bisar
just joined
Topic Author
Posts: 12
Joined: Fri Apr 23, 2021 9:25 am
Location: Bucharest

Port forwarding dst-nat on 2nd WAN

Fri Apr 23, 2021 10:00 am

Hi guys,

I need help here.
I have two ISPs: WAN1 is RDS (my default ISP, on ether1), and WAN2 is Orange (installed later, on ether2).
I want to expose port 5201 (iperf3) also on WAN2 (Orange); the problem is that when I try the public IP with telnet on port 5201 it is not reachable, and I don't know why.
Moreover, the same port is already exposed on WAN1 (RDS) and it is working without any issues.
Somehow, I think that I am missing something.

Please see my screenshots attachments.

Thank you!
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port forwarding dst-nat on 2nd WAN

Fri Apr 23, 2021 3:41 pm

/export hide-sensitive file=anynameyouwish
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Port forwarding dst-nat on 2nd WAN

Fri Apr 23, 2021 4:12 pm

If you have two gateways, only one at a time is used.

Nothing about your routing is known;

simply, your replies still go through RDS, not Orange.
 
bisar
just joined
Topic Author
Posts: 12
Joined: Fri Apr 23, 2021 9:25 am
Location: Bucharest

Re: Port forwarding dst-nat on 2nd WAN

Sat Apr 24, 2021 11:49 am

That's strange, because I used the same setup on pfSense and I was able to expose a port on two WANs at the same time, using dst-nat rules for each WAN :(
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port forwarding dst-nat on 2nd WAN

Sat Apr 24, 2021 1:47 pm

What is strange is that you think two different products from two different vendors will behave the same.
What's annoying is you asked for help and still have not provided your config so that we can see what the issue or issues may be.
 
bisar
just joined
Topic Author
Posts: 12
Joined: Fri Apr 23, 2021 9:25 am
Location: Bucharest

Re: Port forwarding dst-nat on 2nd WAN

Sat Apr 24, 2021 2:12 pm

I am going to provide the config, but not now, I am on the road.
 
bisar
just joined
Topic Author
Posts: 12
Joined: Fri Apr 23, 2021 9:25 am
Location: Bucharest

Re: Port forwarding dst-nat on 2nd WAN

Sat Apr 24, 2021 2:15 pm

What is strange is that you think two different products from two different vendors will behave the same.
What's annoying is you asked for help and still have not provided your config so that we can see what the issue or issues may be.
I don't know why you are getting annoyed so fast, it was just an example, of course I know that there are two different products :)
I am new to MikroTik, just bought two GWs, I am still a noob, I am learning, please be patient with me.
As I said, I'll arrive home and I'll provide the conf.
 
bisar
just joined
Topic Author
Posts: 12
Joined: Fri Apr 23, 2021 9:25 am
Location: Bucharest

Re: Port forwarding dst-nat on 2nd WAN

Sat Apr 24, 2021 2:29 pm

/export hide-sensitive file=anynameyouwish
Hi Anav, I have attached the conf file.
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port forwarding dst-nat on 2nd WAN

Sat Apr 24, 2021 7:34 pm

My apologies, will look at the config...........
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port forwarding dst-nat on 2nd WAN

Sat Apr 24, 2021 7:57 pm

Below is a line by line look at the config without context.

(1) Set this rule to NONE as its use is unclear and it is known to potentially cause issues.
/interface detect-internet
set detect-interface-list=all

(2) Bit confused on the purpose of ETHER2 Orange (is it a second WAN?). It has no definition otherwise as a DHCP client or a subnet with DHCP server etc...... ????

(3) Remove the reference to RDS here, it is not required because you have already used out-interface-list=WAN which includes RDS!!
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface=RDS out-interface-list=WAN

(4) Remove this until the reason for having another source nat rule is clear and the config matches up with other parts. There is nothing defined in the config for 192.168.1.0??
Also a VALID source nat 'action' is either src-nat or masquerade!!
add action=accept chain=srcnat dst-address=192.168.1.0/24 src-address=\
    192.168.2.0/24

(5) One destination NAT rule is different from the others................ LOL. Without some matching config setup it's not going to accomplish too much.
add action=dst-nat chain=dstnat comment="IPERF3 Orange" dst-port=5201 \
    in-interface=Orange protocol=tcp to-addresses=192.168.2.10 to-ports=5201

(6) Okay, I see you have added a route for a second WAN, but again where is the IP DHCP client info??
I'm starting to think that WAN is a fixed static WAN IP???
I am also not sure if the construction of the route is correct.
Typically one would have a clean route without the pref-source info and then a second route for the preferred source.
Also not sure why the ping check is there and the distance.............. Is this a primary or secondary WAN, or a failover WAN etc...............

Summary: okay, so you have a second WAN, why don't I see in the config the following.

ip dhcp client for WAN2 ??
ip route for WAN1 ??

++++++++++
FW rules

(7) No clue what the purpose of this rule is......
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp

(8) Not up on IPv6 so will not be able to comment on those rules, other than saying I am not sure it's a good thing to open up port 139 (but maybe that's my IPv4 showing ??)

(9) You seem to have the same sets of rules for VPN on both the input chain and forward chain, my limited experience tells me that is not correct and I suspect that they should not be on the forward chain??

(10) This I would set to NONE for security reasons.
/tool mac-server
set allowed-interface-list=LAN

(11) You seem to be missing the generic rule required to permit dst-nat to come through the WAN interface (port forwarding).
This new rule needs to be placed before the LAST rule you have in the forward chain which blocks all not coming from the LAN.
add action=accept chain=forward comment="Allow Port Forwarding" connection-nat-state=dstnat \
    connection-state=new in-interface-list=WAN
 
bisar
just joined
Topic Author
Posts: 12
Joined: Fri Apr 23, 2021 9:25 am
Location: Bucharest

Re: Port forwarding dst-nat on 2nd WAN

Sun Apr 25, 2021 12:18 pm

Below is a line by line look at the config without context.

(1) Set this rule to NONE as its use is unclear and it is known to potentially cause issues.
/interface detect-internet
set detect-interface-list=all

Will do!

(2) Bit confused on the purpose of ETHER2 Orange (is it a second WAN?). It has no definition otherwise as a DHCP client or a subnet with DHCP server etc...... ????

Ether2 is the second WAN, the Orange ISP, they are providing a fixed public IP.

(3) Remove the reference to RDS here, it is not required because you have already used out-interface-list=WAN which includes RDS!!
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface=RDS out-interface-list=WAN

Will do

(4) Remove this until the reason for having another source nat rule is clear and the config matches up with other parts. There is nothing defined in the config for 192.168.1.0??
Also a VALID source nat 'action' is either src-nat or masquerade!!
add action=accept chain=srcnat dst-address=192.168.1.0/24 src-address=\
    192.168.2.0/24

There's an IPsec tunnel between this location and a 2nd location; 192.168.1.0 is the subnet of the other location, my subnet from this location is 192.168.2.0.

(5) One destination NAT rule is different from the others................ LOL. Without some matching config setup it's not going to accomplish too much.
add action=dst-nat chain=dstnat comment="IPERF3 Orange" dst-port=5201 \
    in-interface=Orange protocol=tcp to-addresses=192.168.2.10 to-ports=5201

I understand, I just copied the existing rule for WAN1 (RDS).

(6) Okay, I see you have added a route for a second WAN, but again where is the IP DHCP client info??
I'm starting to think that WAN is a fixed static WAN IP???
I am also not sure if the construction of the route is correct.
Typically one would have a clean route without the pref-source info and then a second route for the preferred source.
Also not sure why the ping check is there and the distance.............. Is this a primary or secondary WAN, or a failover WAN etc...............

Summary: okay, so you have a second WAN, why don't I see in the config the following.

ip dhcp client for WAN2 ??
ip route for WAN1 ??

++++++++++
FW rules

Not sure here, so, basically on ether2 I plugged in a patch cord which goes into the Orange ONT (it is set in bridge mode), which provides a static public IP, and the intent is to use it as a secondary WAN (failover), which was not set up yet.

(7) No clue what the purpose of this rule is......
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp

No clue, I haven't set it, maybe it was there by default, dunno.

(8) Not up on IPv6 so will not be able to comment on those rules, other than saying I am not sure it's a good thing to open up port 139 (but maybe that's my IPv4 showing ??)

Really, I don't know why port 139 is open, I haven't set that rule up, I will have a look into it.

(9) You seem to have the same sets of rules for VPN on both the input chain and forward chain, my limited experience tells me that is not correct and I suspect that they should not be on the forward chain??

This is corrected.

(10) This I would set to NONE for security reasons.
/tool mac-server
set allowed-interface-list=LAN

Will do

(11) You seem to be missing the generic rule required to permit dst-nat to come through the WAN interface (port forwarding).
This new rule needs to be placed before the LAST rule you have in the forward chain which blocks all not coming from the LAN.
add action=accept chain=forward comment="Allow Port Forwarding" connection-nat-state=dstnat \
    connection-state=new in-interface-list=WAN

Will do.

Note: RDS, which is on ether1, uses a PPPoE connection.
 
jvanhambelgium
Forum Veteran
Posts: 985
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Port forwarding dst-nat on 2nd WAN

Sun Apr 25, 2021 12:37 pm

(11) You seem to be missing the generic rule required to permit dst-nat to come through the WAN interface (port forwarding).
This new rule needs to be placed before the LAST rule you have in the forward chain which blocks all not coming from the LAN.
add action=accept chain=forward comment="Allow Port Forwarding" connection-nat-state=dstnat \
    connection-state=new in-interface-list=WAN

But you do state that this DNAT setup works fine with only 1 ISP.
Therefore, the "generic rule to permit dst-nat" must already be in place (or DNAT will not function).
So how can that be if your config does not contain it?

EDIT: It seems you do not have ANY IPv4 firewall rules? (except for the generic src-nat/masq rule to go out to the Internet). That's quite dangerous as there is no default "deny" policy!!
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port forwarding dst-nat on 2nd WAN

Sun Apr 25, 2021 1:42 pm

What? Can someone explain why one needs ipv4 rules if they are using ipv6.
This is all too confusing and stupid, if one has to set two sets of rules LOL.
 
tdw
Forum Guru
Posts: 1843
Joined: Sat May 05, 2018 11:55 am

Re: Port forwarding dst-nat on 2nd WAN

Sun Apr 25, 2021 5:05 pm

The IPv6 rules appear to be the default, and as there is no other IPv6 configuration it is likely that the IPv6 package is enabled but not used.

Not having any IPv4 firewall rules is really bad, especially as the DNS server allows remote requests so can be used in UDP amplification attacks.

Going back to the original issue - as there is no connection and routing marking the incoming traffic from either WAN will return via the default route through WAN1, so likely fail for WAN2. The WAN2 connection traffic should be marked and have an additional routing table to return the marked traffic via that WAN.
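A worked RouterOS configuration for what tdw describes above (mark connections that arrive on WAN2 and return their replies through a second routing table), combined with the forward-chain accept rule from anav's point (11). This is an added example, not the OP's export and not MikroTik's default configuration. It assumes WAN2 is the interface named Orange (ether2), that Orange is a member of the WAN interface list and the LAN side is the LAN list, that the iperf3 host is 192.168.2.10 as in the thread, and it uses 203.0.113.20/24 and 203.0.113.1 as placeholders for the real address and gateway Orange assigned. The syntax is RouterOS v6 (routing-mark on the route), which is what a 2021 setup would most likely be running; on v7 the route takes routing-table= and the table must first be created under /routing table.

```routeros
# Added example (not the OP's config). Placeholders: 203.0.113.20/24 and
# 203.0.113.1 stand in for the address/gateway Orange actually assigned.

# 1. Static address on WAN2 (no DHCP client: the ISP provides a fixed IP).
/ip address
add address=203.0.113.20/24 interface=Orange comment="WAN2 static (placeholder)"

# 2. A second routing table whose only route points out WAN2. The main table
#    keeps the RDS default route, so normal outbound traffic is unchanged.
/ip route
add dst-address=0.0.0.0/0 gateway=203.0.113.1 routing-mark=via-orange \
    comment="return path for connections that entered via WAN2 (gateway placeholder)"

# 3. Mangle: remember which WAN a connection entered on, then steer the replies
#    belonging to those connections into the via-orange table.
/ip firewall mangle
# mark every NEW connection arriving on WAN2 (forwarded and router-bound alike)
add chain=prerouting in-interface=Orange connection-mark=no-mark \
    action=mark-connection new-connection-mark=conn-orange passthrough=yes \
    comment="connections that entered via WAN2"
# replies from LAN hosts (e.g. the dst-natted iperf3 server) for those connections;
# limited to LAN so packets arriving from WAN2 are never pushed into the table
add chain=prerouting in-interface-list=LAN connection-mark=conn-orange \
    action=mark-routing new-routing-mark=via-orange passthrough=no \
    comment="route LAN replies for WAN2 connections back out WAN2"
# replies the router generates itself (ping to the WAN2 address, etc.)
add chain=output connection-mark=conn-orange \
    action=mark-routing new-routing-mark=via-orange passthrough=no \
    comment="route router-originated replies for WAN2 connections out WAN2"

# 4. NAT: one masquerade by interface list covers both WANs (keep the existing
#    rule if you already have it), plus the WAN2 port-forward from the thread.
/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN comment="masquerade both WANs"
add chain=dstnat action=dst-nat in-interface=Orange protocol=tcp dst-port=5201 \
    to-addresses=192.168.2.10 to-ports=5201 comment="IPERF3 Orange"

# 5. Filter, forward chain, in order: the dst-nat accept must sit before the
#    final drop, otherwise forwarded dst-natted traffic from either WAN is blocked.
/ip firewall filter
add chain=forward action=accept connection-state=established,related \
    comment="allow established/related"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
add chain=forward action=accept in-interface-list=LAN comment="LAN to anywhere"
add chain=forward action=accept connection-state=new connection-nat-state=dstnat \
    in-interface-list=WAN comment="Allow Port Forwarding"
add chain=forward action=drop comment="drop everything else"
```

To check it after applying: a telnet to the Orange address on port 5201 from outside should show up in /ip firewall connection print where connection-mark=conn-orange, and /ip route print where routing-mark=via-orange shows the return route. Without the output-chain rule the router's own ping replies from the Orange address would still leave via RDS, which matches the "WAN2 doesn't answer ping" symptom reported in the thread; the LAN-only restriction on the prerouting mark-routing rule is what keeps inbound WAN2 packets from being looked up in the via-orange table themselves.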
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port forwarding dst-nat on 2nd WAN

Sun Apr 25, 2021 5:27 pm

There is nothing default about IPv6 setup, the OP would have had to put them in and set them up, and thus one should assume it's an IPv6 connection, in which case I should depart as I have no experience with IPv6.
 
bisar
just joined
Topic Author
Posts: 12
Joined: Fri Apr 23, 2021 9:25 am
Location: Bucharest

Re: Port forwarding dst-nat on 2nd WAN

Sun Apr 25, 2021 6:11 pm

(11) You seem to be missing the generic rule required to permit dst-nat to come through the WAN interface (port forwarding).
This new rule needs to be placed before the LAST rule you have in the forward chain which blocks all not coming from the LAN.
add action=accept chain=forward comment="Allow Port Forwarding" connection-nat-state=dstnat \
    connection-state=new in-interface-list=WAN

But you do state that this DNAT setup works fine with only 1 ISP.
Therefore, the "generic rule to permit dst-nat" must already be in place (or DNAT will not function).
So how can that be if your config does not contain it?

EDIT: It seems you do not have ANY IPv4 firewall rules? (except for the generic src-nat/masq rule to go out to the Internet). That's quite dangerous as there is no default "deny" policy!!

Somehow I secured the box by adding also the IPv4 rules from here:

https://wiki.mikrotik.com/wiki/Manual:S ... our_Router

I've also added the IPv6 rules.

I also have IPv6 enabled, because if I don't, nothing works on IPv4. I don't know if this is ISP related, or if it is a problem between the keyboard and the chair :))

Anyway, I am still learning, I am not a networking guru.
On the interfaces status I see that on the Orange WAN there's no traffic, which is kind of normal if nothing is set, but the dst-nat rule on port 5201 for Orange still doesn't work. I feel that I am stuck here. Somehow I feel that WAN2 is not responsive: if I ping the public IP of Orange (WAN2, ether2) from another location it doesn't answer; this doesn't apply to WAN1 (RDS), which responds to ping.

I've uploaded the new conf output.
 
jvanhambelgium
Forum Veteran
Posts: 985
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Port forwarding dst-nat on 2nd WAN

Sun Apr 25, 2021 7:57 pm

And if you unplug ISP1 and only use Orange do things then work ?
 
bisar
just joined
Topic Author
Posts: 12
Joined: Fri Apr 23, 2021 9:25 am
Location: Bucharest

Re: Port forwarding dst-nat on 2nd WAN

Sun Apr 25, 2021 9:05 pm

And if you unplug ISP1 and only use Orange do things then work ?

I'll try when I'm at the location.
Thanks for the advice.
