Community discussions

MikroTik App
 
adriandonlan
just joined
Topic Author
Posts: 11
Joined: Thu Jun 28, 2018 3:17 pm
Location: London

Port Forwarding again!

Mon Jun 07, 2021 3:09 pm

Hi All
I have just tried to setup port forwarding for a VM in the internal network but it does not appear to be working. I have tried a number of different configurations but no luck. I can see that a connection is made to the Mikrotik router on its public IP but it's not being passed to the local VM. It maybe that the firewall rules are blocking the transfer somehow.
Essentially I would like a connection to 21.33.xx.xxx to be forwarded to 10.20.18.99 so pretty simple really but its not working. Now this setup has two WAN ports (one leased line and one BT infinity) ideally I'd like both to work but I'll settle for the leased line.
Please find the config below
# jun/07/2021 12:54:03 by RouterOS 6.44
# software id = Z0EH-ETIU
#
# model = CCR1009-7G-1C-1S+

/interface bridge
add fast-forward=no name=bridge1
/interface ethernet
set [ find default-name=ether2 ] name=BTInfinity speed=100Mbps
set [ find default-name=ether1 ] name=BTLeased speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] speed=100Mbps
set [ find default-name=ether7 ] speed=100Mbps
set [ find default-name=sfp-sfpplus1 ] advertise=\
10M-full,100M-full,1000M-full
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=10.20.18.20-10.20.18.254
add name=VPN ranges=10.10.10.2-10.10.10.100
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=bridge1 lease-time=1w10m \
name=Internal_dhcp

