Community discussions

MikroTik App
 
konrad911
just joined
Topic Author
Posts: 2
Joined: Fri Jun 18, 2021 7:27 pm

Port forwarding once again (DST-NAT)

Fri Jun 18, 2021 7:38 pm

Hi All,
I tried for few hours to sort this out, but just cannot...

In theory, easy thing - want to access Web server in my LAN via WAN interface.

But it's not working (even though on my other RB - RB912 it's working [between LTE and LAN]).

Here's my RB450 with 2x WAN (Eth4&Eth5) + LAN bridge where my Web server is (192.168.88.71).
WAN2(Eth4) I set up just for testing purposes. WAN1 (Eth5) is connected to ISP device.
# jun/17/2021 12:22:17 by RouterOS 6.48.3
# software id = 2QS3-Q818
#
# model = 450G
# serial number = 23260186B69C
/interface bridge
add admin-mac=00:0C:42:5B:EE:2C arp=proxy-arp auto-mac=no comment=defconf \
    name=bridge_eth1-3
/interface ethernet
set [ find default-name=ether1 ] name=ether1-mgmt speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] name=ether4-wan2 speed=100Mbps
set [ find default-name=ether5 ] name=ether5-pronet speed=100Mbps
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=default-dhcp ranges=192.168.88.100-192.168.88.200
add name=WAN2-DHCP ranges=10.1.1.10-10.1.1.100
/ip dhcp-server
add address-pool=default-dhcp bootp-support=none disabled=no interface=\
    bridge_eth1-3 lease-time=8h name=dhcp1
add address-pool=WAN2-DHCP disabled=no interface=ether4-wan2 name=WAN2-DHCP
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge_eth1-3 comment=defconf interface=ether1-mgmt
add bridge=bridge_eth1-3 interface=ether2
add bridge=bridge_eth1-3 interface=ether3
/ip neighbor discovery-settings
set discover-interface-list=none
/interface list member
add comment=defconf interface=bridge_eth1-3 list=LAN
add interface=ether5-pronet list=WAN
add interface=ether4-wan2 list=LAN
/ip address
add address=192.168.88.250/24 comment="LAN Bridge Eth1-Eth3" interface=\
    bridge_eth1-3 network=192.168.88.0
add address=10.1.1.1/24 comment="TEST WAN" interface=ether4-wan2 network=\
    10.1.1.0
/ip dhcp-client
add disabled=no interface=ether5-pronet
/ip dhcp-server network
add address=10.1.1.0/24 comment=WAN2-DHCP dns-none=yes gateway=10.1.1.1 \
    netmask=24
add address=192.168.88.0/24 comment="LAN" dns-server=\
    8.8.8.8,8.8.4.4 gateway=192.168.88.250
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=fasttrack-connection chain=forward comment=\
    "Allow Fasttrack Established Related " connection-state=\
    established,related
add action=accept chain=input comment="Allow Ping" protocol=icmp
add action=accept chain=input comment="Accept Established / Related" \
    connection-state=established,related
add action=accept chain=forward connection-state=\
    established,related,untracked
add action=accept chain=input comment=\
    "Accept Management input from LAN on ETH1-3" in-interface-list=LAN \
    src-address=192.168.88.0/24
add action=accept chain=input comment="Allow Management Input on WAN2 - Eth4" \
    in-interface=ether4-wan2
add action=accept chain=forward in-interface=ether4-wan2
add action=accept chain=forward comment="Allow Port Forwarding - DSTNAT" \
    connection-nat-state=dstnat connection-state=new log=yes
add action=drop chain=forward comment="Drop All from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN \
    log=yes
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    disabled=yes ipsec-policy=out,ipsec
add action=drop chain=input comment="Drop Input ALL" in-interface-list=all \
    log=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Port forward to SuperZFS (80)" \
    dst-address=10.1.1.1 dst-port=80 in-interface=ether4-wan2 log=yes \
    protocol=tcp to-addresses=192.168.88.71 to-ports=80
/ip route
add check-gateway=ping comment="ISP Otvarta" disabled=yes distance=10 \
    gateway=192.168.88.1
add check-gateway=ping comment="ISP ProNet" disabled=yes distance=1 gateway=\
    192.168.2.254
add comment="Otvarta WAN" distance=1 dst-address=10.250.5.0/24 gateway=\
    192.168.88.1
add distance=1 dst-address=172.16.0.0/24 gateway=192.168.88.1
add distance=1 dst-address=192.168.89.0/24 gateway=192.168.88.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=2200
set www-ssl certificate=Webfig disabled=no
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name="MikroTik RB450"
/system note
set note="\
    \n##### WARNING #####\
    \nAuthorized administrators only.\
    \nAccess to this device is monitored."
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool netwatch
add down-script="/ip route disable 0" host=155.133.0.7 interval=10s \
    up-script="/ip route enable 0"
add down-script="/ip route disable 1" host=10.250.2.86 interval=10s \
    up-script="/ip route enable 1"
What am I missing?
PS. Few things might be wrong, as just changed ISP, but for dst-nas this should not have impact.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19101
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Port forwarding once again (DST-NAT)

