mahesharu
just joined
Topic Author
Posts: 8
Joined: Fri Sep 03, 2021 12:24 pm

Issues with NAT rule

Fri Sep 03, 2021 12:47 pm

model : CCR1009-7G-1C-1S+

We are using the above model, and the NAT rule has worked fine so far. But all of a sudden the public sites were not accessible.
We could see the traffic and packet requests for HTTP/HTTPS reaching up to the router, but the NATing is not working.
We checked whether there is any other firewall rule blocking it, but found nothing. Any idea why this has stopped working?
Or, in order to find the issue, how should we proceed?

/ip firewall filter> print
;;; Allow FORWARD SSH/HTTP/HTTPS
chain=forward action=accept protocol=tcp dst-address=192.168.xx.xx in-interface=vlan28 dst-port=22,80,443 log=no log-prefix=""
...
/ip firewall nat> print
;;; DSTNAT Web (HTTP,HTTPS) via ISP
chain=dstnat action=dst-nat to-addresses=192.168.xx.xx protocol=tcp dst-address=103.249.80.67 dst-port=80,443 log=yes log-prefix="dst-nat"
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Issues with NAT rule

Fri Sep 03, 2021 3:35 pm

By showing the config
/export hide-sensitive file=anynameyouwish

Also are you attempting to do port forwarding?
If so are the users in the same subnet as the server but are not using the LANIP but WANIP to reach the server?
 
mahesharu
just joined
Topic Author
Posts: 8
Joined: Fri Sep 03, 2021 12:24 pm

Re: Issues with NAT rule

Sat Sep 04, 2021 8:13 am

By showing the config
/export hide-sensitive file=anynameyouwish
/ip firewall filter> print
;;; Allow FORWARD SSH/HTTP/HTTPS
chain=forward action=accept protocol=tcp dst-address=192.168.8.12 in-interface=vlan28 dst-port=22,80,443 log=no log-prefix=""
...
/ip firewall nat> print
;;; DSTNAT Web (HTTP,HTTPS) via ISP
chain=dstnat action=dst-nat to-addresses=192.168.8.12 protocol=tcp dst-address=103.249.80.67 dst-port=80,443 log=yes log-prefix="dst-nat"
Also are you attempting to do port forwarding?
If so are the users in the same subnet as the server but are not using the LANIP but WANIP to reach the server?

Yes, we are. We are using the MikroTik as our edge router. All the HTTP/HTTPS requests from the Internet need to get forwarded to our web proxy. The web proxy server takes care of the internal routing based on the host name.

I would also like to know if there are any commands to check whether the port forwarding works as intended.
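One way to verify on the router itself whether the forward is actually happening, as an added example that is not from the thread. The RouterOS CLI commands below assume the addresses and rule comments shown in the posts above (WAN IP 103.249.80.67, web proxy 192.168.8.12, WAN interface vlan28); they only read counters, logs and connection tracking.

```routeros
# Added diagnostic sequence (not part of the original posts).
# Assumes: dst-nat rule comment "DSTNAT Web (HTTP,HTTPS) via ISP", forward accept
# rule comment "Allow FORWARD SSH/HTTP/HTTPS", WAN interface vlan28.

# 1. Zero the counters, reproduce the request from outside, then see which rules fired.
#    If the dst-nat counter stays at 0, the packets never reach the dstnat chain
#    (wrong dst-address, or traffic is not arriving at the router at all).
/ip firewall nat reset-counters-all
/ip firewall filter reset-counters-all
/ip firewall nat print stats where comment~"DSTNAT Web"
/ip firewall filter print stats where comment~"Allow FORWARD"

# 2. A drop rule earlier in the forward chain will show its counter climbing instead.
/ip firewall filter print stats where chain=forward action=drop

# 3. The dst-nat rule was created with log=yes log-prefix="dst-nat", so every match
#    writes a log line; no lines means no match.
/log print where message~"dst-nat"

# 4. Connection tracking shows whether the translation was applied:
#    dst-address should be 103.249.80.67:443 (or :80) and reply-src-address
#    192.168.8.12:443, i.e. the server answered through the router.
/ip firewall connection print where dst-address~"103.249.80.67"

# 5. Confirm on the wire: packets arriving on vlan28 for port 443, and, in a second
#    run on the LAN interface, the same flows leaving towards 192.168.8.12.
/tool sniffer quick interface=vlan28 port=443
```

If step 1 counts matches but step 4 never shows a reply-src-address of 192.168.8.12, the router forwarded the SYN and the server (or the path to it) did not answer, which points away from the NAT rule.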
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Issues with NAT rule

Sat Sep 04, 2021 2:21 pm

So you have two MT devices or just one in the mix?
If the MT is just the edge router and moving traffic to a second router, that has nothing to do with firewall forwarding rules in terms of specifics.
a. You need the general firewall rule that allows port forwarding (the default rule suffices for example)
b. You need a port forward rule (dst-nat rule) on the MIKROTIK where the destination address is the static WANIP of the MT (or if dynamic simply state in-interface-list=WAN) and where the TO-ADDRESS is the LANIP (on the MT subnet) of the next router (the next router's WAN IP). Then any further port forwarding has nothing to do with the MT edge router.
Last edited by anav on Sat Sep 04, 2021 7:08 pm, edited 2 times in total.
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Issues with NAT rule

Sat Sep 04, 2021 5:35 pm

I would recommend you to remove your Public IP...

So vlan28 is your WAN interface ?
The rules look fine ...
 
mahesharu
just joined
Topic Author
Posts: 8
Joined: Fri Sep 03, 2021 12:24 pm

Re: Issues with NAT rule

Sun Sep 05, 2021 5:18 pm

So you have two MT devices or just one in the mix?
If the MT is just the edge router and moving traffic to a second router, that has nothing to do with firewall forwarding rules in terms of specifics.
a. You need the general firewall rule that allows port forwarding (the default rule suffices for example)
b. You need a port forward rule (dst-nat rule) on the MIKROTIK where the destination address is the static WANIP of the MT (or if dynamic simply state in-interface-list=WAN) and where the TO-ADDRESS is the LANIP (on the MT subnet) of the next router (the nexts router wan IP). Then any further port forwarding has nothing to do with the mT edge router.

I am using only one MT in my case. So if you look at my previous update, I have added the general firewall rule that allows port forwarding and created the port forward rule (dst-nat rule) on the MikroTik where the destination address is the static WAN IP, specifying the TO-ADDRESS as the LAN IP.

But I don't see any traffic on my web-proxy server from opened port.
 
mahesharu
just joined
Topic Author
Posts: 8
Joined: Fri Sep 03, 2021 12:24 pm

Re: Issues with NAT rule

Sun Sep 05, 2021 5:20 pm

I would recommend you to remove your Public IP...

So vlan28 is your WAN interface ?
The rules look fine ...

I can't remove the public IP address because we have connections from more than one ISP. So the public DNS is set to resolve using the mentioned public IP address.

So vlan28 is your WAN interface ?
Yes
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Issues with NAT rule

Sun Sep 05, 2021 5:42 pm

I would recommend you to remove your Public IP...

So vlan28 is your WAN interface ?
The rules look fine ...
I can't remove the public IP address because we have connection from more than one ISP. So the public DNS is set to resolve using the mentioned public IP address.

So vlan28 is your WAN interface ?
Yes

I mean remove it from your posts here :D

Your NAT and Firewall rules on your first post are just fine...
Your problem seems to be elsewhere ...
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Issues with NAT rule

Sun Sep 05, 2021 6:05 pm

hard to tell without seeing the whole config
/export hide-sensitive file=anynameyouwish
 
mahesharu
just joined
Topic Author
Posts: 8
Joined: Fri Sep 03, 2021 12:24 pm

Re: Issues with NAT rule

Mon Sep 06, 2021 8:25 am

hard to tell without seeing the whole config
/export hide-sensitive file=anynameyouwish

Added the config file in the attachment.
Last edited by mahesharu on Tue Sep 07, 2021 7:49 am, edited 1 time in total.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Issues with NAT rule

Mon Sep 06, 2021 3:52 pm

Very complex multi-wan setup way past my paygrade.
However I do note that you have two interfaces eth2 and eth3 used for LAN traffic and the management LAN on ether4 attached to a management bridge.
All on separate subnets.

What gets confusing for me is your forward firewall rules for ACN (eth2) and ERN (eth3) where all the subnets mentioned in those rules
are not the subnets of ACN or ERN ????? Nor are these subnets defined anywhere else........ ???????

Overall there are so many block rules it begs for a change ..... At the end of the forward chain I suggest putting in a LAST RULE
add chain=forward action=drop comment="drop all else"

Which means all you need in the forward chain for rules is the following default style rules............
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment=\
"Allow Port Forwarding - DSTNAT" connection-nat-state=dstnat \
connection-state=new in-interface-list=WAN
***********************************************************************************************************
add action=drop chain=forward


Now effectively all the block rules you have in the forward chain are DONE!
The next step is ONLY to identify which traffic that is blocked you wish to allow. (put them where the ******************* line is located )
For example you may wish to give eth2, eth3 and management lan access to the internet.
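A complete minimal rule set in the default style anav describes above, written as an added example (not anav's or the original poster's configuration). It assumes vlan28 is the WAN interface (confirmed later in the thread), ether2 is the LAN side and 192.168.8.12 is the web proxy, and it adds two things the thread only implies: the interface-list membership that the in-interface-list=WAN match silently depends on (the poster's own filter rule matches in-interface=vlan28 instead, so it is unaffected), and hairpin rules for anav's earlier question about users on the server's own subnet reaching it through the WAN IP.

```routeros
# Added example rule set; interface names, LAN subnet and the hairpin rules are assumptions.
/interface list
add name=WAN
add name=LAN
/interface list member
add list=WAN interface=vlan28
add list=LAN interface=ether2

/ip firewall filter
# Order matters: RouterOS evaluates top to bottom and stops at the first match.
add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
# Matches only connections that a dstnat rule already translated, and only from the WAN list.
add chain=forward action=accept connection-nat-state=dstnat connection-state=new in-interface-list=WAN comment="Allow Port Forwarding - DSTNAT"
# Same server reached by LAN clients via the WAN IP (hairpin): traffic enters and leaves on LAN.
add chain=forward action=accept connection-nat-state=dstnat connection-state=new in-interface-list=LAN out-interface-list=LAN comment="Allow hairpin DSTNAT"
# Explicit allow for what the LAN may do; add further accepts above the final drop.
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN comment="LAN to internet"
add chain=forward action=drop comment="drop all else"

/ip firewall nat
# No in-interface on the dst-nat rule, so both Internet and hairpin clients are translated.
add chain=dstnat action=dst-nat to-addresses=192.168.8.12 protocol=tcp dst-address=103.249.80.67 dst-port=80,443 log=yes log-prefix="dst-nat" comment="DSTNAT Web (HTTP,HTTPS) via ISP"
add chain=srcnat action=masquerade out-interface-list=WAN comment="masquerade to internet"
# Hairpin: rewrite the source so the server replies through the router, not directly to the client.
add chain=srcnat action=masquerade src-address=192.168.8.0/24 dst-address=192.168.8.12 protocol=tcp dst-port=80,443 comment="hairpin NAT for LAN clients using the WAN IP"
```

With this ordering, every drop still happens in the single final rule, so `/ip firewall filter print stats` shows at a glance whether forwarded web traffic is being accepted by the dstnat rule or falling through to "drop all else".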
 
mahesharu
just joined
Topic Author
Posts: 8
Joined: Fri Sep 03, 2021 12:24 pm

Re: Issues with NAT rule

Tue Sep 07, 2021 7:57 am

Hi Anav,

Thank you so much for your time and effort that you spent to help with this issue. I think the issue is not on the firewall or edge router side.
I created a similar firewall filter rule and NAT rule setting with another WAN IP address.
That works fine. The drop rules that you mentioned are placed at the end of the rule set, so that should not have been the problem (maybe I am wrong). If I am wrong, why does it work with another WAN IP address?

It's really confusing me now; I am not sure whether the issue is on the router or the ISP is blocking.
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Issues with NAT rule

Tue Sep 07, 2021 1:10 pm

Hi Anav,

Thank you so much for your time and effort that you spend to help with this issue. I think the issue is not on the firewall or edge router side.
I created a similar firewall filter rule and NAT rule setting with another WAN IP address.
That works fine. The drop rule that you have mentioned are placed at the end of the rule set. So that should have not been problem(maybe I am wrong). If I am wrong, why it has to work with another WAN IP address?

It's really confusing me now, I doubt if the issue is on the router? or the ISP is blocking?

Exactly, I mentioned in post #8 that most probably your problem is elsewhere...
Did you try to change the external ports and test again? Don't use 80 and 443 as external ports but, let's say, 8081 and 8082, and dst-nat to ports 80 and 443...
 
mahesharu
just joined
Topic Author
Posts: 8
Joined: Fri Sep 03, 2021 12:24 pm

Re: Issues with NAT rule

Tue Sep 07, 2021 1:25 pm

Exactly, i mention on post #8 that most probably your problem is elsewhere...
Did you try to change the external ports and test again ? don't use 80 and 443 as external ports but lets say 8081 and 8082 and dst-nat to ports 80 and 443...

No, I haven't tried changing the external ports. I can try changing that. But so far I have only created a similar rule and changed the WAN IP address.