/interface bridge port
add bridge=bridge1 hw=no interface=ether3
add bridge=bridge1 hw=no interface=ether4
add bridge=bridge1 hw=no interface=ether5
add bridge=bridge1 hw=no interface=ether6
add bridge=bridge1 hw=no interface=ether7
add bridge=bridge1 hw=no interface=sfp-sfpplus1
add bridge=bridge1 hw=no interface=combo1
/interface bridge settings
set use-ip-firewall=yes
/interface detect-internet
set detect-interface-list=WAN
/interface list member
add interface=BTLeased list=WAN
add interface=bridge1 list=LAN
/interface pptp-server server
set enabled=yes
/ip address
add address=10.20.18.1/24 comment=defconf interface=sfp-sfpplus1 network=\
10.20.18.0
add address=192.168.1.1/24 interface=BTInfinity network=192.168.1.0
add address=217.33.xx.xxx/29 interface=BTLeased network=217.33.xx.xxx
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add dhcp-options=hostname,clientid interface=BTLeased
/ip dhcp-server network
add address=10.10.10.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=10.10.10.1
add address=10.20.18.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=10.20.18.1
/ip dns
set servers=1.1.1.1,1.0.0.1
/ip firewall address-list
add address=0.0.0.0/8 comment=RFC6890 list=NotPublic
add address=100.64.0.0/10 comment=RFC6890 list=NotPublic
add address=127.0.0.0/8 comment=RFC6890 list=NotPublic
add address=169.254.0.0/16 comment=RFC6890 list=NotPublic
add address=172.16.0.0/12 comment=RFC6890 list=NotPublic
add address=192.0.0.0/24 comment=RFC6890 list=NotPublic
add address=192.0.2.0/24 comment=RFC6890 list=NotPublic
add address=192.88.99.0/24 comment=RFC3068 list=NotPublic
add address=198.18.0.0/15 comment=RFC6890 list=NotPublic
add address=198.51.100.0/24 comment=RFC6890 list=NotPublic
add address=203.0.113.0/24 comment=RFC6890 list=NotPublic
add address=224.0.0.0/4 comment=RFC4601 list=NotPublic
/ip firewall filter
add chain=input comment="Accept established and related packets" \
connection-state=established,related
add action=drop chain=input comment="Drop invalid packets" connection-state=\
invalid
add action=drop chain=input comment=\
"Drop all packets which are not destined to routes IP address" \
dst-address-type=!local
add action=drop chain=input comment=\
"Drop all packets which does not have unicast source IP address" \
src-address-type=!unicast
add action=add-src-to-address-list address-list=Syn_Flooder \
address-list-timeout=30m chain=input comment=\
"Add Syn Flood IP to the list" connection-limit=30,32 protocol=tcp \
tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" \
src-address-list=Syn_Flooder
add action=accept chain=input comment="Accept DNS - UDP" port=53 protocol=udp
add action=accept chain=input comment="Accept DNS - TCP" port=53 protocol=tcp
add action=accept chain=input comment="Accept to established connections" \
connection-state=established
add action=accept chain=input comment="Accept to related connections" \
connection-state=related
add action=accept chain=input comment="VM Connection" dst-port=3389 log=yes \
log-prefix=vm protocol=tcp
add action=accept chain=input comment="cloudkey tcp 443" dst-address=\
10.20.18.7 dst-port=443 protocol=tcp
add action=accept chain=input comment="cloudkey access udp" dst-address=\
10.20.18.7 dst-port=3478 protocol=udp
add action=accept chain=input comment="cloudkey access 443 udp" dst-address=\
10.20.18.7 dst-port=443 protocol=udp
add action=add-src-to-address-list address-list=Port_Scanner \
address-list-timeout=1w chain=input comment="Port Scanner Detect" \
protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" \
src-address-list=Port_Scanner
add action=accept chain=input comment="WinBox remote access" dst-port=8291 \
protocol=tcp
add action=jump chain=input comment="Jump for icmp input flow" jump-target=\
ICMP protocol=icmp
add action=jump chain=forward comment="Jump for icmp forward flow" \
jump-target=ICMP protocol=icmp
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=\
bogons
add action=add-src-to-address-list address-list=spammers \
address-list-timeout=3h chain=forward comment=\
"Add Spammers to the list for 3 hours" connection-limit=30,32 dst-port=\
25,587 limit=30/1m,0:packet protocol=tcp
add action=drop chain=forward comment="Avoid spammers action" dst-port=25,587 \
protocol=tcp src-address-list=spammers
add action=accept chain=ICMP comment="Echo request - Avoiding Ping Flood" \
icmp-options=8:0 limit=1,5 protocol=icmp
add action=accept chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=\
icmp
add action=accept chain=ICMP comment="Time Exceeded" icmp-options=11:0 \
protocol=icmp
add action=accept chain=ICMP comment="Destination unreachable" icmp-options=\
3:0-1 protocol=icmp
add action=accept chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment="Drop to the other ICMPs" protocol=icmp
add action=drop chain=input comment="Drop anything else! # DO NOT ENABLE THIS \
RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED" disabled=yes
add action=drop chain=input comment="Squild Blacklist: SBL Spamhaus." \
in-interface=BTInfinity log=yes log-prefix="BL_sbl spamhaus" \
src-address-list="sbl spamhaus"
add action=drop chain=input comment="Squild Blacklist: SBL DShield." \
in-interface=BTInfinity log=yes log-prefix="BL_sbl dshield" \
src-address-list="sbl dshield"
add action=drop chain=input comment="Squild Blacklist: SBL Blocklist.de." \
in-interface=BTInfinity log=yes log-prefix="BL_sbl blocklist.de" \
src-address-list="sbl blocklist.de"
add action=drop chain=input comment="Squild Blacklist: SBL Blocklist.de." \
in-interface=BTLeased log=yes log-prefix="BL_sbl blocklist.de" \
src-address-list="sbl blocklist.de"
add action=drop chain=input comment="Squild Blacklist: SBL DShield." \
in-interface=BTLeased log=yes log-prefix="BL_sbl dshield" \
src-address-list="sbl dshield"
add action=drop chain=input comment="Squild Blacklist: SBL Spamhaus." \
in-interface=BTLeased log=yes log-prefix="BL_sbl spamhaus" \
src-address-list="sbl spamhaus"
add action=drop chain=forward comment="Squild Blacklist: SBL Spamhaus." log=\
yes log-prefix="BL_sbl spamhaus" out-interface=BTLeased src-address-list=\
"sbl spamhaus"
add action=drop chain=forward comment="Squild Blacklist: SBL Spamhaus." log=\
yes log-prefix="BL_sbl spamhaus" out-interface=BTInfinity \
src-address-list="sbl spamhaus"
add action=drop chain=forward comment="Squild Blacklist: SBL DShield." log=\
yes log-prefix="BL_sbl dshield" out-interface=BTLeased src-address-list=\
"sbl dshield"
add action=drop chain=forward comment="Squild Blacklist: SBL DShield." log=\
yes log-prefix="BL_sbl dshield" out-interface=BTInfinity \
src-address-list="sbl dshield"
add action=drop chain=forward comment="Squild Blacklist: SBL Blocklist.de." \
log=yes log-prefix="BL_sbl blocklist.de" out-interface=BTLeased \
src-address-list="sbl blocklist.de"
add action=drop chain=forward comment="Squild Blacklist: SBL Blocklist.de." \
log=yes log-prefix="BL_sbl blocklist.de" out-interface=BTInfinity \
src-address-list="sbl blocklist.de"
/ip firewall mangle
add action=accept chain=prerouting dst-address=192.168.1.0/24 in-interface=\
bridge1
add action=accept chain=prerouting dst-address=217.33.xx.xxx/29 in-interface=\
bridge1
add action=mark-connection chain=prerouting connection-mark=no-mark \
in-interface=BTInfinity new-connection-mark=BTInfinity_conn passthrough=\
yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
in-interface=BTLeased new-connection-mark=BTLeased_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
connection-type="" disabled=yes dst-port=22,63179 in-interface=bridge1 \
new-connection-mark=BTLeased_conn passthrough=no protocol=tcp
add action=mark-connection chain=prerouting connection-mark=no-mark \
dst-address-type=!local in-interface=bridge1 new-connection-mark=\
BTInfinity_conn passthrough=yes per-connection-classifier=\
both-addresses:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark \
dst-address-type=!local in-interface=bridge1 new-connection-mark=\
BTLeased_conn passthrough=yes per-connection-classifier=\
both-addresses:2/1
add action=mark-routing chain=prerouting connection-mark=BTInfinity_conn \
in-interface=bridge1 new-routing-mark=to_infinity passthrough=yes
add action=mark-routing chain=prerouting connection-mark=BTLeased_conn \
in-interface=bridge1 new-routing-mark=to_leased passthrough=yes
add action=mark-routing chain=output connection-mark=BTInfinity_conn \
new-routing-mark=to_infinity passthrough=yes
add action=mark-routing chain=output connection-mark=BTLeased_conn \
new-routing-mark=to_leased passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface=BTLeased
add action=masquerade chain=srcnat out-interface=BTInfinity
add action=dst-nat chain=dstnat dst-address=217.33.xx.xxx log=yes log-prefix=\
VM protocol=tcp src-port=3389 to-addresses=10.20.18.99 to-ports=3389
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set sip disabled=yes
/ip route
add check-gateway=ping distance=1 gateway=192.168.1.254 routing-mark=\
to_infinity
add check-gateway=ping distance=1 gateway=217.33.xx.xxx routing-mark=\
to_leased
add check-gateway=ping distance=1 gateway=217.33.xx.xxx
add check-gateway=ping distance=1 gateway=192.168.1.254
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes

