
DSTNAT doesn't open port

Posted: Thu Apr 22, 2021 11:49 pm
by netgus
Hello to all

Newbie with MikroTik. To get some practice, I set up a quick lab where I want to make a basic LAN config (no problem),
a source NAT (masquerade) to go out to the Internet, and publish a service from the Internet to an internal host.
And now I'm stuck on destination NAT, probably due to a problem of understanding on my part. I made a simple NAT rule:
chain = dstnat
In.Interface.list = WAN (DHCP/ether1)
protocol = 6
Dst.port = 443
action = dstnat
to address = x.x.x.x (IP in the same subnet as the Mikrotik router)
to port = 443

Where I'm a bit confused, and mostly because it doesn't work, is whether you need to make a FW (forward) rule or not.
# apr/22/2021 16:40:38 by RouterOS 6.47.8
# software id = S171-9SQD
#
# model = 2011UAS-2HnD
# serial number = 3F0702E51D4B
/interface wireless
set [ find default-name=wlan1 ] disabled=no mode=ap-bridge ssid=Margotte wireless-protocol=802.11
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
/ip address
add address=192.168.60.2/30 interface=ether2 network=192.168.60.0
/ip dhcp-client
add disabled=no interface=ether1
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=443 in-interface-list=WAN log=yes protocol=tcp to-addresses=192.168.60.1 \
    to-ports=443
I guess this point has already been discussed in this forum, but my research gave me a lot of results and I didn't find anything clear to me.

Thanks for your help.

Re: DSTNAT doesn't open port

Posted: Fri Apr 23, 2021 1:01 am
by anav
If you had the default set of firewall rules, a MUST for any internet-facing device, one of the forward chain rules contains the means to allow port-forwarding traffic.
A clearer rule to use in the lab environment would be

/ip firewall filter
add chain=forward action=accept comment="allow port forwarding" in-interface-list=WAN \
connection-state=new connection-nat-state=dstnat
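As an added example (not anav's or netgus's config), here is a minimal, self-consistent rule set for the lab described above, together with the checks I would run on the router to see whether the redirect is actually happening. It assumes the WAN/LAN interface lists and the 192.168.60.1 target from the original post, a DHCP-assigned WAN address (hence dst-address-type=local rather than a fixed dst-address), and RouterOS v6 syntax. The forward rule accepts only the one published service rather than every dst-natted packet, so a later, sloppier dstnat rule cannot silently widen what the filter lets in.

```routeros
# Added example, not from the thread. Publishes TCP/443 on the router's own
# WAN address to 192.168.60.1 and lets exactly that forwarded traffic through.

/ip firewall nat
# Match only packets addressed to one of the router's own addresses arriving
# on a WAN interface, so a stray packet for some other destination that
# happens to come in on ether1 is not redirected to the internal host.
add chain=dstnat in-interface-list=WAN dst-address-type=local protocol=tcp dst-port=443 \
    action=dst-nat to-addresses=192.168.60.1 to-ports=443 comment="publish 443 -> 192.168.60.1"
add chain=srcnat out-interface-list=WAN action=masquerade comment="LAN -> Internet"

/ip firewall filter
# Stateful base for the forward chain.
add chain=forward connection-state=established,related action=accept comment="stateful accept"
add chain=forward connection-state=invalid action=drop comment="drop invalid"
# Allow the published service only: dst-address/dst-port are evaluated after
# dstnat, so they are the internal address and port.
add chain=forward in-interface-list=WAN connection-state=new connection-nat-state=dstnat \
    protocol=tcp dst-address=192.168.60.1 dst-port=443 action=accept comment="allow published 443"
# LAN may initiate towards the Internet.
add chain=forward in-interface-list=LAN out-interface-list=WAN action=accept comment="LAN -> WAN"
# Anything else entering the forward chain from WAN is dropped.
add chain=forward in-interface-list=WAN action=drop comment="drop other WAN -> inside"

# Checks while a WAN-side client runs: curl -vk https://<wan-ip>/
# 1. The dstnat rule's packet counter must increase on every attempt.
/ip firewall nat print stats where chain=dstnat
# 2. The connection table must show the translated flow (reply-src is 192.168.60.1:443).
/ip firewall connection print detail where dst-address~"443"
# 3. The SYN must leave on the LAN port towards 192.168.60.1, and a SYN-ACK must come back.
/tool sniffer quick interface=ether2 ip-protocol=tcp port=443
```

Reading the checks: if the counter in step 1 does not move, the packet never reached the router on a WAN interface (upstream device, wrong address, wrong interface list). If it moves and step 3 shows the SYN going out but no SYN-ACK returning, the router has done its part and the problem is on the target host: a local firewall, the service not listening on 443, or a default gateway that is not 192.168.60.2 so the reply takes another path.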

Re: DSTNAT doesn't open port

Posted: Fri Apr 23, 2021 2:16 am
by netgus
Thank you for your feedback

I followed your instructions, but unfortunately it still doesn't work. I have tried several scenarios, without success.
# apr/22/2021 19:01:35 by RouterOS 6.47.8
# software id = S171-9SQD
#
# model = 2011UAS-2HnD
# serial number = 3F0702E51D4B
/interface wireless
set [ find default-name=wlan1 ] disabled=no mode=ap-bridge ssid=Margotte wireless-protocol=802.11
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
/ip address
add address=192.168.60.2/30 interface=ether2 network=192.168.60.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add disabled=no interface=ether1
/ip firewall filter
add action=accept chain=input comment="Allow ICMP" protocol=icmp
add action=accept chain=forward comment="Allow port forwarding" connection-nat-state=dstnat connection-state=new \
    in-interface-list=WAN
add action=drop chain=input comment="Drop everything that is not LAN" in-interface-list=!LAN
/ip firewall nat
add action=dst-nat chain=dstnat comment="Allow DSTNAT for 192.168.60.1 on the port 443" dst-port=443 \
    in-interface-list=WAN log=yes protocol=tcp to-addresses=192.168.60.1 to-ports=443
add action=dst-nat chain=dstnat comment="Allow DSTNAT for 192.168.100.70 on the port 80" dst-port=80 \
    in-interface-list=WAN protocol=tcp to-addresses=192.168.100.70 to-ports=80
add action=masquerade chain=srcnat comment="Allow SRCNAT traffic to Internet" out-interface-list=WAN
/ip route
add disabled=yes distance=1 gateway=192.168.111.1
add distance=1 dst-address=192.168.100.0/24 gateway=192.168.60.1
/lcd interface pages
set 0 interfaces=sfp1,ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10
I'm able to ping the interfaces.
I use curl to validate that the port openings are functional. The result is the same with port 443.

I have rebooted the router. I did a "/system reset-configuration".
Everything seems to work except the DSTNAT.
curl -vk http://192.168.111.114
* Rebuilt URL to: http://192.168.111.114/
*   Trying 192.168.111.114...
* TCP_NODELAY set
* Connection failed
* connect to 192.168.111.114 port 80 failed: Operation timed out
* Failed to connect to 192.168.111.114 port 80: Operation timed out
* Closing connection 0
curl: (7) Failed to connect to 192.168.111.114 port 80: Operation timed out

Re: DSTNAT doesn't open port

Posted: Fri Apr 23, 2021 3:41 am
by anav
(1) This seems non-standard
/ip address
add address=192.168.60.2/30 interface=ether2 network=192.168.60.0

TO
/ip address
add address=192.168.60.1/24 interface=ether2 network=192.168.60.0

(2) where is dhcp server, ip pool, dhcp-server-network ???

Re: DSTNAT doesn't open port

Posted: Fri Apr 23, 2021 5:16 am
by netgus
The interface is just on a /30 (subnetting). I put it on a /24, but it doesn't change anything.

In my lab, I don't need a DHCP server.
I also installed RouterOS v6.48.2 (stable).
/ip address
add address=192.168.60.2/24 interface=ether2 network=192.168.60.0

Re: DSTNAT doesn't open port

Posted: Fri Apr 23, 2021 3:42 pm
by anav
lab network diagram??

Re: DSTNAT doesn't open port

Posted: Fri Apr 23, 2021 4:22 pm
by 2frogs
When testing for the ports to be open, are you testing from a device on the WAN side or from the server on the LAN? Your NAT rule only allows from the WAN. I see no error with your NAT rules. As far as filter rules go, the default state (without rules) is to accept. Your original configuration was not blocking the NAT.

If you were testing from the WAN, I would suggest the issue is with the configuration of the server: a firewall on the server or an IP configuration error. You should move that ether to a bridge and add a second port to connect a device to test its LAN IP.
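The "where are you testing from" question matters because a dstnat rule restricted to in-interface-list=WAN never sees a connection started from the LAN, and even an unrestricted one fails from the LAN unless the reply is forced back through the router (the server would otherwise answer the LAN client directly, and the client drops a SYN-ACK from an address it never contacted). As an added example, not part of 2frogs's reply, this is the hairpin-NAT variant that makes a LAN-side curl to the WAN address behave like an Internet-side one. It assumes the same addresses as the thread (router 192.168.60.2, target 192.168.60.1, LAN 192.168.60.0/24) and a DHCP-assigned WAN address.

```routeros
# Added example, not the poster's config: hairpin NAT so a host on
# 192.168.60.0/24 can test the published service via the router's WAN address.

/ip firewall nat
# No in-interface-list restriction: the rule must also match connections from
# the LAN. Caveat: dst-address-type=local also covers the router's own LAN
# address 192.168.60.2, so TCP/443 to the router itself (www-ssl) is redirected
# too; use dst-address=<wan-ip> instead if the WAN address is static.
add chain=dstnat dst-address-type=local protocol=tcp dst-port=443 \
    action=dst-nat to-addresses=192.168.60.1 to-ports=443 comment="publish 443 (WAN and hairpin)"
# For LAN -> LAN hairpinned flows, rewrite the source to the router's LAN address
# so the server replies to the router and the router can un-NAT the reply.
# src-address/dst-address here are evaluated after dstnat.
add chain=srcnat src-address=192.168.60.0/24 dst-address=192.168.60.1 protocol=tcp dst-port=443 \
    action=masquerade comment="hairpin NAT for published 443"
add chain=srcnat out-interface-list=WAN action=masquerade comment="LAN -> Internet"

/ip firewall filter
# Same accept as for WAN-originated traffic, without the in-interface-list=WAN
# match, so the hairpinned LAN -> LAN connection is allowed as well.
add chain=forward connection-state=new connection-nat-state=dstnat protocol=tcp \
    dst-address=192.168.60.1 dst-port=443 action=accept comment="allow published 443 (any ingress)"

# Check: run curl -vk https://<wan-ip>/ from a LAN host. The hairpinned flow
# shows both a dstnat and a srcnat translation in the connection table.
/ip firewall connection print detail where dst-address~"443"
```

If the LAN-side test works with these rules but the WAN-side test still times out, the MikroTik is not the problem and the device in front of it (the Cisco router in the diagram) is not delivering the port to the MikroTik's WAN address.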

Re: DSTNAT doesn't open port

Posted: Fri Apr 23, 2021 4:29 pm
by netgus
Here it is, I hope it will be clearer
[Attachment: test (1).png (lab network diagram)]

Re: DSTNAT doesn't open port

Posted: Fri Apr 23, 2021 4:39 pm
by anav
Well, you have the Cisco router in between, so does that forward the port to the WAN IP of the MikroTik router (the LAN IP on the Cisco private subnet)?

Re: DSTNAT doesn't open port

Posted: Mon Apr 26, 2021 11:28 am
by karlisi
Does the curl test from the 192.168.60.0/24 or /30 network work?