 
donnyforbes78
just joined
Topic Author
Posts: 22
Joined: Fri Dec 04, 2020 12:21 am

Port Forwarding

Fri Apr 23, 2021 7:29 pm

Here is what I am trying to get accomplished:

1. external IP 23.31.142.153 to forward to an internal IP of 10.10.37.xxx:8844

Here is what I have done.

1. set up a NAT like this

General Tab:
dstnat
Dst Address: 23.31.142.153
protocol: 6 (tcp)
Dest Port: 9100

Action tab:
dst-nat
To Address: 10.10.37.110
To Port: 8844

When testing this I am seeing the following
nc -vz 23.31.142.153 9100
nc: connectx to 23.31.142.153 port 9100 (tcp) failed: Network is unreachable

Is there something I am missing? I will attach some screenshots here as well...
Also please let me know if you need any other information.

Please advise..
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port Forwarding

Fri Apr 23, 2021 7:40 pm

There is only one NAT section in firewall rules (not a general and an action - why make shit up??)

dstnat rule format is
add action=dst-nat chain=dstnat dst-port=9100 protocol=tcp in-interface-list=WAN \
to-address=10.10.37.xxx to-ports=8844

What one must ensure is that in the forward chain of the /ip firewall filter rules one has a rule to allow destination NAT, something like:

add action=accept chain=forward comment="allow port forwarding" in-interface-list=WAN \
connection-nat-state=dstnat connection-state=new
 
donnyforbes78
just joined
Topic Author
Posts: 22
Joined: Fri Dec 04, 2020 12:21 am

Re: Port Forwarding

Fri Apr 23, 2021 7:51 pm

Here is my forward filter rule attached. Do I need to create another one or can I just use this existing one attached?
 
donnyforbes78
just joined
Topic Author
Posts: 22
Joined: Fri Dec 04, 2020 12:21 am

Re: Port Forwarding

Fri Apr 23, 2021 7:54 pm

> There is only one NAT section in firewall rules (not a general and an action - why make shit up??)
>
> dstnat rule format is
> add action=dst-nat chain=dstnat dst-port=9100 protocol=tcp in-interface-list=WAN \
> to-address=10.10.37.xxx to-ports=8844
>
> What one must ensure is that in the forward chain of the /ip firewall filter rules one has a rule to allow destination NAT, something like:
>
> add action=accept chain=forward comment="allow port forwarding" in-interface-list=WAN \
> connection-nat-state=dstnat connection-state=new

I have set the In. Interface to "bridge-wan".
 
donnyforbes78
just joined
Topic Author
Posts: 22
Joined: Fri Dec 04, 2020 12:21 am

Re: Port Forwarding

Fri Apr 23, 2021 8:08 pm

Still not working. Please advise, I really need to get this to work.
Thank you for your time.
 
donnyforbes78
just joined
Topic Author
Posts: 22
Joined: Fri Dec 04, 2020 12:21 am

Re: Port Forwarding

Fri Apr 23, 2021 8:27 pm

Ok, did what was recommended and no go. Please see attachments.
Please tell me what I am missing.
Still getting this:

nc -vz 23.31.142.153 9100
nc: connectx to 23.31.142.153 port 9100 (tcp) failed: Network is unreachable

Please advise and see the attachments.
 
donnyforbes78
just joined
Topic Author
Posts: 22
Joined: Fri Dec 04, 2020 12:21 am

Re: Port Forwarding

Fri Apr 23, 2021 9:02 pm

Could someone please assist me with this? I really need to get it working. Any help would be appreciated.

Thanks
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port Forwarding

Fri Apr 23, 2021 9:23 pm

This is not an immediate response forum, patience is a virtue!!

Please post your config for us to look at; the jpegs are of little value.
/export hide-sensitive file=anynameyouwish
 
donnyforbes78
just joined
Topic Author
Posts: 22
Joined: Fri Dec 04, 2020 12:21 am

Re: Port Forwarding

Fri Apr 23, 2021 9:37 pm

Sorry about that, just under a lot of pressure

# apr/23/2021 14:33:40 by RouterOS 6.46.4
# software id = Y9ZG-URCJ
#
# model = CCR1009-7G-1C-1S+
# serial number = 7AEE07EA7845
/interface bridge
add fast-forward=no name=bridge-mgm
add fast-forward=no name=bridge-wan
/interface ethernet
set [ find default-name=ether1 ] comment=wan-comcast speed=100Mbps
set [ find default-name=ether2 ] comment=paloalto-comcast speed=100Mbps
set [ find default-name=ether3 ] comment=comcast-cameras-mikrotik speed=\
100Mbps
set [ find default-name=ether4 ] comment=voip speed=100Mbps
set [ find default-name=ether5 ] comment=palo-alto-management-failover speed=\
100Mbps
set [ find default-name=ether6 ] comment=palo-alto-management speed=100Mbps
set [ find default-name=ether7 ] comment=att-backup speed=100Mbps
set [ find default-name=sfp-sfpplus1 ] advertise=\
10M-full,100M-full,1000M-full
/interface vlan
add interface=ether7 name=trust-management vlan-id=35
add interface=ether7 name=trust-scanprint vlan-id=37
add interface=ether7 name=trust-tablets vlan-id=36
add interface=ether7 name=trust-timeclocks vlan-id=38
add interface=ether7 name=trust-users vlan-id=30
add interface=ether4 name=voip-management vlan-id=35
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des lifetime=52w1d
/ip pool
add name=dhcp_pool6 ranges=10.10.35.200-10.10.35.240
add name=dhcp_pool7 ranges=10.10.32.20-10.10.32.220
add name=dhcp_pool10 ranges=10.10.3.254
add name=dhcp_pool11 ranges=10.10.30.20-10.10.31.220
add name=dhcp_pool12 ranges=10.10.35.200-10.10.35.254
add name=dhcp_pool13 ranges=10.10.36.20-10.10.36.254
add name=dhcp_pool14 ranges=10.10.37.20-10.10.37.254
add name=dhcp_pool15 ranges=10.0.35.1-10.0.35.2
/ip dhcp-server
add address-pool=dhcp_pool6 disabled=no interface=voip-management name=dhcp1
add address-pool=dhcp_pool7 disabled=no interface=ether4 name=dhcp2
add address-pool=dhcp_pool11 disabled=no interface=trust-users lease-time=30m \
name=dhcp4
add address-pool=dhcp_pool12 disabled=no interface=trust-management name=\
dhcp5
add address-pool=dhcp_pool13 disabled=no interface=trust-tablets name=dhcp6
add address-pool=dhcp_pool14 disabled=no interface=trust-scanprint name=dhcp7
add address-pool=dhcp_pool15 disabled=no interface=bridge-mgm lease-time=1m \
name=dhcp3
/queue tree
add max-limit=400M name=parent_download parent=global priority=1
add max-limit=40M name=parent_upload parent=global priority=1
add max-limit=20M name=1.child_rtp_in packet-mark=PBX_RTP_IN parent=\
parent_download priority=1
add max-limit=5M name=2.child_sip_in packet-mark=PBX_SIP_IN parent=\
parent_download priority=2
add max-limit=4M name=1.child_rtp_out packet-mark=PBX_RTP_OUT parent=\
parent_upload priority=1
add max-limit=1M name=2.child_sip_out packet-mark=PBX_SIP_OUT parent=\
parent_upload priority=2
add max-limit=370M name=3.child_all_other_traffic_in packet-mark=\
ALL_TRAFFIC_IN parent=parent_download
add max-limit=35M name="3. child_all_other_traffic_out" packet-mark=\
ALL_TRAFFIC_OUT parent=parent_upload
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/user group
set write policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,we\
b,sniff,sensitive,api,romon,dude,tikapp,!password"
/interface bridge port
add bridge=bridge-wan interface=ether1
add bridge=bridge-wan interface=ether2
add bridge=bridge-wan interface=ether3
add bridge=bridge-mgm interface=ether6
add bridge=bridge-mgm interface=ether5
/interface l2tp-server server
set enabled=yes ipsec-secret="\$Atlantaaopsvpn04as" use-ipsec=yes
/interface sstp-server server
set authentication=mschap2 certificate=server-certificate enabled=yes \
force-aes=yes pfs=yes
/ip address
add address=23.31.142.153/29 comment=comcast interface=bridge-wan network=\
23.31.142.152
add address=10.0.35.6/29 comment=paloalto-mgm interface=bridge-mgm network=\
10.0.35.0
add address=10.10.32.1/24 comment=voip-interface interface=ether4 network=\
10.10.32.0
add address=10.10.35.1/24 comment=voip-management interface=voip-management \
network=10.10.35.0
add address=10.10.30.1/23 comment=firewall-lan-backup interface=trust-users \
network=10.10.30.0
add address=10.10.35.1/24 comment=firewall-lan-backup interface=\
trust-management network=10.10.35.0
add address=10.10.36.1/24 comment=firewall-lan-backup interface=trust-tablets \
network=10.10.36.0
add address=10.10.37.1/24 comment=firewall-lan-backup interface=\
trust-scanprint network=10.10.37.0
add address=10.10.38.1/24 comment=firewall-lan-backup interface=\
trust-timeclocks network=10.10.38.0
add address=12.235.174.212/28 comment=att interface=ether7 network=\
12.235.174.208
/ip dhcp-server network
add address=10.0.35.0/29 dns-server=10.0.35.6 gateway=10.0.35.6
add address=10.10.3.0/24 dns-server=10.10.3.1 gateway=10.10.3.1
add address=10.10.30.0/23 dns-server=10.10.30.1 gateway=10.10.30.1
add address=10.10.32.0/24 dns-server=10.10.32.1 gateway=10.10.32.1
add address=10.10.35.0/24 dns-server=10.10.35.1 gateway=10.10.35.1
add address=10.10.36.0/24 dns-server=10.10.36.1 gateway=10.10.36.1
add address=10.10.37.0/24 dns-server=10.10.37.1 gateway=10.10.37.1
/ip dns
set allow-remote-requests=yes servers=208.67.222.222,8.8.8.8
/ip firewall address-list
add address=162.221.91.219 comment=freePBX list=voip-server
add address=45.76.0.57 list=site24x7
add address=198.74.56.175 list=site24x7
add address=45.33.65.221 list=site24x7
add address=45.63.10.251 list=site24x7
add address=198.74.62.39 list=site24x7
add address=50.3.30.119 list=site24x7
add address=184.95.56.8 list=site24x7
add address=173.213.96.152 list=site24x7
add address=50.2.81.144 list=site24x7
add address=45.79.199.86 list=site24x7
add address=108.61.192.146 list=site24x7
add address=45.79.213.84 list=site24x7
add address=50.116.38.61 list=site24x7
add address=45.32.229.88 list=site24x7
add address=104.140.20.131 list=site24x7
add address=45.32.225.170 list=site24x7
add address=104.140.20.235 list=site24x7
add address=185.72.156.40 list=site24x7
add address=38.88.202.192/29 list=homechef
add address=50.254.50.184/29 list=homechef
add address=96.72.122.0/29 list=homechef
add address=50.234.75.44/30 list=homechef
add address=50.207.169.176/28 list=homechef
add address=69.38.184.56/29 list=homechef
add address=157.130.239.112/30 list=homechef
add address=65.223.27.88/30 list=homechef
add address=66.146.179.128/29 list=homechef
add address=23.31.142.152/29 list=homechef
add address=12.235.174.208/28 list=homechef
add address=190.13.133.235 list=blocked-IPs
add address=170.246.115.157 list=blocked-IPs
add address=216.108.236.34 list=site24x7
add address=66.42.86.226 list=site24x7
add address=72.14.191.239 list=site24x7
add address=47.254.199.158 list=site24x7
add address=149.154.152.93 list=site24x7
add address=5.189.164.222 list=site24x7
add address=162.218.229.234 list=site24x7
add address=site24x7.enduserexp.com list=site24x7
add address=37.190.61.107 list=blocked-ips
add address=95.161.196.66 list=blocked-ips
add address=146.0.77.157 list=blocked-ips
add address=121.52.156.41 list=blocked-ips
add address=80.82.77.33 list=blocked-ips
add address=71.6.135.131 list=blocked-ips
add address=103.255.5.110 list=blocked-ips
add address=43.247.17.2 list=blocked-ips
add address=31.11.228.66 list=blocked-ips
add address=5.188.87.76 list=blocked-ips
add address=89.40.127.7 list=blocked-ips
add address=37.216.242.186 list=blocked-ips
add address=61.222.236.37 list=blocked-ips
add address=202.181.230.38 list=blocked-ips
add address=177.184.200.194 list=blocked-ips
add address=182.184.74.167 list=blocked-ips
add address=5.188.87.19 list=blocked-ips
add address=71.6.158.166 list=blocked-ips
add address=178.218.88.154 list=blocked-ips
add address=194.28.112.50 list=blocked-ips
add address=194.8.130.50 list=blocked-ips
add address=94.102.49.190 list=blocked-ips
add address=81.17.65.85 list=blocked-ips
add address=94.29.124.153 list=blocked-ips
add address=46.22.120.82 list=blocked-ips
add address=189.38.86.15 list=blocked-ips
add address=46.181.116.37 list=blocked-ips
add address=173.212.216.181 list=blocked-ips
add address=78.128.112.54 list=blocked-ips
add address=122.54.135.236 list=blocked-ips
add address=71.6.146.185 list=blocked-ips
add address=83.228.97.28 list=blocked-ips
add address=87.96.222.192 list=blocked-ips
add address=104.248.64.4 list=blocked-ips
add address=5.101.40.252 list=blocked-ips
add address=66.240.205.34 list=blocked-ips
add address=194.28.112.140 list=blocked-ips
add address=79.136.43.133 list=blocked-ips
add address=125.209.115.206 list=blocked-ips
add address=46.180.237.174 list=blocked-ips
add address=125.19.52.252 list=blocked-ips
add address=190.58.151.18 list=blocked-ips
add address=213.27.81.158 list=blocked-ips
add address=122.201.19.99 list=blocked-ips
add address=198.20.99.130 list=blocked-ips
add address=207.38.238.186 list=blocked-ips
add address=66.240.192.138 list=blocked-ips
add address=200.0.32.62 list=blocked-ips
add address=8.8.8.8 list=allow-DNS
add address=208.67.222.222 list=allow-DNS
add address=66.240.236.119 list=blocked-ips
add address=89.38.145.76 list=blocked-ips
add address=37.49.231.82 list=blocked-ips
add address=62.210.142.207 list=blocked-ips
add address=93.174.95.106 list=blocked-ips
add address=109.226.199.197 list=blocked-ips
add address=212.129.30.255 list=blocked-ips
add address=125.212.217.215 list=blocked-ips
add address=59.124.166.233 list=blocked-ips
add address=89.248.167.131 list=blocked-ips
add address=82.200.30.162 list=blocked-ips
add address=74.208.47.90 list=blocked-ips
add address=114.42.140.127 list=blocked-ips
add address=185.85.204.30 list=blocked-ips
add address=80.211.177.43 list=blocked-ips
add address=212.55.98.120 list=blocked-ips
add address=176.32.33.218 list=blocked-ips
add address=71.6.165.200 list=blocked-ips
add address=63.246.129.61 list=blocked-ips
add address=80.82.77.139 list=blocked-ips
add address=91.244.113.70 list=blocked-ips
add address=189.86.106.202 list=blocked-ips
add address=103.54.85.46 list=blocked-ips
add address=80.211.79.72 list=blocked-ips
add address=71.6.146.186 list=blocked-ips
add address=71.6.199.23 list=blocked-ips
add address=219.87.72.2 list=blocked-ips
add address=103.255.5.60 list=blocked-ips
add address=178.62.90.174 list=blocked-ips
add address=68.183.127.2 list=blocked-ips
add address=125.212.217.214 list=blocked-ips
add address=113.20.121.194 list=blocked-ips
add address=66.240.219.146 list=blocked-ips
add address=198.176.54.21 list=blocked-ips
add address=165.227.50.139 list=blocked-ips
add address=187.162.76.188 list=blocked-ips
add address=207.250.96.214 list=blocked-ips
add address=82.200.247.230 list=blocked-ips
add address=120.29.100.254 list=blocked-ips
add address=62.212.230.38 list=blocked-ips
add address=59.103.254.169 list=blocked-ips
add address=80.82.70.118 list=blocked-ips
add address=69.147.146.207 list=blocked-ips
add address=185.6.127.8 list=blocked-ips
add address=85.91.96.162 list=blocked-ips
add address=69.199.22.46 list=blocked-ips
add address=31.167.244.132 list=blocked-ips
add address=69.38.180.72/30 list=homechef
add address=67.216.16.136/29 list=homechef
add address=50.216.82.97 list=homechef
add address=172.98.94.101 comment=site24x7.enduserexp.com list=site24x7
add address=204.141.42.0/23 comment=site24x7.enduserexp.com list=site24x7
add address=65.154.166.0/24 comment=site24x7.enduserexp.com list=site24x7
add address=136.143.190.0/23 comment=site24x7.enduserexp.com list=site24x7
add address=167.160.89.90 comment=site24x7.enduserexp.com list=site24x7
add address=136.143.187.0/24 comment=site24x7.enduserexp.com list=site24x7
add address=8.45.169.0/24 comment=site24x7.enduserexp.com list=site24x7
add address=135.84.80.0/22 comment=site24x7.enduserexp.com list=site24x7
add address=136.143.176.0/20 comment=site24x7.enduserexp.com list=site24x7
add address=54.162.84.42 list=Whitelist
add address=23.22.56.37 list=Whitelist
add address=54.237.76.132 list=Whitelist
add address=3.222.52.72 list=Whitelist
/ip firewall filter
add action=accept chain=input comment="Allow all Traffic from DNS" \
src-address-list=allow-DNS
add action=accept chain=forward comment="Allow all Traffic from DNS" \
src-address-list=allow-DNS
add action=accept chain=output comment="Allow all Traffic from DNS" \
src-address-list=allow-DNS
add action=accept chain=input comment="Allow all PBX Traffic" src-address=\
162.221.91.219
add action=accept chain=forward comment="Allow all PBX Traffic" src-address=\
162.221.91.219
add action=accept chain=output comment="Allow all PBX Traffic" dst-address=\
162.221.91.219
add action=accept chain=forward comment="Allow all Traffic from P2L" log=yes \
src-address-list=homechef
add action=drop chain=input comment="Drop Malicious IPs" src-address-list=\
blocked-ips
add action=drop chain=forward comment="Drop Malicious IPs" src-address-list=\
blocked-ips
add action=drop chain=output comment="Drop Malicious IPs" src-address-list=\
blocked-ips
add action=accept chain=input comment="Allow admin SSH Requests" dst-port=22 \
protocol=tcp src-address-list=homechef
add action=accept chain=input comment="Allow admin SSH Requests" dst-port=22 \
protocol=udp src-address-list=homechef
add action=drop chain=input comment="Drop all SSH Requests" dst-port=22 \
protocol=tcp
add action=drop chain=input comment="Drop all SSH Requests" dst-port=22 \
protocol=udp
add action=drop chain=input comment="Drop all Input DNS Requests" dst-port=53 \
in-interface=bridge-wan protocol=tcp
add action=drop chain=input comment="Drop all Input DNS Requests" dst-port=53 \
in-interface=bridge-wan protocol=udp
add action=accept chain=input comment="Allow WinBox only from HomeChef IP's" \
dst-port=9191 protocol=tcp src-address-list=homechef
add action=drop chain=input comment="Drop all other WinBox Requests" \
dst-port=9191 protocol=tcp
add action=accept chain=input comment="Allow all Site24x7 ICMP" protocol=icmp \
src-address-list=site24x7
add action=accept chain=input comment="Allow all HomeChef ICMP" protocol=icmp \
src-address-list=homechef
add action=drop chain=input comment="Drop all other ICMP" in-interface=\
bridge-wan protocol=icmp src-address-list=!site24x7
add action=accept chain=input comment="Permit established connections" \
connection-state=established
add action=accept chain=input comment="Permit related connections" \
connection-state=related
add action=accept chain=input comment="Allow whitelisted sources" \
src-address-list=Whitelist
add action=accept chain=forward comment="Allow port forwarding" \
connection-nat-state=dstnat connection-state=new in-interface=bridge-wan \
log=yes
add action=drop chain=input comment="WAN - default deny" disabled=yes \
in-interface=bridge-wan src-address-list=!site24x7
add action=add-src-to-address-list address-list=blocked-addr \
address-list-timeout=1d chain=input comment="Add IP to SRC List" \
connection-limit=40000,32 protocol=tcp
add action=tarpit chain=input comment="Tarpit IP from SRC List" \
connection-limit=3,32 protocol=tcp src-address-list=blocked-addr
add action=jump chain=forward comment="SYN Flood protect" connection-state=\
new jump-target=SYN-Protect protocol=tcp tcp-flags=syn
add action=accept chain=SYN-Protect comment="Accept New Syn-ACK" \
connection-state=new limit=400,5:packet protocol=tcp tcp-flags=syn
add action=drop chain=SYN-Protect comment="Drop Invalid Syn-ACK" \
connection-state=new protocol=tcp tcp-flags=syn
add action=accept chain=forward comment=\
"Allow Established Forwarding Requests" connection-nat-state=dstnat \
connection-state=established,related
add action=accept chain=input comment="Allow Established Input Requests" \
connection-nat-state="" connection-state=established,related
add action=drop chain=forward comment="Drop Forward Invalid Packets" \
connection-state=invalid
/ip firewall mangle
add action=mark-packet chain=prerouting comment=pbx-rtp-in in-interface=\
bridge-wan new-packet-mark=PBX_RTP_IN passthrough=no protocol=udp \
src-address=162.221.91.219 src-port=!5060
add action=mark-packet chain=prerouting comment=pbx-sip-in in-interface=\
bridge-wan new-packet-mark=PBX_SIP_IN passthrough=no protocol=udp \
src-address=162.221.91.219 src-port=5060
add action=mark-packet chain=prerouting comment=all-traffic in-interface=\
bridge-wan new-packet-mark=ALL_TRAFFIC_IN passthrough=no src-address=\
!162.221.91.219
add action=mark-packet chain=postrouting comment=pbx-rtp-out dst-address=\
162.221.91.219 dst-port=!5060 new-packet-mark=PBX_RTP_OUT out-interface=\
bridge-wan passthrough=no protocol=udp
add action=mark-packet chain=postrouting comment=pbx-sip-out dst-address=\
162.221.91.219 dst-port=5060 new-packet-mark=PBX_SIP_OUT out-interface=\
bridge-wan passthrough=no protocol=udp
add action=mark-packet chain=postrouting comment=all-traffic-out dst-address=\
!162.221.91.219 new-packet-mark=ALL_TRAFFIC_OUT out-interface=bridge-wan \
passthrough=no
/ip firewall nat
add action=src-nat chain=srcnat comment=comcast-nat out-interface=bridge-wan \
src-address=10.0.0.0/8 to-addresses=23.31.142.153
add action=src-nat chain=srcnat comment=att-nat out-interface=ether7 \
src-address=10.0.0.0/8 to-addresses=12.235.174.212
add action=dst-nat chain=dstnat comment=voip-phone-dst-nat dst-address=\
23.31.142.153 dst-port=8090 protocol=tcp src-address-list=homechef \
to-addresses=10.10.32.216 to-ports=80
add action=dst-nat chain=dstnat comment=voip-phone-dst-nat dst-address=\
23.31.142.153 dst-port=8091 protocol=tcp src-address=38.88.202.198 \
to-addresses=10.10.32.212 to-ports=80
add action=dst-nat chain=dstnat comment=voip-phone-dst-nat dst-address=\
12.235.174.212 dst-port=8090 protocol=tcp src-address=38.88.202.198 \
to-addresses=10.10.32.216 to-ports=80
add action=dst-nat chain=dstnat comment=paloalto-active-nat dst-address=\
23.31.142.153 dst-port=8080 protocol=tcp src-address-list=homechef \
to-addresses=10.0.35.1 to-ports=443
add action=dst-nat chain=dstnat comment=voip-switch dst-address=23.31.142.153 \
dst-port=8085 protocol=tcp src-address-list=homechef to-addresses=\
10.10.35.21 to-ports=443
add action=dst-nat chain=dstnat comment=paloalto-active-nat-ssh dst-address=\
23.31.142.153 dst-port=2222 protocol=tcp src-address=38.88.202.198 \
to-addresses=10.0.35.1 to-ports=22
add action=dst-nat chain=dstnat comment=paloalto-passive-nat dst-address=\
23.31.142.153 dst-port=8081 protocol=tcp src-address-list=homechef \
to-addresses=10.0.35.2 to-ports=443
add action=dst-nat chain=dstnat comment=paloalto-passive-nat-ssh dst-address=\
23.31.142.153 dst-port=2223 protocol=tcp src-address=38.88.202.198 \
to-addresses=10.0.35.2 to-ports=22
add action=dst-nat chain=dstnat comment="P2L DXM Controller 1" dst-address=\
23.31.142.153 dst-port=9100 log=yes protocol=tcp to-addresses=\
10.10.37.110 to-ports=8844
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set sip disabled=yes ports=5061 sip-timeout=10s
set pptp disabled=yes
/ip ipsec policy
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
/ip route
add check-gateway=ping distance=1 gateway=23.31.142.158
add check-gateway=ping distance=10 gateway=12.235.174.209
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=38.88.202.198/32 disabled=yes
set api disabled=yes
set winbox port=9191
set api-ssl disabled=yes
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/system clock
set time-zone-name=America/New_York
/system identity
set name=ATL-VoIP
/tool sniffer
set filter-interface=ether1 filter-ip-address=162.221.91.219/32 memory-limit=\
1000KiB
 
donnyforbes78
just joined
Topic Author
Posts: 22
Joined: Fri Dec 04, 2020 12:21 am

Re: Port Forwarding

Fri Apr 23, 2021 9:53 pm

Thank you for looking at this really do appreciate your help as I am stuck.

Thanks again.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port Forwarding

Fri Apr 23, 2021 10:41 pm

Luv to help, but I am having trouble imagining the network without a diagram.
I don't see clearly how many WAN connections you have, nor the reason for a second bridge for the WAN.
I have no clue why none of your VLANs are interfaced to a bridge............

Therefore a network diagram and what is going on for each port will allow one to accurately find the problems in the config (there seem to be many).
You've asked for a 10 minute oil change but it looks like a full day repair LOL.
 
donnyforbes78
just joined
Topic Author
Posts: 22
Joined: Fri Dec 04, 2020 12:21 am

Re: Port Forwarding

Fri Apr 23, 2021 11:24 pm

Please tell me what you need from me to help and make this easier. I think you get the idea of what I am trying to accomplish, and I have set NAT up before, which is working, but for some reason this one is not working and it appears to say network not found:

nc -vz 23.31.142.153 9100
nc: connectx to 23.31.142.153 port 9100 (tcp) failed: Network is unreachable

So I am assuming there is an issue hitting the 10.10.37.xxx network, since I see the stuff getting to this 23.31.142.153.

I have provided you with the config, but I am not sure what else you need. We do have two bridges, one being "bridge-wan" and the other "bridge-mgm".

Please let me know what else you need to assist me. I really need to get this working.

Thanks again.
 
jvanhambelgium
Forum Veteran
Posts: 985
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Port Forwarding

Fri Apr 23, 2021 11:50 pm

That forward rule with the flag "dnat"? Can you uncheck "new" please?
The NEW state tells us that the packet is the first packet that we see. This means that the first packet that the conntrack module sees, within a specific connection, will be matched.
For example, if we see a SYN packet and it is the first packet in a connection that we see, it will match.

Do you have logging on all "drops" etc.? It would be interesting to see if anything else coming from the same source IP is dropped, so you can understand where it hits in your filters.
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Port Forwarding

Sat Apr 24, 2021 12:01 am

> nc -vz 23.31.142.153 9100
> nc: connectx to 23.31.142.153 port 9100 (tcp) failed: Network is unreachable

Your PC, or the device where you launch netcat, where is it?
Outside the network, or inside?
 
jvanhambelgium
Forum Veteran
Posts: 985
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Port Forwarding

Sat Apr 24, 2021 12:04 am

> nc -vz 23.31.142.153 9100
> nc: connectx to 23.31.142.153 port 9100 (tcp) failed: Network is unreachable
> Your PC, or the device where you launch netcat, where is it?
> Outside the network, or inside?

Looking at his log snippet, it states 50.216.82.97 as source, so I think he is really testing coming in externally.
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Port Forwarding

Sat Apr 24, 2021 12:32 am

First of all, can you locally access 10.10.37.110:8844 from another 10.x.x.x device???

some hint:

upgrade to 6.46.8

then change your ipsec password, you have exposed it on export: ipsec-secret="\$8591bb64516aopsvpn04as" (censored)


For a test, add these two rules on top of the others:

/ip firewall filter
add action=accept chain=input src-address=50.216.82.97
add action=accept chain=forward src-address=50.216.82.97

Paste this in a new terminal to fix some other things:
/interface bridge
set [find] fast-forward=yes
/interface ethernet
set [ find default-name=ether1 ] speed=1Gbps
set [ find default-name=ether2 ] speed=1Gbps
set [ find default-name=ether3 ] speed=1Gbps
set [ find default-name=ether4 ] speed=1Gbps
set [ find default-name=ether5 ] speed=1Gbps
set [ find default-name=ether6 ] speed=1Gbps
set [ find default-name=ether7 ] speed=1Gbps
set [ find default-name=sfp-sfpplus1 ] advertise=1000M-full,10000M-full
/ip ssh
set allow-none-crypto=no forwarding-enabled=no
and change the first rule in your NAT:

from
/ip firewall nat
add action=src-nat chain=srcnat comment=comcast-nat out-interface=bridge-wan src-address=10.0.0.0/8 to-addresses=23.31.142.153

to
/ip firewall nat
add action=masquerade chain=srcnat comment="NAT Comcast" out-interface=bridge-wan src-address=10.0.0.0/8


The rule you added has no error from my point of view:
add action=dst-nat chain=dstnat comment="P2L DXM Controller 1" dst-address=23.31.142.153 dst-port=9100 log=yes protocol=tcp to-addresses=10.10.37.110 to-ports=8844
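
Reading anav's two rules (the dst-nat rule plus the forward-chain accept for connection-nat-state=dstnat) together with the hints in the post above (the ipsec-secret that survived the export, allow-none-crypto, and the forwarded rule itself), the checks are mechanical enough to script. The linter below is an added example, not code from this thread or from MikroTik. It parses the plain /export text format, rejoining backslash-continued lines the way RouterOS does (the continuation's indent is dropped and the remainder glued on with no space, which is why "we\" followed by "b" in the policy line of the export reads back as "web"), and then reports the dst-nat rules, the 0-based position of the first forward accept for dst-natted traffic so you can see which drop rules are evaluated before it, any credential key whose value is still present, and the two /ip ssh settings rextended changed. The function names are mine, and the export excerpt embedded in it is constructed to mirror the relevant rules posted above, with a dummy secret.

```python
"""Lint a RouterOS /export for the points raised in this thread (added
example, not MikroTik code): the dst-nat rules, where the forward-chain accept
for dst-natted traffic sits, credentials left in the export, weak SSH settings."""
import shlex

# Constructed excerpt modelled on the export posted above; the secret is a dummy.
SAMPLE_EXPORT = r'''
/interface l2tp-server server
set enabled=yes ipsec-secret="dummy-secret" use-ipsec=yes
/ip firewall filter
add action=drop chain=forward comment="Drop Malicious IPs" src-address-list=\
blocked-ips
add action=accept chain=forward comment="Allow port forwarding" \
connection-nat-state=dstnat connection-state=new in-interface=bridge-wan \
log=yes
add action=drop chain=forward comment="Drop Forward Invalid Packets" \
connection-state=invalid
/ip firewall nat
add action=dst-nat chain=dstnat comment="P2L DXM Controller 1" dst-address=\
23.31.142.153 dst-port=9100 log=yes protocol=tcp to-addresses=\
10.10.37.110 to-ports=8844
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
'''


def join_continuations(text):
    """Rejoin lines an export splits with a trailing backslash.  The next
    line's indent is dropped and the rest glued on with no space, so a value
    split as 'we' + 'b' reads back as 'web', exactly as RouterOS parses it."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = (raw.lstrip() if buf else raw).rstrip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        out.append(buf + line)
        buf = ""
    if buf:
        out.append(buf)
    return out


def parse_export(text):
    """One {'section', 'cmd', 'args'} dict per add/set line, in file order."""
    rules, section = [], ""
    for line in join_continuations(text):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
            continue
        tokens = shlex.split(line)          # honours the quoted comment="..."
        args = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        rules.append({"section": section, "cmd": tokens[0], "args": args})
    return rules


def forward_chain(rules):
    """Filter rules in chain=forward, in evaluation order."""
    return [r["args"] for r in rules
            if r["section"] == "/ip firewall filter"
            and r["args"].get("chain") == "forward"]


def dstnat_accept_index(rules):
    """0-based position in the forward chain of the first accept for
    connection-nat-state=dstnat (the rule anav says must exist), or -1.
    Every drop rule with a lower index is evaluated first: look at those."""
    for i, a in enumerate(forward_chain(rules)):
        if a.get("action") == "accept" and a.get("connection-nat-state") == "dstnat":
            return i
    return -1


def dst_nat_rules(rules):
    """(dst-address, dst-port, to-addresses, to-ports) per dst-nat rule."""
    found = []
    for r in rules:
        a = r["args"]
        if r["section"] == "/ip firewall nat" and a.get("action") == "dst-nat":
            found.append((a.get("dst-address"), a.get("dst-port"),
                          a.get("to-addresses"), a.get("to-ports")))
    return found


def exposed_secrets(rules):
    """(section, key) for credential keys whose value is still in the export,
    like the ipsec-secret rextended spotted."""
    return [(r["section"], k) for r in rules for k, v in r["args"].items()
            if (k.endswith("secret") or k.endswith("password")) and v]


def ssh_findings(rules):
    """The two /ip ssh settings rextended set back to their safe values."""
    findings = []
    for r in rules:
        if r["section"] != "/ip ssh":
            continue
        if r["args"].get("allow-none-crypto") == "yes":
            findings.append("allow-none-crypto=yes: the 'none' cipher is accepted")
        fwd = r["args"].get("forwarding-enabled", "no")
        if fwd != "no":
            findings.append("forwarding-enabled=" + fwd + ": SSH tunnelling is on")
    return findings


if __name__ == "__main__":
    rules = parse_export(SAMPLE_EXPORT)
    print("dst-nat rules:", dst_nat_rules(rules))
    print("first forward accept for dstnat at index:", dstnat_accept_index(rules))
    print("secrets in export:", exposed_secrets(rules))
    print("ssh:", ssh_findings(rules))
```

To run it on the real thing, feed it the .rsc file that `/export hide-sensitive file=...` writes: `parse_export(open("anynameyouwish.rsc").read())`. On the export posted above the secret check fires on the l2tp-server line, which is the point rextended makes.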
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port Forwarding

Sat Apr 24, 2021 12:40 am

I get the feeling that you didn't create this config, because you didn't understand the request for a network diagram, which would explain the inputs on the WAN side and the networking setup involved, devices and ports etc......

Can you confirm you created this config??
I prefer to render assistance when I have more of a grasp of the whole scenario.
The network diagram shows which ports the vlans go on and to which devices etc......
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Port Forwarding

Sat Apr 24, 2021 1:15 am

What the export says without any diagram:
The factory firmware of the device is 6.38.5.
The routerboard was upgraded to 6.46.4 without using netinstall, keeping the old default values of 6.38.5 and following versions.
It has the wireless package active but ipv6, hotspot, mpls, routing packages disabled.
The sfp port is empty or unused.

It has two WANs, one 23.31.142.152/29 and one 12.235.174.208/28;
the WAN 23.31.142.152/29 is the default WAN
and 12.235.174.208/28 is the secondary WAN;
the second WAN is used only if 23.31.142.158 stops replying to ping.

It has two bridges and two ethernets:

bridge-wan used as WAN1 23.31.142.153/29
ether1 wan-comcast (WAN1 source)
ether2 paloalto-comcast
ether3 comcast-cameras-mikrotik

bridge-mgm with dhcp server on ranges=10.0.35.1-10.0.35.2
ether5 palo-alto-management-failover
ether6 palo-alto-management (error: 10.0.35.6/29, the IP goes on the bridge, not on an ethernet in the bridge)

ether4 voip 10.10.32.1/24 with dhcp server active on ranges=10.10.32.20-10.10.32.220

ether7 att-backup used as WAN2 12.235.174.212/28

On ether7 some VLANs are present:
trust-users 10.10.30.1/23 vlan-id=30 dhcp-server on ranges=10.10.30.20-10.10.31.220
trust-management 10.10.35.1/24 vlan-id=35 dhcp-server on ranges=10.10.35.200-10.10.35.254
trust-tablets 10.10.36.1/24 vlan-id=36 dhcp-server on ranges=10.10.36.20-10.10.36.254
trust-scanprint 10.10.37.1/24 vlan-id=37 dhcp-server on ranges=10.10.37.20-10.10.37.254
trust-timeclocks 10.10.38.1/24 vlan-id=38 without any dhcp

and on ether4 a VLAN:
voip-management 10.10.35.1/24 vlan-id=35 dhcp-server on ranges=10.10.35.200-10.10.35.240

BAD: VLAN 35 on ether4 and VLAN 35 on ether7 are not communicating with each other and share the pool,
but this is not the problem.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port Forwarding

Sat Apr 24, 2021 2:27 am

Nice, even with your explanation I get quickly lost in the confusing config names used.
After a few beers, a nice visual makes helping enjoyable LOL.
I am in no rush, and will gladly create a clearer, simpler config that at the end of the day will be less likely to cause problems and make problems easier to find.
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Port Forwarding

Sat Apr 24, 2021 2:51 am

> Nice, even with your explanation I get quickly lost in the confusing config names used.
> After a few beers, a nice visual makes helping enjoyable LOL.
> I am in no rush, and will gladly create a clearer, simpler config that at the end of the day will be less likely to cause problems and make problems easier to find.

I prefer coffee with milk and maple syrup ;)
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port Forwarding

Sat Apr 24, 2021 5:27 am

Coffee yes, early in the morning, but Tuscany, where is the red wine and queso!!!
Hey Normis, when MUMS open up, lets do Tuscany!!

Otherwise, I am dreaming about a bike tour through your region!!
 
donnyforbes78
just joined
Topic Author
Posts: 22
Joined: Fri Dec 04, 2020 12:21 am

Re: Port Forwarding

Sat Apr 24, 2021 8:44 am

yeah this was not much help at all. Thanks guys..
 
jvanhambelgium
Forum Veteran
Posts: 985
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Port Forwarding

Sat Apr 24, 2021 11:23 am

> yeah this was not much help at all. Thanks guys..

My suggestion also did not work?

- Can you test IF a packet actually arrives at the destination device/appliance? Or can you quickly adapt the NAT to a "test" system in the same LAN and look with tcpdump if it actually arrives?
- logs, logs, logs: Can you correlate if other packets from your test are dropped somewhere else?
- Can you move the filter (to accept anything with "dnat" flag set) all the way to the top of the forward chain?
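
The "logs, logs, logs" step above, as an added example that is not from this thread or from MikroTik: with log=yes on the dst-nat rule and on the forward rules (the posted config already logs both), every test connection leaves a dstnat line in the firewall log and, if it survives routing and the filter, a forward line, in the RouterOS format `chain: in:<iface> out:<iface>, proto <proto> (<flags>), <src>:<port>-><dst>:<port>, len <n>`, with any log-prefix in front of the chain name. The script parses those lines, traces one source address chain by chain, and gives a verdict on where the connection ended up. It assumes the drop rules carry log-prefix=DROP so that a logged drop can be told from a logged accept (the posted config has no prefixes, so that is a change to make first), and the log lines embedded in it are constructed, not taken from the thread. One caveat the thread's own `nc` output settles: `connectx to ... failed: Network is unreachable` is the connect() error ENETUNREACH, raised on the test host before any packet leaves it, so a run that prints it produces no log line on the router at all, which is what rextended's question about where the test machine sits is getting at.

```python
"""Trace one test connection through RouterOS firewall log lines (added
example, not from the thread).  Assumes log=yes on the dst-nat and forward
rules and log-prefix=DROP on the drop rules, so a drop is distinguishable."""
import re

# Constructed log lines in RouterOS firewall-log format; not taken from the thread.
SAMPLE_LOG = """\
apr/23 16:12:01 firewall,info dstnat: in:bridge-wan out:(unknown 0), src-mac aa:bb:cc:dd:ee:01, proto TCP (SYN), 50.216.82.97:51234->23.31.142.153:9100, len 60
apr/23 16:12:01 firewall,info forward: in:bridge-wan out:trust-scanprint, src-mac aa:bb:cc:dd:ee:01, proto TCP (SYN), 50.216.82.97:51234->10.10.37.110:8844, len 60
apr/23 16:13:07 firewall,info dstnat: in:bridge-wan out:(unknown 0), src-mac aa:bb:cc:dd:ee:02, proto TCP (SYN), 198.51.100.7:40000->23.31.142.153:9100, len 60
apr/23 16:13:07 firewall,info DROP forward: in:bridge-wan out:trust-scanprint, src-mac aa:bb:cc:dd:ee:02, proto TCP (SYN), 198.51.100.7:40000->10.10.37.110:8844, len 60
apr/23 16:14:20 firewall,info DROP input: in:bridge-wan out:(unknown 0), src-mac aa:bb:cc:dd:ee:03, proto ICMP (type 8, code 0), 203.0.113.9->23.31.142.153, len 84
"""

# time, topics, optional log-prefix, chain, interfaces, protocol (+flags), addresses.
# Ports are optional so ICMP lines parse too.
LINE_RE = re.compile(
    r"^(?P<ts>.+?) firewall,(?P<level>\w+) (?:(?P<prefix>\S+) )?(?P<chain>[\w-]+): "
    r"in:(?P<iface_in>\S+) out:(?P<iface_out>.+?), (?:src-mac \S+, )?"
    r"proto (?P<proto>\S+)(?: \((?P<flags>[^)]*)\))?, "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?->(?P<dst>[\d.]+)(?::(?P<dport>\d+))?, "
    r"len (?P<len>\d+)"
)


def parse_log(text):
    """One dict per line that matches the firewall log format, order preserved."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def trace(entries, src):
    """Chain-by-chain path of packets from one source address:
    (log-prefix, chain, out-interface, destination) tuples."""
    path = []
    for e in entries:
        if e["src"] != src:
            continue
        dst = e["dst"] + (":" + e["dport"] if e["dport"] else "")
        path.append((e["prefix"] or "", e["chain"], e["iface_out"], dst))
    return path


def verdict(entries, src, wan_port, drop_prefix="DROP"):
    """Where a test connection from src to the forwarded WAN port ended up."""
    hops = [e for e in entries if e["src"] == src]
    if not any(e["chain"] == "dstnat" and e["dport"] == str(wan_port) for e in hops):
        return ("no dstnat hit for port %d: the SYN never reached the router "
                "(check the client's route and the upstream)" % wan_port)
    fwd = [e for e in hops if e["chain"] == "forward"]
    if not fwd:
        # Translated, but neither a logged forward accept nor a logged drop
        # matched: an unlogged drop ahead of the accept, or no route to the
        # target subnet (routing happens before the forward chain is reached).
        return ("translated by dst-nat but no logged forward rule matched: dropped "
                "before the forward accept, or no route to the target subnet")
    if any(e["prefix"] == drop_prefix for e in fwd):
        return "dropped in forward by the rule with log-prefix " + drop_prefix
    last = fwd[-1]
    return "forwarded out %s to %s:%s; if it still fails, look at the target host" % (
        last["iface_out"], last["dst"], last["dport"])


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for src in ("50.216.82.97", "198.51.100.7", "203.0.113.9"):
        print(src, trace(entries, src))
        print("  ->", verdict(entries, src, 9100))
```

On the router the lines come from `/log print where topics~"firewall"`; paste them into the script and trace the public IP you tested from. The three constructed sources show the three outcomes: forwarded to the target, dropped in forward, and never translated at all.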
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port Forwarding

Sat Apr 24, 2021 1:56 pm

Without a network diagram, and someone who is the least bit cooperative, progress will be slow.
All I can recommend at this point is to scratch/delete the POS config that I am looking at.
Reset to defaults and port forwarding will work! :-) :-)
 
donnyforbes78
just joined
Topic Author
Posts: 22
Joined: Fri Dec 04, 2020 12:21 am

Re: Port Forwarding

Mon Apr 26, 2021 6:24 pm

The interesting thing is I was able to get this to work on my 10.10.32.xxx network. I suppose I will use this network, however I really wanted to see why it was not working on the other one, 10.10.37.xxx,
and was hoping for some assistance on that.
