enos80
just joined
Topic Author
Posts: 7
Joined: Thu Apr 08, 2021 1:51 am

Port forwarding not working?

Thu Apr 08, 2021 2:17 am

Hello all. I've had my hAP ac for a few weeks. I was able to get it online and basic configuration done without issue. I tried a VPN server and that sort of worked; to get a break from that, I switched over to port forwarding to get my web server back online.

For some background.

I'm using ddclient to update my domain's name server with my external IP. I have confirmed that is working by turning on WebFig in IP / Services and then loading my domain.com address. The RouterOS login pulls up.

I have tested my virtual hosts on the web server. I can independently pull up both virtual hosts. I have also used online port checkers that confirm the ports are open. Anyway, I'm positive something is wrong with my config. I'm enjoying MikroTik, but little things like basic port forwarding seem more difficult than necessary. Below is my full config, in case anyone can tell me what might be wrong in it.

# apr/07/2021 17:59:14 by RouterOS 6.48.1
# software id = W8WH-68AP
#
# model = RB962UiGS-5HacT2HnT
# serial number = CC500DFB167A
/interface bridge
add admin-mac=08:55:31:BA:9D:AC auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=WPA supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=GuestWIFI supplicant-identity=MikroTik
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge security-profile=WPA ssid=Sputnik wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge security-profile=WPA ssid=Sputnik-5G wireless-protocol=802.11 wps-mode=disabled
add disabled=no mac-address=0A:55:31:BA:9D:B2 master-interface=wlan1 name=wlan4 security-profile=GuestWIFI ssid="Make WiFi Great Again" wps-mode=disabled
/ip pool
add name=dhcp ranges=10.10.0.130-10.10.0.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge filter
# no interface
add action=drop chain=forward in-interface=*A
# no interface
add action=drop chain=forward out-interface=*A
add action=drop chain=forward in-interface=wlan4
add action=drop chain=forward out-interface=wlan4
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
add bridge=bridge interface=*A
add bridge=bridge interface=wlan4
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface sstp-server server
set default-profile=default-encryption
/ip address
add address=10.10.0.1/24 comment=defconf interface=bridge network=10.10.0.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=10.10.0.0/24 comment=defconf gateway=10.10.0.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=10.10.0.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=forward comment="Raspberry Pi Webserver 443" dst-address=10.10.0.41 dst-port=443 in-interface=ether1 protocol=tcp
add action=accept chain=forward comment="Raspberry Pi Webserver 80" connection-type="" dst-address=10.10.0.41 dst-port=80 in-interface=ether1 protocol=tcp
add action=accept chain=forward dst-address=10.10.0.144 dst-port=22 in-interface=ether1 protocol=tcp
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface-list=!LAN
/ip firewall nat
add action=dst-nat chain=dstnat comment="Raspberry Pi Web Server 80" dst-port=80 in-interface=ether1 protocol=tcp to-addresses=10.10.0.41 to-ports=80
add action=dst-nat chain=dstnat comment="Raspberry Pi Webserver 443" dst-port=443 in-interface=ether1 protocol=tcp to-addresses=10.10.0.41 to-ports=443
add action=dst-nat chain=dstnat dst-port=22 in-interface=ether1 protocol=tcp to-addresses=10.10.0.144 to-ports=22
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.89.0/24
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=*****
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=America/Chicago
/system identity
set name="MikroTik Router"
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
anav
Forum Guru
Posts: 19100
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port forwarding not working?

Thu Apr 08, 2021 1:49 pm

a. Get rid of this. It's rarely used and can cause issues.
Just use the normal and default firewall rules for traffic control at layer 3.
/interface bridge filter
# no interface
add action=drop chain=forward in-interface=*A
# no interface
add action=drop chain=forward out-interface=*A
add action=drop chain=forward in-interface=wlan4
add action=drop chain=forward out-interface=wlan4



b. Get rid of these extra bridges... you should only need one bridge.
add bridge=bridge interface=*A
add bridge=bridge interface=wlan4

c. Where is the DNS setting on this line?
/ip dhcp-server network
add address=10.10.0.0/24 comment=defconf gateway=10.10.0.1 netmask=24

d. Get rid of the port forward rules you put in the forward chain; you already have them correctly configured in the NAT chain. Port forwarding rules belong in the NAT setup, NOT the forward chain.
add action=accept chain=forward comment="Raspberry Pi Webserver 443" dst-address=10.10.0.41 dst-port=443 in-interface=ether1 protocol=tcp
add action=accept chain=forward comment="Raspberry Pi Webserver 80" connection-type="" dst-address=10.10.0.41 dst-port=80 in-interface=ether1 protocol=tcp
add action=accept chain=forward dst-address=10.10.0.144 dst-port=22 in-interface=ether1 protocol=tcp


e. By the way, if you want to access the servers on your network using the WAN IP address of the router (and not the more logical direct LAN IP), then you are in a loopback or hairpin NAT scenario, which takes extra config steps.
 
enos80

Re: Port forwarding not working?

Thu Apr 08, 2021 3:41 pm

I had wanted to update this last night. Apparently the port forwarding works, just not from my local network. When I VPN into my work or just use a commercial VPN, the domain.com name resolves and points to my Raspberry Pi. In addition, the MikroTik lets the traffic through and forwards it.

When I'm on my LAN however it does not. Can anyone assist with why that might be the case?

@anav - I'll follow your suggestions. This was just the default config plus anything that was prompted. As far as LAN IP vs. WAN IP, I'm just trying to emulate my previous setup as much as possible. I have a registered domain name, domain.com, that points to my WAN IP, but I use it mostly for name resolution.

If I want to RDP into a Windows server in my home network when I'm away from home, it's more convenient to RDP into www.domain.com and have my router forward that port to the correct PC. I use it to SSH into a jump point Raspberry Pi (ssh name@domain.com -p randoport), and when my VPN asks for the server name it's easier to use www.domain.com.

Ideally this should work the same on a LAN connection as it does on a WAN connection. domain.com should point to the same website regardless of whether I'm in or out of my LAN; same for RDP, SSH and VPN.
 
anav

Re: Port forwarding not working?

Thu Apr 08, 2021 5:17 pm

Hi enos, then you are probably also dealing with hairpin NAT and will need to modify your setup.
However, I'd prefer to see you working from a fixed-up config, as all the other noise may get in the way.
 
anav

Re: Port forwarding not working?

Thu Apr 08, 2021 5:19 pm

Once you have cleaned up the config then you may be ready to try this.......... but I recommend you post your config first for a review.

Here is the short explanation. You have come across the need for loopback, called hairpin NAT in the MT world.
This occurs when users on the same LAN as a server are mandated to use the public IP of the network the server is on, rather than the much easier and direct LAN IP of the server.

If creating a new subnet is of no interest, then there are multiple ways to solve your dilemma.
In all cases the first thing you need to do is construct a separate srcnat rule (keep the default one), and it looks like this:
add chain=srcnat action=masquerade src-address=192.168.1.0/24 dst-address=192.168.1.0/24

Then you need to configure the destination NAT rule depending upon whether you have a static WAN IP or a dynamic WAN IP.
If you have a static/fixed WAN IP then no change to your current destination-nat rule is required:
add chain=dstnat action=dst-nat dst-address=fixedwanip protocol=xx dst-port=yyyy to-addresses=LANIP to-ports=zzzz (to-ports is only required if translating to a different port).

If you have a dynamic WAN IP then you can do it several ways.
(1) One workaround is to use the IP Cloud and free DDNS service on the router, as per steveOC ( https://www.bing.com/videos/search?q=yo ... &FORM=VIRE ).
We are replacing the static WAN IP (dst-address) by getting the current WAN IP. Enable IP Cloud, copy the long-winded DDNS host name from the router and put it in a firewall address list, and name the list
"myWANIP". The firewall list will resolve the name to your current WAN IP.
Then your rule becomes:
add chain=dstnat action=dst-nat dst-address-list=myWANIP protocol=xx dst-port=yyyy to-addresses=LANIP

(2) Another Gucci method, from *****Sob (didn't know he was Italian ;-), is similar in that one in effect pulls the current active WAN IP and sticks it into a firewall address list, from the current DHCP client settings via a script.
So put this in the DHCP client advanced script area:
:if ($bound=1) do={
/ip firewall address-list set [/ip firewall address-list find where comment="wan1ip"] address=$"lease-address" disabled=no
} else={
/ip firewall address-list set [/ip firewall address-list find where comment="wan1ip"] disabled=yes
}
Where:
/ip firewall address-list
add comment=wan1ip disabled=yes list=external_wan
and the rule becomes:
add chain=dstnat action=dst-nat dst-address-list=external_wan protocol=xx dst-port=yyyy to-addresses=LANIP

The advantage over the DDNS method is that updates are instant.
The advantage of the DDNS method is that it is useful when there's 1:1 NAT and the router itself doesn't have a public address, plus it is simple and easy to do!!

(3) Finally, there is a third method which does not involve extracting any WAN IP or mimicking the static WAN IP scenario. This involves tricking the router by saying: look for the interface that is not local as the source of the incoming traffic.
add chain=dstnat action=dst-nat dst-address-type=local dst-address=!192.168.1.1 \
protocol=xx dst-port=yyyy to-addresses=LANIP

***** Anyone know where Sob is? Haven't seen him post in a long time (concerned!)
Last edited by anav on Mon May 17, 2021 1:09 am, edited 1 time in total.
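The post above gives the rules with placeholder addressing. Below is an added worked example (it is not enos80's config and not anav's text) of method (3) filled in with the addressing this thread actually uses: LAN 10.10.0.0/24 on "bridge", router LAN address 10.10.0.1, web server 10.10.0.41 (tcp 80/443) and the SSH jump host 10.10.0.144 (tcp 22). Those values are taken from the posted config; the comments and the decision to drop the in-interface=ether1 match are mine.

```routeros
# Added example: hairpin NAT with dst-address-type=local (method 3 above),
# using this thread's addresses. Not from the original post.
/ip firewall nat

# Step 1 - keep the default masquerade and add a second one for LAN -> LAN.
# When a LAN client connects to the WAN IP and is dst-nat'ed to 10.10.0.41,
# the server would otherwise answer the client directly from 10.10.0.41; the
# client opened its connection to the WAN IP, so it discards that reply.
# Masquerading the source forces the reply back through the router, where the
# NAT is undone. Same-subnet traffic is switched on the bridge and never
# routed, so the only LAN -> LAN connections this rule ever sees are the
# hairpinned ones.
add chain=srcnat action=masquerade comment="hairpin: LAN clients via WAN IP" \
    src-address=10.10.0.0/24 dst-address=10.10.0.0/24

# Step 2 - replace the in-interface=ether1 dst-nat rules. in-interface=ether1
# is exactly what stops them matching for LAN clients. dst-address-type=local
# matches any address the router itself holds (so it follows a dynamic WAN IP),
# and dst-address=!10.10.0.1 keeps the router's own LAN address out of it, so a
# LAN client talking to 10.10.0.1 on 22/80/443 is never silently redirected.
remove [ find chain=dstnat in-interface=ether1 ]
add chain=dstnat action=dst-nat comment="Raspberry Pi Web Server 80" \
    dst-address-type=local dst-address=!10.10.0.1 protocol=tcp dst-port=80 \
    to-addresses=10.10.0.41
add chain=dstnat action=dst-nat comment="Raspberry Pi Webserver 443" \
    dst-address-type=local dst-address=!10.10.0.1 protocol=tcp dst-port=443 \
    to-addresses=10.10.0.41
add chain=dstnat action=dst-nat comment="SSH jump host" \
    dst-address-type=local dst-address=!10.10.0.1 protocol=tcp dst-port=22 \
    to-addresses=10.10.0.144
```

Two caveats worth knowing before copying this. First, hairpinned clients reach the server with source 10.10.0.1, so the Pi's access logs and any per-client rate limiting or fail2ban-style blocking on it will see every LAN user as the router; connections from the internet keep their real source. Second, simply deleting in-interface=ether1 (as opposed to adding the dst-address=!10.10.0.1 exclusion) makes the rules match the router's LAN address too, which is the adverse effect to watch for. Since the router is already the LAN's DNS server, a static entry such as /ip dns static add name=www.domain.com address=10.10.0.41 is an alternative (my suggestion, not from the thread) that sends LAN clients straight to the server and needs no hairpin at all, but only for clients that use the router for DNS.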
 
enos80

Re: Port forwarding not working?

Thu Apr 08, 2021 6:15 pm

anav,

I appreciate this so much.

A few questions.

wlan4 is my guest WiFi. Do I want them in the bridge?
Are NAT rules applied before firewall rules, or are they not related? How do those two interact? I believed that incoming traffic was checked against the firewall, passed, and then forwarded to the NAT table. Is that not correct?

I plan on putting an AdGuard DNS server on my network; at that point I suspect I'll just change the DHCP server to reflect that server's IP?

Finally here is my updated config with your first round of changes.


[enos80@MikroTik Router] > /export hide-sensitive
# apr/08/2021 10:09:43 by RouterOS 6.48.1
# software id = W8WH-68AP
#
# model = RB962UiGS-5HacT2HnT
# serial number = CC500DFB167A
/interface bridge
add admin-mac=08:55:31:BA:9D:AC auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=WPA supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=GuestWIFI supplicant-identity=MikroTik
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX disabled=no distance=indoors frequency=auto installation=\
indoor mode=ap-bridge security-profile=WPA ssid=Sputnik wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto \
installation=indoor mode=ap-bridge security-profile=WPA ssid=Sputnik-5G wireless-protocol=802.11 wps-mode=disabled
add disabled=no mac-address=0A:55:31:BA:9D:B2 master-interface=wlan1 name=wlan4 security-profile=GuestWIFI ssid="Make WiFi Great Again" \
wps-mode=disabled
/ip pool
add name=dhcp ranges=10.10.0.130-10.10.0.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
add bridge=bridge interface=wlan4
add bridge=bridge interface=*A
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface sstp-server server
set default-profile=default-encryption
/ip address
add address=10.10.0.1/24 comment=defconf interface=bridge network=10.10.0.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=10.10.0.0/24 comment=defconf dns-server=10.10.0.1 gateway=10.10.0.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=10.10.0.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new \
in-interface-list=WAN
add action=accept chain=forward dst-address=10.10.0.41
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface-list=!LAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Raspberry Pi Web Server 80" dst-port=80 in-interface=ether1 protocol=tcp to-addresses=\
10.10.0.41 to-ports=80
add action=dst-nat chain=dstnat comment="Raspberry Pi Webserver 443" dst-port=443 in-interface=ether1 protocol=tcp to-addresses=\
10.10.0.41 to-ports=443
add action=dst-nat chain=dstnat dst-port=22 in-interface=ether1 protocol=tcp to-addresses=10.10.0.144 to-ports=22
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.89.0/24
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=xxxx
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=America/Chicago
/system identity
set name="MikroTik Router"
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
anav

Re: Port forwarding not working?

Thu Apr 08, 2021 6:56 pm

Hi there,
Yes, all ether ports (and wlans are considered wireless ether ports) should be on the bridge. IN GENERAL! But we have to take a look at your specific case, see (2) below.
One only needs one FIREWALL RULE, which basically states to the router: allow all NAT traffic heading towards your router.
In other words, if the incoming traffic matches a DESTINATION NAT rule it is allowed past the firewall.

I came from Zyxel ZyWALL routers, where one had to provide both a port forwarding rule and a firewall rule for each server.
In MikroTik one applies destination NAT rules per port forward and one firewall rule to cover off all port forwarding.
Note in MT that destination NAT can be for different things as well, not just the classic port forwarding.

(1) WHAT is interface *A??
interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
add bridge=bridge interface=wlan4

add bridge=bridge interface=*A

(2) The problem with a GUEST WLAN is that it should not be on the same subnet as your HOME LAN, regardless of whether it is on the same bridge, not on a bridge, on a different bridge, etc.
My recommendation is to use VLANs, but that adds complexity that may not be required. So, forgetting about VLANs, two options! In both options you will need to fill in the required additional subnet criteria, starting with IP address, IP pool, DHCP server, DHCP server network.
i. attach this to a new bridge............. interface bridge-guest, OR
ii. attach directly to WLAN4
Finally, in both cases:
add bridge-guest or WLAN4 to the interface list LAN
Done.

(3) Delete this line, it is NOT required.
add action=accept chain=forward dst-address=10.10.0.41
I have a feeling you think this is needed for port forwarding.......

However, this rule already allows it, and basically states: drop all traffic coming from the WAN except if it has a corresponding DST NAT rule.
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new \
in-interface-list=WAN
The default firewall rules work on the premise that all traffic is allowed at L3 unless you specifically stop it.
That is why, for example, you see no rule allowing LAN to WAN traffic. It is allowed because you haven't blocked it.
That is why, for example, your WLAN4 folks can talk to WLAN1 folks even on different bridges or VLANs. It is allowed because you haven't blocked it.
Now the default rules and setup are SAFE out of the box, but there is a better way to do this once you start adding complications!

(4) The better way, for the forward chain, is to have the reverse philosophy! Basically ALL is blocked unless you specifically allow it out. Which I much prefer, as I know what I want to allow but have no idea of all the things I could or might need to block.
Thus one replaces the one rule I noted above by two rules that make life cleaner, simpler to read and understand.
i. add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat connection-state=new \
in-interface-list=WAN
ii. add action=drop chain=forward comment="drop all else"

So adding these rules will in effect do the same as the single rule, but they are much easier to understand. Now, for example, all WAN to LAN traffic other than port forwarding will be dropped by the last rule. For example, all home traffic to guest traffic will be dropped (IF you had them on different subnets) by the last rule.
What this should point out to you is that no internet traffic will occur, so you will need to allow this as per the following, placed before the last rule (the drop rule should be the last rule):
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
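Items (2) and (4) above describe a procedure in prose. Below is an added worked example (not from the thread, not enos80's config) that carries both through on the posted setup: the guest WLAN moved to its own subnet using option ii (IP address directly on wlan4, no second bridge), and the forward chain rebuilt default-deny. The guest subnet 10.10.1.0/24 is an arbitrary choice of mine; the input-chain rules at the end are my addition, because putting wlan4 into the LAN list means the default "drop input from !LAN" rule no longer keeps guests away from router management.

```routeros
# Added example: guest subnet on wlan4 plus a default-deny forward chain,
# applied on top of the config posted in this thread. 10.10.1.0/24 is an
# assumed guest subnet; everything else uses names from the posted config.

# --- guest subnet directly on wlan4 (option ii) ---
/interface bridge port
remove [ find interface=wlan4 ]
/ip address
add address=10.10.1.1/24 interface=wlan4 network=10.10.1.0 comment=guest
/ip pool
add name=guest ranges=10.10.1.10-10.10.1.254
/ip dhcp-server
add address-pool=guest disabled=no interface=wlan4 name=guest
/ip dhcp-server network
add address=10.10.1.0/24 dns-server=10.10.1.1 gateway=10.10.1.1 comment=guest
/interface list member
add interface=wlan4 list=LAN

# --- forward chain: drop unless explicitly allowed (item 4) ---
# Order is what makes this safe. The defconf rules already in the chain
# (accept ipsec, fasttrack, accept established/related, drop invalid) stay
# first; these are appended after them; the unconditional drop stays last.
/ip firewall filter
remove [ find chain=forward comment="defconf: drop all from WAN not DSTNATed" ]
# No in-interface-list here, so a dst-nat'ed connection is accepted whether
# it arrived from the internet or was hairpinned from a LAN/guest client.
add chain=forward action=accept comment="allow port forwarding" \
    connection-nat-state=dstnat connection-state=new
add chain=forward action=accept comment="home and guest to internet" \
    in-interface-list=LAN out-interface-list=WAN
# Guest -> home and home -> guest both land here, as do WAN -> LAN attempts
# with no dst-nat rule. Any further flow you want (e.g. VPN clients) needs
# its own accept rule placed before this one.
add chain=forward action=drop comment="drop all else"

# --- input chain: limit what guests can reach on the router itself ---
# wlan4 is now in the LAN list, so the defconf "drop in-interface-list=!LAN"
# no longer applies to guests; without these rules they could reach SSH and
# WinBox on the router. ICMP is still accepted by the earlier defconf rule.
add chain=input action=accept comment="guest: DHCP and DNS" \
    in-interface=wlan4 protocol=udp dst-port=53,67
add chain=input action=accept comment="guest: DNS over TCP" \
    in-interface=wlan4 protocol=tcp dst-port=53
add chain=input action=drop comment="guest: drop everything else" \
    in-interface=wlan4
```

After applying this, check the result from a guest client rather than trusting the rule list: a connection to 10.10.0.1 or 10.10.0.41 from the guest WLAN should time out, a connection to an internet host should work, and the counters on "drop all else" should increase when you try the former. Note that the first three filter rules go to the end of the filter list, which is fine because chains are evaluated independently, but within the forward chain the drop must remain the last forward rule.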
 
anav

Re: Port forwarding not working?

Thu Apr 08, 2021 7:03 pm

Once the above is set up then we can tackle hairpin NAT!!
By the way, you could put your server on a third subnet by itself.
Let's say the server is on the ether4 port.
Then remove ether4 from the bridge and simply associate the server with ether4, or create a bridge for the server.
In this way all home users will be able to use the server as you desire without any hairpin NAT configuration required. Up to you!
 
enos80

Re: Port forwarding not working?

Fri Apr 09, 2021 12:25 am

anav,

Thank you for the explanation of the relationship between firewall and NAT. On to your comments.

1. I added *A based on one of your previous comments. I must have misunderstood. I've removed *A.
Get rid of these extra bridges ..... you should only need one bridge.
add bridge=bridge interface=*A
add bridge=bridge interface=wlan4
2. I don't actually use my guest WiFi. But I want to keep it; preferably it would only allow internet access and be unable to interact with my home network. Maybe we can come back to this later? I'd like to try and tackle this one myself as a MikroTik lesson. With the comments you've already made I think I can get 99% of the way there.

3. I don't really know why that rule was there. I must have forgotten it. I've deleted it. I think I understand the drop rule. So if I ever do need to open a port, I have to put that firewall rule before this drop rule for it to get applied? I am all for getting my router to a safe place to start, then tinkering later.

4. I would much rather block everything and only allow specific things, but like the guest LAN, I'm not in a position to fully learn firewall rules yet. Once I get my network to the same place as my previous router (certain ports are forwarded to certain servers on my network, and that works in and out of the LAN) and I figure out how to get the VPN server on the MikroTik working, I can shift focus from critical issues to nice-to-learn / tinker issues.

Again, I can't express how grateful I am for all of your time. I love the granularity RouterOS will provide, but learning it is a process.

-- updated config

# apr/08/2021 16:18:27 by RouterOS 6.48.1
# software id = W8WH-68AP
#
# model = RB962UiGS-5HacT2HnT
# serial number = CC500DFB167A
/interface bridge
add admin-mac=08:55:31:BA:9D:AC auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=WPA supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=GuestWIFI supplicant-identity=MikroTik
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX disabled=no distance=indoors frequency=auto installation=\
indoor mode=ap-bridge security-profile=WPA ssid=Sputnik wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto \
installation=indoor mode=ap-bridge security-profile=WPA ssid=Sputnik-5G wireless-protocol=802.11 wps-mode=disabled
add disabled=no mac-address=0A:55:31:BA:9D:B2 master-interface=wlan1 name=wlan4 security-profile=GuestWIFI ssid="Make WiFi Great Again" \
wps-mode=disabled
/ip pool
add name=dhcp ranges=10.10.0.130-10.10.0.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
add bridge=bridge interface=wlan4
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface sstp-server server
set default-profile=default-encryption
/ip address
add address=10.10.0.1/24 comment=defconf interface=bridge network=10.10.0.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=10.10.0.0/24 comment=defconf dns-server=10.10.0.1 gateway=10.10.0.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=10.10.0.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new \
in-interface-list=WAN
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface-list=!LAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Raspberry Pi Web Server 80" dst-port=80 in-interface=ether1 protocol=tcp to-addresses=\
10.10.0.41 to-ports=80
add action=dst-nat chain=dstnat comment="Raspberry Pi Webserver 443" dst-port=443 in-interface=ether1 protocol=tcp to-addresses=\
10.10.0.41 to-ports=443
add action=dst-nat chain=dstnat dst-port=22 in-interface=ether1 protocol=tcp to-addresses=10.10.0.144 to-ports=22
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.89.0/24
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=xxxxx
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=America/Chicago
/system identity
set name="MikroTik Router"
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
anav

Re: Port forwarding not working?

Fri Apr 09, 2021 3:02 am

Seems like this should work for you at the moment.
One thing I would change is the following: no access via unprotected MAC address access, keep only MAC WinBox active.
FROM
/tool mac-server
set allowed-interface-list=LAN

/tool mac-server mac-winbox
set allowed-interface-list=LAN

TO
/tool mac-server
set allowed-interface-list=none
(MAC address access is not a secure method and should not be active.)
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
enos80

Re: Port forwarding not working?

Fri Apr 09, 2021 3:10 am

Thank you..

I found this (https://wiki.mikrotik.com/wiki/Hairpin_NAT). I'm going to try to follow along with this.. And see if I can't make it work. If not I'll come back and bug you some more.

Thanks again for all the help
 
anav

Re: Port forwarding not working?

Fri Apr 09, 2021 3:13 am

enos80 wrote:
> Thank you..
> I found this (https://wiki.mikrotik.com/wiki/Hairpin_NAT). I'm going to try to follow along with this and see if I can't make it work. If not I'll come back and bug you some more.
> Thanks again for all the help

Don't waste your time, I covered completely the best ways to handle hairpin NAT above at 11:19, POST #5.

But go ahead and get confused....... this link may be a bit better.
https://help.mikrotik.com/docs/display/ROS/NAT
 
enos80

Re: Port forwarding not working?

Fri Apr 09, 2021 3:31 am

Thank you!
 
enos80

Re: Port forwarding not working?

Fri Apr 09, 2021 5:30 pm

EDIT:
When I remove in-interface from my dstnat rules, I now have the intended behavior. Are there any adverse side effects from leaving it this way? See config below.

I tried Steve's hairpin NAT and it did not work.

If I'm outside my network, www.domainname.com resolves and points to my Raspberry Pi. If I'm inside my network, www.domainname.com refuses to connect.

[enos80@MikroTik Router] > /export hide-sensitive
# apr/09/2021 09:29:12 by RouterOS 6.48.1
# software id = W8WH-68AP
#
# model = RB962UiGS-5HacT2HnT
# serial number = CC500DFB167A
/interface bridge
add admin-mac=08:55:31:BA:9D:AC auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=WPA supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=GuestWIFI supplicant-identity=MikroTik
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX disabled=no distance=indoors frequency=\
auto installation=indoor mode=ap-bridge security-profile=WPA ssid=Sputnik wireless-protocol=802.11 wps-mode=\
disabled
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX disabled=no distance=indoors \
frequency=auto installation=indoor mode=ap-bridge security-profile=WPA ssid=Sputnik-5G wireless-protocol=802.11 \
wps-mode=disabled
add disabled=no mac-address=0A:55:31:BA:9D:B2 master-interface=wlan1 name=wlan4 security-profile=GuestWIFI ssid=\
"Make WiFi Great Again" wps-mode=disabled
/ip pool
add name=dhcp ranges=10.10.0.130-10.10.0.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
add bridge=bridge interface=wlan4
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface sstp-server server
set default-profile=default-encryption
/ip address
add address=10.10.0.1/24 comment=defconf interface=bridge network=10.10.0.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=10.10.0.0/24 comment=defconf dns-server=10.10.0.1 gateway=10.10.0.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=10.10.0.1 comment=defconf name=router.lan
/ip firewall address-list
add address=xxxxxxxxxxxxxxxxxxxx=WAN-IP
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface-list=!LAN
/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=10.10.0.0/24 src-address=10.10.0.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN \
src-address=10.10.0.0/24
add action=dst-nat chain=dstnat comment="Raspberry Pi Web Server 80" dst-address-list=WAN-IP dst-port=80 \
protocol=tcp to-addresses=10.10.0.41 to-ports=80
add action=dst-nat chain=dstnat comment="Raspberry Pi Webserver 443" dst-address-list=WAN-IP dst-port=443 \
protocol=tcp to-addresses=10.10.0.41 to-ports=443
add action=masquerade chain=srcnat comment="masq. vpn traffic" disabled=yes src-address=192.168.89.0/24
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=xxxxxx
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=America/Chicago
/system identity
set name="MikroTik Router"
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
[enos80@MikroTik Router] >
Last edited by enos80 on Fri Apr 09, 2021 6:48 pm, edited 1 time in total.
 
jvanhambelgium
Forum Veteran
Posts: 985
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Port forwarding not working?

Fri Apr 09, 2021 6:15 pm

If I'm outside my network www.domainname.com resolves and points to my raspberry pi. If I'm inside my network www.domainname.com refuses to connect.

/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface-list=!LAN
For the hairpin to work you also need to allow this traffic on the forward chain. So the packet is coming in from the bridge, hitting your DNAT, and then on its way back to the server.
You might want to insert an additional rule like the one below, placed above the "drop" rules in the forward chain.
(The example below is how I have mine configured, explicitly mentioning the ingress interface.)

add action=accept chain=forward comment="HAIRPIN : Accept any packet with valid DNAT entry" connection-nat-state=dstnat connection-state=established,related,new in-interface=Bridge
 
anav
Forum Guru
Posts: 19100
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port forwarding not working?

Fri Apr 09, 2021 6:34 pm

(1) Looking okay for the most part.

Remove the source address, not required. See if it works after this removal.
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN \
src-address=10.10.0.0/24

(2) Only have winbox-mac set up; the standard mac-server is not secure, set it to NONE:
tool mac-server
set allowed-interface-list=LAN

As for not reaching the raspberry PI,
that is weird, it should work.

(3) Just for giggles, try adding back the in-interface rules but this way.......... in-interface-list=WAN. Don't think it will change anything but worth a try!!

(4) As for jvan's advice, BOOO!!! I don't see it will help as YOU ALREADY STATE (as per the default firewall rules):
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

Which means all traffic coming from the WAN that is not DST NAT traffic should be dropped. ERGO that traffic is allowed!!! We are going from WAN to server!!
Finally, to throw ICE on jvan's................ you don't use DROP-all rules at the end of your chains, although that is a natural next step in better security AFTER WE GET THIS working for you.
 
jvanhambelgium
Forum Veteran
Posts: 985
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Port forwarding not working?

Fri Apr 09, 2021 8:00 pm

(4) As for jvan's advice, BOOO!!! I don't see it will help as YOU ALREADY STATE (as per the default firewall rules):
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

Which means all traffic coming from the WAN that is not DST NAT traffic should be dropped. ERGO that traffic is allowed!!! We are going from WAN to server!!
Finally, to throw ICE on jvan's................ you don't use DROP-all rules at the end of your chains, although that is a natural next step in better security AFTER WE GET THIS working for you.
No need to behave like a 6-year-old here.
There always exist many possible options. My example rule works fine for me. I have dozens of "extra" and "unneeded" rules that I specifically use for logging and making things visual on Splunk.
My goal is never to have the most compact set of rules, and of course at the bottom of any of my chains there is a "deny any any", just in case I forgot something.
 
anav
Forum Guru
Posts: 19100
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port forwarding not working?

Fri Apr 09, 2021 8:39 pm

Your set of extra rules and Splunk has little worth to this thread????
I was merely pointing out that the OP already has a firewall rule in place to permit WAN to LAN dst-nat traffic and that your suggestion
was not only confusing but it assumed he had a drop-all end rule, which he does not.
Call it as I see it; don't apologize unless I screwed the OP up and gave bad advice, which I am very likely to do from time to time.
Just try harder next time to be relevant.
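The disagreement in the last few posts (whether the OP's forward chain needs jvanhambelgium's extra accept rule for hairpin traffic) comes down to whether the chain ends in a catch-all drop. The following is an added example, not part of the thread, that models the posted forward chain in Python so both situations can be checked; interface list membership comes from the posted export, jvanhambelgium's in-interface=Bridge is modelled as in-interface-list=LAN (bridge is its only member), the ipsec and fasttrack rules are left out because they cannot match a new SYN, and the sample packets are constructed.

```python
from collections import namedtuple
from typing import List, Tuple

IFACE_LISTS = {"WAN": {"ether1"}, "LAN": {"bridge"}}  # from the posted /interface list member
# A firewall rule: action ("accept"/"drop"), comment, then the matchers a rule may leave unset (None):
# connection_state (set of states), connection_nat_state ("dstnat"/"!dstnat"), in_interface_list ("WAN", "!LAN", ...)
Rule = namedtuple("Rule", "action comment connection_state connection_nat_state in_interface_list",
                  defaults=(None, None, None))
# A packet as seen by the forward chain: in_interface, connection_state, dstnat (connection has a dst-nat entry)
Packet = namedtuple("Packet", "in_interface connection_state dstnat")

def _neg(spec: str, hit: bool) -> bool:
    return hit != spec.startswith("!")  # RouterOS "!" negation, e.g. "!WAN" = not in the WAN list

def rule_matches(r: Rule, p: Packet) -> bool:
    if r.connection_state is not None and p.connection_state not in r.connection_state:
        return False
    if r.connection_nat_state is not None and not _neg(r.connection_nat_state, p.dstnat):
        return False
    if r.in_interface_list is not None:
        in_list = p.in_interface in IFACE_LISTS[r.in_interface_list.lstrip("!")]
        if not _neg(r.in_interface_list, in_list):
            return False
    return True

def forward_verdict(chain: List[Rule], p: Packet) -> Tuple[str, str]:
    # First match wins; a packet that reaches the end of a chain unmatched is accepted.
    for r in chain:
        if rule_matches(r, p):
            return r.action, r.comment
    return "accept", "implicit accept (end of chain)"

# The OP's forward chain as posted (ipsec and fasttrack rules left out: they cannot match a new SYN).
OP_CHAIN = [
    Rule("accept", "defconf: accept established,related, untracked",
         connection_state={"established", "related", "untracked"}),
    Rule("drop", "defconf: drop invalid", connection_state={"invalid"}),
    Rule("drop", "defconf: drop all from WAN not DSTNATed", connection_state={"new"},
         connection_nat_state="!dstnat", in_interface_list="WAN"),
]
# jvanhambelgium's rule, with in-interface=Bridge modelled as in-interface-list=LAN (bridge is its only member)
HAIRPIN_ACCEPT = Rule("accept", "HAIRPIN : Accept any packet with valid DNAT entry",
                      connection_state={"established", "related", "new"},
                      connection_nat_state="dstnat", in_interface_list="LAN")
DROP_ALL = Rule("drop", "drop everything else")  # the catch-all jvanhambelgium keeps; the OP has none
# Constructed sample: first SYN from a LAN client to the public IP, already dst-nat'ed to the Pi
HAIRPIN_SYN = Packet(in_interface="bridge", connection_state="new", dstnat=True)

if __name__ == "__main__":
    print(forward_verdict(OP_CHAIN, HAIRPIN_SYN), forward_verdict(OP_CHAIN + [DROP_ALL], HAIRPIN_SYN))
```

With the OP's chain the hairpin SYN falls off the end and is accepted, so anav is right that no extra rule is needed there; append a final drop, as jvanhambelgium does, and the explicit accept becomes necessary.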
