Bridge NAT Port Forwarding

dke · Thu Jan 14, 2021 2:04 pm

I'm trying to do a dstNAT based on the physical port on the router (in-interface), whereas the respective ports are bridged.

/interface bridge nat add chain=dstnat in-interface=ether1 src-port=60006 dst-port=60001 ip-protocol=tcp mac-protocol=ip
/interface bridge nat add chain=dstnat in-interface=ether2 src-port=60006 dst-port=60002 ip-protocol=tcp mac-protocol=ip

I also tried it with IP Firewall (with Bridge Settings Use IP Firewall), but also here the NAT is not working/not counted.

Any hints if this is the right way to go?

Thanks,
Daniel

tdw · Thu Jan 14, 2021 3:39 pm

/interface bridge nat operates at layer 2 / ethernet and changes the MAC address based on the to-dst-mac-address parameter. The dst-port is just one of many selectors to identify a packets on which to perform actions.

Is the traffic passing through the bridge to another port, in which case you do need use-ip-firewall=yes to force bridged traffic through the IP firewall chains, or being routed by the Mikrotik, in which case it isn't. Also, the in-interface will be the bridge itself, there is also a in-bridge-port selector.

dke · Thu Jan 14, 2021 3:59 pm

The traffic is passing through the bridge to another port.
I have set the bridge to use-ip-firewall=yes and used the in-bridge-port=ether2 selector:

 chain=dstnat action=accept protocol=tcp in-bridge-port=ether2 src-port=60006 dst-port=60001 log=no log-prefix=""

Is there a minimum set of selectors I have to specify? I was assuming everything I keep empty means <all>.

Thank you.

tdw · Thu Jan 14, 2021 5:16 pm

Yes, unless a particular selector / matcher is used it will apply to all traffic. That rule has no to-addresses or to-ports so nothing would be changed.

dke · Thu Jan 14, 2021 7:16 pm

Thank you very much for pointing to to-ports, I misinterpreted the "dst"-part - that's what I have been looking for.

Unfortunately the NAT is not working as I wish. In my test case, I have two iperf servers running on port 60001 and 60002. If the traffic comes from ether2, I'd like to use 60001, otherwise 60002.

If I do a NAT with to-addresses and use the router IP address as destination (with port 60006), the NAT counter is incremented but I get connection refused. Is it because there is no chance for the server to reply, i.e. do I need a reverse NAT rule as well?

If I do a NAT without to-addresses and use the iperf server IP (with port 60006), the NAT seems to not be used, although all other selectors are empty. Apparently a general misunderstanding on my side?

chain=dstnat action=accept to-ports=60001 protocol=tcp in-bridge-port=ether2 dst-port=60006 log=no log-prefix=""

Out of curiosity, why are those to-ports/to-addresses parameters missing in the winbox GUI? They don't seem unimportant to me for NATs?

Thanks again.

tdw · Thu Jan 14, 2021 8:14 pm

Did you clear the connection tracking entries or wait (~3 minutes for UDP connections)? The connection state includes flags to indicate if source and/or destination NAT is required, these are set on the first packet of a connection. As UDP doesn't have any concept of a connection, unlike TCP where you can peek at the TCP header flags, a timer is used. If you haven't found them some of the help pages may be useful https://help.mikrotik.com/docs/display/ROS/NAT and https://help.mikrotik.com/docs/display/ ... n+RouterOS

The selectors for firewall filter/NAT/mangle rules are on the General, Advanced and & Extras tab in Winbox, the Action tab includes the relevant parameters for the action selected such as to-addresses and to-ports for dst-nat.

dke · Thu Jan 14, 2021 8:52 pm

The reason I haven't seen the to-ports parameter is that I had "accept" as action - I assume dst-nat is required for chain & action?

I looked into the connections and found this temporary entry:

7    C   d protocol=tcp src-address=192.168.144.58:54806 dst-address=192.168.144.6:60006 reply-src-address=192.168.144.30:60001 reply-dst-address=192.168.144.58:54806 
            tcp-state=syn-sent timeout=1s orig-packets=3 orig-bytes=156 orig-fasttrack-packets=0 orig-fasttrack-bytes=0 repl-packets=0 repl-bytes=0 repl-fasttrack-packets=0 
            repl-fasttrack-bytes=0 orig-rate=0bps repl-rate=0bps

This goes away after few seconds and I get a connection timed out.
The reply-src-address seems alright?

What am I missing? I think we are close. Thanks for your help :-)

edit for completeness: .6 is NAT router, .58 iperf client, .30 iperf server

Bridge NAT Port Forwarding

Bridge NAT Port Forwarding

Re: Bridge NAT Port Forwarding

Re: Bridge NAT Port Forwarding

Re: Bridge NAT Port Forwarding

Re: Bridge NAT Port Forwarding

Re: Bridge NAT Port Forwarding

Re: Bridge NAT Port Forwarding

Who is online