justarankamateur
just joined
Topic Author
Posts: 9
Joined: Sat Oct 03, 2020 4:22 pm

Port forwarding

Sat Nov 21, 2020 8:55 pm

I have had this working in the past, but clearly there is something I've forgotten. I have a RB4011iGS configured as a router and it sits behind my ISP's router. The config is:

1. The ISP router has a forward rule to allow any inbound WAN UDP traffic to port 1194 (OpenVPN) to be forwarded to my RB4011iGS on the LAN side
2. RB4011iGS is also configured as a router and has a dstnat rule to forward any traffic from the WAN side on port 1194 to my OpenVPN server on the LAN.
3. I can see traffic is being forwarded from the ISP router and hitting my dstnat rule on the RB4011iGS, but for some reason I am not seeing the tunnel being established.

The traffic, however, is not getting to my OpenVPN server. Here is the dstnat rule:
add action=dst-nat chain=dstnat dst-address=192.168.0.10 dst-port=1194 in-interface-list=WAN log=yes \
    log-prefix=dstnat_ protocol=udp to-addresses=192.168.2.45 to-ports=1194
What am I missing here? This should be fairly trivial, but weeks of playing with it have left me none the wiser.

Here is my full config:
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add comment="VLAN list" name=vlan
add include=LAN,vlan name=all-vlan-lan
add name="Management VLAN"
add include=vlan name=all-vlan
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface list member
add comment=defconf interface=LanBridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=VLAN5 list=vlan
add interface=VLAN10 list=vlan
add interface=VLAN20 list=vlan
add interface=VLAN30 list=vlan
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=ether8 list=LAN
add interface=ether9 list=LAN
add interface=ether10 list=LAN
add interface=VLAN10 list=all-vlan
add interface=VLAN20 list=all-vlan
add interface=VLAN30 list=all-vlan
add interface=VLAN5 list=all-vlan
/ip address
add address=192.168.88.1/24 comment=defconf disabled=yes interface=LanBridge network=192.168.88.0
add address=192.168.2.1/24 interface=LanBridge network=192.168.2.0
add address=192.168.5.1/24 interface=VLAN5 network=192.168.5.0
add address=192.168.10.1/24 interface=VLAN10 network=192.168.10.0
add address=192.168.20.1/24 interface=VLAN20 network=192.168.20.0
add address=192.168.30.1/24 interface=VLAN30 network=192.168.30.0
/ip firewall address-list
add address=192.168.2.0/24 list=192.168.2.0/24
add address=192.168.5.0/24 list=192.168.5.0/24
add address=192.168.10.0/24 list=192.168.10.0/24
add address=192.168.20.0/24 list=192.168.20.0/24
add address=192.168.30.0/24 list=192.168.30.0/24
add address=192.168.2.1-192.168.2.254 comment="Admin access subnet" list=adminAccess
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid log-prefix=\
    drop-invalid_
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow DNS from LAN/VLAN" dst-port=53 in-interface-list=all-vlan-lan \
    protocol=tcp
add action=accept chain=input comment="Allow DNS from LAN/VLAN" dst-port=53 in-interface-list=all-vlan-lan \
    protocol=udp
add action=accept chain=input comment="Allow admin access to router (Webfig)" in-interface-list=LAN \
    log-prefix=admin-access_ src-address-list=adminAccess
add action=drop chain=input comment="drop all else"
add action=accept chain=forward comment="defconf: accept established, related, untracked" connection-state=\
    established,related,untracked
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=\
    established,related,untracked
add action=accept chain=forward comment="Allow dstnat for established, related" connection-nat-state=dstnat \
    connection-state=established,related disabled=yes in-interface=ether1
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface=ether1
add action=drop chain=forward comment="Drop all inter vlan traffic\
    \n" in-interface-list=all-vlan log-prefix=INTER-VLAN-DROP out-interface-list=all-vlan
add action=drop chain=forward comment="Drop all traffic to native VLAN not from native VLAN" dst-address=\
    192.168.2.0/24 dst-address-list="" src-address=!192.168.2.0/24
add action=accept chain=forward comment="VLAN30 to WAN - Mars" out-interface-list=WAN src-address=\
    192.168.30.0/24
add action=accept chain=forward comment="VLAN20 to WAN - Mars BH" out-interface-list=WAN src-address=\
    192.168.20.0/24
add action=accept chain=forward comment="VLAN10 to WAN - Guest" out-interface-list=WAN src-address=\
    192.168.10.0/24
add action=accept chain=forward comment="VLAN5 to WAN" out-interface-list=WAN src-address=192.168.5.0/24
add action=accept chain=forward comment="Allow internet access for native VLAN " out-interface-list=WAN \
    src-address=192.168.2.0/24
add action=accept chain=forward comment="Without this rule all internet traffic blocked. I need to specifical\
    ly specify all the allowed services. " disabled=yes log-prefix=CATCH-ALL
add action=drop chain=forward comment="drop all else" log=yes log-prefix=DROP-ALL_
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=\
    WAN
add action=dst-nat chain=dstnat dst-address=192.168.0.10 dst-port=1194 in-interface-list=WAN log=yes \
    log-prefix=dstnat_ protocol=udp to-addresses=192.168.2.45 to-ports=1194
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Port forwarding  [SOLVED]

Sat Nov 21, 2020 9:09 pm

Take this:
/ip firewall filter
add action=accept chain=forward comment="Allow dstnat for established, related" connection-nat-state=dstnat \
    connection-state=established,related disabled=yes in-interface=ether1
and change it to this:
/ip firewall filter
add action=accept chain=forward comment="Allow forwarded ports" connection-nat-state=dstnat
It will allow all forwarded ports (dstnatted connections) without further limits. Which is ok, because why would you have dstnat for them, if you wouldn't want them to pass.
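To make clear why the original rule could not have saved the first OpenVPN packet even if it had been enabled, here is a small Python model of how the forward chain in the posted config is walked for that packet. This is an added example, not code from the thread or from RouterOS; the packet fields and the public address 203.0.113.7 are constructed.

```python
import ipaddress

# Constructed: the first UDP datagram from a WAN client after the dstnat chain
# has already rewritten its destination to the OpenVPN server 192.168.2.45.
FIRST_PACKET = {
    "connection-state": "new",          # nothing tracked yet for this flow
    "connection-nat-state": "dstnat",   # dst-nat rule matched it
    "in-interface": "ether1",
    "out-interface-list": "LAN",
    "src-address": "203.0.113.7",       # constructed public address
}

def _matches(rule, pkt):
    """True when every matcher on the rule applies to pkt (all must hold)."""
    if rule.get("disabled"):
        return False
    for key, want in rule.items():
        if key in ("action", "comment", "disabled"):
            continue
        negate, want = want.startswith("!"), want.lstrip("!")
        if key == "connection-state":          # comma list, any state matches
            hit = pkt[key] in want.split(",")
        elif key == "src-address":             # CIDR match
            hit = ipaddress.ip_address(pkt[key]) in ipaddress.ip_network(want)
        else:                                  # plain string match
            hit = pkt[key] == want
        if hit == negate:
            return False
    return True

def verdict(rules, pkt):
    """First matching accept/drop rule decides; empty chain end means accept."""
    for rule in rules:
        if rule["action"] in ("accept", "drop") and _matches(rule, pkt):
            return rule["action"], rule["comment"]
    return "accept", "end of chain"

ORIGINAL_RULE = {"action": "accept", "comment": "Allow dstnat for established, related",
                 "connection-nat-state": "dstnat", "connection-state": "established,related",
                 "disabled": True, "in-interface": "ether1"}
FIXED_RULE = {"action": "accept", "comment": "Allow forwarded ports",
              "connection-nat-state": "dstnat"}

def forward_chain(dstnat_rule):
    """The poster's forward chain, reduced to the rules a WAN->LAN packet can reach."""
    return [
        {"action": "accept", "comment": "defconf: accept established, related, untracked",
         "connection-state": "established,related,untracked"},
        dstnat_rule,
        {"action": "drop", "comment": "defconf: drop invalid", "connection-state": "invalid"},
        {"action": "drop", "comment": "defconf: drop all from WAN not DSTNATed",
         "connection-nat-state": "!dstnat", "connection-state": "new", "in-interface": "ether1"},
        {"action": "accept", "comment": "Allow internet access for native VLAN",
         "out-interface-list": "WAN", "src-address": "192.168.2.0/24"},
        {"action": "drop", "comment": "drop all else"},
    ]
```

Running `verdict(forward_chain(dict(ORIGINAL_RULE, disabled=False)), FIRST_PACKET)` still ends at "drop all else", because a first packet is never `established,related`; only the replacement rule, which matches on `connection-nat-state=dstnat` alone, accepts it.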
 
justarankamateur
just joined
Topic Author
Posts: 9
Joined: Sat Oct 03, 2020 4:22 pm

Re: Port forwarding

Sun Nov 22, 2020 2:15 am

That did the trick. Thank you very much for your prompt response and solution!
