Community discussions

MikroTik App
 
etokadi
just joined
Topic Author
Posts: 7
Joined: Fri Dec 27, 2019 12:27 am

TCP port forward doesnt work

Fri Dec 27, 2019 12:42 am

I am using the rule:

/ip firewall nat add chain=dstnat dst-port=55555 action=dst-nat protocol=tcp to-address=192.168.88.251 to-port=55555

Then start my server on .251 such as

Code: Select all

nc -l 192.168.88.251 -p 55555
And the port is not reachable from the internet. What am I doing wrong?
 
User avatar
ingdaka
Trainer
Trainer
Posts: 452
Joined: Thu Aug 30, 2012 3:06 pm
Location: Albania
Contact:

Re: TCP port forward doesnt work

Fri Dec 27, 2019 3:03 pm

/ip firewall nat add chain=dstnat dst-address="your-public-IP" dst-port=55555 action=dst-nat protocol=tcp to-address=192.168.88.251 to-port=55555
 
User avatar
Anumrak
Forum Guru
Forum Guru
Posts: 1174
Joined: Fri Jul 28, 2017 2:53 pm

Re: TCP port forward doesnt work

Fri Dec 27, 2019 4:15 pm

Hey. First of all: do you really have an application that listening that port? Because port forwarding via nat doesn't mean port will be opened from Internet just out of nowhere.
And second - you need to assign destination address, explicitly public one or assign an input interface which has that address, or both with specific address if that interface has a subnet less than /30(<30).
 
etokadi
just joined
Topic Author
Posts: 7
Joined: Fri Dec 27, 2019 12:27 am

Re: TCP port forward doesnt work

Mon Dec 30, 2019 5:46 pm

/ip firewall nat add chain=dstnat dst-address="your-public-IP" dst-port=55555 action=dst-nat protocol=tcp to-address=192.168.88.251 to-port=55555
Thanks but I don't think I can add my public IP since my ISP assigns that dynamically so it is always different.
 
etokadi
just joined
Topic Author
Posts: 7
Joined: Fri Dec 27, 2019 12:27 am

Re: TCP port forward doesnt work

Mon Dec 30, 2019 5:49 pm

Hey. First of all: do you really have an application that listening that port? Because port forwarding via nat doesn't mean port will be opened from Internet just out of nowhere.
And second - you need to assign destination address, explicitly public one or assign an input interface which has that address, or both with specific address if that interface has a subnet less than /30(<30).
Yes I tried with an application and also with nc -l. My understanding is that if there's no application, the client would get connection refused, or a timeout if the rule doesn't work.

I can't assign an IP since it's dynamic but I'll try now with an interface.
 
etokadi
just joined
Topic Author
Posts: 7
Joined: Fri Dec 27, 2019 12:27 am

Re: TCP port forward doesnt work

Mon Dec 30, 2019 6:26 pm

It still doesn't work but I see the packet count increase when I try to connect to the port.
 
User avatar
Anumrak
Forum Guru
Forum Guru
Posts: 1174
Joined: Fri Jul 28, 2017 2:53 pm

Re: TCP port forward doesnt work

Tue Dec 31, 2019 9:41 am

/ip firewall nat add chain=dstnat dst-address="your-public-IP" dst-port=55555 action=dst-nat protocol=tcp to-address=192.168.88.251 to-port=55555
Thanks but I don't think I can add my public IP since my ISP assigns that dynamically so it is always different.
Use dyndns or write a script which will do this for you :)
 
User avatar
Anumrak
Forum Guru
Forum Guru
Posts: 1174
Joined: Fri Jul 28, 2017 2:53 pm

Re: TCP port forward doesnt work

Tue Dec 31, 2019 9:42 am

Hey. First of all: do you really have an application that listening that port? Because port forwarding via nat doesn't mean port will be opened from Internet just out of nowhere.
And second - you need to assign destination address, explicitly public one or assign an input interface which has that address, or both with specific address if that interface has a subnet less than /30(<30).
Yes I tried with an application and also with nc -l. My understanding is that if there's no application, the client would get connection refused, or a timeout if the rule doesn't work.

I can't assign an IP since it's dynamic but I'll try now with an interface.
There is has to be a live server which listening this port behind your router.
 