Mon Jun 21, 2021 9:52 pm

Hairpin nat no doubt...........
Lots of ways to skin the cat for hairpinnat.
The issue is caused when your server is on the same subnet as your LAN users.
The solutions are abundant.

The two easiest ones are:
(1) Quite simply get LAN users to use LANIP
(2) Move the server to its own subnet and quite frankly if you dont want your users to use LANIP, then it probably should be on a different subent/vlan.

IF above is not doable,
then the rest depends upon
a. which ISP are you using to access the SERVER (from external)? and
b. is the IP static or dynamic?

Regardless the one essential step is that you will need to add a sourcenat rule at the top of sourcenat rules.
add action=src-nat chain=masquerade src-address=192.168.178.0/24 dst-address=192.168.178.0/24
(OR WHATEVER THE SUBNET IS THAT YOUR SERVER AND USERS ARE ON)

If you consider your WANIP on ether2 static then basically no change is required on the dst-nat rule.
add action=dst-nat chain=dstnat comment=SalesServer dst-address=staticwanip \
dst-port=9101 log=yes protocol=tcp to-addresses=192.168.178.122

(to port NOT required if same as dst-port, in-interface not required as you have stated the dst-address already)

IF you have a dynamic IP there are different options.
 
konrad911
just joined
Topic Author
Posts: 2
Joined: Fri Jun 18, 2021 7:27 pm

Re: Port forwarding once again (DST-NAT)

Thu Jun 24, 2021 1:07 am

Hi anav and thanks for the reply.

Hairpin NAT was something I was reading about already, and yes it helped to access the Web server by it's "public" IP (ISP's IP on my WAN interface).
However the culprit alone was not the configuration of my Mikrotik device... It was the default GW of the Web server.

Lesson learned.

So currently I have 2 WAN links (one Radio-Line, one LTE) and in theory both have public IP addresses.
- ISP1 (LTE with data limits) assigns private IP to my LTE interface (10.x.x.x) [other RB], but I can access it via the public IP from the Internet (I expect port forwarding for all traffic).
- ISP2 (Radio-Line no data limits) assigns private IP to my Eth5 (192.168.x.x) and public IP to the Radio-Device they provided (UBNT with airOS).
I cannot access my DST-NATed Web server (port 80) through that ISP2 Public IP, they claim they have forwarded the ports to my Eth5... Port Scan of that public IP reveals ports 53,65022 and 65443 open (UBNT airOS). I checked when I disconnect PoE on that device the services die, reconnect power and the ports are open shortly after again.
When I connect to my ISP2 WAN interface (Eth5 on my RB450) directly (plug in UTP cable from my laptop's Eth to RB450 Eth5) and configure the same subnet (192.168.x.x) I can access my Web server by pointing to the ISP (private) IP address at my Eth5 (ISP2 WAN interface). So my DST-NAT works for sure.

Is there a way to prove to the ISP they failed with port forwarding?

Many thanks.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19101
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Port forwarding once again (DST-NAT)

Thu Jun 24, 2021 2:09 am

Do activate your IP cloud on the router. It will show what your public IP address is!!
As for the rest clearly 80 is not open and other ports seem to be open
I usually use gibsons to check status of my ports.

https://www.grc.com/x/ne.dll?bh0bkyd2

perhaps they reject using port 80 because its the common http port!
Suggesting you ask like a port such as 56780 and in your Dst nat rule simply translate this to port 80 for the server (assuming your server is incapable of another port).
Just have to let your users know to add the port to any URL. www.serveraddress.com:56780

Who is online

Users browsing this forum: Google [Bot] and 56 guests