Community discussions

MikroTik App
 
User avatar
GoliafRS
just joined
Topic Author
Posts: 5
Joined: Mon Jan 11, 2021 8:37 pm

Port forwarding and firewall improvements

Mon Jan 11, 2021 8:43 pm

Hi.

Tell me please what wrong with my configuration?
I need port forwarding (2302, 2305) and this config not working, but should, maybe.

And can someone give some advice on how to improve my firewall rules if necessary.

Sorry, my English not perfect.

Thx.
You do not have the required permissions to view the files attached to this post.
 
diba
just joined
Posts: 6
Joined: Thu Apr 27, 2017 1:37 am

Re: Port forwarding and firewall improvements

Tue Jan 12, 2021 9:53 pm

The simplest method to do port forwarding is this:
/ip firewall nat
add action=dst-nat chain=dstnat in-interface-list=WAN dst-port=2302 protocol=tcp to-addresses=192.168.88.101
add action=dst-nat chain=dstnat in-interface-list=WAN dst-port=2302 protocol=udp to-addresses=192.168.88.101
add action=dst-nat chain=dstnat in-interface-list=WAN dst-port=2305 protocol=tcp to-addresses=192.168.88.101
add action=dst-nat chain=dstnat in-interface-list=WAN dst-port=2305 protocol=udp to-addresses=192.168.88.101
However it doesn't work from LAN, only from the internet.

Would be awesome if an expert could tell us how to do proper port forwarding, with access from LAN, without client IP address getting replaced with router's.
 
Sob
Forum Guru
Forum Guru
Posts: 6474
Joined: Mon Apr 20, 2009 9:11 pm

Re: Port forwarding and firewall improvements

Tue Jan 12, 2021 10:33 pm

It doesn't work from LAN because of in-interface-list=WAN. To fix it, replace it with dst-address=<your public address> (if you have static address). If you have dynamic address, you can use dst-address-type=local. If it's for port that is also used for service on router (for example, you may need <public address>:80 for your webserver, but also <internal address>:80 for WebFig at the same time), add additional dst-address=!<internal address> to exclude it ("!" means "not").

If your internal server sees router's address instead of real client's address, you need to fix your srcnat rule(s). Common mistake is unconditional masquerade rule, but you actually want it only for traffic to internet, so it should have out-interface-list=WAN. Then if access from LAN should work, you need another srcnat rule for hairpin NAT. Simple one can be:
/ip firewall nat
add chain=srcnat src-address=<local subnet> dst-address=<local subnet> action=masquerade
Excessive quoting is useless and annoying. If you use it, please consider if you could do without it.
 
Sob
Forum Guru
Forum Guru
Posts: 6474
Joined: Mon Apr 20, 2009 9:11 pm

Re: Port forwarding and firewall improvements

Tue Jan 12, 2021 10:37 pm

And for OP, if you didn't make a mistake and only tested it from LAN (which wouldn't work), are you sure that you have public IP address?
Excessive quoting is useless and annoying. If you use it, please consider if you could do without it.
 
User avatar
GoliafRS
just joined
Topic Author
Posts: 5
Joined: Mon Jan 11, 2021 8:37 pm

Re: Port forwarding and firewall improvements

Wed Jan 13, 2021 12:11 am

Hi.

Thank you very much for so many answers.
I'm confused.

I will explain the essence of my problem, it is trivial.
I set up a dedicated server on my computer for the game. This server requires two ports. Accordingly, I want these ports to be forwarded from the local network to the outside and back.

I have a static IP.

In total, I applied the settings that you advised, the NAT settings now look like this:
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat dst-address=192.168.88.0/24 src-address=192.168.88.0/24
add action=netmap chain=dstnat dst-address=STATIC_IP dst-port=2302 protocol=tcp to-addresses=192.168.88.101 to-ports=2302
add action=netmap chain=dstnat dst-address=STATIC_IP dst-port=2302 protocol=udp to-addresses=192.168.88.101 to-ports=2302
add action=netmap chain=dstnat dst-address=STATIC_IP dst-port=2305 protocol=tcp to-addresses=192.168.88.101 to-ports=2305
add action=netmap chain=dstnat dst-address=STATIC_IP dst-port=2305 protocol=udp to-addresses=192.168.88.101 to-ports=2305

Looking ahead, I will say that I tried to change the incoming interface to the WAN list in the rules. It does not work either with him or without him.
Server, according to my static IP, is still unavailable, therefore the ports are still not forwarded.

I guess I made a mistake in setting up the masquerade, because right now how the masquerade works is the biggest mystery to me right now.

Please tell me where I made a mistake and what I have not yet understood?

Thx.
 
Sob
Forum Guru
Forum Guru
Posts: 6474
Joined: Mon Apr 20, 2009 9:11 pm

Re: Port forwarding and firewall improvements

Wed Jan 13, 2021 12:50 am

Two questions:

- Is your STATIC_IP same as you see at https://wtfismyip.com/clean?
- If you look at dstnat rules' counters, if there anything or just zeroes?

Other than that, you can use action=dstnat instead of action=netmap (there doesn't seem to be a difference, but dstnat is more common), and you don't have to add to-ports when the port is same as in dst-port.

Masquerade is simple. First rule takes care of LAN->internet connections. Second one is for LAN->LAN connections, in case you'd connect to STATIC_IP from LAN.
Excessive quoting is useless and annoying. If you use it, please consider if you could do without it.
 
