address=192.168.88.21 client-id=1:0:f:ff:12:9d:23 mac-address=00:0F:FF:12:9D:23 server=default
add address=192.168.88.24 client-id=1:0:f:ff:50:4a:d0 mac-address=00:0F:FF:50:4A:D0 server=default
add address=192.168.88.20 always-broadcast=yes client-id=1:0:f:ff:57:be:f7 mac-address=00:0F:FF:57:BE:F7 server=default
add address=192.168.88.10 comment="Netgear 24 Port Switch" mac-address=74:44:01:9B:34:34 server=default
add address=192.168.88.26 always-broadcast=yes client-id=1:0:f:ff:60:5:74 mac-address=00:0F:FF:60:05:74 server=default
add address=192.168.88.27 client-id=1:0:9:b0:cf:c7:15 comment=Receiver mac-address=00:09:B0:CF:C7:15 server=default
add address=192.168.88.22 mac-address=00:0F:FF:10:CA:04 server=default
add address=192.168.88.11 comment="Netgear POE Switch" mac-address=2C:B0:5D:7F:8A:51 server=default
add address=192.168.88.55 client-id=1:14:da:e9:4f:98:3d mac-address=14:DA:E9:4F:98:3D server=default
add address=192.168.88.51 always-broadcast=yes client-id=1:28:18:78:87:a0:85 disabled=yes mac-address=28:18:78:87:A0:85 server=default
add address=192.168.88.30 client-id=1:0:50:56:89:0:1 comment=DVR mac-address=00:50:56:89:00:01 server=default
add address=192.168.88.25 always-broadcast=yes mac-address=00:22:F4:17:BE:60
add address=192.168.88.50 client-id=1:2c:56:dc:97:84:da mac-address=2C:56:DC:97:84:DA server=default
add address=192.168.88.34 always-broadcast=yes client-id=1:c0:33:5e:15:a0:d9 mac-address=C0:33:5E:15:A0:D9 server=default
add address=192.168.88.33 always-broadcast=yes client-id=1:c0:ee:fb:5a:d1:e5 mac-address=C0:EE:FB:5A:D1:E5 server=default
add address=192.168.88.38 client-id=1:10:b:a9:56:b3:60 mac-address=10:0B:A9:56:B3:60 server=default
add address=192.168.88.36 always-broadcast=yes client-id=1:c0:ee:fb:5a:cf:b9 mac-address=C0:EE:FB:5A:CF:B9 server=default
add address=192.168.88.32 always-broadcast=yes client-id=1:78:4b:87:69:93:88 mac-address=78:4B:87:69:93:88 server=default
add address=192.168.88.31 always-broadcast=yes client-id=1:cc:95:d7:dc:94:ab comment="Vizio TV" mac-address=CC:95:D7:DC:94:AB server=default
add address=192.168.88.37 always-broadcast=yes client-id=1:ac:bc:32:8f:6f:51 mac-address=AC:BC:32:8F:6F:51 server=default
add address=192.168.88.12 comment=Unifi mac-address=80:2A:A8:D6:F1:3F server=default
add address=192.168.88.46 mac-address=F4:F5:D8:D7:C1:62 server=default
add address=192.168.88.45 always-broadcast=yes mac-address=F4:F5:D8:D7:C1:5A server=default
add address=192.168.88.28 client-id=1:0:9:b0:cf:e1:f9 mac-address=00:09:B0:CF:E1:F9 server=default
add address=192.168.88.56 always-broadcast=yes client-id=1:f0:6e:b:2d:3b:2b mac-address=F0:6E:0B:2D:3B:2B server=default
add address=192.168.88.29 always-broadcast=yes client-id=1:0:9:b0:e9:ca:a8 mac-address=00:09:B0:E9:CA:A8 server=default
/ip dhcp-server network
add address=192.168.88.0/24 comment="default configuration" dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related
add action=accept chain=input comment="default configuration" protocol=icmp
add action=accept chain=input comment="default configuration" connection-state=established
add action=accept chain=input comment="default configuration" connection-state=related
add action=drop chain=input comment="default configuration" in-interface=sfp1-gateway
add action=drop chain=input comment="default configuration" in-interface=ether1-gateway
add action=accept chain=forward comment="default configuration" connection-state=established
add action=accept chain=forward comment="default configuration" connection-state=related
add action=drop chain=forward comment="default configuration" connection-state=invalid
add action=accept chain=forward connection-nat-state=dstnat dst-address=192.168.88.50 dst-port=7878 log=yes log-prefix=NavFilter protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" out-interface=sfp1-gateway
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway to-addresses=0.0.0.0
add action=dst-nat chain=dstnat dst-address=192.168.2.15 dst-port=7878 in-interface=ether1-gateway log=yes log-prefix=NavTest protocol=tcp to-addresses=192.168.88.50
/ip proxy
set cache-path=web-proxy1
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=ether1-gateway type=external
/lcd interface pages
set 0 interfaces=sfp1-gateway,ether1-gateway,ether2,ether3,ether4,ether5,ether6-master-local,ether7-slave-local,ether8-slave-local,ether9-slave-local,ether10-slave-local
/system clock
set time-zone-autodetect=no time-zone-name=America/Toronto
/system ntp client
set enabled=yes primary-ntp=198.50.145.138 secondary-ntp=199.19.167.36
/system scheduler
add interval=1m name=station-check-schedule on-event="/system script run station-check ;" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=may/02/2014 start-time=00:00:01
/system script
add dont-require-permissions=no name=station-check owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive source="/interface wireless registration-table\r\
\n:foreach i in=[ /interface wireless registration-table find ap=no] do={\r\
\n :if ([get \$i tx-ccq] < \"70\" && [get \$i rx-ccq] < \"70\") do={\r\
\n :log warning ([get \$i radio-name] . \" was disconnected due to low CCQ - Tx: \" . [get \$i tx-ccq] . \"% / Rx: \" . [get \$i rx-ccq] . \"%\")\r\
\n /interface wireless registration-table remove \$i\r\
\n :delay 5s\r\
\n }\r\
\n}"
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
 
Sob

Re: Port forwarding  [SOLVED]

Sat Nov 30, 2019 3:33 am

Look elsewhere, it's not here. Your log shows that the dstnat rule works, packets correctly pass through the forward filter (*) and there's nothing to stop them later. Just because connecting to an internal device works from the LAN doesn't mean that it has to work when the connection comes from elsewhere. So check the target device's firewall to see if it allows connections from any source to this port.

(*) Pretty much anything passes through your firewall, because the only thing you block is packets with connection-state=invalid. But the firewall's default action is accept; just imagine it as an invisible rule at the end of the chain:
/ip firewall filter
add chain=forward action=accept
So you currently allow all new connections, no matter what the source or destination is. Another small thing is that connection-state=established,related covers both states, so the following two rules, where you repeat them individually, are useless.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
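An added example, not part of any post in this thread: the poster's forward chain rewritten so that the invisible trailing accept described above becomes an explicit drop, with the dst-nat'ed test connection as the only new inbound connection allowed. Interface names, addresses, ports and the NavTest/NavFilter prefixes come from the poster's export; the WAN interface list and the FwdDrop prefix are assumptions made here.

```routeros
# Assumption: both uplinks grouped into one list so a single rule covers them.
/interface list
add name=WAN comment="assumed: ether1-gateway and sfp1-gateway are both WAN"
/interface list member
add interface=ether1-gateway list=WAN
add interface=sfp1-gateway list=WAN

/ip firewall nat
# Same redirect as the poster's rule: TCP/7878 arriving from the WAN side goes
# to the internal web host. Only the interface matcher is changed to the list.
add chain=dstnat action=dst-nat in-interface-list=WAN protocol=tcp \
    dst-address=192.168.2.15 dst-port=7878 to-addresses=192.168.88.50 \
    log=yes log-prefix=NavTest

/ip firewall filter
# Established/related is handled once; the separate "established" and
# "related" rules from the default config are redundant and are dropped here.
add chain=forward action=fasttrack-connection connection-state=established,related
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
# Only a new connection that was actually dst-nat'ed to this host and port
# may enter from the WAN.
add chain=forward action=accept connection-state=new connection-nat-state=dstnat \
    in-interface-list=WAN protocol=tcp dst-address=192.168.88.50 dst-port=7878 \
    log=yes log-prefix=NavFilter
# The implicit end-of-chain accept, made explicit and inverted: every other new
# connection coming in from the WAN is dropped and logged.
add chain=forward action=drop connection-state=new in-interface-list=WAN \
    log=yes log-prefix=FwdDrop

# Checks: per test connection the NavTest and NavFilter counters and log lines
# should increase while FwdDrop stays quiet for that flow. If they do, the SYN
# left the router correctly and the host firewall on 192.168.88.50 is next.
/ip firewall filter print stats
/log print where message~"NavFilter|FwdDrop"
```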
 
Stormwatch

Re: Port forwarding

Sat Nov 30, 2019 4:13 am

> Look elsewhere, it's not here. Your log shows that the dstnat rule works, packets correctly pass through the forward filter (*) and there's nothing to stop them later. Just because connecting to an internal device works from the LAN doesn't mean that it has to work when the connection comes from elsewhere. So check the target device's firewall to see if it allows connections from any source to this port.
>
> (*) Pretty much anything passes through your firewall, because the only thing you block is packets with connection-state=invalid. But the firewall's default action is accept; just imagine it as an invisible rule at the end of the chain:
> /ip firewall filter
> add chain=forward action=accept
> So you currently allow all new connections, no matter what the source or destination is. Another small thing is that connection-state=established,related covers both states, so the following two rules, where you repeat them individually, are useless.
Ok, thank you. I will review the server it's connecting to.