add comment=Firewall interval=1d name=\
Blacklist_SquidBlacklist_Download_drop.malicious.rsc on-event=\
"/system script run Blacklist_SquidBlacklist_Download_drop.malicious.rsc" \
policy=read,test start-date=jan/01/2018 start-time=22:16:00
add comment=Firewall interval=1d name=\
Blacklist_SquidBlacklist_Import_drop.malicious.rsc on-event=\
"/system script run Blacklist_SquidBlacklist_Import_drop.malicious.rsc" \
policy=read,write start-date=jan/01/2018 start-time=22:25:00
add comment=\
"Backup config and send it to Adrian using a specific gmail address" \
interval=1w name=Backup on-event="/system script run EmailBackup.rsc" \
policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=jan/12/2019 start-time=02:17:32
/system script
add comment=Firewall dont-require-permissions=no name=\
Blacklist_SquidBlacklist_Download_drop.malicious.rsc owner=Adrian policy=\
read,test source=":log warning \"START - Download blacklist (drop.maliciou\
s.rsc) updates.\";\r\
\n/tool fetch address=www.squidblacklist.org host=www.squidblacklist.org m\
ode=http src-path=/downloads/drop.malicious.rsc dst-path=/disk1/blacklists\
/drop.malicious.rsc\r\
\n:log warning \"END - Download blacklist (drop.malicious.rsc) updates.\";\
"
add comment=Firewall dont-require-permissions=no name=\
Blacklist_SquidBlacklist_Import_drop.malicious.rsc owner=Adrian policy=\
read,write source=":log warning \"START - Import blacklist (drop.malicious\
.rsc) update.\";\r\
\nimport /disk1/blacklists/drop.malicious.rsc\r\
\n:log warning \"END - Import blacklist (drop.malicious.rsc) update.\";"
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Port Forwarding again!

Mon Jun 07, 2021 3:38 pm

add action=dst-nat chain=dstnat dst-address=217.33.xx.xxx log=yes log-prefix=\
VM protocol=tcp src-port=3389 to-addresses=10.20.18.99 to-ports=3389

should be dst
 
adriandonlan
just joined
Topic Author
Posts: 11
Joined: Thu Jun 28, 2018 3:17 pm
Location: London

Re: Port Forwarding again!

Mon Jun 07, 2021 4:10 pm

Excellent thanks a lot for the help

Who is online

Users browsing this forum: BioMax, oscar120584 and 34 guests