 
FBachofner
newbie
Topic Author
Posts: 28
Joined: Wed Jan 29, 2020 11:40 am

Can't access hosts via certain ports from a computer connected to an hEX-S

Fri Oct 09, 2020 9:55 am

I am working on a computer connected to an hEX-S and trying to connect to other (remote) machines by SSH, HTTP and RDP

The hEX-S seems to be blocking certain (outbound) ports.

Connecting by RDP to a computer at an address like foo-rdp.my_dyndns.tld:3389 works great.
I can also access a website on the remote host when a port is not specified, i.e. https://foo-website.mydyndns.tld . . . or if I redundantly specify the HTTPS port, i.e. https://foo-website.mydyndns.tld:443

HOWEVER, connecting by SSH and/or HTTPS does not work.
For example, these do not work:
  • foo-ssh.mydyndns.tld:2200
  • foo-webmin.mydyndns.tld:10000
The remote host in question is accessible from various machines (at different locations) not connected to a MikroTik router. Moreover (thinking that the ISP might be blocking some ports) I took the hEX-S out of the loop and connected directly to the modem. When the hEX-S is eliminated, I can connect on any ports . . .

Where do I start looking? Is this a firewall issue on the hEX-S (nothing is obvious there)? Something else?

After years' basic networking experience with other routers and then DD-WRT, I am new to RouterOS and configured this (my first RouterOS setup) for my Mom's home in January . . . with some (no longer available) help. BTW, from other locations I can successfully connect to the hEX-S and machines behind it, just not the other way around.

Thanks in advance!
Last edited by FBachofner on Fri Oct 09, 2020 12:55 pm, edited 1 time in total.
 
solar77
Long time Member
Posts: 586
Joined: Thu Feb 04, 2016 11:42 am
Location: Scotland

Re: Can't access hosts via certain ports from a computer connected to an hEX-S

Fri Oct 09, 2020 10:56 am

The problem is certainly the hEX-S. Without looking at your config, it's very difficult to guess what might have gone wrong.
As soon as you mentioned "I can successfully connect to the hEX-S and machines behind it, just not the other way around.", it started to sound like a dst-nat issue.
If you set up port forwarding using dst-nat without specifying the in-interface, then you are applying dst-nat to all your outgoing traffic.
For example, if you have something like
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=22 protocol=tcp to-addresses=192.168.1.10 to-ports=22
then your hEX-S will also change the destination IP address of any outgoing SSH traffic to 192.168.1.10, and then obviously it won't work.

The correct implementation is
add action=dst-nat chain=dstnat dst-port=22 in-interface-list=WAN protocol=tcp to-addresses=192.168.1.10 to-ports=22
which would only apply to incoming traffic.
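To make solar77's point concrete, here is an added example (not from this thread or from MikroTik) that models in Python how a rule in the dstnat chain is matched against a packet. Rule dicts use RouterOS parameter names; the interface-list membership, the two rule sets and the packets are constructed assumptions. The model also accepts the comma-separated dst-port list and to-ports translation forms that appear later in the thread, and shows why an out-interface matcher is rejected in the dstnat chain (it runs in prerouting, before the routing decision).

```python
"""Model of dstnat rule matching, to show why a dst-nat rule without an
in-interface(-list) matcher also rewrites traffic that LAN hosts send out."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    in_iface: str   # interface the packet arrived on
    proto: str
    dst_ip: str
    dst_port: int


# Constructed interface lists; the thread's defconf puts ether1 in WAN.
INTERFACE_LISTS = {"WAN": {"ether1"}, "LAN": {"bridge"}}

# Assumed rules, written as dicts of RouterOS parameter names.
BROKEN_RULES = [  # solar77's first example: no in-interface-list at all
    {"action": "dst-nat", "chain": "dstnat", "protocol": "tcp", "dst-port": "22",
     "to-addresses": "192.168.1.10", "to-ports": "22"},
]
FIXED_RULES = [  # corrected form: only traffic arriving on a WAN interface
    {"action": "dst-nat", "chain": "dstnat", "protocol": "tcp", "dst-port": "22",
     "in-interface-list": "WAN", "to-addresses": "192.168.1.10", "to-ports": "22"},
]


def validate_rule(rule):
    """Return the errors RouterOS would raise for this rule ([] if it is fine).
    dstnat is evaluated in prerouting, before the routing decision, so the
    outgoing interface is not known yet and cannot be matched on."""
    errors = []
    if rule.get("chain") == "dstnat" and (
            "out-interface" in rule or "out-interface-list" in rule):
        errors.append("outgoing interface matching not possible in input "
                      "and prerouting chains")
    return errors


def rule_matches(rule, pkt):
    """Every matcher present must agree; a matcher that is absent matches
    anything, which is exactly why the missing in-interface-list matters."""
    if "protocol" in rule and rule["protocol"] != pkt.proto:
        return False
    if "dst-port" in rule:
        ports = {int(p) for p in rule["dst-port"].split(",")}  # "2200,5900,10000" form
        if pkt.dst_port not in ports:
            return False
    if "in-interface" in rule and rule["in-interface"] != pkt.in_iface:
        return False
    if "in-interface-list" in rule and \
            pkt.in_iface not in INTERFACE_LISTS.get(rule["in-interface-list"], set()):
        return False
    return True


def apply_dstnat(rules, pkt):
    """Run the packet through the dstnat chain. dst-nat is a terminating
    action, so the first matching rule rewrites the destination and ends the
    chain. to-ports defaults to the original dst-port; port translation
    happens only when to-ports differs from it."""
    for rule in rules:
        if rule.get("action") != "dst-nat" or not rule_matches(rule, pkt):
            continue
        new_port = int(rule.get("to-ports", pkt.dst_port))
        return replace(pkt, dst_ip=rule["to-addresses"], dst_port=new_port)
    return pkt


if __name__ == "__main__":
    inbound = Packet("ether1", "tcp", "203.0.113.5", 22)    # Internet -> router WAN IP
    outbound = Packet("bridge", "tcp", "198.51.100.7", 22)  # LAN host -> remote SSH server
    for name, rules in (("broken", BROKEN_RULES), ("fixed", FIXED_RULES)):
        print(name, "inbound  ->", apply_dstnat(rules, inbound))
        print(name, "outbound ->", apply_dstnat(rules, outbound))
```

With the broken rule set the outbound SSH packet leaves the chain addressed to 192.168.1.10, which is exactly the "can reach the router's services from outside, cannot reach anything on that port from inside" symptom described in the first post; with in-interface-list=WAN the outbound packet passes through untouched.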
 
FBachofner
newbie
Topic Author
Posts: 28
Joined: Wed Jan 29, 2020 11:40 am

Re: Can't access hosts via certain ports from a computer connected to an hEX-S

Fri Oct 09, 2020 1:29 pm

Thank you solar77 for your quick response.

Your assessment makes a lot of sense.

Some follow up questions:
1. If I use webfig (all Linux machines here, so no WinBox), do I simply switch to the webfig terminal to paste the code you have proposed? (obviously taking a backup of the router configuration first)

2. Is uploading detailed configuration information to the forum actually encouraged? Your response seems to indicate this would be OK.

2a. Is there a good way to post a RouterOS configuration to the forum which does not expose sensitive information? For example, does a supout.rif file expose a MikroTik VPN address (i.e. foo-ID.sn.mynetname.net)? Or, worse, does it expose passwords and/or other sensitive stuff? Is there a better / preferred way?

3. I have attached a screenshot of the hEX-S' firewall (it's very basic to start). This would almost certainly give a more complete picture of my problem. Looking at the "chain" column, I don't see any entry with dstnat, so this is likely the problem.

4. Per my original post, I need to connect to a number of remote services, not just SSH. Is there a reasonably secure way to create a "catch-all" rule that would allow SSH, HTTP(S), VNC and other traffic through without specifying each port? This may be important as (for example) I have different SSH ports open on other routers in the case where multiple machines are "exposed" to SSH connections.

5. Any idea (from the screenshot, maybe) why RDP and basic HTTP (with no specified port) are working?

Thanks so much for any further possible help. RouterOS seems really powerful, but as many others have pointed out, the initial learning curve is quite steep.
 
FBachofner
newbie
Topic Author
Posts: 28
Joined: Wed Jan 29, 2020 11:40 am

Re: Can't access hosts via certain ports from a computer connected to an hEX-S

Fri Oct 09, 2020 1:45 pm

I had two minor "AHA"s

1. I was able to add your code to the terminal window (updating with port numbers specific to my implementation). Unfortunately, the terminal window does not seem to allow pasting in any way. What a pain. (Am I missing something re: pasting into the terminal window?!)

2. This did not result in the firewall rules visibly changing, then I found the "NAT" tab in firewall. Screenshot attached (including an edited version of your suggestion).
hEX-S firewall.NAT.initial config.2020-10-09.png


Alas, I still can not SSH to another remote host on port 2200.

Thanks in advance for any further insights.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Can't access hosts via certain ports from a computer connected to an hEX-S

Fri Oct 09, 2020 3:05 pm

post the complete config
/export file=sensitive file=anynameyouwish
 
DarkNate
Forum Veteran
Posts: 997
Joined: Fri Jun 26, 2020 4:37 pm

Re: Can't access hosts via certain ports from a computer connected to an hEX-S

Fri Oct 09, 2020 3:09 pm

1. If I use webfig (all Linux machines here, so no WinBox)
What do you mean "no WinBox"? WinBox runs just fine on Linux and was designed to work with WINE straight out of the box: https://techsoftcenter.com/how-to-run-w ... buntu-etc/

As the other member suggested, post your config.
 
FBachofner
newbie
Topic Author
Posts: 28
Joined: Wed Jan 29, 2020 11:40 am

Re: Can't access hosts via certain ports from a computer connected to an hEX-S

Fri Oct 09, 2020 7:10 pm

Hi DarkNate:

Thanks for pointing out WinBox works well under WINE. In my experience many newer Windows programs often don't work so nicely under WINE, so your comments are promising. It's nice that MikroTik thought of this when designing WinBox. I'll give it a shot after reading the linked article.

That said, with a couple particular (limited, even maybe?) use cases (such as connecting to a MikroTik device using MAC address -- maybe particularly useful for initial setup and/or after resetting misbehaving wAPs ?) is there much reason to use WinBox over webfig? It seems that webfig is a pretty first-class interface to MikroTik devices (although everyone writing articles seems to prefer WinBox).
 
FBachofner
newbie
Topic Author
Posts: 28
Joined: Wed Jan 29, 2020 11:40 am

Re: Can't access hosts via certain ports from a computer connected to an hEX-S

Fri Oct 09, 2020 7:34 pm

post the complete config
/export file=sensitive file=anynameyouwish

Thank you Anav for pointing out this existed! A subsequent search uncovered what seems to be the correct syntax when my first attempt was not properly redacted . . .

For other newbie visitors, I think you may have meant something more like:
/export hide-sensitive file=my-Security-Redacted-filename
"hide-sensitive" being the key to redacting the configuration file

I have attached my redacted hEX-S configuration file.

Being able to upload a complete yet (in particular) security-redacted configuration is a CLEAR win for MikroTik/RouterOS over consumer-grade routers. I anticipate this new "skill" just completely validated my decision to try out MikroTik. [ I further presume this will be super useful to copy "adapted" configurations to similar networking environments without having to configure a new setup on a setting-by-setting basis. This looks better than what I have been able to achieve with saved DD-WRT configuration files. ]

Thank you in advance for anyone who has some time to point me in the right way on my configuration.
 
gnro
newbie
Posts: 36
Joined: Sun Aug 05, 2018 9:52 am

Re: Can't access hosts via certain ports from a computer connected to an hEX-S

Fri Oct 09, 2020 9:31 pm

Modify the lines:
/ip firewall nat
add action=dst-nat chain=dstnat comment="RBG-Server: SSH" dst-port=2200 \
    protocol=tcp to-addresses=192.168.1.100 to-ports=2200
add action=dst-nat chain=dstnat comment="RBG-Server: Webmin" dst-port=10000 \
    protocol=tcp to-addresses=192.168.1.100
to:
/ip firewall nat
add action=dst-nat chain=dstnat comment="RBG-Server: SSH" dst-port=2200 \
    protocol=tcp to-addresses=192.168.1.100 to-ports=2200 out-interface-list=WAN 
add action=dst-nat chain=dstnat comment="RBG-Server: Webmin" dst-port=10000 \
    protocol=tcp to-addresses=192.168.1.100 out-interface-list=WAN 
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Can't access hosts via certain ports from a computer connected to an hEX-S

Fri Oct 09, 2020 9:51 pm

my apologies for the wrong syntax! glad you found the right one!!
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Can't access hosts via certain ports from a computer connected to an hEX-S

Fri Oct 09, 2020 9:57 pm

Recommend one bridge, and use VLANs to separate subnets.
As for groupings, the better ways to accomplish this and also support firewall rules are
interface lists and address group lists.

Rule of thumb: if you have a whole subnet or part of a subnet, use IP addresses.
If you have a group of interfaces, use an interface list.
If you have one or more specific IP addresses, use IP addresses.

Obviously, since one can put subnets into address lists, there is lots of flexibility, but I tend to keep address lists for when I have individual IPs in the mix.

Just a heads up, the best ref for VLANs is
viewtopic.php?t=143620

I will look at your config soon, just need to go shopping first. Not sure I agree with the poster above me, I wouldn't jump on it yet.
Change your config to a single bridge and read the ref first.
 
gnro
newbie
Posts: 36
Joined: Sun Aug 05, 2018 9:52 am

Re: Can't access hosts via certain ports from a computer connected to an hEX-S

Fri Oct 09, 2020 10:09 pm

It's almost like a hairpin nat. The forward rule matches packets going to ports 2200 or 10000 even going "out" from LAN to internet.
It's a "wrong" config as presented in one of the MUM events.
I have "used" this approach until I learned this is not the best and more specific is better.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Can't access hosts via certain ports from a computer connected to an hEX-S

Fri Oct 09, 2020 11:21 pm

Comments:
1. USE only one bridge!
2. USE interface lists or address lists, or (my preference) VLANs, to separate subnets.
++++++++++++++++++++++++++++++++++++++++
The above are suggestions but not necessary.

(3) The below is a problem, as quite clearly you can't have both using the same address!!
/ip address
add address=192.168.1.1/24 comment=defconf interface=ether2 network=\
192.168.1.0

add address=192.168.1.1/24 interface=Bridge-LAN_Ethernet+wAP-Ports network=\
192.168.1.0

I think clearly you meant the first one to be.........
add address=192.168.2.1/24 interface=Bridge_for_Guest-WiFi network=\
192.168.2.0


(4) Potentially missing an entry for interface lists? (Depends, you may have excluded it due to WinBox access control etc.)
/interface list member
add comment=defconf interface=Bridge-LAN_Ethernet+wAP-Ports list=LAN
add interface=Bridge_for_Guest-WiFi list=LAN ??
add comment=defconf interface=ether1 list=WAN

So what's left.

(5) Destination NAT rules. Part of the rule is missing for all of them, and that is: where is the traffic coming from??
If fixed, you can specify the fixed IP (dst-address); if dynamic, you specify in-interface-list=WAN typically.

For example the first rule.
add action=dst-nat chain=dstnat comment="RBG-Server: SSH" dst-port=2200 \
protocol=tcp to-addresses=192.168.1.100 to-ports=2200

Could be........
add action=dst-nat chain=dstnat comment="RBG-Server: SSH" dst-address=xx.xxx.xx.xx dst-port=2200 \
protocol=tcp to-addresses=192.168.1.100
(dst-address being the fixed WAN IP address. Note: to-ports is not required if identical to dst-port, as you did with the rest of the rules oddly enough.)
OR
add action=dst-nat chain=dstnat comment="RBG-Server: SSH" dst-port=2200 in-interface-list=WAN \
protocol=tcp to-addresses=192.168.1.100
(for a dynamic WAN IP address)

(6) You have a duplicate in that you tried to define using port 2200 twice?????? Get rid of one of them. In other words, you cannot forward the same port to two different IP addresses on the LAN.

(7) Lastly, source NAT: if you have a dynamic WAN IP that looks fine.

As for the one created for VPN, I am not knowledgeable enough to know if this is required, appropriate or correct. :-(
?add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
192.168.89.0/24
?
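The three defects anav lists for the export (the same address on two interfaces, dst-nat rules that never say where the traffic arrives from, and one external port forwarded to two LAN hosts) can be checked mechanically before a config is committed. The following added example (not from this thread or from MikroTik) parses RouterOS export syntax, including backslash line continuation and quoted comments, and reports those three conditions. The export text is constructed from the rules quoted in this thread; the second SSH rule's comment and its 192.168.1.110 target are assumptions.

```python
"""Audit a RouterOS export for three defects: the same address on two
interfaces, dst-nat rules with no source matcher, and one external port
forwarded to two LAN hosts."""
import shlex
from collections import defaultdict

# Constructed sample export, modelled on the rules quoted in this thread.
SAMPLE_EXPORT = r"""
/ip address
add address=192.168.1.1/24 comment=defconf interface=ether2 network=\
    192.168.1.0
add address=192.168.1.1/24 interface=Bridge-LAN_Ethernet+wAP-Ports network=\
    192.168.1.0
/interface list member
add comment=defconf interface=ether1 list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment=defconf out-interface-list=WAN
add action=dst-nat chain=dstnat comment="RBG-Server: SSH" dst-port=2200 \
    protocol=tcp to-addresses=192.168.1.100 to-ports=2200
add action=dst-nat chain=dstnat comment="Second host: SSH" dst-port=2200 \
    protocol=tcp to-addresses=192.168.1.110
add action=dst-nat chain=dstnat comment="RBG-Server: Webmin" dst-port=10000 \
    in-interface-list=WAN protocol=tcp to-addresses=192.168.1.100
"""

# A dst-nat rule should say where the traffic comes from with one of these.
SOURCE_MATCHERS = ("in-interface", "in-interface-list", "dst-address")


def parse_export(text):
    """Return [(section, {param: value}), ...] for every 'add' line.

    Export files wrap long lines with a trailing backslash; the continuation
    is joined back before the line is tokenised, so network=\\ followed by
    192.168.1.0 on the next line becomes network=192.168.1.0."""
    entries, section, logical = [], None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("\\"):
            logical += line[:-1]      # keep accumulating the wrapped line
            continue
        logical += line
        if logical.startswith("/"):
            section = logical         # e.g. "/ip firewall nat"
        elif logical.startswith("add "):
            fields = {}
            for token in shlex.split(logical[4:]):   # honours comment="..." quoting
                key, _, value = token.partition("=")
                fields[key] = value
            entries.append((section, fields))
        logical = ""
    return entries


def audit(entries):
    """Return human-readable findings, in the order the three checks run."""
    findings = []

    # (3) the same IP address configured on more than one interface
    by_address = defaultdict(list)
    for section, f in entries:
        if section == "/ip address":
            by_address[f.get("address")].append(f.get("interface"))
    for addr, ifaces in by_address.items():
        if len(ifaces) > 1:
            findings.append(f"{addr} is configured on more than one interface: "
                            + ", ".join(ifaces))

    # (5) dst-nat rules that do not restrict where the traffic arrives from
    forwards = defaultdict(set)
    for section, f in entries:
        if section != "/ip firewall nat" or f.get("action") != "dst-nat":
            continue
        if not any(m in f for m in SOURCE_MATCHERS):
            findings.append(f"dst-nat rule {f.get('comment', '<no comment>')!r} has no "
                            "in-interface/in-interface-list/dst-address matcher, "
                            "so it also rewrites LAN-originated traffic")
        forwards[(f.get("protocol"), f.get("dst-port"))].add(f.get("to-addresses", "?"))

    # (6) one external port forwarded to two different LAN hosts
    for (proto, port), hosts in forwards.items():
        if len(hosts) > 1:
            findings.append(f"{proto}/{port} is forwarded to more than one host: "
                            + ", ".join(sorted(hosts)))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_export(SAMPLE_EXPORT)):
        print("-", finding)
```

Run against the sample it reports four findings: the duplicated 192.168.1.1/24, the two SSH forwards with no source matcher, and tcp/2200 going to two hosts; the Webmin rule, which carries in-interface-list=WAN, is left alone. The same parser works on the output of `/export hide-sensitive`, so the check can be run on a redacted file.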
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Can't access hosts via certain ports from a computer connected to an hEX-S

Fri Oct 09, 2020 11:29 pm

By the way, your port forwarding rules could be encapsulated in two rules LOL.

add action=dst-nat chain=dstnat dst-port=2200,5900,10000 in-interface-list=WAN \
protocol=tcp to-addresses=192.168.1.100

add action=dst-nat chain=dstnat dst-port=2210,3389,5910,10010 in-interface-list=WAN \
protocol=tcp to-addresses=192.168.1.110


If for some reason you needed to access port 2200 on a different device you have two options: change the port number on one of the devices/servers such that you don't duplicate 2200, OR use port translation. In other words, you come at the router, externally, with a different port as follows.

add action=dst-nat chain=dstnat dst-port=22000 in-interface-list=WAN \
protocol=tcp to-addresses=192.168.1.100 to-ports=2200

In this way the router will be able to track that an external WAN IP request coming in on port 22000 is supposed to go to IP 192.168.1.1 on port 2200.
The router should then be able to route the return traffic properly.
 
FBachofner
newbie
Topic Author
Posts: 28
Joined: Wed Jan 29, 2020 11:40 am

Re: Can't access hosts via certain ports from a computer connected to an hEX-S

Fri Oct 09, 2020 11:52 pm

Thank you gnro!
Modify the lines:
to:
/ip firewall nat
add action=dst-nat chain=dstnat comment="RBG-Server: SSH" dst-port=2200 \
    protocol=tcp to-addresses=192.168.1.100 to-ports=2200 out-interface-list=WAN 
add action=dst-nat chain=dstnat comment="RBG-Server: Webmin" dst-port=10000 \
    protocol=tcp to-addresses=192.168.1.100 out-interface-list=WAN 

This looked so promising (and seemed to make sense).
However, adding "out-interface-list=WAN" via WebFig, I get the error:
"Couldn't change NAT Rule <> - outgoing interface matching not possible in input and prerouting chains (6)"

Also (curious, does anyone know) what is the logic in naming "Out. Interface" and "Out. Interface List" so similarly? The first shows physical ports, bridges, etc.; the second shows stuff which seems to be a conceptual step "up" (LAN, WAN, etc.).
 
FBachofner
newbie
Topic Author
Posts: 28
Joined: Wed Jan 29, 2020 11:40 am

Re: Can't access hosts via certain ports from a computer connected to an hEX-S

Fri Oct 09, 2020 11:53 pm

my apologies for the wrong syntax! glad you found the right one!!

No problem. Your incorrect syntax at the very least pointed me in the direction of a useable search term!

:-)
 
FBachofner
newbie
Topic Author
Posts: 28
Joined: Wed Jan 29, 2020 11:40 am

Re: Can't access hosts via certain ports from a computer connected to an hEX-S

Tue Apr 06, 2021 8:36 am

I am visiting my Mom again and decided to take another stab at this while my kids are playing with grandma! :-)

This looked so promising (and seemed to make sense).
However, adding "out-interface-list=WAN" via WebFig, I get the error:
"Couldn't change NAT Rule <> - outgoing interface matching not possible in input and prerouting chains (6)"

I re-read the comment by @solar77 and realized that @gnro's advice was likely a minor typo and should have read "in-interface-list=WAN".

I updated my configuration thusly and I now have bidirectional access of machines on these ports.

Thanks to all who helped.

This solved my immediate "pain" . . . my next step will be to consider using a single bridge and VLANs and other best practices described in this thread! Looks like I have a lot of reading ahead!
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Can't access hosts via certain ports from a computer connected to an hEX-S

Tue Apr 06, 2021 1:07 pm

All doable. Gluck! Will be here when you need help!!
 
FBachofner
newbie
Topic Author
Posts: 28
Joined: Wed Jan 29, 2020 11:40 am

Re: Can't access hosts via certain ports from a computer connected to an hEX-S

Tue Apr 06, 2021 8:29 pm

All doable. Gluck! Will be here when you need help!!

Thanks!

I am starting to read about (your suggestions regarding) using a single bridge and VLANs. It seems a bit counterintuitive to me at first, but the "Router-Switch-AP (all in one)" post seems exactly on point with a very common usage case for me and my clients.

Curious: although it's probably moot with the relatively small amounts of data we push, wouldn't separating out guest users with multiple bridges (which occur at the hardware level) be faster than segmenting with VLANs (which occur at the software level, right?) ?
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Can't access hosts via certain ports from a computer connected to an hEX-S

Tue Apr 06, 2021 9:23 pm

Question above me, in that I have always thought bridges were software driven entities not hardware.
I like to keep it simple, one bridge is enough, just like one woman is enough!!
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Can't access hosts via certain ports from a computer connected to an hEX-S

Tue Apr 06, 2021 10:07 pm

Curious: although it's probably moot with the relatively small amounts of data we push, wouldn't separating out guest users with multiple bridges (which occur at the hardware level) be faster than segmenting with VLANs (which occur at the software level, right?) ?
As @anav mentioned, bridges in ROS are mostly at the software level. Only under certain conditions can they be HW offloaded. On most devices only a simple configuration can be HW offloaded (a simple bridge spanning raw ethernet ports) without VLANs or any non-trivial configuration. More or less "dumb switch" functionality. Additionally, only a single bridge per switch chip can be offloaded. Most devices come with a single switch chip, only a few have two (RB2011, RB3011 and RB4011), and with those one has to be careful how to group ports to different bridges. And: a single port can only be a member of a single bridge.

So you might gain some performance if using multiple bridges, but likely not much if at all, at expense of complicated setup.
 
FBachofner
newbie
Topic Author
Posts: 28
Joined: Wed Jan 29, 2020 11:40 am

Re: Can't access hosts via certain ports from a computer connected to an hEX-S

Wed Apr 07, 2021 9:51 pm

Thanks so much @anav, @mkx and @kennnnnnnneth

I must have read somewhere in the documentation that (as @mkx points out) "simple configuration can be HW offloaded (simple bridge spanning raw ethernet ports)".
If so, I clearly did not fully pay attention to the details!

Ironically, I also have a RB4011 "waiting in the wings" (for my personal/home office network) for when I have (at least slightly) better understanding of RouterOS and a fully workable configuration for my Mom's house. [ The most amazing thing has been the setup at her house (while clearly imperfect) has been rock solid for over a year. She gamely agreed to be my MikroTik "guinea-pig"! ;-) ]

Even with the RB4011's increased switching capabilities it is sounding like I should definitely consider a single bridge and VLAN configuration concept with that too. The additional benefit would be (I hope) super simple re-deployment to other networks (including hEX-S based) with similar routing requirements [this means: virtually all my clients -- who I typically (currently) have on DD-WRT (and more recently on OpenWRT) on consumer grade routers like TP-Link Archer C7 and similar ].

I am a couple hours away from attempting to apply some of these ideas on my "test" network here. I predict the biggest challenge will be to get CAPsMAN working once I change over to VLAN with a single bridge, but we will see.

With my initial MikroTik setup/configuration challenges in early 2020, I'm pretty convinced that I will break a bunch of functionality later today, so I hope you guys are still around later! Mom and the kids will be disappointed if Wi-Fi goes down "too long." Smarty-me has a preconfigured Archer C7 with OpenWRT on standby in case I really mess things up! :-)
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Can't access hosts via certain ports from a computer connected to an hEX-S

Wed Apr 07, 2021 11:33 pm

 
FBachofner
newbie
Topic Author
Posts: 28
Joined: Wed Jan 29, 2020 11:40 am

Re: Can't access hosts via certain ports from a computer connected to an hEX-S

Mon Apr 12, 2021 4:56 am

Sorry I went quiet for a couple days.

As I (physically) fleshed out the network I discovered that 3 out of 16 ports on my Mom's 1 year old switch were bad.

I received a replacement yesterday and will hook it up in an hour or two when the varnish on a mounting plate for my custom cabinet is dry. [ The new switch is a slightly different physical format as I decided to upgrade her from 16 to 24 ports for expandability, so I had some carpentry to do! This is in a guest bedroom, so a conventional "rack" is not an option. ]

Meanwhile, I drew a network map and will post that into a new thread in a moment for any advance advice on VLANs, etc.

Thanks again, all! :-)