User avatar
BartoszP
Forum Guru
Forum Guru
Posts: 1895
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Port forwarding and firewall improvements

Wed Jan 13, 2021 4:02 am

Real admins use real keyboards.
To quote or not to quote, there is the topic: viewtopic.php?f=2&t=168474
 
User avatar
GoliafRS
just joined
Topic Author
Posts: 5
Joined: Mon Jan 11, 2021 8:37 pm

Re: Port forwarding and firewall improvements

Wed Jan 13, 2021 7:21 am

- Is your STATIC_IP same as you see at https://wtfismyip.com/clean?
- If you look at dstnat rules' counters, if there anything or just zeroes?
- Yes.
- All counters just zeros. No packets, no bytes. But the new masquerade rule still captured a couple of packets, but not when I ping the port from the outside.

Other than that, you can use action=dstnat instead of action=netmap (there doesn't seem to be a difference, but dstnat is more common), and you don't have to add to-ports when the port is same as in dst-port.
I know the difference, I'm just trying to set it up as accurately as possible so that it works at least to begin with. Therefore, I will do the optimization.

Masquerade is simple. First rule takes care of LAN->internet connections. Second one is for LAN->LAN connections, in case you'd connect to STATIC_IP from LAN.
Thank you, it became clearer.

Thx, already read it, but still not understand what i do wrong.
You do not have the required permissions to view the files attached to this post.
 
Sob
Forum Guru
Forum Guru
Posts: 6474
Joined: Mon Apr 20, 2009 9:11 pm

Re: Port forwarding and firewall improvements

Wed Jan 13, 2021 7:33 am

But judging by the screenshot and the rule added by UPnP, you don't have STATIC_IP directly on router (in IP->Addresses), right? If not and you actually have just NAT 1:1, dstnat rules with dst-address=STATIC_IP won't work for connections from internet. You can use dst-address=192.168.100.2 and see it that helps. Or in-interface=ether1, if you tried that before, should have worked too.
Excessive quoting is useless and annoying. If you use it, please consider if you could do without it.
 
User avatar
GoliafRS
just joined
Topic Author
Posts: 5
Joined: Mon Jan 11, 2021 8:37 pm

Re: Port forwarding and firewall improvements

Wed Jan 13, 2021 7:48 am

Before I started changing the NAT settings, my rules were configured for the interface ether1.
And yes, most surprisingly, the UPnP rules work, and registered packets and bytes.

I will describe my network as it actually is.
You do not have the required permissions to view the files attached to this post.
 
Sob
Forum Guru
Forum Guru
Posts: 6474
Joined: Mon Apr 20, 2009 9:11 pm

Re: Port forwarding and firewall improvements  [SOLVED]

Wed Jan 13, 2021 8:04 am

If you don't need hairpin NAT, i.e. the ability to connect to STATIC_IP:<forwarded_port> from LAN (it was the other poster who mentioned it), then use:
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=192.168.100.2 dst-port=2302 protocol=tcp to-addresses=192.168.88.101
...
If you do need hairpin NAT, then you can use this:
/ip firewall address-list
add address=192.168.100.2 list=wan_addr
add address=STATIC_IP list=wan_addr
/ip firewall nat
add action=dst-nat chain=dstnat dst-address-list=wan_addr dst-port=2302 protocol=tcp to-addresses=192.168.88.101
...
If it won't work, then there's either something wrong with your testing, or ISP forwards ports to you selectively, only some and not all.
Excessive quoting is useless and annoying. If you use it, please consider if you could do without it.
 
afuchs
just joined
Posts: 15
Joined: Wed Jul 03, 2019 11:10 am

Re: Port forwarding and firewall improvements

Wed Jan 13, 2021 10:24 am

I didn't see a
/ip firewall filter
add action=accept chain=forward dst-port=2302 protocol=udp
add action=accept chain=forward dst-port=2302 protocol=tcp
add action=accept chain=forward dst-port=2305 protocol=udp
add action=accept chain=forward dst-port=2305 protocol=tcp
or likewise in the export, so perhaps the traffic is droped by your firewall.
You must allow the traffic in the forward chain that you want to forward.
 
User avatar
GoliafRS
just joined
Topic Author
Posts: 5
Joined: Mon Jan 11, 2021 8:37 pm

Re: Port forwarding and firewall improvements

Wed Jan 13, 2021 7:06 pm

You must allow the traffic in the forward chain that you want to forward.
No, that's not the problem.
I do not have a single rule that blocked traffic to specific ports and addresses.


The result of this story is as follows.

My router is not connected to the Internet directly, but through an optical terminal from the provider.
Having asked the provider to configure this terminal as a bridge to my router, the problem was immediately solved.
The router can see the external static address and accordingly forward the ports to it.

I apologize for the time taken from the specialists of this form.

Thanks to all.
 
Sob
Forum Guru
Forum Guru
Posts: 6474
Joined: Mon Apr 20, 2009 9:11 pm

Re: Port forwarding and firewall improvements

Thu Jan 14, 2021 3:25 am

Don't apologize, that's what the forum is for. Enjoy the happy end.
Excessive quoting is useless and annoying. If you use it, please consider if you could do without it.

Who is online

Users browsing this forum: ck41, hpet, mike7 and 69 guests