User avatar
Anumrak
Forum Guru
Forum Guru
Posts: 1174
Joined: Fri Jul 28, 2017 2:53 pm

Re: TCP port forward doesnt work

Tue Dec 31, 2019 9:43 am

It still doesn't work but I see the packet count increase when I try to connect to the port.
Then your NAT rule works correctly. Troubleshoot the server side.
 
mrtrca
just joined
Posts: 9
Joined: Wed Dec 05, 2012 2:22 pm
Location: Turkey
Contact:

Re: TCP port forward doesnt work

Thu Jan 02, 2020 2:37 pm

Hello,
if there is a bridge
/interface bridge settings set use-ip-firewall=yes
Could work :)
I wish conveniences.
 
etokadi
just joined
Topic Author
Posts: 7
Joined: Fri Dec 27, 2019 12:27 am

Re: TCP port forward doesnt work

Sun Jan 12, 2020 9:26 pm

Thanks for the replies but it doesn't work. I installed nginx on my computer, the welcome page is available at http://localhost, and http://192.168.88.251/ . I entered this rule:
/ip firewall nat add chain=dstnat dst-address="your-public-IP" dst-port=55555 action=dst-nat protocol=tcp to-address=192.168.88.251 to-port=80
Then I enter my public-IP:55555 in my browser, and I get a connection timeout, in the meanwhile in the router NAT page I see the packet count increase for the rule I just created! What now? I tried so far with 2 servers on different ports, and netcat.
 
mikruser
Long time Member
Long time Member
Posts: 578
Joined: Wed Jan 16, 2013 6:28 pm

Re: TCP port forward doesnt work

Sun Jan 12, 2020 10:52 pm

don't listen to noobs, you no need add public ip to nat rule.

you need add firewall rule:
accept
forward
dst.address=your internal ip
protocol=tcp
dst.port=your internal port
 
User avatar
Anumrak
Forum Guru
Forum Guru
Posts: 1174
Joined: Fri Jul 28, 2017 2:53 pm

Re: TCP port forward doesnt work

Mon Jan 13, 2020 2:21 pm

Thanks for the replies but it doesn't work. I installed nginx on my computer, the welcome page is available at http://localhost, and http://192.168.88.251/ . I entered this rule:
/ip firewall nat add chain=dstnat dst-address="your-public-IP" dst-port=55555 action=dst-nat protocol=tcp to-address=192.168.88.251 to-port=80
Then I enter my public-IP:55555 in my browser, and I get a connection timeout, in the meanwhile in the router NAT page I see the packet count increase for the rule I just created! What now? I tried so far with 2 servers on different ports, and netcat.
Hey, again :) What you need now is hairpin nat config. Google it :) Your current dstnat rule in not for you, it is for external requests.
 
User avatar
Anumrak
Forum Guru
Forum Guru
Posts: 1174
Joined: Fri Jul 28, 2017 2:53 pm

Re: TCP port forward doesnt work

Mon Jan 13, 2020 2:22 pm

don't listen to noobs, you no need add public ip to nat rule.

you need add firewall rule:
accept
forward
dst.address=your internal ip
protocol=tcp
dst.port=your internal port
Well, I think every ISP well know private networks of their users, don't they? :))
 
etokadi
just joined
Topic Author
Posts: 7
Joined: Fri Dec 27, 2019 12:27 am

Re: TCP port forward doesnt work

Sun Feb 02, 2020 12:30 pm

don't listen to noobs, you no need add public ip to nat rule.

you need add firewall rule:
accept
forward
dst.address=your internal ip
protocol=tcp
dst.port=your internal port
Are you saying I also have to set up this as a firewall filter rule, in addition to the NAT configuration? Tried and still doesn't work.
 
Sob
Forum Guru
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: TCP port forward doesnt work

Sun Feb 02, 2020 2:13 pm

There are two steps. First is dstnat, to change destination to internal address and port. That's probably already ok, if counter increases. Second is firewall filter, which can stop forwarded packets, so you must make sure it doesn't. This rule, strategically placed (i.e. before anything that could block those packets), will do it:
/ip firewall filter
add chain=forward connection-nat-state=dstnat action=accept
If not, look closer what happens. You can use Tools->Torch on incoming and outgoing interface and check if packets are arriving and passing through router correctly. Or you can add logging rules to prerouting and postrouting, and you'll see where it's going wrong.
 
etokadi
just joined
Topic Author
Posts: 7
Joined: Fri Dec 27, 2019 12:27 am

Re: TCP port forward doesnt work

Thu Aug 05, 2021 10:40 pm

The issue is likely that my ISP is NATting my connection, so my IP is not directly reachable from the internet.

Who is online

Users browsing this forum: GoogleOther [Bot] and 54 guests